Who Is Liable When AI Decides to Attack?

JUDr. Jakub Dohnal, Ph.D., LL.M.
JUDr. Jakub Dohnal, Ph.D., LL.M.
13.5.2026 | ARROWS law firm

As AI systems gain autonomy in critical business decisions, companies face a pressing legal question: who is responsible when an AI causes harm? This article explores liability frameworks, risk allocation, and protective measures. It outlines legal principles, specific organizational risks, and essential steps to mitigate costly disputes now.

Photograph captures an attorney advising on AI liability frameworks.

Quick summary

Liability depends on context, as AI developers, deployers (businesses using AI), and operators can all be held responsible. This responsibility is determined by who created, controlled, or failed to oversee the system.

Multiple legal grounds apply, with liability potentially arising from product liability, negligence, breach of contract, or regulatory violations. Each of these carries different standards and remedies.

Your business remains accountable as the entity deploying AI systems. You typically cannot escape liability simply by attributing decisions to AI, as corporate responsibility remains paramount.

Prevention requires thorough documentation. Clear AI governance policies, comprehensive audit trails, robust risk assessments, and transparency regarding AI use are essential to minimize liability exposure.

Understanding AI liability: Why your business cannot simply blame the algorithm

When an AI system causes financial loss, damages someone's reputation, or triggers regulatory penalties, businesses often face an uncomfortable reality. The legal system typically does not accept "the AI decided" as a defense, focusing instead on the humans and organizations behind the system.

Your company bears liability for deploying autonomous technology, just as it would for hiring an employee who causes harm. This principle, known as vicarious liability, means you remain responsible for what your AI systems do, regardless of their apparent independence.

The complexity deepens because multiple parties may share responsibility. The AI developer who created the system, your company that deployed it, and your management who failed to implement proper oversight controls can all face legal consequences.
ARROWS Law Firm regularly handles cases involving AI-related liability disputes and has extensive experience advising companies on how to structure their AI implementations to minimize risk while maintaining operational effectiveness.

Who determines what an AI system does? The question of control and accountability

Understanding liability requires understanding algorithmic accountability—the principle that organizations must be able to explain, justify, and take responsibility for decisions made by their systems. In most jurisdictions, including Czech law and European Union regulations, the entity deploying the AI (typically your company) bears primary responsibility for outcomes, even if you did not personally make each decision.

This creates a fundamental challenge: if you cannot fully explain why your AI system made a particular decision, you cannot adequately defend yourself if that decision caused harm. The system might use complex neural networks or machine learning models where even developers cannot predict behavior in edge cases.

Yet legally, this technical uncertainty does not absolve you of responsibility. Instead, it actually increases your exposure because regulators and courts expect you to maintain control and understanding of systems you deploy.

The European Union's AI Act, which applies to companies operating in EU member states including the Czech Republic, explicitly assigns responsibility to "the provider" (developer) and "the deployer" (the organization using the system).

As a deployer, your company cannot transfer this obligation to others simply by purchasing a third-party AI system. This is why specialized guidance from legal professionals who understand both AI technology and regulatory frameworks is essential.

1. If I purchase an AI system from a vendor, am I liable for what it does?
Yes, as the deployer, your company bears liability for outcomes. The vendor may share responsibility through contractual provisions or product liability claims, but you cannot escape responsibility entirely. This is a critical point where many companies misunderstand their legal exposure.

2. What happens if I cannot explain why an AI made a specific decision?
Your inability to explain the decision strengthens arguments that you failed in your duty of oversight and control. This increases liability exposure and may trigger regulatory penalties. ARROWS Law Firm assists companies in documenting AI decision-making processes to address this exact risk.

3. Does the EU AI Act apply to my company?
If your company operates in the EU or processes data of EU residents, the AI Act likely applies to your AI systems, particularly if they fall into higher-risk categories. The regulatory consequences of non-compliance are substantial.

Types of liability arising from AI systems: What legal claims might you face?

AI systems can trigger multip le distinct forms of liability, each with different legal standards, defenses, and potential damages. Understanding these categories helps your company anticipate risks and implement appropriate safeguards.

Product liability: When AI systems cause physical or financial harm

Product liability applies when an AI system fails to perform safely or as represented. If your company sells a product containing AI (autonomous vehicles, medical devices, trading algorithms), and that system causes harm, customers may pursue product liability claims. These claims do not require proving negligence—they only require showing that the product was defective or unreasonably dangerous and caused injury or damage.

