Who Is Liable When an AI Agent Makes a Mistake?


 A practical guide for UK businesses deploying AI agents

AI is moving well beyond chatbots. The latest generation of tools – now commonly referred to as “AI agents” – can act autonomously: sending emails, reviewing contracts, placing orders and interacting with third-party systems, often without a single human in the loop. The technology is developing rapidly, and the law has not kept pace, but that doesn’t mean businesses are operating in a legal vacuum.

AI can’t be liable, so who is? 

The starting point is important: AI systems have no legal personality under English law and therefore cannot be held liable for their actions. This principle is consistent across all major common law jurisdictions and was affirmed in the UK government’s own consultations on AI and intellectual property. 

In practice, responsibility falls on one or more of three parties:  

    • The developer who built the model 
    • The business that deployed it 
    • The end user who directed its actions. 

In most commercial settings, the deploying business carries the greatest exposure – it is typically the data controller, the principal whose authority the agent exercises, and the entity whose staff relied on the output. 

The key legal risks 

Data protection 

UK GDPR and the Data Protection Act 2018 apply in full wherever an AI agent processes personal data. Article 22 of the UK GDPR places specific restrictions on automated decision-making that produces legal or similarly significant effects; without meaningful human review, certain automated decisions may be unlawful altogether. The ICO’s 2023 AI guidance expects organisations to be able to explain and audit how AI decisions are made.  

Breach of confidence

A business may be liable if its AI agent routes confidential information to the wrong recipient – even if the disclosure was entirely unintentional. This can also become incredibly complex where trade secrets are involved under the Trade Secrets (Enforcement, etc.) Regulations 2018.

Intellectual property 

Under s.9(3) of the Copyright, Designs and Patents Act 1988, copyright in a computer-generated work vests in the person who made the necessary arrangements for its creation – in most cases, the deploying business. That business therefore also bears responsibility if AI-generated content infringes a third party’s copyright. If that content contains misleading claims, the Consumer Protection from Unfair Trading Regulations 2008 and the CAP Code may also be engaged.

Contractual liability 

If an AI agent is authorised to interact with third parties – accepting quotes, negotiating fees, placing orders, agreeing terms – the business may be bound by those agreements under ordinary principles of apparent authority, even where the agent acted beyond its intended scope. 

Why supplier contracts matter

Most AI supplier agreements are drafted to minimise the supplier’s liability as far as possible. Businesses should pay close attention to liability caps (often limited to fees paid in the preceding 12 months), broad exclusions for consequential loss, and disclaimers of any assurance that outputs are accurate or fit for purpose. Where personal data is processed, a compliant data processing agreement under Article 28 of the UK GDPR is a legal requirement, not an optional extra.

What should businesses do?

    • Define the agent’s permissions precisely – understand exactly what it can access, process and do.
    • Build in human oversight for consequential decisions: significant orders, sensitive disclosures, public-facing content.
    • Conduct a DPIA before deploying any agent that processes personal data at scale.
    • Negotiate supplier contracts – standard terms are rarely adequate.
    • Document governance – regulators expect accountability, not just compliance.

The unchanging principle

The legal framework will continue to evolve – the EU AI Act is already in force with obligations rolling in through 2027, and UK reform is ongoing. But one principle remains constant: delegating a task to an AI agent does not delegate liability. The business that deploys the agent, benefits from its actions, and authorised its operation will ordinarily bear the consequences when things go wrong. 

For questions or further advice surrounding this topic, please contact peter.pegasiou@glaisyers.com 

Associate

Peter Pegasiou
