Published: 2026-05-06
Categories: Agentic AI Security, Governance, Risk, and Compliance
Key Takeaways
- Enterprises deploying AI agents face growing legal exposure as regulators remove “the AI did it” as a viable defense. California’s AB 316 (effective January 1, 2026) explicitly precludes defendants from asserting that an AI system’s autonomous operation caused the harm. [1]
- Standard cyber, general liability, D&O, and E&O policies are developing significant exclusion clauses for AI-related harm. [2] Verisk/ISO published three new commercial general liability exclusion forms effective January 2026 (CG 40 47, CG 40 48, CG 35 08), excluding coverage for bodily injury, property damage, and advertising injury linked to generative AI outputs.
- The EU AI Act’s deployer obligations for high-risk systems become enforceable on August 2, 2026, with penalties up to €15 million per violation. [3][10] The EU Product Liability Directive (Directive 2024/2853), which explicitly classifies AI software as a “product” subject to strict liability, applies to AI systems placed on the EU market after December 9, 2026. [4]
- CSA research from January 2026 found that 65% of organizations experienced an AI agent security incident in the prior 12 months, with 61% reporting data exposure, 43% operational disruption, and 35% financial loss—and zero respondents reporting no material business impact. [5]
- Governance immaturity is a primary contributing factor to both legal exposure and insurance gaps. Only 21% of surveyed organizations have formal agent decommissioning processes, and 82% discovered previously unknown agents operating in their environments despite most reporting high confidence in their visibility posture. [5]
Background
The shift from AI systems that advise to AI agents that act creates meaningfully different risk and accountability dynamics for organizations. Where a conversational AI helps a human make a decision, an AI agent that searches legal databases, drafts the contract, selects counterparty clauses, and transmits the signed document makes and executes decisions in the organization’s name. This distinction—between advisory and agentic—is the boundary that courts, regulators, and insurers are now beginning to address through statute and directive.
Enterprise AI agent deployments have accelerated rapidly beyond governance maturity. CSA’s 2026 AI Agent Governance survey found that 82% of organizations discovered previously unknown AI agents operating in their environments, even though 68% of those same organizations rated their visibility as high or complete. [5] This structural gap—between perceived and actual governance coverage—creates conditions where legal liability can accrue before any organization is aware a problem exists. Agents acquire credentials, access sensitive systems, perform consequential actions, and—in the absence of formal decommissioning—persist with live access long after their intended business purpose has ended.
Three regulatory developments have transformed this from a theoretical concern to an immediate operational one. First, the legal question of who is liable when an AI agent causes harm is being answered through statute and directive rather than waiting for case law to mature. Second, insurers are responding to the exposure by restricting coverage precisely when enterprises most need it. Third, the combination of expanding AI agent adoption and shrinking insurance protection creates an accountability vacuum that governance frameworks must fill. Organizations that have not yet mapped their agent portfolios to their liability and insurance posture are already exposed.
Security Analysis
The Liability Attribution Problem
Traditional tort liability assumes a human actor at the end of a causal chain. When an AI agent operating with broad permissions causes financial harm—deletes the wrong records, sends an unauthorized communication, executes a fraudulent transaction—that assumption fails in ways that existing legal doctrine was not designed to handle. Legal commentary and early regulatory guidance suggest deployer liability is the most likely judicial outcome, reasoning that the organization that chose to deploy the agent, configured its permissions, and pointed it at customers bears first-order accountability regardless of which autonomous decision within the agent ultimately caused the harm. However, binding case law on AI agent liability remains limited, and this trajectory should be treated as a reasoned projection rather than settled doctrine.
California’s AB 316, signed October 13, 2025 and effective January 1, 2026, formalizes this approach by statute. The law prohibits defendants from asserting that an AI system’s autonomous operation was the cause of harm when the defendant developed, modified, or used that system. [1] Notably, AB 316 does not create strict liability; defendants may still contest causation, foreseeability, and comparative fault. What it removes is the specific “the AI acted on its own” argument that deployers might otherwise use to distance themselves from their own systems’ behavior. The practical effect is to make the quality of an enterprise’s agent governance directly relevant to its litigation posture: organizations that can demonstrate they exercised reasonable oversight, maintained appropriate documentation, and bounded agent behavior appropriately retain viable defenses. Organizations that cannot are more exposed.
