Responsibility for AI agents:
A company relies on a piece of software with AI integration. The AI makes a wrong decision, the company suffers concrete damage. The CEO comes down hard on the software vendor. The vendor points to the AI provider whose model is integrated. The AI provider says: control over deployment sits with the integrator. Suddenly nobody admits to it, and whoever can’t prove they met their duty of care is left with the loss.
Why classic liability models fail with AI agents
In classic software development the chain of liability is manageable. The vendor delivers a product, the operator runs it, and when something goes wrong you can usually trace where the error originated. With AI agents that clarity often dissolves. An agent makes decisions based on training data the provider curated, in a context the operator defined, with inputs the user supplied. When the result is wrong, the cause often can’t be pinned to a single actor. The EU tried to solve this with a dedicated AI liability directive, then withdrew the draft in February 2025 after sustained disagreement. There is still no successor. A harmonised EU liability framework specifically for non-contractual AI damages remains absent.
What the EU AI Act demands of operators anyway
The EU AI Act fills part of this gap, through compliance obligations rather than liability rules. For GPAI models, documentation and transparency requirements have applied since August 2025, with fines of up to 15 million euros or 3 percent of global turnover for breaches. Operators of high-risk systems have to ensure human oversight by qualified people, monitor operations continuously and retain automatically generated logs. For serious incidents the primary reporting obligation sits with the system provider, and operators have to inform the provider without delay. The most important lever for the liability question right now is the revised Product Liability Directive, which from December 2026 covers software and AI systems too and eases the burden of proof for affected parties in certain constellations. If you operate an AI system and can’t demonstrate that you met your duty of care, your position in a damages case gets considerably worse. If you are currently checking how your company is set up here, documentation and traceable decision chains are turning into the decisive shield.
Do you know how your company is positioned on AI compliance? We support organisations in setting up an AI management system based on ISO/IEC 42001, from maturity assessment to AI governance design and staff training. The frame in which documentation, accountabilities and audit trails come together before things turn serious.
