What is AI liability?
Global AI regulation
AI liability is the legal question of who is responsible when an AI system causes harm, why that party is legally connected to the harm, and what remedy follows. It is not one standalone rulebook. In practice, liability usually sits inside existing law, such as product liability, negligence, contract and consumer protection, discrimination, data protection and sector-specific regulation. AI changes the analysis because systems can be opaque, updated after release, supplied by several parties and used in high-impact settings.
What this means
AI liability is mostly a backward-looking concept. It asks what happens after an AI system or AI-enabled product has caused injury, loss, discrimination, privacy harm, misleading conduct or some other legally recognised problem. The core questions are usually the same: what harm occurred, who owed a duty, what failed, how the harm can be linked to that failure, and what remedy should follow.
That makes liability different from adjacent ideas such as AI risk, AI assurance and AI audit. Risk management tries to prevent harm before something goes wrong. Assurance and audit test whether controls, claims and records are credible. Liability uses the same material later, when a court, regulator, insurer or claimant asks who should compensate, stop, fix, disclose or explain.
Because AI is often built by one party, integrated by another and used by a third, liability is rarely a simple developer-only question. A vendor contract can shift cost between businesses, but it does not automatically remove duties that a deployer, employer, manufacturer or seller may owe to affected people.
Why it matters
Organisations do not need a special "AI lawsuit" to face AI liability. Existing law can already create compensation claims, regulator action, product changes, monitoring duties, notices to affected people, training requirements and operational disruption. A business may face more than one track at once, for example a customer claim, a regulator investigation and a dispute with a supplier over who must bear the loss.
For leaders, the practical issue is not abstract blame. It is whether the organisation can show what system was used, by whom, for what purpose, with what testing, limits, supervision and response plan. If that chain of evidence is weak, legal exposure rises. If it is strong, the organisation is in a much better position to prevent harm, defend decisions, recover from suppliers and support people affected by a failure.
How it works
<strong>Liability starts with harm, not with the model name</strong>
AI liability is not triggered merely because a tool uses machine learning or generative AI. It arises when a person, business or public body can point to a legally recognised harm and connect that harm to a defect, a failure of reasonable care, an unfair or misleading practice, a discriminatory act, or a breach of a sector rule. The label "AI" matters because it affects proof and governance, but it does not create a universal cause of action on its own.
This is why one incident can produce several legal questions at once. A claimant may want compensation. A regulator may want the practice stopped or changed. A supplier and deployer may argue over indemnities and responsibility inside their contract. An insurer may then ask whether the event falls inside policy cover.
<strong>Claims usually travel through existing legal routes</strong>
Product liability is one route. Here the focus is the product or software itself. In the EU's revised product liability regime, software and AI systems count as products, and liability can continue where defects appear after an update or through continuous learning that remains under the manufacturer's control. That route is mainly about defect and causal connection, rather than proving fault.
Fault-based claims, including negligence-style claims, ask a different question: did someone fail to act with reasonable care in design, testing, deployment, monitoring, warning, human oversight or response? This route becomes important where the dispute is about how a system was built, configured or used rather than whether it was a defective product.
Consumer and contract law add another route. If an AI-enabled service gives inaccurate information, is marketed beyond what it can reliably do, or is used in a way that is unfair to consumers, liability may arise through ordinary consumer protection and contractual duties. Rights-based and public law routes can also matter, especially in employment, biometrics, privacy and other regulated settings.
<strong>Responsibility can attach to more than one actor</strong>
The original model developer is not always the only actor that matters. A product manufacturer may package the system under its own name. A deployer may decide the use case, the thresholds, the review process and whether staff must rely on or challenge the system. A service provider may fine-tune, host or continuously update the model. In some regimes, importers, authorised representatives, fulfilment providers and certain platforms can also be drawn into the liability chain.
The practical lesson is simple: responsibility follows role, control and legal duty. If a manufacturer keeps control over updates, patches or post-release learning, upstream liability can remain important. If an employer, retailer, hospital or public authority chooses the setting, the human workflow and the action taken on the system's result, downstream liability can be just as important.
Internal contracts still matter, but mainly for cost allocation between businesses. They do not automatically wipe away responsibilities owed to workers, consumers, patients or regulators.
<strong>Causation and proof are often the hardest part</strong>
AI complicates proof because behaviour may depend on data quality, deployment context, model changes, third-party components and human handovers. A harmful result may come from several small failures rather than one obvious bug. That makes it harder to show what specifically caused the harm, or to show that a business acted reasonably.
