AI Liability: Who Is Responsible When Algorithms Cause Harm?
As AI systems move from research environments into consequential real-world applications — medical diagnostics, hiring, lending, criminal justice risk assessment — the question of who bears legal responsibility when those systems cause harm has become pressing. Existing legal frameworks were not designed with automated decision-making in mind, and courts, regulators, and legislators are actively working out new approaches.
The Gap in Existing Law
Traditional product liability law imposes responsibility on manufacturers for defective products. Applying this framework to AI is complicated by features specific to machine learning systems: their behavior emerges from training data and optimization rather than explicit programming; they may perform differently in real-world conditions than in test environments; their predictions can be difficult to explain; and they are typically sold as services rather than physical products. Courts applying product liability doctrine to AI have had to wrestle with whether a flawed prediction constitutes a manufacturing defect, a design defect, or an inadequate warning.
Negligence and the Standard of Care
Negligence claims against AI developers and deployers require establishing that the defendant owed a duty of care, breached that duty, and caused harm. In practice, establishing the standard of care for AI systems — what would a reasonably prudent AI developer have done? — is technically complex. Frameworks like the NIST AI Risk Management Framework have gained traction as reference points for what responsible AI development looks like, and courts may use them to assess whether specific practices fall below an emerging industry standard.
The EU's Liability Framework
The EU has taken a regulatory approach with direct liability implications. The EU AI Act, which entered into force in 2024, imposes strict compliance requirements on high-risk AI systems. The European Commission's AI Liability Directive proposal would further facilitate civil claims by creating a rebuttable presumption of causation — if a defendant violated the AI Act's requirements and harm occurred, courts could presume the violation caused the harm. This reversal of the burden of proof addresses the structural information asymmetry between AI developers and injured parties, who rarely have access to the technical documentation needed to prove causation independently.
Developer vs. Deployer Liability
A recurring issue in AI liability is the distribution of responsibility across the AI supply chain. Foundation model developers, API providers, fine-tuning services, system integrators, and end-user deployers all contribute to the AI system that ultimately causes harm. The EU AI Act assigns primary obligations to the developer who places a system on the market, with secondary obligations on deployers who put it into service. In U.S. litigation, supply chain liability theories familiar from pharmaceutical and product cases have been applied to AI, though the case law is still developing.
Algorithmic Bias and Discrimination Claims
A distinct liability category involves AI systems that produce discriminatory outcomes. Under U.S. anti-discrimination law, plaintiffs can bring disparate impact claims by showing that a neutral-seeming practice — including an algorithmic one — has a statistically significant adverse effect on a protected class, without needing to prove intentional discrimination. The CFPB (consumer lending) and EEOC (employment) have issued guidance noting that algorithmic systems are subject to existing anti-discrimination requirements. The Federal Trade Commission has highlighted algorithmic bias as a potential unfair or deceptive trade practice concern.
The Attribution Problem in Autonomous Systems
Fully autonomous AI systems create what legal scholars call the "attribution problem" — when an AI acts independently in a way that causes harm, traditional liability frameworks struggle to identify a responsible human actor. Autonomous vehicle accidents have been the most litigated context, but the problem extends to trading algorithms, automated medical devices, and AI-assisted hiring tools. Some scholars argue existing respondeat superior doctrine can extend to AI "agents" acting on behalf of organizations; others argue new legislative frameworks are needed. The EU's proposed frameworks generally favor strict liability for certain high-risk autonomous systems as a way of resolving this attribution complexity.
Practical Implications
Organizations deploying AI systems should maintain thorough documentation of model development, testing, and deployment decisions — this documentation will be central to any liability defense. Insurance products specifically covering AI liability are emerging, though the market is still developing. Contractual allocation of liability between AI developers and customers — through indemnification clauses and limitation of liability provisions — is a practical near-term tool. Most importantly, risk assessment processes modeled on the NIST AI RMF or the EU AI Act's requirements help identify liability-relevant risks before deployment rather than after.