The challenge with AI-based products is defining what "defective" means when behavior is probabilistic rather than deterministic. An AI system that makes correct decisions 99% of the time may still be deemed defective if that 1% failure rate causes severe harm.

Courts increasingly examine whether companies failed to warn users about AI limitations, failed to implement adequate testing, or knew about safety risks and ignored them.

This is where many companies discover that technical excellence in AI development does not automatically translate to legal compliance. A sophisticated machine learning model might perform admirably in testing environments but behave unpredictably in real-world conditions your engineers did not anticipate.

The legal standard focuses on whether your company should have anticipated these risks through reasonable testing and disclosure.

Negligence claims: The failure to exercise reasonable care

Negligence liability arises when your company fails to exercise reasonable care in developing, implementing, or monitoring an AI system. Unlike product liability, negligence requires proving four elements: duty of care, breach of that duty, causation, and damages. The key question becomes: what constitutes "reasonable care" for AI systems?

Courts are increasingly defining reasonable care to include AI-specific practices. These include conducting prior risk assessments, implementing testing protocols that simulate real-world conditions, and establishing clear governance structures.

Additionally, maintaining audit trails of system decisions and implementing human oversight mechanisms are crucial. Failure to adopt these practices strengthens negligence claims against your company.

ARROWS Law Firm works with companies on a daily basis to implement AI governance frameworks that demonstrate reasonable care. This practical approach significantly reduces litigation risk and helps your organization survive legal scrutiny if disputes arise. 

The lawyers at ARROWS Law Firm have developed templates and procedures specifically designed to protect companies deploying autonomous systems while maintaining operational efficiency.

Regulatory and compliance liability: Penalties for violating AI regulations

Beyond private lawsuits, regulatory bodies impose penalties when AI systems violate applicable laws. In the European Union, including Czech Republic operations, companies face significant penalties under the AI Act.

Non-compliance with the prohibition of certain AI practices or other core requirements can lead to fines of up to €35 million or 7% of the annual worldwide turnover of the preceding financial year, whichever is higher.

Other violations related to high-risk AI systems, such as failing to implement required documentation, testing, or transparency measures, can result in fines of up to €15 million or 3% of the annual worldwide turnover.

Compliance liability differs from other forms because regulators do not require proving that harm actually occurred. They only need to show that your company violated regulatory obligations. This creates significant exposure even when your AI system never actually caused injury—the violation itself triggers penalties.

This area is exceptionally complex in practice, with hidden exceptions and procedural requirements that laypeople rarely anticipate. For example, the classification of whether your system is "high-risk" under the AI Act depends on subtle factors about its intended use and impact on fundamental rights.

Misclassifying your system can result in applying too-lenient safeguards, which regulators then treat as non-compliance. ARROWS Law Firm's lawyers regularly deal with this classification challenge and have experience helping companies understand which regulatory obligations actually apply to their specific AI implementations.

1. Which AI systems are considered "high-risk" under EU regulations?
High-risk systems include those affecting fundamental rights, recruitment decisions, credit scoring, and law enforcement use. The categorization depends on your system's specific purpose and impact. Many companies misclassify their systems, leading to compliance gaps.

2. What documentation must I maintain for AI systems?
Required documentation typically includes purpose specifications, training data descriptions, testing protocols, performance metrics, and human oversight procedures. ARROWS Law Firm assists companies in creating compliant documentation systems that satisfy regulatory requirements.

3. Can I face penalties even if my AI system never actually harmed anyone?
Yes, regulatory penalties focus on compliance failures, not outcomes. You can face significant fines for inadequate documentation, testing, or transparency regardless of whether harm occurred.

Contractual liability: What you promised about your AI system's performance

When your company enters agreements involving AI systems—whether licensing software, providing AI-enabled services, or purchasing AI platforms—contractual liability becomes crucial. Your contracts determine what promises you made about AI performance, what guarantees you provided, and what liability you accepted or transferred.

Many companies discover too late that their purchase agreements place responsibility for AI failures entirely on them, while their liability insurance explicitly excludes AI-related claims. This leaves your company exposed to contractual liability without coverage.

Alternatively, contracts may contain conflicting provisions—one section stating that AI outcomes are unpredictable while another section requiring you to guarantee specific performance levels.

