The liability vacuum
When a doctor misdiagnoses using only their own judgment, the liability framework is clear: professional malpractice. When a doctor misdiagnoses based on a recommendation from an AI diagnostic system, the question becomes genuinely complex.
Is the doctor liable for over-reliance on the AI? Is the hospital liable for deploying an insufficiently validated system? Is the AI developer liable for a faulty recommendation? Is it a product liability case or a professional liability case?
This isn't a hypothetical. It's actively unresolved. Courts in the US, EU, and UK are beginning to see the first cases, and they are reaching inconsistent conclusions.
Why AI defies traditional product liability
Traditional product liability law was built around physical goods with knowable failure modes. A car with a defective brake system fails in predictable ways. The defect can be identified, the failure mode can be reconstructed, causation can be established.
AI systems fail differently:
Non-determinism: Many AI systems produce different outputs for the same input across runs. Reconstructing exactly what the system output in a given instance may be impossible.
Distribution shift: A model trained on historical data may fail on new data in ways that weren't predictable from training performance.
Emergent failures: Large models exhibit behaviors that weren't designed and couldn't be predicted from any individual component.
Opacity: Even when you have the model weights, understanding why a specific output was produced may require interpretability research that doesn't fully exist yet.
Product liability frameworks designed for physical goods map poorly onto these characteristics.
The EU AI Act's approach
The EU AI Act, which came into force in August 2024, creates a risk-tiered approach:
Unacceptable risk: Prohibited. Real-time biometric surveillance in public spaces (with narrow law enforcement exceptions), social scoring systems, manipulation of vulnerable groups.
High risk: Permitted with obligations. This includes AI in medical devices, critical infrastructure, employment decisions, credit scoring, and "certain areas of law enforcement." High-risk systems require conformity assessments, human oversight mechanisms, logging, and transparency.
Limited risk: Transparency obligations only. Chatbots must disclose they are AI. Deepfakes must be labeled.
Minimal risk: Unregulated. Most AI applications.
The Act places obligations primarily on "deployers" (organizations using AI in their workflows) and "providers" (developers who put AI systems on the market). The liability for failures is distributed between them.
What the EU AI Act doesn't resolve is how civil liability works when a high-risk AI system causes harm. That is addressed separately in ongoing revision of the Product Liability Directive.
The US approach: agency-by-agency, sector-by-sector
The US has no comprehensive federal AI regulation equivalent to the EU AI Act. Instead, existing sector regulators are extending their mandates:
- FDA: Guidance on AI/ML-based software as a medical device (SaMD). Requires a "Predetermined Change Control Plan" for adaptive algorithms.
- CFPB: Adverse action notices must explain AI-driven credit decisions.
- EEOC: AI hiring tools that produce disparate impact may violate Title VII.
- FTC: Unfair or deceptive AI practices are actionable under Section 5.
The result is a patchwork that varies by industry. A general-purpose AI product used across sectors faces a different regulatory picture depending on which use case is being evaluated.
Intellectual property: the unsettled questions
Three IP questions around generative AI remain actively litigated:
Training data copyright: Do AI models infringe the copyright of works used in training? Ongoing cases in the US (Getty Images v. Stability AI; NYT v. OpenAI) and UK will shape this.
Output ownership: Who owns the copyright in AI-generated content? The US Copyright Office has ruled that purely AI-generated works cannot be copyrighted — a human creative contribution is required. What counts as sufficient contribution is unresolved.
Likeness rights: Voice actors, artists, and celebrities have brought cases over AI systems trained on their work producing similar outputs. Litigation is proceeding faster than legislation here.
The insurance gap
Professional liability insurance typically requires human professional judgment as the proximate cause of a loss. As AI automates that judgment, insurers are rewriting exclusions, adding AI-specific riders, or in some cases declining coverage entirely.
A legal practice using AI for contract review that results in a missed clause: is that a professional liability claim? Does the malpractice insurer cover it? This is being negotiated in real time between law firms and their insurers.
What to watch
The most consequential near-term developments in AI liability:
NYT v. OpenAI — if courts find that training on copyrighted data is infringement, the economics of AI development change significantly.
EU Product Liability Directive revision — the new directive explicitly extends product liability to software, including AI. Implementation into member state law begins 2026.
First high-stakes AI malpractice verdict — precedent from even one large judgment will have outsized effect on AI deployment in regulated industries.
Model cards and transparency standards — whether voluntary disclosure frameworks become the basis for a due care standard or remain insufficient in courts.
The legal infrastructure is being built in response to, not in anticipation of, the technology. That lag is where the risk concentrates.