This is one reason AI governance records matter so much. Evidence such as intended use statements, version history, data provenance where available, test methods, known limits, user notices, complaint handling, monitoring records and incident reports can make or break a case. The revised EU product liability rules now include access-to-evidence mechanisms in national court proceedings, which reflects how central proof problems have become in digital and AI disputes.
In practice, liability is often shaped by what an organisation can document after the event. If you cannot explain what was deployed and how it was controlled, both defence and redress become harder.
<strong>AI-specific governance does not replace ordinary liability law</strong>
Standards and governance frameworks do not create automatic immunity. NIST's AI RMF is voluntary and risk-based, and its value lies in structuring governance around harms, accountability, transparency and ongoing management. NIST's generative AI profile adds practical emphasis on legal and regulatory requirements, pre-deployment testing, content provenance and incident disclosure. Those activities do not answer liability by themselves, but they shape the evidence available when liability is disputed.
The same is true for AI-specific regulation. New AI rules may create documentation, transparency and monitoring duties, yet compensation and fault questions often still run through ordinary product, consumer, labour, privacy and negligence law. In Europe, that point is especially important because the 2022 AI Liability proposal did not become law. In the Commission's 2025 work programme, it was listed as having no foreseeable agreement, with the Commission saying it would assess another approach. So the central legal picture remains one of adaptation, not full replacement.
<strong>Sector rules can change both the standard of care and the remedy</strong>
Once AI is used in a supervised field, general liability analysis is only part of the story. Employment is a clear example. If hiring software screens people out in a discriminatory way, the fact that software did the first pass does not remove the employer's responsibility. In US enforcement, the EEOC has treated automated discrimination as ordinary discrimination carried out through new tools.
Health care is another strong example. For AI-enabled medical devices, the FDA expects lifecycle documentation, evidence supporting safety and effectiveness, and post-market performance monitoring. That means liability arguments in health settings are often shaped by what the device sponsor documented before release, how it manages changes, and whether users were given information appropriate to the context of use.
The wider lesson is that supervised domains usually have a thicker evidence base. Sector regulators often make the expected standard of care more concrete, which can sharpen both prevention and later disputes.
<strong>Good governance creates legal evidence</strong>
The most durable way to think about AI liability is to treat governance artefacts as future evidence. Useful records include AI inventories, intended use statements, role allocation, supplier due diligence, documented tests, model and system change controls, logs, user notices, operator training, complaint channels and incident escalation paths. Good recordkeeping turns a vague story into a defensible chronology.
This is also where assurance and audit matter. They do not replace legal analysis, but they test whether the documentation is complete, current and usable under pressure. If harm occurs, those records shape arguments about reasonable care, causation, apportionment and remedy. If the records are poor, liability risk becomes evidential as well as legal.
Examples
Current example, retail surveillance: in December 2023 the US Federal Trade Commission said Rite Aid used AI-based facial recognition in hundreds of stores without reasonable procedures to prevent harm to consumers, leading to false alerts and other consumer harms. The case ended with a five-year ban on facial recognition for surveillance purposes and required safeguards around future biometric systems. The practical point is that liability can attach to harmful deployment practices, not only to a coding defect.
Current example, automated hiring: in September 2023 the EEOC announced that iTutorGroup would pay $365,000 and provide further relief after its online recruitment software automatically rejected female applicants aged 55 or older and male applicants aged 60 or older. The lesson is that employers remain legally responsible when automation embeds unlawful discrimination inside a workflow.
Current regulatory example, medical devices: in January 2025 the FDA issued draft guidance on AI-enabled device software functions, saying marketing submissions should include documentation and information that support FDA review of safety and effectiveness across the total product life cycle, including post-market performance monitoring. The lesson is that in regulated sectors, liability exposure is strongly shaped by lifecycle controls and the quality of the evidence kept before and after release.
Common misunderstandings
AI liability means the model developer is always liable. Not necessarily. In many disputes the deployer, manufacturer, employer or seller is a primary target because that is the actor that chose the use case and dealt directly with the affected person.
If there is a human in the loop, liability disappears. Not automatically. Human review only helps if it is real, informed and matched to the risk. A weak sign-off step may not break causation or prove reasonable care.
AI liability is only about physical injury. No. Depending on the legal route, it can also involve financial loss, discrimination, privacy and biometric harm, unfair commercial practice, property damage or corrupted personal data.
Following a standard means you cannot be sued or investigated. Wrong. Standards and guidance can improve governance and evidence, but they are not a universal defence.
We need a special AI liability law before existing law can apply. Wrong again. Regulators and courts are already applying product, consumer, labour and sector law to AI-related harm.
Risks and boundaries
AI liability is not a universal answer to every AI harm. Some jurisdictions give strong regulator powers but limited private damages routes. Some harms are easy to describe but hard to prove. And some duties sit in public law, procurement rules, discrimination law or sector supervision rather than ordinary civil compensation claims.