This complexity means that contractual liability often exceeds what companies anticipate when signing agreements. The structure of these agreements significantly impacts your actual exposure.

A well-drafted contract with a vendor can allocate certain risks to the vendor and limit your liability; a poorly structured agreement can make you fully responsible for events beyond your practical control.

ARROWS Law Firm can arrange for your company to have all AI-related agreements reviewed and negotiated before signing. The lawyers at ARROWS Law Firm understand how to structure these contracts to protect your interests while remaining reasonable and commercially acceptable to vendors. This proactive approach saves both money and legal disputes down the road.

Defense against AI liability claims: What actually works in court

When facing liability claims related to AI decisions, certain defenses work better than others. Understanding which defenses apply to your situation helps you evaluate your actual risk exposure and plan appropriate responses.

The "black box" problem as a liability shield

Some companies believe that because their AI system is a "black box"—meaning neither developers nor operators can fully explain specific decisions—they face less liability. This assumption is dangerously incorrect.

Courts treat inability to explain AI decisions as evidence of inadequate oversight and control, which strengthens liability claims rather than weakening them. Defendants who say "we do not know what our AI decided or why" face judicial skepticism and regulatory penalties.

Vendor indemnification and contractual protections

Your company's strongest defense often comes from contractual provisions requiring your AI vendor to indemnify you (cover your losses) for certain failures. However, these provisions only work if you negotiated them before signing and if the vendor remains solvent when you need them. Many companies discover that their vendor bankrupted or refuses to honor indemnification clauses.

Demonstrated reasonable care and governance

Stronger than contractual provisions is evidence that your company exercised reasonable care in selecting, implementing, and monitoring the AI system. Documentation showing that you conducted risk assessments, implemented appropriate human oversight, and established monitoring systems significantly strengthens your position in disputes.

This is why the lawyers at ARROWS Law Firm emphasize that AI governance frameworks protect your company as legal defense, not just as operational best practice.

Compliance with applicable regulations

For regulatory claims, showing that your company complied with all applicable AI regulations (EU AI Act, Czech legal requirements, industry-specific regulations) may reduce penalties or eliminate certain violations. However, regulatory compliance does not necessarily prevent private negligence claims.

Risks and Sanctions

How ARROWS helps (office@arws.cz)

Regulatory fines for AI compliance violations : Significant penalties, potentially up to €35 million or 7% of global annual turnover, for failing to comply with AI Act prohibitions or key obligations, and up to €15 million or 3% for other high-risk AI violations.

ARROWS Law Firm reviews your AI systems, advises on regulatory classification, and prepares documentation demonstrating compliance with EU AI Act and Czech legal requirements.

Product liability claims : Customers or third parties sue for damages caused by defective AI decisions, claiming your company failed to implement adequate testing or warning systems.

ARROWS Lawyers prepare documentation of testing protocols, risk assessments, and reasonable care measures; represent your company in product liability disputes.

Contractual liability exposure : Your company faces unexpected liability because purchase or licensing agreements contain provisions that make you fully responsible for AI failures while limiting vendor responsibility.

Contract review and negotiation: ARROWS Law Firm reviews all AI-related agreements, identifies liability gaps, negotiates vendor indemnification, and restructures terms to protect your interests.

Negligence claims following AI failures : Third parties or regulators argue your company failed to exercise reasonable care in deploying AI, failed to implement oversight, or ignored known risks.

Negligence defense and prevention: ARROWS Lawyers help establish governance frameworks, oversight procedures, and audit trails proving reasonable care; represent your company in negligence disputes.

Third-party liability from autonomous systems : Your AI system makes a decision (offensive cybersecurity response, autonomous trading action, automated enforcement decision) that damages third parties or violates their rights.

Representation in AI damage claims: ARROWS Law Firm represents your company in disputes over third-party harm, negotiates settlements, and pursues recovery from relevant parties.

International dimensions of AI liability: Operating AI systems across borders

Companies deploying AI systems globally face compounded liability exposure because different jurisdictions apply different legal standards. The European Union has adopted the AI Act, which applies throughout the EU including the Czech Republic.

The United States follows a fragmented approach with state-specific regulations and industry-specific oversight. China, Singapore, and other jurisdictions impose different requirements.

