Who's liable? Legal accountability in the age of AI: Part 4

In this series, we have explored some of the ways AI systems have challenged our traditional legal frameworks around liability, causation, and remoteness of damage and examined how there are many evidential questions that will need to be confronted when these issues come before the courts.

In this part we examine certain sectors and themes that have been identified as being under the spotlight with the increased use of AI. These include:

1. The Public Sector
2. The Automotive Industry
3. Intellectual Property – copyright
4. Cyber

The Public Sector

In the public sector, AI tools are already beginning to introduce efficiencies and improved productivity. However, given the potential scale of AI use by public authorities, the risks introduced when AI systems are used becomes far reaching. Without proper oversight, biases or other errors in the system could cause harm or give rise to claims by almost any person who interacts with the State. The key question is what will be the appropriate level of human oversight and where might be the tipping point for liability shifting from the human decision maker to the AI developer or supplier.

Public bodies are under an obligation to base decisions on rational, lawful reasoning; consider relevant evidence; and exercise discretion fairly. Any departure from these standards can render a decision unlawful and subject to judicial review. Dependence on AI tools in the decision-making process introduces additional risk if decision-makers rely too heavily on AI recommendations without sufficient oversight and critical evaluation.

Decision-makers are also accorded a degree of flexibility in the exercise of their authority. They can, and should, take individual circumstances into account when exercising their discretion, rather than rigidly following procedure or policy. Risks associated with over-reliance on AI outcomes are likely to be heightened where decision makers do not know how the outcomes were reached, or the technical details underlying the system, including the data on which it was trained.

These issues are also pertinent in the justice system, both civil and criminal. AI systems could assist judges in reviewing evidence and accelerate delivery of judgments in civil and criminal cases, improving efficiency and timeliness. But the risks associated with poor oversight or overreliance will need to be carefully managed and mitigated.

Public authorities now face the challenge of selecting, using, and monitoring AI responsibly. Guidance on the use of AI is available, including the UK Government AI Playbook for public authorities: AI Playbook for the UK Government - GOV.UK

The Automotive Industry

As it is not a natural or legal person, a machine cannot be liable for negligent acts or omissions that cause damage to third partie.s. Nor is a machine the agent of its owner or manufacturer.

Where then will liability fall? Does it rest with the driver because they failed to follow instructions or the alerts from the driver assistance system? Taking two examples to illustrate:

• what if a driver did not keep their car sensors clean, causing the car to malfunction or ignored instructions which made clear the limitations of certain functionality in the car’s operating systems.
• suppose an accident occurred because an AI enabled driving system was trained to recognise stop signs in good conditions but not in fog or received inaccurate information from external sources, maintained by a third party such as a connected street map and acted on it.

As we examined in prior parts of this series, if the damage results from the car behaving in a way that was wholly unforeseeable it could result in nobody being liable in negligence.

Key considerations for the automotive sector include:

• Where will responsibility lie as between insurers, software developers, or manufacturers if fully automated vehicles cause harm?

• Liability and insurance considerations will be of significant concern with questions arising over whether fault arises as a result of human intervention or oversight or from the operation of the vehicle itself.

• Fully automated vehicle accidents are arguably more likely to arise from vehicle failure, increasing manufacturer responsibility which may result in additional costs to the consumer.

• Whilst manufacturers of self-driving cars may be primarily liable, we are likely to see claims for contributory negligence where there is reliance on developers for the integrated AI systems and potential user interference.

• We may also see insurers limiting liability for prohibited software alterations or failure to install safety-critical updates.

In this regard it should be noted that the Automated Vehicles Act 2024 is set to provide a comprehensive legal framework for safety, authorisation, and operational standards, with proposals for their implementation in the coming years. This potentially sets the automotive sector apart when it comes to a consideration of the various AI liability issues we’ve examined in this series. The legislation in this arena proposes making automotive manufacturers, software developers and/or insurance companies liable for the self-driving vehicles’ behaviour, with scope for claims for contributory negligence as appropriate, and seeks to protect users from unfair accountability, but we are yet to see the full impact of how the interests and liability exposure of each of the stakeholders will be managed. Read more here Great Britain: Automated Vehicles Bill receives Royal Assent.

AI and copyright – whose rights are they anyway?

As AI systems become more sophisticated, determining liability for copyright infringement becomes increasingly intricate. There are two angles to copyright infringement and AI.

The first relates to input, where large language models are trained on vast amounts of data protected by copyright (and sometimes database rights and other intellectual property rights). Using material protected by copyright without the permission of the copyright owner infringes that copyright. ‘Using’ includes making copies and other activities that constitute copyright infringement under UK law.