The liability supply chain creates additional complexity for enterprises that rely on third-party AI agent platforms or foundation models. Under the EU Product Liability Directive (Directive 2024/2853), which entered into force December 8, 2024 and applies to products placed on the EU market after December 9, 2026, AI software is explicitly classified as a product subject to strict liability. [4] The Directive establishes joint and several liability between AI component providers and the integrators who deploy those components into final products. An enterprise deploying a third-party agent framework can therefore be sued directly even when the defect originated in the underlying model or platform. Contractual exclusions and limitation-of-liability clauses cannot override statutory liability under the Directive, removing a common risk-transfer mechanism that enterprises currently rely upon.
The Insurance Coverage Gap
The insurance market has responded to agentic AI risk by excluding AI-related perils from existing policies before sufficient claims data exists to price them accurately. [2] Whether this reflects a deliberate strategic choice or simply the absence of actuarial data for genuinely novel risks is a matter of debate; the practical effect on enterprise coverage is the same. Enterprises face growing legal exposure precisely as their policies become less likely to respond.
The most significant near-term development is the set of ISO exclusion forms that took effect in January 2026 for commercial general liability (CGL) policies. Form CG 40 47 provides a broad exclusion under both bodily injury/property damage coverage (Coverage A) and personal and advertising injury coverage (Coverage B), barring coverage for harms linked to generative AI outputs. This captures a wide range of agent-caused scenarios, from AI-generated defamatory content to physical damages traceable to AI-driven operational errors. Forms CG 40 48 and CG 35 08 provide related exclusions for additional liability categories. Because CGL policies are foundational to most enterprise insurance programs, these exclusions immediately affect coverage that organizations have historically relied upon for technology-related third-party claims. [2]
Professional liability (E&O) and directors and officers (D&O) policies are following a similar trajectory. E&O policies covering professional services may exclude AI-assisted advice or AI-generated work product, which is material for enterprises whose agents interact with clients or produce client-facing outputs. D&O coverage faces pressure from “AI washing” enforcement—claims that executives overstated AI capabilities in public filings—creating personal exposure for senior leaders even when the agent itself did not cause the harm. [2] Major carriers including Great American and W.R. Berkley have sought regulatory approval for broader AI liability exclusions from corporate policies, signaling continued market tightening.
Insurers are simultaneously developing a new class of AI-affirmative endorsements that explicitly address AI-related perils, including model-specific failure events, hallucination liability, regulatory defense costs, and coverage for incidents arising from autonomous agent actions. [2] These endorsements typically require evidence of governance maturity as a condition of coverage: documented agent inventories, defined permission boundaries, human oversight procedures, and incident response plans for autonomous systems. Governance documentation is becoming an underwriting input, not merely a best practice. Organizations that cannot produce this documentation at renewal may find both their premiums and their coverage terms significantly less favorable.
The Regulatory Squeeze
The EU AI Act’s August 2, 2026 enforcement deadline for high-risk AI system obligations adds a compliance dimension to the liability calculus. Deployers of high-risk AI systems—a category that encompasses AI used in employment decisions, credit scoring, critical infrastructure, and several other domains commonly served by enterprise agents—must assign human oversight with the authority to intervene, maintain automated logs for a minimum of six months, monitor system performance continuously, and report serious incidents immediately. [3] Failure to meet these requirements exposes deployers to penalties of up to €15 million per violation, [10] and noncompliance with EU AI Act requirements may be considered as evidence of defect under the Product Liability Directive—creating a direct compliance-to-liability chain. [4]
For organizations operating globally, this regulatory squeeze is not limited to the EU. The combination of California AB 316 and the EU’s expanding liability and compliance frameworks creates a layered accountability environment in which deployers face concurrent exposure across jurisdictions. Legal teams are finding that AI governance decisions carry direct and immediate legal implications, making the traditional separation between technology governance and legal risk management increasingly difficult to maintain.