The legal picture is also uneven and still moving. Europe has updated product liability law for software and AI, but the separate 2022 AI Liability proposal did not pass. In February 2025 the Commission said there was no foreseeable agreement and that it would assess another approach. Elsewhere, many regulators still rely mainly on existing law rather than dedicated AI liability statutes. That means the same system can face different legal treatment across jurisdictions and sectors.
Finally, liability should not be confused with ethics, assurance, safety engineering or insurance. Those disciplines reduce exposure and improve evidence, but they do not by themselves decide who is legally responsible after harm occurs. This article explains the concept and the governance logic around it. It is not legal advice for a live dispute.
What to do next
Map each AI use case to the legal routes that are most likely to matter before you scale it: product safety, consumer law, employment and discrimination, privacy, professional duty and any sector-specific rule. Name an internal owner for each high-impact use and make that owner responsible for documentation, testing, approval and incident escalation.
Keep the evidence that a court, regulator, customer or insurer would later ask for: intended use, supplier role, version history, known limits, test records, user notices, operator training, monitoring records and complaints. Rework supplier contracts so you can get timely access to logs, update notices and cooperation if an incident occurs.
Then prioritise the uses that affect jobs, health, safety, identity, eligibility, pricing or vulnerable people. These are the places where harm, proof difficulty and regulator attention are most likely to meet.
FAQs
Is there one global AI liability law?
No. Liability usually runs through existing law, such as product liability, consumer protection, discrimination, privacy, negligence and sector rules. What changes from place to place is which route is strongest and what remedy is available.
Who is usually liable, the developer or the deployer?
Either, both or several actors at once. The answer turns on role, control, representations made, the type of harm and the legal regime being used.
Does buying a third-party model move the risk to the vendor?
Not by itself. A contract can shift cost between businesses, but it does not automatically remove duties owed to users, workers, customers, patients or regulators.
Is AI liability only about physical injury?
No. Depending on the regime, it can involve economic loss, discrimination, privacy and biometric harm, unfair commercial practices, property damage or corrupted personal data.
Does a human review step remove liability?
Not automatically. Review helps only if it is meaningful, informed and properly designed for the risk. A symbolic approval step may do very little.
Does compliance with NIST or FDA guidance guarantee protection?
No. Standards and guidance can strengthen governance and evidence, but they are not universal immunity. Courts and regulators still look at the specific harm, the applicable law and the facts.
Is the EU AI Liability Directive in force?
No. The 2022 proposal did not become law. In the Commission's 2025 work programme it was listed as having no foreseeable agreement, with the Commission saying it would assess another approach.
Can insurance remove AI liability?
Insurance can transfer some financial exposure, but it does not decide who is legally responsible and it does not replace testing, monitoring, documentation or incident response.
Sources
Artificial Intelligence Risk Management Framework (National Institute of Standards and Technology). NIST's voluntary, risk-based AI framework; harms, accountability, transparency, and the GOVERN, MAP, MEASURE, MANAGE structure used to explain why governance records matter when liability is later disputed.
Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile (National Institute of Standards and Technology). Legal and regulatory requirement mapping, pre-deployment testing, content provenance, incident disclosure, and error tracking as practical evidence for AI governance and liability analysis.
Report on the safety and liability implications of Artificial Intelligence, the Internet of Things and robotics, COM(2020) 64 final (European Commission). The distinction between fault-based and strict liability, the way AI autonomy can complicate causation, and the need to adapt liability thinking for digital systems.
Defective products - liability (EUR-Lex, European Union). Revised EU product liability rules covering software and AI, updates and continuous learning under manufacturer control, access to evidence, compensable damage and limitation periods.
2025 Commission work programme - annexes (European Commission). The current status of the 2022 AI Liability proposal, listed as having no foreseeable agreement, with the Commission indicating it would assess another approach.
Rite Aid Banned from Using AI Facial Recognition After FTC Says Retailer Deployed Technology without Reasonable Safeguards (Federal Trade Commission). US consumer protection enforcement against harmful AI deployment, showing that unfair use of biometric or AI systems can trigger bans, safeguards and compliance duties.
iTutorGroup to Pay $365,000 to Settle EEOC Discriminatory Hiring Suit (U.S. Equal Employment Opportunity Commission). Employment liability where automated hiring software discriminates, and the principle that employers remain responsible for software used in recruitment.
Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations (U.S. Food and Drug Administration). Medical device sector expectations around lifecycle documentation, safety and effectiveness evidence, and post-market monitoring for AI-enabled devices.