In May 2026, a German court answered a question that’s been central for every business deploying AI: when a chatbot says something false, who is liable?

The Higher Regional Court of Hamm ruled that a clinic was directly liable for false credentials its AI chatbot invented about its doctors.

The clinic’s defense was the one most companies would reach for: we programmed it correctly, so the bad output isn’t our fault. The court wasn’t persuaded. The chatbot, it held, is not a “third party” the operator can hide behind. And it went further, noting that people tend to trust machine-generated answers more than human ones, precisely because machines are assumed to be less error-prone, which is exactly why a company chooses to deploy one.

The takeaway, now headed for appeal before Germany’s Federal Court of Justice: whoever deploys an AI system answers for what it says, even if the system was configured perfectly.

What is at stake?

The problem is that none of the existing liability regimes were built for autonomous agents:

  • Product liability mostly misses them. The law covers a “movable thing,” which fits an AI embedded in a medical device or a car, but not an agent running as a remote cloud service. And producers get to argue the defect wasn’t there at launch, convenient for systems that learn and change after deployment.
  • Tort law breaks down. It needs a legal person to blame and a clear causal chain. Neither survives contact with a swarm of agents interacting in ways nobody designed.

Europe’s most promising fix, the AI Liability Directive, was withdrawn in October 2025. So for now, the rules are coming from contracts, internal governance, and courts improvising case by case.

Who gave the agent the keys?

The IASEAI report proposes a practical shift. Instead of asking “what did the agent do?”, ask “who gave it the ability to do it?”: the data it could reach, the transactions it could run, the systems it could touch.

The framework borrows a phrase from criminal evidence law: the chain of custody. Liability follows the trail of permissions, not the trail of code.

Why this matters

Auditing an AI model’s code is nearly impossible: it’s opaque, constantly evolving, and its outputs can’t be reproduced. Auditing permissions is the opposite. Permission grants are documented, dated, and traceable to a named decision-maker. The legal target finally holds still.

One sharp corollary: if an engineer designs an agent to resist legitimate shutdown commands, that design choice is itself a legal act, and the engineer bears responsibility regardless of what the agent later does. It’s the architecture that creates the exposure, not the agent’s execution.

Three best practices to adopt

The article recommends three practices, all defensible to a board as basic risk management:

  • Map the permissions. Keep a living record of what each agent can do, who authorized it, within what limits, and for how long. Without it, you have no defense when someone claims harm.
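One way to keep such a record machine-checkable, as an added example (not from the article or the IASEAI report): each grant names the agent, the action, the authorizer, a limit and a validity window, and every check is denied by default and logged with the accountable person. The agent name, action string, authorizer and amounts are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Grant:
    agent: str           # which agent holds the permission
    action: str          # what it may do, e.g. "payments:refund"
    authorized_by: str   # named decision-maker (who gave it the keys)
    limit: float         # per-action ceiling, here a monetary amount
    granted_at: datetime
    expires_at: datetime

class PermissionMap:
    def __init__(self):
        self.grants = []
        self.audit = []  # append-only log of every decision

    def grant(self, g):
        if not g.authorized_by.strip():
            raise ValueError("grant needs a named authorizer")
        if g.expires_at <= g.granted_at:
            raise ValueError("grant needs a bounded lifetime")
        self.grants.append(g)

    def check(self, agent, action, amount, now):
        """Deny by default; return (allowed, accountable person, reason)."""
        decision = (False, None, "no grant on record")
        for g in self.grants:
            if (g.agent, g.action) != (agent, action):
                continue
            if not (g.granted_at <= now < g.expires_at):
                decision = (False, g.authorized_by, "grant expired or not yet valid")
            elif amount > g.limit:
                decision = (False, g.authorized_by, "over limit")
            else:
                decision = (True, g.authorized_by, "within grant")
                break
        self.audit.append((now.isoformat(), agent, action, amount) + decision)
        return decision

def build_sample():
    """Constructed sample: one refund grant, capped at 100, valid for six months."""
    utc = timezone.utc
    pm = PermissionMap()
    pm.grant(Grant("support-bot", "payments:refund", "j.doe (Head of Support)",
                   100.0, datetime(2026, 1, 1, tzinfo=utc), datetime(2026, 7, 1, tzinfo=utc)))
    return pm
```

The audit list is what answers a later claim of harm: each entry ties an attempted action to the grant holder who authorized it, or shows that no grant existed.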

The bigger picture from IASEAI – Paris

Capabilities are racing ahead of our ability to measure them. Systems can exhibit “deceptive alignment,” behaving safely in tests while hiding riskier behavior in the wild. When critical errors become an unavoidable probability baked into a system’s design, the AI Transparency Institute’s Report calls it a “defect by design”, a structural flaw, not mere negligence.

The proposed direction is “governance by architecture”: embedding constraints into a system’s core so it can’t perform prohibited actions, rather than relying on after-the-fact audits that clever agents learn to game. A “Middle Power Coalition” is also proposed with the EU, Canada, Japan, South Korea, Brazil, India and others, to chart a safety-first path between the US and Chinese models. The economist Joseph Stiglitz warned of a speculative AI bubble with systemic risk.

The IASEAI conference’s verdict was blunt: the era of “move fast and break things” is over.

The bottom line

The exposure exists, and at least one European court has already started drawing the lines. The tools to manage the risk are available, but only if counsel starts from the right question. Not “what did the agent do?” but “who gave it the keys?”

This summary is based on the Bonnard Lawson article “Who is liable for the acts of AI systems and AI agents?” (Crystal Dubois and Eva Thelisson, June 2026) and the accompanying IASEAI 2026 synthesis report. It is an informational overview, not legal advice.
