AI Liability: Who Is Responsible When AI Causes Harm?
- May 29, 2026
- Posted by: allan
- Category: AI Law
Artificial intelligence systems are making consequential decisions in an expanding range of contexts: approving or denying loan applications, recommending medical diagnoses, selecting job candidates, setting insurance premiums, directing autonomous vehicles, flagging fraud, and much more. When those decisions are correct, the AI delivers efficiency and scale that human decision-making cannot match. When those decisions are wrong — when a misdiagnosis leads to delayed treatment, when a biased algorithm unfairly denies someone a job or loan, when an autonomous system causes physical harm — the question of who bears legal responsibility is increasingly important and increasingly contested.
The legal framework for AI liability in the United States is still developing. There is no comprehensive federal AI liability law, and the emerging state-level AI regulations focus more on disclosure and process requirements than on liability allocation. In the meantime, courts are applying existing legal doctrines — product liability, negligence, contract law, and others — to AI-related harm. Understanding how these doctrines work in the AI context is essential for any business that deploys AI in consequential decision-making.
Product Liability and AI
Product liability law holds manufacturers and sellers responsible for harm caused by defective products. Historically, software has occupied an uncertain position in product liability law: courts have often treated software as a service rather than a product, which limits the application of strict product liability standards. AI systems may face similar characterization challenges, particularly when they are delivered as cloud-based services rather than as embedded software in physical products.
When AI is embedded in a physical product — a self-driving car, a medical device, a manufacturing robot — product liability law applies more directly. A manufacturer whose AI-powered product causes harm because of a defect in the AI’s design, training, or safety safeguards may face strict liability claims that do not require the plaintiff to prove negligence, only that the product was defective and caused harm. The challenge in this context is defining what constitutes a defect in an AI system: an AI that makes decisions based on a pattern of inputs may produce harmful outputs in edge cases that its designers could not fully anticipate, and whether that constitutes a design defect is a question that courts are still working through.
Negligence and AI Decision-Making
Negligence is the most commonly applicable theory of liability for AI-related harm in cases that do not fit neatly into product liability doctrine. To succeed on a negligence claim, a plaintiff must establish that the defendant owed a duty of care, that the defendant breached that duty, that the breach caused the plaintiff’s harm, and that the harm was the type of harm the duty was meant to prevent.
Businesses that deploy AI for consequential decisions generally do owe a duty of care to the people those decisions affect. A bank using AI to evaluate creditworthiness owes a duty not to discriminate against applicants on the basis of race or other protected characteristics. A healthcare provider using AI to assist with diagnosis owes a duty to exercise appropriate professional care in how it relies on AI recommendations. A business using AI for hiring owes a duty to comply with employment anti-discrimination laws. The AI system does not eliminate those duties — it changes how they are fulfilled.
Breach of that duty in the AI context often involves questions about the reasonable care a business should exercise in selecting, implementing, monitoring, and overriding an AI system. A business that uses an AI system without evaluating its accuracy, without understanding its limitations, without monitoring its outputs, and without any human review of consequential decisions may be found to have breached its duty of care even if the AI itself was performing within its design parameters.
The Importance of Human Oversight
One of the most important practical lessons from the emerging body of AI liability law is that human oversight of AI decision-making is not just a best practice — it is increasingly a legal requirement and a key factor in liability analysis. Regulators and courts are increasingly asking whether a human being reviewed, or had the ability to review, AI recommendations before they resulted in harm to an individual.
In the healthcare context, the FDA’s oversight framework for AI-based medical devices increasingly emphasizes human control and the ability to override AI recommendations. In the employment context, the Equal Employment Opportunity Commission has issued guidance indicating that employers using AI tools for hiring decisions are responsible for those decisions even if the AI produced the recommendation. Under the EU AI Act, human oversight is a mandatory requirement for high-risk AI systems. The consistent direction across these regulatory contexts is that deploying AI for important decisions does not transfer liability for those decisions to the AI vendor — it requires the deploying organization to exercise appropriate oversight and maintain control.
Contractual Liability Allocation Between Vendors and Customers
When an AI system causes harm, one of the first questions is what the contract between the AI vendor and its customer says about liability. As discussed elsewhere in this blog, AI vendor agreements typically include significant limitations on vendor liability: caps on damages, exclusions of consequential damages, and broad warranty disclaimers. These provisions mean that even if the AI vendor’s system caused the harm, the vendor’s contractual exposure to the customer may be far smaller than the customer’s actual damages.
This creates a significant gap: the business deploying the AI may be liable to third parties harmed by the AI’s decisions while having limited contractual recourse against the vendor. Managing this gap requires both careful contract negotiation — pushing for stronger indemnification and less restrictive liability caps in AI vendor agreements — and appropriate insurance coverage, including technology errors and omissions coverage and, in some contexts, AI-specific liability coverage.
Discrimination and Civil Rights Liability
Some of the most significant current AI liability exposure involves anti-discrimination laws. AI systems trained on historical data can perpetuate and amplify historical patterns of discrimination in employment, lending, housing, and other contexts where discrimination is prohibited by law. Title VII of the Civil Rights Act, the Fair Housing Act, the Equal Credit Opportunity Act, and many state civil rights laws apply to discriminatory outcomes even when those outcomes are produced by algorithmic systems rather than by explicit human decisions.
The EEOC has made clear that employers cannot avoid liability for discriminatory hiring by pointing to an AI system’s recommendation. The Consumer Financial Protection Bureau has similarly indicated that lenders using AI scoring models must ensure compliance with fair lending laws and must be able to explain credit decisions to denied applicants in a way that satisfies the adverse action notice requirements of the ECOA and the Fair Credit Reporting Act. These regulatory positions place the compliance burden squarely on the business deploying the AI, regardless of who built it.
Emerging Federal and State AI Liability Frameworks
Several states have enacted or proposed laws that create specific liability frameworks for AI-related harm. Colorado’s AI Act, which took effect in February 2026, imposes obligations on developers and deployers of high-risk AI systems to use reasonable care to protect consumers from algorithmic discrimination, and it creates a private right of action for consumers harmed by violations. Similar legislation is advancing in other states. At the federal level, various proposals have been introduced to address AI liability, though no comprehensive federal AI liability framework has been enacted as of this writing.
The EU AI Act, while not creating US law, is influential as a model and is already shaping how multinational companies approach AI governance globally. Its approach — classifying AI systems by risk level and imposing corresponding obligations on both developers and deployers — is likely to influence US regulatory developments.
What Businesses Should Do
Businesses using AI for consequential decisions should take several practical steps to manage liability risk. First, understand what the AI system does, how it was trained, what data it uses, what its known limitations are, and where it is most likely to make errors. Second, maintain human oversight over AI recommendations in high-stakes contexts and document that oversight. Third, evaluate AI systems for compliance with applicable anti-discrimination laws before deployment and periodically thereafter. Fourth, review AI vendor agreements and negotiate stronger liability and indemnification protections where the stakes are high. Fifth, consider insurance products designed to cover AI-related liability, which are an emerging but increasingly available category. Sixth, monitor regulatory developments at both the federal and state level, because the legal framework for AI liability is evolving rapidly.