Enterprise Governance Deficits
The urgency of the liability and insurance gap is compounded by the degree to which enterprise AI agent governance has not kept pace with agent deployment. CSA’s 2026 survey of 418 IT and security professionals found that 65% of organizations experienced at least one AI agent security incident in the previous twelve months. Of those experiencing incidents, 61% reported data exposure or mishandling, 43% reported operational disruption, and 35% reported direct financial cost. No respondents—zero percent—reported that their incident produced no material business impact. [5]
The governance practices most directly relevant to liability are also among the least mature. Only 21% of organizations have formal decommissioning processes for agents whose business purpose has ended—creating what CSA’s research terms “retirement debt,” in which agents persist with live credentials and broad access long after the intended use case has closed. [5] Only 23% of organizations have a formal, organization-wide agent identity management strategy, while 37% operate on informal practices and 10% report no strategy at all. [6] More than half of organizations doubt they could pass a compliance audit focused on agent behavior or access controls. [6] These gaps are not academic: decommissioned agents with active credentials, agents operating without documented ownership, and agents whose actions cannot be traced to a human authorizer are precisely the conditions that create liability exposure and underwriting risk.
A useful frame for prioritizing governance investment is what CSA research describes as an access-times-autonomy risk model: an agent’s liability exposure scales roughly with the breadth of its access and the degree of its autonomy. [5] An agent with narrow permissions operating under continuous human review presents limited liability exposure even if it errs. An agent with broad access to sensitive systems, operating autonomously without human checkpoints, decommissioned without credential revocation, and undocumented in any agent inventory, represents substantial liability exposure in multiple simultaneous directions. Most enterprise portfolios contain agents across this entire spectrum without systematic differentiation.
Recommendations
Immediate Actions
Conduct an agent discovery and inventory exercise as a first priority. The 82% rate of unknown agent discovery in CSA’s survey [5] means that most organizations cannot assess their liability exposure without first knowing what is running. Discovery should span cloud platforms, SaaS tools with built-in automation, internal scripting environments, LLM development platforms, and developer-created workflows—all environments where shadow agents are commonly found.
Review insurance policies for AI exclusions before the next renewal cycle. The January 2026 ISO exclusion forms have potentially already altered coverage under existing CGL policies. Enterprises should engage their brokers to understand whether current coverage responds to AI agent incidents and evaluate available AI-affirmative endorsements that explicitly cover autonomous agent actions. Do not assume existing policies cover AI-caused harm.
Map the agent liability supply chain. For each significant agent deployment, identify who developed the underlying model, who built or customized the agent framework, who integrated it into the business process, and who deployed it. Understand the contractual terms—and their statutory limits—governing liability allocation between each party. This mapping is necessary both for insurance claims and for litigation positioning.
Short-Term Mitigations
Implement a formal agent RACI framework that assigns clear Responsible, Accountable, Consulted, and Informed roles for each agent in the portfolio. The EU AI Act requires deployers to assign qualified human oversight with the competence and authority to intervene, and California AB 316 ties available defenses to the quality of governance practices in place at the time of harm. [1][3] A RACI assignment for each agent directly addresses both requirements while also providing the documentation trail that insurers increasingly require.
Establish decommissioning procedures and apply them retroactively. An agent whose business purpose has ended but whose credentials remain active is a liability artifact. Formal decommissioning should include credential revocation, permission removal, logging of the retirement action, and ownership sign-off. Applying retroactive decommissioning to the existing portfolio reduces the retirement debt exposure identified in CSA research. [5]
Enable comprehensive audit logging and traceability for all agents with access to sensitive data or consequential systems. The EU AI Act requires high-risk deployers to maintain logs for a minimum of six months. [3] Broader traceability—mapping every agent action to the human authorizer who delegated it—is the governance capability most directly relevant to liability defense: it allows an organization to demonstrate, after an incident, that appropriate oversight was exercised and that the harm was not a foreseeable consequence of its governance choices.
Strategic Considerations
Treat EU AI Act compliance as the practical baseline for liability risk reduction rather than the ceiling. The August 2026 deadline for high-risk system obligations creates a concrete milestone that legal, security, and engineering teams can align around. Organizations that complete this compliance work will simultaneously satisfy most of what insurers require to issue AI-affirmative endorsements and will have built the documentation necessary to contest liability claims that argue inadequate oversight.
Build governance maturity as a measurable, reportable metric for boards and executive leadership. CSA and Google Cloud’s December 2025 research found governance maturity to be a leading predictor of AI readiness and security outcomes. [7] Boards are being held accountable for AI governance quality through D&O exposure, and executives who can demonstrate a quantified governance improvement trajectory—measured through agent inventory completeness, RACI coverage, decommissioning completion rate, and audit log coverage—are in a materially better position than those who cannot.