A single AI system might trigger liability under EU regulations, U.S. state laws, and local requirements wherever it operates. Your company might deploy an AI system compliant with EU standards, only to discover it violates California privacy laws or Chinese data residency requirements, creating separate liability exposures in each jurisdiction.

This is where the international presence of ARROWS Law Firm becomes valuable. As a leading Czech law firm based in Prague in the European Union, ARROWS Law Firm combines deep knowledge of Czech and EU legal requirements with experience in cross-border AI cases through the ARROWS International network.

The lawyers at ARROWS Law Firm have spent over a decade building relationships with legal partners across multiple jurisdictions, enabling coordinated AI liability management for companies with international operations.

If your company operates AI systems across the EU and beyond, ARROWS Law Firm can advise on how to structure deployments, documentation, and governance to satisfy requirements in all relevant jurisdictions. This proactive international approach prevents the costly situation where your company faces multiple separate liability disputes because it failed to anticipate jurisdiction-specific requirements.

Practical steps your company should take today to manage AI liability

Waiting until a liability dispute arises leaves your company vulnerable. Proactive measures significantly reduce risk and demonstrate reasonable care if disputes eventually occur. Here are concrete steps your organization should implement immediately:

First, audit all AI systems your company currently operates. Document which systems exist, what decisions they make, what data they use, and what outcomes they produce. Many companies deploy AI without maintaining clear inventory, which creates regulatory compliance gaps and makes defending liability claims nearly impossible.

Second, implement robust governance structures. Establish clear procedures for AI deployment decisions, including who approves new systems, what testing must occur before deployment, and how the company monitors ongoing system performance. Document these procedures and evidence of compliance.

Third, review all AI-related contracts. Have your purchase agreements, licensing agreements, and client-facing terms reviewed by legal professionals who understand AI liability. Poorly structured agreements leave your company bearing unexpected risk.

Fourth, implement monitoring and audit systems. Establish processes to track AI decision-making, identify anomalies, and intervene when systems behave unexpectedly. Demonstrate that humans are actively overseeing autonomous systems rather than blindly trusting them.

These steps sound straightforward, but they involve substantial complexity in actual implementation. What appears simple—"document your AI systems"—involves hidden technical, legal, and operational considerations.

How you classify systems, what data you collect, how you define "acceptable performance," and how you document decisions all have legal implications that laypeople typically miss.

This is exactly the type of specialized work that ARROWS Law Firm handles regularly. Because our lawyers deal with AI governance on a daily basis, they understand these hidden complexities and can guide your company efficiently toward compliant structures. Significantly, this professional involvement reduces both your legal risk and the time your company spends on these issues.

ARROWS Law Firm is insured for damages up to CZK 400,000,000, providing you additional security when entrusting these critical matters to experienced professionals. Corporate legal departments regularly engage ARROWS Law Firm as partners for handling AI-related special matters, and your company should consider doing the same.

Executive summary for management

Why this matters: AI liability represents an emerging risk category that traditional insurance, governance structures, and legal approaches often fail to address adequately. Your company faces potential exposure through product liability claims, regulatory penalties, contractual disputes, and negligence allegations regardless of whether the AI system actually caused harm.

Your company's specific exposure: As the deployer of AI systems, your company bears primary liability for outcomes even when you did not design the systems. You cannot transfer this responsibility to vendors or blame poor performance on technical complexity. Regulators and courts expect you to maintain control, understanding, and oversight of autonomous systems.

Key actions required: Audit existing AI systems, establish governance frameworks, review all AI-related contracts for liability gaps, and implement monitoring systems that demonstrate reasonable care. These measures reduce actual risk while strengthening legal defenses if disputes arise.

Professional support recommendation: Given the complexity of AI liability across multiple legal domains, regulatory jurisdictions, and technical considerations, management should engage specialized legal counsel experienced in both AI technology and liability frameworks. ARROWS Law Firm provides exactly this expertise, allowing your company to implement protective measures efficiently without consuming extensive internal resources.

Conclusion of the article

Liability for AI system actions represents a fundamentally different legal challenge than traditional business liability. It combines rapidly evolving technology, uncertain regulatory frameworks, and fundamental questions about responsibility that courts are still developing.

Your company cannot escape liability by deploying autonomous systems; rather, you expand your risk exposure if you do not implement proper governance, oversight, and contractual protections.

The central principle is simple but profound: your company remains accountable for what AI systems do because you chose to deploy them. This accountability flows through product liability law, negligence doctrine, regulatory obligations, and contractual provisions.

