Back

When AI Makes a Mistake: Who’s Liable?#

Your AI-powered chatbot promises a customer a delivery date you can’t meet. Your AI billing tool sends an invoice with the wrong amount. Your AI screening tool rejects a qualified candidate based on biased training data.

Who’s liable—you, the AI vendor, or nobody?

Under current law in most jurisdictions, the answer is almost always: you. AI cannot enter into contracts, hold insurance, or be held accountable. The business that deploys the tool carries the risk. The EU’s Product Liability Directive (enforced December 2024) explicitly extends liability to AI system providers and deployers. In the US, a patchwork of state laws is emerging—Colorado’s AI Act and Connecticut’s proposals among them. The global trend is clear: liability is moving toward the deployer and the provider, not away from them.

This isn’t legal advice. It’s a practical risk framework to help you understand where liability falls, how to reduce it, and what to do when something goes wrong.

The Liability Landscape: Who’s on the Hook?#

You (the business): Under current law, you are almost always the liable party when AI you deploy makes a mistake that harms a customer, employee, or third party. You chose the tool. You configured it. You put it in front of your customers. The buck stops with you. This is true even if you didn’t intend for the error to occur—even if the AI acted in a way you didn’t predict or couldn’t have foreseen.

The AI vendor: May share liability if the tool was defective, but their terms of service almost always include limitation-of-liability clauses (those sections nobody reads but everyone agrees to). These clauses cap the vendor’s financial exposure, often at the subscription price you paid that month. A $200/month subscription doesn’t buy you much protection when a $50,000 mistake happens.

The employee: Can be held internally accountable, but externally, your business bears responsibility for their use of AI on your behalf. If an employee uses ChatGPT to draft client advice and it’s wrong, your client isn’t suing the employee. They’re suing you. This is true regardless of whether the employee had permission to use the tool.

Nobody (the gap): Some AI harms fall into regulatory gray zones where no clear precedent exists. A chatbot that gives vague but harmful advice. A recommendation engine that nudges users toward a bad choice. An AI hiring tool that discriminates without anyone noticing. These are the cases that keep lawyers up at night, because there’s no playbook yet, and the law hasn’t caught up to the technology.

Key legal principles worth knowing:

  • The EU Product Liability Directive now covers defective products including software and AI systems, and it applies to both providers and deployers
  • The US has no comprehensive federal AI liability law; state-level laws are emerging piecemeal, with Colorado’s AI Act and Connecticut’s proposals among the most developed
  • The trend globally: liability is moving toward the deployer and the provider, not away from it

Practical takeaway: Act as if you’re fully liable, because you probably are.

The Four Categories of AI Risk#

Category 1: Output Errors#

AI generates wrong information, a wrong price, an incorrect legal citation, bad medical advice. The chatbot that promises a delivery date the business can’t meet creates a breach of contract or misrepresentation risk. The invoice that’s $3,000 off isn’t a “glitch”, it’s your problem.

Liability: Yours. You deployed the tool; you’re responsible for verifying its output.

Category 2: Bias and Discrimination#

An AI screening tool rejects candidates based on protected characteristics (age, gender, race). A pricing tool charges different customers different amounts based on location or demographics.

Liability: Yours. Anti-discrimination laws apply regardless of whether a human or AI made the decision. “The algorithm did it” is not a legal defense, just ask anyone who’s faced an EEOC complaint from automated hiring tools that screened out candidates over 40.

Category 3: Data Breaches and Privacy Violations#

An employee inputs customer personally identifiable information (PII, data that can identify a specific person, like names, addresses, or Social Security numbers) into an AI tool without proper safeguards. An AI vendor uses your data for training without consent. Maybe an employee pastes a client’s full financial statement into ChatGPT to “summarize it,” and that data now exists on someone else’s servers.

Liability: Yours for the breach. The vendor may be liable if they violated their Business Associate Agreement (BAA, a contract that governs how a vendor handles your sensitive data) or data processing agreement. But you’re the one reporting to your customers that their data was exposed. You’re the one fielding the angry calls. You’re the one facing regulatory scrutiny.

Secureframe’s 2025 research found that 38% of AI-using employees share sensitive data with AI tools without proper authorization. That’s not a fringe risk. That’s happening in your office right now.

Category 4: Intellectual Property Infringement#

AI generates content that infringes on copyright. AI produces output that copies trade secrets or proprietary information from its training data.

Liability: Yours for distribution. The vendor may have indemnification clauses, promises to cover your legal costs if you’re sued over their output, but read the fine print. Many clauses are narrower than they first appear.

Practical takeaway: Every AI risk category leads back to you. Plan accordingly.

The Risk Reduction Framework: Protect Your Business#

Think of risk reduction in four layers. Each one reduces your exposure significantly.

Layer 1: Policy (Prevention)#

Write an AI acceptable use policy. Classify your data into tiers: what can and can’t go into AI tools. Define prohibited uses, no autonomous decisions on hiring, pricing, or legal matters without human review.

This doesn’t have to be a 50-page document. A one-page policy that your team actually reads beats a comprehensive one that nobody opens.

Layer 2: Process (Verification)#

Mandatory human review for any AI output that reaches a customer, client, or regulator. Spot-check AI outputs weekly at minimum for accuracy and bias. Document your review process, if you’re ever audited, “we check” isn’t enough. You need “here’s how we check, and here’s the log showing we did.”

