In 2023, in Mata v. Avianca, a lawyer named Steven Schwartz submitted a legal brief to a New York federal court containing citations to six court cases, all of them fabricated by ChatGPT. The cases did not exist. The judges, the decisions, the reasoning, all invented by an AI system that presented its hallucinations with the same confident authority it applies to accurate information. The court sanctioned Schwartz, his co-counsel and their firm. But the case raised a question that courts, regulators, businesses, and legal scholars have been wrestling with ever since: when AI causes harm, whether through false information, biased decisions, autonomous actions, or simple errors, who exactly is responsible?
The honest answer in 2026 is that the law has not yet fully caught up with the technology, and the gap between what AI systems can cause and what legal frameworks can clearly assign responsibility for is one of the most consequential unresolved problems in technology policy. The EU AI Act, described by the European Commission as “the first-ever legal framework on AI”, entered into force in August 2024 with obligations phased in from February 2025 onward, establishing risk categories and compliance requirements but leaving most civil liability questions to the product liability directive, national law and case-by-case judicial interpretation. In the United States, federal AI legislation remains fragmented, with a patchwork of sector-specific regulation, evolving FTC guidance, and state-level frameworks (California’s privacy-based rules and Colorado’s AI Act being the most developed) filling the gaps that no federal statute has yet addressed. Meanwhile, AI is being deployed in healthcare, law, finance, hiring, criminal justice, and dozens of other high-stakes domains where errors cause real harm to real people, and the question of who bears the cost of those errors is being answered, imperfectly and inconsistently, one case at a time.
This guide explains the current state of AI liability law, how responsibility is allocated across the chain from developer to deployer to user, what the EU and US regulatory approaches look like and how they differ, the specific liability risks in high-stakes sectors, what the “human on the hook” principle means in practice, and what businesses and individuals need to understand to protect themselves in a legal environment that is evolving faster than most practitioners can track.
The Core Problem: AI Does Not Fit Existing Legal Categories
Legal liability frameworks were built around human actors and physical products. When a person causes harm through negligence, the law asks whether they owed a duty of care, whether they breached it, and whether that breach caused the harm suffered. When a product causes harm, the law asks whether the product was defective when it left the manufacturer’s control. Both frameworks assume a relatively clear causal chain from a human decision or a physical object to a harmful outcome.
AI systems complicate both frameworks in ways that are not merely technical inconveniences — they reflect genuine conceptual challenges. AI systems make decisions through statistical pattern recognition processes that their own developers often cannot fully explain or predict. They produce outputs that vary with context, change as underlying models are updated, and can fail in ways that were not observable during testing. The causal chain from a harmful AI output to the decisions that produced it runs through multiple layers: the research team that developed the underlying model, the company that trained and deployed it, the business that integrated it into a product, the operator who configured it for a specific use case, and the individual who ultimately acted on its output. When something goes wrong, “which human or company had the best chance to stop this and failed?” — the question that liability law actually asks — does not have a simple answer when the answer could plausibly be any of several actors across that chain.
The “black box” opacity problem compounds the attribution challenge. In a medical malpractice case, an expert can review the doctor’s clinical reasoning and identify where it deviated from the standard of care. When an AI diagnostic system produces a wrong recommendation, examining the reasoning is often technically impossible — the system’s internal processes are not interpretable in the way human reasoning is. Proving that the AI system was “defective” rather than that it was correctly operating within its documented limitations, or that the harm was foreseeable rather than a genuinely unexpected failure mode, requires evidentiary capabilities that courts and litigants are still developing.
Who Carries Legal Liability: The Chain of Responsibility
When AI causes harm, legal analysis typically examines liability at four levels of the deployment chain. Understanding which level bears primary responsibility in which circumstances is the practical core of AI liability in 2026.
AI Developers — the companies that train and maintain the underlying models — face liability primarily through product liability doctrine. If an AI system was defective when it left the developer’s control — meaning it had a flaw that made it unreasonably dangerous for its intended use — the developer may be liable for harms that result from that flaw, regardless of fault. This is the strict liability framework that applies to defective physical products. Whether software counts as a “product” for that purpose has historically been contested, particularly in US courts. The EU’s revised Product Liability Directive (Directive (EU) 2024/2853) now says explicitly that it does, AI systems included, and in Garcia v. Character Technologies (M.D. Fla. 2025) a US federal court allowed product-liability claims against a chatbot developer to proceed past the pleading stage rather than treating the chatbot’s output as protected speech. Developers are also exposed to FTC enforcement in the United States for unfair or deceptive practices: marketing AI systems as reliable and accurate when the developer knows they frequently produce errors in specific use cases could constitute a deceptive trade practice. The challenge for plaintiffs is proving that the AI system was defective at the time of release, rather than that it simply failed in a specific instance in ways consistent with its documented limitations.
AI Integrators and Deployers — businesses that embed AI systems into their products or use them in their operations — carry the most significant and most consistently identified liability exposure in 2026. The principle is straightforward: if your business uses an AI system that causes harm to a customer, employee, or third party, your business is likely liable regardless of whether the AI system was developed in-house or licensed from a third party. Courts look at whether the business had appropriate controls, whether it acted reasonably in managing the risk, and whether it adequately disclosed the AI’s role in decisions that affected the people it harmed. The business cannot transfer liability to the AI developer simply by including a terms-of-service clause — liability follows the party with control over the deployment, not the party that happened to write the model weights.
Negligence claims against deployers are the most common current vehicle for AI liability litigation. The analysis follows standard negligence doctrine: did the deployer owe a duty of care to the affected party? Did the deployer breach that duty by deploying an AI system without adequate testing, oversight, or safeguards? Did that breach cause the harm? In most commercial contexts where customers rely on AI-assisted services, the duty of care is established. The breach and causation questions are where the specific facts of each case determine the outcome.
Professional Users — lawyers, doctors, financial advisers, and other licensed professionals who use AI tools in their practice — face a specific and increasingly well-established liability principle: the AI does not reduce their professional responsibility. A lawyer who cites AI-hallucinated cases (as Schwartz did) is sanctioned for submitting false information, not excused because AI generated it. A doctor who acts on an AI diagnostic recommendation without exercising independent clinical judgment faces the same malpractice standard as a doctor who acts on any other information source without adequate care. A financial adviser who follows AI-generated investment recommendations without client-appropriate due diligence faces the same fiduciary standard as one using any other advisory tool. The “human on the hook” principle — drawn from a UnitedLex report on AI in legal practice — captures this precisely: professionals can use AI to support their work, but they cannot transfer accountability to it. The accountability stays with the licensed professional who exercised or failed to exercise appropriate judgment over the AI’s output.
End Users — individuals who directly interact with AI systems — generally bear the least liability in the chain, particularly in consumer contexts. However, users who provide false or misleading inputs to AI systems that then cause harm, or who use AI tools for purposes clearly outside their intended scope, may share responsibility for resulting harms. The terms of service that users accept when accessing AI platforms may also affect their rights to seek remedies — though courts have been increasingly sceptical of broad liability waivers in consumer contexts, particularly for harms involving personal injury or discrimination.
The EU AI Act: A Framework with Real Teeth
The European Union’s AI Act entered into force on 1 August 2024. Its obligations apply in stages: the prohibitions from February 2025, the general-purpose AI model obligations from August 2025, the bulk of the high-risk requirements from August 2026, and the rules for AI embedded in already-regulated products from August 2027. It is the most comprehensive AI regulatory framework currently in force anywhere in the world. Its approach to liability, which works in conjunction with existing EU product liability and consumer protection law rather than replacing it, has significant implications for any business operating in or serving EU markets.
The EU AI Act sorts AI systems into tiers by risk. Prohibited practices (Article 5), which the Act treats as posing unacceptable risk, include real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions), social scoring that leads to unjustified or disproportionate detrimental treatment (the final text is not limited to public authorities), emotion recognition in workplaces and schools, and systems that use manipulative techniques or exploit age, disability or economic vulnerability to distort behaviour. These are banned outright; the penalty is a fine of up to €35 million or 7 percent of global annual turnover, whichever is higher. High-risk AI, including systems used in hiring, credit decisions, safety components of regulated products such as medical devices, critical infrastructure, law enforcement, migration and education, faces the most stringent requirements: a risk management system, data governance, technical documentation and logging, instructions to deployers, human oversight measures, a conformity assessment and, for the Annex III use cases, registration in the EU’s public database before deployment. A separate set of transparency obligations (Article 50) applies regardless of tier to chatbots, deepfake and other synthetic-content generators, and emotion recognition and biometric categorisation systems: people must be told that they are interacting with an AI system or looking at generated content. The large majority of AI applications fall outside both lists and face no AI Act obligations beyond existing law, though providers of general-purpose AI models carry their own documentation, copyright and, for the most capable models, systemic-risk obligations.
The Commission’s proposed Artificial Intelligence Liability Directive (AILD), published in 2022, was meant to complement the AI Act by making it easier for victims to obtain compensation. Its most significant provision was a rebuttable presumption of causality: where a claimant showed that the defendant had breached a duty under the AI Act and that the breach was reasonably likely to have influenced the AI output, a court could presume that the output caused the damage, shifting the burden to the defendant to disprove it. That proposal stalled and the Commission withdrew it in 2025. What did pass is the revised Product Liability Directive (Directive (EU) 2024/2853), which member states must transpose by December 2026. It states explicitly that software, including AI systems, is a product; treats a defective software update, or the failure to supply a security update the manufacturer controls, as grounds for liability; lets courts order the defendant to disclose relevant evidence; and presumes defectiveness or causation where the claimant faces excessive technical difficulty in proving them. For victims of high-risk AI, the PLD is now the instrument that carries the burden-shifting the AILD was designed to provide.
A two-tier civil liability regime, strict liability for operators of high-risk AI and fault-based liability for the rest, was proposed by the European Parliament in a 2020 resolution but has never been enacted. The AI Act itself is a product-safety and conformity statute and creates no civil cause of action of its own; liability in the EU flows through the product liability directive and national tort and contract law, with the AI Act’s requirements defining what a compliant, and therefore reasonable, deployment looks like. Even so, for the global technology industry the EU AI Act functions as a de facto global standard in the same way that GDPR did for data protection: companies that want to serve European markets must comply, and the most efficient path to compliance is building AI governance frameworks that meet EU standards rather than maintaining separate architectures for different jurisdictions.
The US Approach: Sector Regulation and Evolving Case Law
The United States has not enacted comprehensive federal AI legislation as of April 2026. The regulatory landscape is instead a mosaic of sector-specific rules, agency guidance, executive orders, and state-level regulation — supplemented by case law that is actively developing as AI-related disputes reach courts.
The Federal Trade Commission’s authority over unfair or deceptive practices gives it jurisdiction over AI systems that make false claims about their capabilities, make biased decisions in consumer contexts (credit, employment, housing), or collect and use consumer data in ways that violate their disclosed privacy practices. FTC enforcement actions related to AI are increasing, and the Commission has been clear that Section 5 of the FTC Act — which prohibits unfair or deceptive acts or practices in commerce — applies to AI systems as fully as to any other commercial product or service.
The Equal Employment Opportunity Commission issued technical assistance on AI in hiring in 2023 (withdrawn from its website in 2025, although the underlying law is unchanged), making clear that if an AI hiring tool produces discriminatory outcomes, filtering out candidates on the basis of protected characteristics, the employer is liable under existing employment discrimination law regardless of whether the discriminatory pattern was the developer’s intent or the employer’s. The disparate-impact doctrine under Title VII, which prohibits employment practices that have a disproportionate adverse effect on protected groups even without discriminatory intent, applies directly to AI screening tools whose design or training data produces such effects. Vendors are not automatically insulated either: in Mobley v. Workday (N.D. Cal.), the court allowed discrimination claims to proceed against the screening-tool vendor on the theory that it acted as the employers’ agent, and in 2025 conditionally certified an age-discrimination collective.
California’s regulatory framework, built on the California Consumer Privacy Act (CCPA) and expanded by California Privacy Protection Agency (CPPA) regulations on automated decision-making technology finalised in 2025 with compliance dates running into 2027, places the most stringent privacy-based requirements of any US jurisdiction on automated decisions that affect Californians. Businesses must disclose when automated decision-making is used in significant decisions about consumers, provide meaningful explanations of how those decisions are made, and give consumers the right to opt out and to request human review. Colorado’s AI Act (SB 24-205), the first US statute aimed specifically at high-risk AI in consequential decisions, imposes duties of reasonable care, impact assessments and notice on developers and deployers, with its effective date pushed back to June 2026. Given California’s size and the practical difficulty of maintaining California-specific data practices separately from other markets, CPPA regulation functions similarly to GDPR in its effective national reach.
The bipartisan framework for a federal US AI Act, published in the National Law Review, proposes to establish legal accountability for harm caused by AI, promote transparency, and protect consumers particularly in high-risk situations. As of April 2026, this framework remains in proposal stage — it has not been enacted as federal law, and the timeline to enactment is uncertain in the current legislative environment. The practical implication is that federal AI liability law in the US remains to be developed primarily through case law rather than through comprehensive statute, creating the uncertainty and inconsistency that litigation-driven legal development always produces.
High-Stakes Sectors: Where AI Liability Matters Most
AI liability risks are not uniform across sectors. The combination of harm severity, regulatory density, and established professional liability frameworks creates particularly significant liability exposure in several specific domains.
Healthcare presents the most acute AI liability environment because errors can directly cause patient injury or death, an extensive regulatory framework already governs medical devices and clinical practice, and the malpractice liability system creates direct personal exposure for clinicians who act on AI recommendations without independent clinical judgment. AI diagnostic systems that produce false negatives (missing a diagnosis that a competent clinician would have identified) or false positives (recommending treatment for a condition that does not exist) can cause patient harm that is legally attributable to the AI system’s deploying institution, the clinician who relied on it without sufficient scrutiny, or both. The FDA’s oversight of AI-based medical devices — through its Software as a Medical Device framework — creates specific compliance requirements and establishes the regulatory standard that determines what “reasonable” deployment of AI in medical contexts looks like.
Legal practice has seen the most publicised AI liability incidents, with multiple court sanctions for AI-hallucinated citations in legal filings. Mata v. Avianca is the most famous but not unique: courts have sanctioned lawyers in multiple jurisdictions for submitting AI-generated content without adequate verification. The professional responsibility framework in legal practice, which requires competence, candour to the tribunal, and supervision of non-lawyer assistants, applies directly to AI tools used in legal work. Bar associations including the State Bar of California (practical guidance, November 2023) and the American Bar Association (Formal Opinion 512, July 2024) have issued guidance requiring lawyers to inform clients of AI use in certain circumstances, apply adequate oversight to AI-generated work product, and understand enough about AI tools’ limitations to evaluate their outputs critically. A lawyer who does not understand what AI hallucination is, or who does not have a systematic process for verifying AI-generated citations against the actual opinions, is not meeting the competence standard that professional responsibility requires.
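One shape a “systematic process for verifying AI-generated citations” can take is a grounding check: every reporter citation in the draft is extracted and looked up in an index of opinions the firm has actually pulled, and anything not found, or found under a different case name (a real citation paired with an invented case, a common hallucination pattern), is flagged for a human to retrieve before the filing goes out. The code below is an added example, not part of the page or of any firm’s tooling; the draft text, the index and the case names are constructed for the example, and the regex covers only the common federal reporters.

```python
"""Grounding check for case citations in an AI-drafted filing (added example).

Every "<Name> v. <Name>, <vol> <reporter> <page>" citation in the draft is
looked up in an index of cases actually on file. Citations that are missing,
or that carry a different case name than the index records, are flagged for
a human to pull the opinion. Draft, index and case names are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Party names are runs of capitalised words, so that surrounding prose
# ("Plaintiff relies on ...") is not swallowed into the case name.
_WORD = r"[A-Z][\w.&']*"
CITATION_RE = re.compile(
    rf"(?P<name>{_WORD}(?: {_WORD})* v\. {_WORD}(?: {_WORD})*),\s*"
    r"(?P<vol>\d{1,4})\s+"
    r"(?P<rep>U\.S\.|S\. Ct\.|F\. Supp\.(?: 2d| 3d)?|F\.\s?(?:2d|3d|4th)?)\s+"
    r"(?P<page>\d{1,5})\b"
)


def _key(vol: str, rep: str, page: str) -> tuple:
    """Index key; reporter spacing varies ("F.3d" vs "F. 3d"), so strip it."""
    return (vol, rep.replace(" ", ""), page)


def _norm(name: str) -> str:
    return " ".join(name.split()).lower()


@dataclass(frozen=True)
class CitationCheck:
    cited_name: str            # case name as written in the draft
    citation: str              # "vol reporter page" as written in the draft
    status: str                # "verified" | "name_mismatch" | "not_in_index"
    index_name: Optional[str]  # case name the index has for this citation, if any


def verify_citations(text: str, index: dict) -> list:
    """Check every citation in `text` against `index` ({_key(...): case name})."""
    results = []
    for m in CITATION_RE.finditer(text):
        known = index.get(_key(m["vol"], m["rep"], m["page"]))
        if known is None:
            status = "not_in_index"          # nobody has this opinion on file
        elif _norm(known) != _norm(m["name"]):
            status = "name_mismatch"         # real citation, wrong case attached
        else:
            status = "verified"
        results.append(CitationCheck(m["name"], f"{m['vol']} {m['rep']} {m['page']}",
                                     status, known))
    return results


def unverified(results: list) -> list:
    """The subset a human must resolve before the filing is signed."""
    return [r for r in results if r.status != "verified"]


# Constructed draft: one invented case, one correct citation, one real
# citation attached to the wrong case name.
DRAFT_BRIEF = """\
Plaintiff relies on Acme Corp. v. Example Airlines, 925 F.3d 1339 (11th Cir. 2019),
and on Doe v. Roe Industries, 542 U.S. 200 (2004). See also Smith v. Jones Holdings,
812 F. Supp. 2d 455 (S.D.N.Y. 2011).
"""

# Constructed index of opinions the firm has actually retrieved (hypothetical).
KNOWN_CASES = {
    _key("542", "U.S.", "200"): "Doe v. Roe Industries",
    _key("812", "F. Supp. 2d", "455"): "Brown v. Jones Holdings",
}


def check_draft() -> list:
    return verify_citations(DRAFT_BRIEF, KNOWN_CASES)


if __name__ == "__main__":
    for r in check_draft():
        print(f"{r.status:14} {r.citation:22} {r.cited_name}"
              + (f"  (index: {r.index_name})" if r.index_name else ""))
```

The index stands in for whatever the firm’s authoritative source is (a citator, a document management system, a folder of downloaded opinions). The important property is that the draft is checked against something the model did not produce; a check that asks the same model whether its citations are real is not a check.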
Financial services faces AI liability through multiple regulatory channels: SEC and FINRA oversight of AI-generated investment advice, banking regulators’ requirements for model risk management in credit decisions, consumer financial protection requirements for fair and accurate disclosures, and the fiduciary duty applicable to investment advisers. When AI trading systems cause market disruptions, when AI credit models produce discriminatory lending patterns, or when AI-generated financial advice causes client losses, the regulatory and litigation exposure is substantial and the “the AI did it” defence has consistently failed to shift liability away from the financial institution that deployed the system.
Practical Protection: What Businesses Need to Do Now
The evolving legal landscape creates specific obligations and risk management priorities for businesses deploying AI in any context where errors could harm customers, employees, or third parties. The following principles reflect the emerging consensus from regulatory guidance, case law, and legal scholarship.
Document your AI governance framework. Courts and regulators consistently look at what controls a business had in place, what risk assessments it conducted, and whether it acted reasonably in managing the risks its AI deployment created. A documented AI governance framework — covering how AI systems are selected, tested, monitored, and updated — is the evidence that reasonable risk management occurred. Its absence is evidence that it did not.
Maintain human oversight for consequential decisions. The consistent principle across both the EU AI Act and US regulatory guidance is that high-stakes decisions affecting individuals — employment, credit, healthcare, housing — must include meaningful human review rather than being fully automated. “Meaningful” in this context means more than a rubber stamp — it means a human reviewer who has the information, authority, and time to exercise genuine independent judgment about the AI’s recommendation. Designing review processes that are nominally human-in-the-loop but structurally unable to override AI recommendations does not satisfy this requirement and creates the worst of both worlds: the liability of deploying the AI without the accountability of genuine human judgment.
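What “structurally able to override” looks like in code is worth making concrete. The gate below is an added example, not from the page or from any particular product: a model recommendation cannot become a decision except through a named reviewer who records an outcome and a reason, the reviewer can reverse the model, any attempt to act on an unreviewed recommendation is refused, and every step is logged with the model identifier so that a later model update is distinguishable in the record. The model name, subject identifiers and rationales are constructed for the walk-through.

```python
"""Human-in-the-loop decision gate with an audit trail (added example).

A consequential decision is never finalised from a model recommendation
alone: a named reviewer must record an outcome and a reason, may override
the model, and every step is logged with the model identifier.
"""
from dataclasses import dataclass
from enum import Enum
import itertools


class Outcome(str, Enum):
    APPROVE = "approve"
    DENY = "deny"


@dataclass(frozen=True)
class Recommendation:
    subject_id: str   # the person or application the decision concerns
    model_id: str     # model name and version, e.g. "credit-scorer:2.3.1" (hypothetical)
    outcome: Outcome
    confidence: float
    rationale: str    # model-side explanation shown to the reviewer


@dataclass(frozen=True)
class Decision:
    decision_id: int
    recommendation: Recommendation
    reviewer: str
    outcome: Outcome
    reason: str
    overridden: bool  # True when the human outcome differs from the model's


class NotReviewedError(RuntimeError):
    """Raised when code tries to act on a recommendation nobody has reviewed."""


class DecisionGate:
    def __init__(self):
        self._ids = itertools.count(1)
        self._pending = {}    # decision_id -> Recommendation awaiting review
        self._decided = {}    # decision_id -> Decision
        self.audit_log = []   # append-only list of event dicts

    def submit(self, rec: Recommendation) -> int:
        """Record a model recommendation; it stays pending until a human reviews it."""
        did = next(self._ids)
        self._pending[did] = rec
        self.audit_log.append({"event": "recommended", "decision_id": did,
                               "subject_id": rec.subject_id, "model_id": rec.model_id,
                               "outcome": rec.outcome.value, "confidence": rec.confidence})
        return did

    def review(self, did: int, reviewer: str, outcome: Outcome, reason: str) -> Decision:
        """The only path from recommendation to decision: a named reviewer with a
        stated reason, who may agree with or override the model."""
        if did not in self._pending:
            raise KeyError(f"decision {did} is unknown or already reviewed")
        if not reason.strip():
            raise ValueError("reviewer must record a reason, even when agreeing")
        rec = self._pending.pop(did)
        decision = Decision(did, rec, reviewer, outcome, reason,
                            overridden=(outcome != rec.outcome))
        self._decided[did] = decision
        self.audit_log.append({"event": "reviewed", "decision_id": did, "reviewer": reviewer,
                               "model_id": rec.model_id, "model_outcome": rec.outcome.value,
                               "human_outcome": outcome.value,
                               "overridden": decision.overridden, "reason": reason})
        return decision

    def finalize(self, did: int) -> Decision:
        """Return the reviewed decision; refuse if the human step was skipped."""
        if did in self._pending:
            raise NotReviewedError(f"decision {did} has not been reviewed by a human")
        return self._decided[did]

    def override_rate(self) -> float:
        """Share of reviewed decisions where the human disagreed with the model.
        A rate stuck at 0.0 over many decisions is a signal that review is nominal."""
        if not self._decided:
            return 0.0
        return sum(d.overridden for d in self._decided.values()) / len(self._decided)


def demo() -> dict:
    """Constructed walk-through: one agreement, one override, one bypass attempt."""
    gate = DecisionGate()
    model = "credit-scorer:2.3.1"  # hypothetical model identifier
    a = gate.submit(Recommendation("app-1001", model, Outcome.DENY, 0.91,
                                   "debt-to-income ratio above policy threshold"))
    b = gate.submit(Recommendation("app-1002", model, Outcome.DENY, 0.58, "thin credit file"))
    c = gate.submit(Recommendation("app-1003", model, Outcome.APPROVE, 0.97,
                                   "long positive history"))
    gate.review(a, "reviewer-7", Outcome.DENY, "verified income documents; ratio confirmed")
    gate.review(b, "reviewer-7", Outcome.APPROVE,
                "thin file explained by recent relocation; co-signer provided")
    try:
        gate.finalize(c)          # never reviewed: must be refused
        bypass_blocked = False
    except NotReviewedError:
        bypass_blocked = True
    return {"final_b": gate.finalize(b).outcome.value,
            "b_overridden": gate.finalize(b).overridden,
            "bypass_blocked": bypass_blocked,
            "override_rate": gate.override_rate(),
            "audit_events": len(gate.audit_log)}


if __name__ == "__main__":
    print(demo())
```

The override rate is the operational check that matches the paragraph above: a review queue in which humans never disagree with the model over hundreds of decisions is either reviewing a flawless model or not reviewing at all, and the audit log, keyed by model version, is what lets you tell which after the fact.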
Understand your contractual exposure with AI providers. Most AI platform terms of service include significant liability limitations and indemnification provisions that may be enforceable, may be overridden by applicable consumer protection law, or may be irrelevant to third-party claims that do not flow through the contractual relationship. Understanding what your AI vendor’s terms actually say about liability allocation — and ensuring that allocation is appropriate for your risk profile and legally enforceable in your jurisdiction — is basic due diligence that many businesses deploying AI have not completed.
Review your insurance coverage. Standard commercial general liability policies were not written with AI deployment in mind, and many may not cover AI-related liability claims. Specific technology errors and omissions insurance, AI liability riders, and professional liability policies for AI-using professionals are becoming more widely available as the market develops. Reviewing coverage with a broker familiar with AI-related exposures is increasingly a standard risk management recommendation for any business for which AI liability represents a meaningful financial risk.
AI has not changed the underlying principles of liability — duty, breach, causation, harm — but it has changed the context in which those principles are applied, the complexity of the causal chains that must be analysed, and the technical expertise required to navigate liability questions effectively. The businesses that manage AI liability well in 2026 are not primarily those with the most sophisticated AI systems — they are those with the clearest understanding of what their AI systems can and cannot do, the most deliberate processes for human oversight of consequential decisions, and the governance documentation that demonstrates reasonable risk management when something inevitably goes wrong. In the words of the April 2026 legal analysis: “AI has not changed the underlying principles of liability, but it has shortened the distance between a mistake and its consequences.”