Managing this accountability requires understanding each liability domain and implementing coordinated protective measures that demonstrate reasonable care while maintaining operational effectiveness.

ARROWS Law Firm regularly assists companies in managing exactly these challenges. The lawyers at ARROWS Law Firm provide comprehensive services including: preparation and review of AI governance policies and procedures; risk assessments and compliance documentation; contract review and negotiation with AI vendors; representation in regulatory inspections and compliance proceedings; defense against product liability and negligence claims; and expert legal advice on jurisdiction-specific AI requirements.

As a leading Czech law firm based in Prague operating within the European Union, ARROWS Law Firm combines in-depth knowledge of Czech and EU legal requirements with international experience managing cross-border AI liability issues.

If your company deploys AI systems or is considering doing so, the time to address liability frameworks is now—before disputes arise. Do not hesitate to contact our office at office@arws.cz and leave the solution to this complex matter to specialists who handle it daily. ARROWS Law Firm will help you establish protective structures that reduce risk while enabling your company to benefit from AI capabilities.

1. Can my company avoid liability by including disclaimer statements that "AI outcomes are unpredictable"?
No. Including disclaimers does not eliminate liability; in fact, disclaimers stating that you cannot predict or control AI behavior strengthen arguments that you failed to exercise reasonable care. Courts interpret such disclaimers as evidence that you deployed systems you did not adequately oversee. The proper approach is implementing governance structures that show you understand your systems and maintain active oversight, not disclaiming responsibility. If you face questions about your current disclaimer language, contact us at office@arws.cz.

2. If my company's AI system causes harm but the vendor bears contractual responsibility, am I still liable?
Potentially. While contracts may allocate responsibility to the vendor, this does not eliminate your company's exposure. Third parties harmed by your AI system can sue you directly regardless of your contract with the vendor. Your dispute with the vendor happens separately. Additionally, if your contract with the vendor does not adequately allocate responsibility or if the vendor lacks resources to satisfy the contract, your company bears the loss. Reviewing AI vendor contracts with legal counsel before signing significantly protects your position. Write to office@arws.cz to have ARROWS Law Firm review your vendor agreements.

3. Do I need to implement human review of every AI decision my company makes?
The legal requirement depends on the specific AI system, its risk level, and the regulatory framework applying to your company. High-risk systems affecting fundamental rights typically require human review of significant decisions. Lower-risk systems may only require monitoring and intervention capability. The EU AI Act specifies different requirements by risk category. Rather than guessing which standard applies to your systems, ARROWS Law Firm can assess your specific AI deployments and advise which human oversight procedures you legally must implement. Contact our office at office@arws.cz.

4. What happens if my company cannot explain why an AI system made a particular decision that caused harm?
Your inability to explain the decision creates severe legal exposure. Regulators treat inability to explain as evidence of inadequate oversight. Plaintiffs in civil suits argue you failed to maintain control of the system. Courts increasingly view explainability as part of the reasonable care standard. Rather than relying on unexplainable "black box" systems, implement systems you can monitor and explain, or ensure your vendor provides explainability guarantees. If you are concerned about your company's current explainability practices, the lawyers at ARROWS Law Firm can help implement improvements—contact office@arws.cz.

5. If my company operates AI systems in multiple countries, which legal standards apply?
All of them. Your company must comply with the legal requirements of every jurisdiction where your AI system operates or where it affects residents. This creates complex compliance obligations when operating internationally. The EU AI Act applies throughout EU member states including the Czech Republic. U.S. states impose separate requirements, and other countries have distinct rules. ARROWS Law Firm handles cross-border AI liability cases and structures AI deployments to satisfy multiple jurisdictions. If your company operates international AI systems, contact us at office@arws.cz.

Disclaimer: The information contained in this article is for general informational purposes only and serves as a basic guide to the issue as of 2026. Although we strive for maximum accuracy, laws and their interpretation evolve over time. We are ARROWS Law Firm, a member of the Czech Bar Association (our supervisory authority), and for the maximum security of our clients, we are insured for professional liability with a limit of CZK 400,000,000. To verify the current wording of the regulations and their application to your specific situation, it is necessary to contact ARROWS Law Firm directly (office@arws.cz). We are not liable for any damages arising from the independent use of the information in this article without prior individual legal consultation.