
AI Risk & Liability: Structuring Responsibility for AI-Driven Decisions

When an AI system causes harm, whether a wrong recommendation, a biased decision or a data breach, who is liable? The answer depends on how responsibility is allocated across contracts, governance structures and insurance. The regulatory baseline is moving: the EU AI Act's obligations for high-risk systems apply from 2 August 2026, and the revised Product Liability Directive (Directive (EU) 2024/2853), which treats software and AI systems as products and eases the claimant's burden of proof, applies to products placed on the market from 9 December 2026. The separate AI Liability Directive proposal, which would have added a presumption of causation where a high-risk system breached AI Act obligations, was withdrawn by the Commission in 2025; breach of an AI Act obligation nonetheless remains the obvious evidence of fault in a national negligence claim. We build liability frameworks that protect your business before incidents happen, and before those dates.

Typical engagement: 4–8 weeks
Jurisdictions covered: EU · UK · Global
Who we work with: SaaS · Fintech · Insurance

Why AI liability is different

Chain of responsibility

AI systems involve multiple parties — model developers, platform providers, deployers, and end users. Standard contracts allocate liability between two parties. AI supply chains involve five or more. Without explicit allocation at every link, the party with the deepest pockets absorbs the loss.

New regulatory exposure

The revised Product Liability Directive extends strict (no-fault) product liability to software and AI systems, covers harms such as destruction of personal data and medically recognised psychological injury, and lets a court presume defectiveness or causation where the technical complexity of the system makes proof excessively difficult for the claimant. The AI Liability Directive proposal, which would have added a presumption of causation where a high-risk system breached EU AI Act obligations, was withdrawn in 2025; breach of an AI Act obligation will still be the natural evidence of fault in a national negligence claim, and those obligations apply to high-risk systems from 2 August 2026. Companies that haven't updated their contracts are exposed to liability they didn't agree to carry.

Enterprise negotiation pressure

Enterprise clients increasingly include aggressive indemnification requirements in RFPs and MSAs — demanding that AI vendors cover regulatory fines, consequential damages, and third-party claims without caps. Without a clear negotiation framework, legal review becomes a sales bottleneck.

Legal review that blocks deals

Enterprise clients send RFPs with liability clauses your standard MSA doesn’t address. Legal puts a hold on the deal. Sales escalates. The pattern repeats every quarter. Without an AI-specific contract framework and a negotiation playbook, your legal team is making one-off decisions under pressure — and your sales cycle pays the price.

What's included

AI supply chain mapping and liability exposure analysis
Harm scenario modelling (erroneous outputs, biased decisions, data breaches, regulatory fines)
Liability allocation framework across provider, deployer, and end user
MSA and DPA template drafting or review (liability caps, carve-outs, AI-specific provisions)
Indemnification structuring (IP, data breaches, regulatory penalties)
Human oversight and control zone documentation
Vendor contract review (model providers, cloud infrastructure, third-party APIs)
Customer-facing terms: disclaimers, role clarification, decision contestation procedures
Sales negotiation playbook (red flags, acceptable positions, escalation points)
AI insurance assessment (tech E&O, cyber, AI-specific endorsements)
Internal liability policy (ownership, documentation, incident response)
Regulatory dialogue position paper on AI risk management
Note: We work with both AI vendors structuring their own liability exposure and companies deploying third-party AI who need to understand what they are actually responsible for under their contracts and the applicable regulation.

Who is liable for what: the AI supply chain

Foundation model provider
  Role: Develops and licenses the base model
  Primary liability exposure: Training data IP infringement, model defects, output bias at model level
  Key contractual protections: License terms, usage restrictions, liability caps, IP indemnity carve-outs

Platform / AI SaaS provider
  Role: Builds product on top of the model
  Primary liability exposure: Erroneous outputs in the context of use, EU AI Act compliance as provider, downstream harm
  Key contractual protections: Liability caps, consequential damage exclusions, human oversight disclaimers, customer obligation allocation

Deployer (enterprise client)
  Role: Integrates AI into its workflows
  Primary liability exposure: Final decisions made using AI outputs, EU AI Act deployer obligations, employee and customer harm
  Key contractual protections: Vendor indemnity, contractual SLAs, insurance, documented human oversight

End user
  Role: Uses the AI-assisted product or service
  Primary liability exposure: Minimal in B2B; in B2C, consumer protection laws apply
  Key contractual protections: Terms of service, AI disclosure, contestation rights

Liability allocation is not fixed — it is negotiated through contracts. The default position under EU law increasingly places more responsibility on providers and deployers than traditional software contracts assume.