Layer 3: Contracts (Transfer)#

Review vendor terms of service. What do they promise about accuracy, data handling, and liability? Many AI vendors include broad disclaimers about output accuracy and strict liability caps. Know what you’re signing up for.

Negotiate indemnification clauses where possible, provisions that require the vendor to cover your legal costs if you’re sued because of their tool’s output. Not all vendors will agree, but it’s worth asking.

Ensure BAAs and data processing agreements are in place for any tool handling sensitive data. These aren’t optional formalities, they’re your legal basis for sharing data with a third party.

Know what your insurance covers, general liability, errors and omissions (E&O, professional liability insurance that covers mistakes in professional services), and cyber policies, and whether they extend to AI. Ask your broker specifically about AI-related incidents.

Layer 4: Documentation (Evidence)#

Keep records of what AI tools you use, what data goes into them, what outputs come out, and who reviewed them. Maintain an incident log: when something goes wrong, document what happened, the impact, and the corrective action.

This documentation is your best defense in a dispute. It shows you weren’t reckless, you were diligent.

Practical takeaway: Policy, process, contracts, documentation. Four layers, significant protection.

What to Do When Something Goes Wrong#

Step 1: Contain. Stop the AI tool from continuing to produce the problematic output. Pull the chatbot offline. Pause the automated workflow. Disable the integration. Don’t let the problem compound.

Step 2: Assess. Determine the scope. How many customers were affected? What data was exposed? What financial impact occurred? Be honest about the numbers, not optimistic.

Step 3: Notify. Inform affected parties promptly. Breach notification laws in many jurisdictions require disclosure within 30 days (HIPAA, a federal law protecting health information) or 72 hours (GDPR, the EU’s data protection regulation). Even when not legally required, prompt notification builds trust and demonstrates good faith.

Step 4: Document. Create a written incident report: what happened, when, root cause, corrective action, timeline. Include who was affected, how you found out, and what steps you took. This isn’t bureaucracy, it’s your legal and reputational shield. In a dispute, a well-documented response shows you acted responsibly.

Step 5: Correct. Fix the underlying issue. Update the prompt. Retrain the model. Add a human review step. Change the policy. Don’t just fix the symptom.

Step 6: Review. After 30 days, assess whether the correction is working. Update your AI policy and incident response plan based on what you learned.

Practical takeaway: Contain, assess, notify, document, correct, review. Six steps. Memorize them.

The Insurance Question: Does Your Policy Cover AI?#

Standard general liability policies typically don’t explicitly cover AI-generated errors. If your chatbot gives a customer wrong pricing information and they sue, your general liability policy may not respond, because the error wasn’t caused by a person, and most policies were written before AI was a factor.

Professional liability (E&O) may cover AI advice that causes harm, but check your specific policy. Some policies have exclusions for automated decision-making or algorithmic outputs that could leave you exposed.

Cyber liability policies may cover data breaches involving AI tools. If an employee inputs client data into an unapproved AI tool and that data is exposed, a cyber policy might respond, but again, the specifics matter enormously.

Here are the questions to ask your insurance broker:

  • Does my policy cover errors from AI tools I deploy?

  • Does it cover third-party AI tools my employees use without approval?

  • What’s my deductible for an AI-related claim?

New specialized AI liability insurance products are emerging in 2025–2026. Until coverage is clear, assume you’re self-insuring for AI risk and budget accordingly.

Practical takeaway: Call your insurance broker this week. “I don’t know” is the most expensive answer when a claim arrives.

A Quick Self-Assessment: How Exposed Are You?#

Rate your business on these five questions. Score each 1–5:

  1. Do you have a written AI use policy?
  2. Do you know which AI tools your employees use?
  3. Do you require human review of AI outputs before they reach clients?
  4. Have you reviewed your vendor agreements for AI liability clauses?
  5. Does your insurance explicitly cover AI-related incidents?

Score interpretation:

  • 20–25: Well-protected. Keep improving.
  • 15–19: Some gaps. Address within 30 days.
  • 10–14: Significant exposure. Prioritize immediately.
  • 5–9: High risk. Stop deploying new AI tools until you fix the basics.

The Bottom Line#

You are liable for what your AI does. Not the vendor, not the employee, not the algorithm, you. That sounds intimidating, but here’s the flip side: most AI risk can be dramatically reduced with three things. A clear policy. A human review step. Good documentation.

You don’t need to eliminate risk. You need to manage it visibly and defensibly. The businesses that get sued aren’t the ones who made a mistake, they’re the ones who made a mistake and couldn’t show they tried to prevent it. Documentation, policy, and human review are your three lines of defense. They’re not expensive. They’re not complicated. They just require the discipline to put them in place.

Start with the self-assessment above. Fix the gaps. Then turn the AI back on with confidence.


“Ready to implement this?” Get the templates, checklists, and step-by-step guides at Rozelle.ai

Sources#

AI Liability: Who's Responsible When AI Makes a Mistake?
https://answerbot.cloud/articles/ai-liability-risk-framework
Author Rozelle
Published at May 5, 2026
Copyright © 2026 Rozelle.ai. All rights reserved.