As such, using copyright protected material to train AI models without permission could infringe copyright and give rise to liability. This is provided that evidential and jurisdictional hurdles can be overcome in order to bring a successful case (such as in which jurisdiction did the training take place and what exactly was used). The long-running UK case of Getty Images v Stability AI, in which the court recently handed down its judgment, illustrated some of the difficulties in bringing a successful claim. There, during closing submissions the claimant dropped all claims relating to primary copyright infringement for jurisdictional/evidential reasons. There therefore remains no case law on whether training AI in the UK would amount to an infringement.

The second angle to copyright infringement and AI relates to outputs - that is materials created by AI models in response to user prompts. If an output reproduces all or a substantial part of a work protected by copyright without the rights holder’s permission, then that copyright could be infringed (and other intellectual property rights could also be infringed). This raises the question of where liability would fall: a) on the developer of the AI model, b) the user prompting the model to produce the outputs, c) any intermediary parties, or d) a combination of some or all of the above?

In the UK there is no ‘fair dealing’ defence as there is in the US, nor is there yet the text and data mining exception (with opt-out rights for copyright holders) that exists in the EU. The UK government has yet to indicate whether it will follow the EU approach, or introduce a wider text and data mining exception with no right to opt out, or require licensing of copyright works in all cases.

The Law Commission refers to the delay of the Data (Use and Access) Act being passed this summer. This delay was caused by amendments being repeatedly proposed to give greater transparency over what data was used to train models in order to facilitate compensation for rights holders, however these proposals were ultimately not included. The UK government felt it was not the right vehicle, preferring instead to undertake an economic impact assessment of the different options on rights holders and AI users and developers.

In addition, the UK government is still considering responses received during its consultation on copyright and AI which closed in February 2025. We can therefore expect (and hope) for legislative guidance in due course. Both angles of copyright infringement referred to above remain murky areas of UK law in which further case law or legislative guidance is needed to lift the current uncertainty for AI developers and users and rights holders alike.

For further information see: The AI & copyright conundrum: Global challenges and regulations | Tech Talks - Episode 8 | Eversheds Sutherland and Legal guide to navigating artificial intelligence - Legal issues around AI.

Wider risk areas – cyber-attacks and fraud

Pervasive across all sectors is the significant risk of cyber-attacks and fraud. AI presents significant cybersecurity risks which organisations need to rapidly identify and systematically mitigate, especially in the wake of highly disruptive cyberattacks on supply chains and ransomware incidents.

AI tools may have vulnerabilities that can be exploited by attackers, presenting organizations with the risk of a data breach. AI itself can also be used to process trade secret or other confidential information, including personal information, which becomes a potential target, especially for extortion-based attacks.

However, threat actor use of AI to advance traditional cybersecurity threats like phishing is not the only concern. This is because AI models are generated based on the data they ingest. As such, if employees “feed” a public AI tool with sensitive or confidential data, the AI model may incorporate that into its model and feed it back to outside parties as an output to a query.

AI also ingests huge troves of data to create a model of expected outputs. If the model is poisoned by feeding it bad data, the outputs will be bad too (this is referred to as the ‘GIGO’, or garbage in, garbage out problem). A poisoned AI model could produce bad code that could lead to exploitable vulnerabilities. It could also produce inaccurate research or discriminatory results that could expose the organization with additional legal risk.

It has been widely reported that fraudsters are leveraging AI to create convincing deepfakes, or digital impersonations of real people, to advance their fraudulent schemes. For example, they are creating digital replicas of C-suite executives and using them to direct unwitting employees to wire money to criminal-controlled accounts.

Conclusion

In this part we’ve examined two particular sectors of the economy and two thematic issues where we see some of the greatest potential for legal issues arising from the use of AI. Those involved in those sectors are all now grappling with the opportunities and risks presented by this new technology, overlaid with a unique legal framework. The issues regarding AI’s interaction with intellectual property rights and cybersecurity are ones that will affect all corners of the economy. Understanding how they might arise is the first step in being ready to address and mitigate any risks.

'Who's liable? Legal accountability in the age of AI' articles

• Part 1: The AI Liability Gap: Are existing laws capable of responding to AI-related liability?
• Part 2: Can businesses predict the risk, and therefore be held responsible for, harm caused by autonomous, adaptive AI?
• Part 3: What evidence will be available to navigate these liability issues and prove fault?
• Part 5: Contracting considerations – what is the best approach to take?