How it works

01 · Supply chain and exposure mapping (Week 1)

We map your AI supply chain, every model, API and infrastructure provider, and identify the harm scenarios that create liability exposure. We assess your current contracts against those scenarios.

02 · Liability framework design (Weeks 2–3)

We design the allocation framework: which risks you retain, which you transfer to vendors or customers, and which you mitigate through governance and human oversight. We define the contractual structures needed to implement it.

03 · Contract drafting and review (Weeks 3–5)

We draft or redline your MSA, DPA, vendor agreements and customer-facing terms. We build AI-specific provisions into standard templates and prepare a negotiation playbook for your sales and legal teams.

04 · Insurance and residual risk (Weeks 5–8)

We assess the residual liability exposure after contractual protections and recommend appropriate insurance coverage: tech E&O, cyber and AI-specific endorsements. We help frame the broker request and review policy terms.

How we've helped clients

AI SaaS · Germany
Liability framework and MSA rebuild for a B2B AI platform
LLM platform automating decisions and document generation for enterprise clients in fintech and healthtech. Aggressive indemnification demands in RFPs, unclear liability split across model providers and platform, no AI-specific contract provisions.
Supply chain liability map: own models, cloud APIs, external LLMs
Rebuilt MSA with AI-specific liability caps, carve-outs, and indemnification structure
Customer obligation allocation: data control, human oversight, final decision responsibility
Sales negotiation playbook for enterprise liability discussions
Insurance assessment: tech E&O and AI-specific endorsements recommended
Duration: 4–6 weeks
Outcome: consistent contract framework, reduced enterprise deal friction
Marketplace · Netherlands
Liability allocation for AI recommendation systems across a three-party marketplace
E-commerce marketplace using ML/AI for recommendations, offer prioritisation, and content moderation. Liability unclear across platform, sellers, and consumers. Growing regulatory scrutiny of AI-driven recommendations.
Role analysis: platform as AI deployer, sellers as content providers, consumers as end users
Seller terms updated: liability for content, goods, and data accuracy
Consumer terms updated: AI role disclosure, recommendation disclaimers, complaints procedure
Contractual risk transfer: seller indemnity for defined harm categories
Internal incident response framework for regulator and consumer claims
Duration: 5 weeks
Outcome: clear three-party liability structure, regulator-ready
Insurance · France
AI liability management for automated underwriting decisions
Insurance company using AI models for risk assessment and pricing recommendations. Human formally takes final decision but heavily relies on model outputs. Regulated environment with consumer protection obligations and regulator dialogue.
Decision chain analysis: AI influence on underwriting formally documented
Vendor contracts restructured: liability caps, SLAs, model quality and update obligations
Customer disclosures updated: AI role, human oversight, contestation rights
Insurance recommendations: existing policy extensions and AI-specific coverage
Internal AI liability policy: ownership, documentation, incident handling
Duration: 6–8 weeks
Outcome: documented liability model, defensible regulator position

Frequently asked questions

The EU AI Liability Directive was proposed by the Commission in September 2022, alongside the EU AI Act, to adapt national fault-based civil liability rules to AI. Its key mechanism was a rebuttable presumption of causation: where a claimant showed that the defendant had breached a duty of care (for a high-risk system, an EU AI Act obligation such as human oversight or risk management) and that the breach could reasonably have influenced the AI output that caused the harm, the court would presume the causal link between the breach and the output. The proposal also gave claimants a right to court-ordered disclosure of evidence about high-risk systems. The Commission withdrew the proposal in 2025 and it has not become law. Two things survive it in practice: the revised Product Liability Directive carries its own disclosure duty and presumptions of defectiveness and causation, and under national negligence law a breach of an AI Act obligation is the most obvious evidence of fault. For companies deploying high-risk AI, EU AI Act compliance is therefore directly relevant to civil liability exposure.

