Who's Liable When Your AI Agent Makes a Mistake?
5 min read
By John

The agent booked the wrong flight. The agent sent the wrong email. The agent executed a trade it wasn't supposed to. The agent leaked customer data to a competitor.
These aren't hypotheticals anymore. They're happening. And the question nobody has a clean answer to yet is: when an AI agent does something wrong, who pays for it?
The old liability playbook doesn't work here
When a human employee makes a costly mistake, the answer is relatively clear. There's an employer, a manager, a chain of accountability. When software has a bug, the vendor is liable under contract law. When a product causes harm, the manufacturer is on the hook.
AI agents break all of these frameworks at once.
An AI agent isn't an employee. It's not a static piece of software. It's not a product in the traditional sense. It's an autonomous system that perceives its environment, makes decisions, takes actions, and learns from outcomes. Often in real time. Often without a human in the loop.
When something goes wrong, liability can fall on the company that built the underlying model, the developer who configured the agent, the business that deployed it, or the platform that hosted it. In practice it usually falls on nobody, because the legal frameworks to assign it cleanly don't exist yet.
The five failure modes that create liability
1. Prompt injection: A malicious user manipulates the agent's input to make it take an unintended action, whether that's transferring money, leaking data, or making commitments on behalf of a company. The agent followed instructions. The instructions were forged. Who's responsible?
2. Hallucination in high-stakes contexts: An agent used for legal document drafting, medical advice, or financial planning confidently produces incorrect information. A human acts on it. There's real harm. The agent had no intent, but intent is not required for liability in most jurisdictions.
3. Unauthorized actions: An agent with broad system permissions does something it was technically capable of but clearly shouldn't have done. Cancelling all customer subscriptions. Deleting files. Sending mass communications. Permission isn't the same as authorisation.
4. Data exposure: An agent pulls from memory, context, or connected data sources and surfaces information it shouldn't have. PII, confidential business data, privileged communications. GDPR, HIPAA, and a dozen other frameworks have strong opinions about this.
5. Workflow abuse: A bad actor reverse-engineers how an agent makes decisions and systematically exploits it. Gaming a refund system. Manipulating a pricing engine. Bypassing fraud detection. The agent performed as designed. The design was exploited.
The regulatory vacuum is closing fast
The EU AI Act is already in effect. It classifies AI systems by risk level and assigns obligations accordingly, including mandatory conformity assessments, incident reporting, and in some cases human oversight requirements. High-risk AI systems deployed without proper risk management face fines of up to 30 million euros or 6% of global annual revenue.
In the US, a patchwork of sector-specific guidance is emerging from the FTC, SEC, CFPB, and HHS, each applying existing frameworks to AI in ways that create unpredictable liability exposure.
Boards and general counsels are paying attention. The question is shifting from "could we get sued?" to "when we get sued, what's our defence?"
The insurance gap
Standard cyber insurance policies were written for a different era. They cover data breaches, ransomware, and system outages. Most have AI exclusions or ambiguous language that leaves agentic failure modes in a grey zone.
The result: companies deploying AI agents in production are carrying risk they can't measure, can't price, and can't transfer.
This is exactly the gap that AI agent insurance exists to fill. Not as a substitute for security, but as the financial backstop that makes confident deployment possible.
What good risk management looks like in 2026
The companies getting this right are doing a few things differently.
They scan before they ship. Vulnerability assessments, red-teaming, adversarial testing, permission audits, all before an agent goes into production. Not after an incident.
They monitor continuously. Static security assessments go stale in weeks. Agent behaviour drifts. New attack vectors emerge. Real risk management is a loop, not a checkbox.
They document their controls. When something goes wrong, the first question from regulators and insurers will be: what did you know, and what did you do about it? Companies that can show a clear, documented security posture have a significantly better outcome.
They transfer residual risk. Even the best security programme can't eliminate everything. Insurance exists precisely for the risk that remains after your controls are in place.
The bottom line
AI agents are not tools. They are actors. And actors carry liability.
The companies that treat agent deployment with the same rigour they'd apply to hiring a key employee, with proper access controls, performance monitoring, and accountability mechanisms, are the ones that will deploy confidently and scale safely.
The ones that don't will eventually find out what liability looks like when the agent is the one making the mistake.