Engage legal counsel proactively on California AB 316 implications for current deployments, particularly any agents operating in customer-facing or consequential business workflows. Organizations with agents already in production in California-governed relationships should consult legal counsel on whether AB 316’s obligations extend to conduct predating the January 1, 2026 effective date. Law firm commentary suggests the law may affect existing deployments, but retroactivity under California law is a matter for qualified legal interpretation in each organization’s specific circumstances.
CSA recommends that enterprises treat agent governance not as an engineering concern but as a liability management function, with clear accountability chains, audit-ready logging, and insurance reviews conducted before harm occurs rather than after.
CSA Resource Alignment
CSA has developed a body of work that directly addresses the governance capabilities required to manage the liability and insurance exposure analyzed in this note.
MAESTRO (Multi-Agent Environment, Security, Threat, Risk, and Outcome) provides a threat modeling framework for agentic AI systems structured around a seven-layer reference architecture spanning foundation models, data operations, agent frameworks, deployment infrastructure, evaluation and observability, security and compliance, and the agent ecosystem. Organizations can use it to identify threats and control gaps at each layer, making it a practical input to the risk-based control prioritization that EU AI Act compliance requires. The framework is available at the CSA blog and GitHub repository. [8]
The AI Controls Matrix (AICM) provides a structured set of AI security controls organized by provider role—model provider, application provider, orchestrated service provider, and AI customer. AICM’s shared security responsibility model (SSRM) for AI maps control ownership across the agent supply chain, addressing the multi-party liability attribution challenge described in this note rather than leaving allocation to contractual negotiation. Control domains covering audit logging, access management, lifecycle management, and incident response align with the governance capabilities that both regulators and insurers require.
AI Organizational Responsibilities: Governance, Risk Management, Compliance, and Cultural Aspects provides RACI models, risk assessment procedures, shadow AI prevention strategies, and regulatory compliance guidance across the EU AI Act, NIST AI RMF, and related frameworks. [9] Its cross-cutting framework covering accountability, implementation, monitoring, access control, and compliance serves as a practical implementation guide for the agent RACI and accountability chain recommendations in this note.
CSA STAR (Security Trust Assurance and Risk) for AI provides an assessment and certification pathway that can supply the governance documentation required for AI-affirmative insurance endorsements. Organizations seeking to demonstrate governance maturity to underwriters, regulators, or counterparties may find the STAR for AI program’s structured assessment a useful starting point for building the required documentation.
References
[1] Baker Botts. “California Eliminates the ‘Autonomous AI’ Defense: What AB 316 Means for AI Deployers.” Baker Botts OurTake Blog, 2025.
[2] Insurance Thought Leadership. “Cyber Insurance Exclusions to Expect in 2026.” Insurance Thought Leadership, 2025.
[3] EU AI Act Service Desk. “Article 26: Obligations of Deployers of High-Risk AI Systems.” EU Artificial Intelligence Act, 2024.
[4] Gibson Dunn. “EU Product Liability Directive: Responding to Software, AI and Complex Supply Chains.” Gibson Dunn, 2024.
[5] Cloud Security Alliance. “New Cloud Security Alliance Survey Reveals 82% of Enterprises Have Unknown AI Agents in Their Environments.” CSA Press Release, April 2026.
[6] Cloud Security Alliance. “Securing Autonomous AI Agents.” CSA Research Report, 2026.
[7] Cloud Security Alliance. “Governance Maturity Is Strongest Predictor of AI Readiness and Security.” CSA Press Release, December 2025.
[8] Cloud Security Alliance. “Agentic AI Threat Modeling Framework: MAESTRO.” CSA Blog, February 2025.
[9] Cloud Security Alliance. “AI Organizational Responsibilities: Governance, Risk Management, Compliance and Cultural Aspects.” CSA, October 2024.
[10] EU AI Act Service Desk. “Article 99: Penalties.” EU Artificial Intelligence Act, 2024.
Additional Resources
The following sources were consulted in preparing this note and are offered for further reading.
Squire Patton Boggs. “The Agentic AI Revolution: Managing Legal Risks.” Squire Patton Boggs, 2025.
Covasant. “The Agent Governance Imperative: Why the EU AI Act Changes Everything for Enterprises Running Autonomous AI in 2026.” Covasant Blog, 2026.