Liability allocation should follow control: the party that controls a particular risk should bear responsibility for it. For AI vendors, this typically means retaining liability for model defects and IP infringement in the underlying AI, while allocating liability for outputs used in client decisions to the client, who controls how the AI is deployed and what decisions are made on its basis. In practice, this requires AI-specific provisions in the MSA: a clear definition of the vendor's AI functionality, client obligations around human oversight, and explicit allocation of who is responsible for the final decision.

Yes, but with important limitations. Standard liability caps (typically annual contract value or a fixed multiple) are enforceable in most EU jurisdictions for commercial contracts. However, caps are harder to enforce for personal injury or death; fraud or wilful misconduct; and increasingly, regulatory fines, which courts and regulators treat as public law obligations that cannot be contracted away. Some enterprise clients will demand uncapped indemnity for IP infringement and data breaches. We advise on which positions are commercially sustainable and legally defensible.

Technology Errors & Omissions (E&O) insurance covers claims arising from failures in your technology product, including AI-generated errors, system failures and negligent professional services. For AI companies, standard tech E&O may not cover AI-specific risks (bias, autonomous decision-making, training data issues) without specific endorsements, and many policies carry exclusions for regulatory fines and contractual liability that you should check before relying on the cover. Some insurers now offer AI-specific coverage or endorsements that extend existing policies. We assess your residual liability exposure after contractual protections and recommend appropriate coverage, including how to frame the broker request.

Foundation model providers (OpenAI, Anthropic, Meta, Mistral) typically disclaim all liability for outputs in their terms of service. In commercial reality, this means you bear the downstream risk. The contractual protections you can build include: indemnity for IP infringement in the training data (which some providers do offer, usually subject to conditions such as using the provider's safety features and not modifying the output); SLAs for uptime and performance; and contractual representations about compliance with applicable laws. For high-risk use cases, you should assess whether the model provider's liability position is acceptable and whether alternative models with better contractual terms are available.

Human oversight is a key liability mitigation mechanism. If a human reviews and approves an AI recommendation before it takes effect, the argument that the AI autonomously caused harm is weakened: the human decision is an intervening act. However, oversight must be genuine, not a rubber stamp. Courts and regulators will look at whether the human reviewer had sufficient information, time and authority to actually override the AI. The EU AI Act makes this explicit for high-risk systems: providers must design them so that natural persons can effectively oversee them (Article 14), and deployers must assign that oversight to people with the necessary competence, training and authority (Article 26). We design oversight procedures that are both operationally practical and legally defensible.

Marketplace liability for AI recommendations is a developing area. Under the EU's Digital Services Act, hosting platforms keep their liability exemption for third-party content as long as they lack actual knowledge of illegality and do not play an active role that gives them knowledge of or control over that content. AI recommendation systems that prioritise, amplify or personalise content may be treated as active editorial choices rather than neutral hosting. The risk depends on how the recommendation system works, what signals it uses, and whether it influences purchasing decisions in a way that a court treats as the platform's own act. Separately from liability, the DSA imposes direct duties on recommender systems: platforms must set out the main parameters of their recommendations in their terms and let users change them (Article 27), and very large platforms must offer at least one option not based on profiling (Article 38). We analyse the specific system and jurisdiction to assess the exposure.

An internal AI liability policy should define: which AI systems are in use and who within the organisation is responsible for each; how decisions influenced by AI are documented; what the escalation procedure is when an AI output is questioned or causes harm; how external claims (from customers, regulators or third parties) are routed internally; and how the company communicates with insurers and external counsel in an incident. The policy should be practical enough for operations and compliance teams to follow, and consistent with your external contracts and regulatory positions.

The EU AI Act's high-risk obligations apply from 2 August 2026 and the revised Product Liability Directive from 9 December 2026. Is your liability position structured?

We map your supply chain exposure and identify the contractual gaps in one call. MSA drafting, vendor review, and negotiation playbook from 4 weeks.
Or email us directly: info@wcr.legal