In a prior blog post, “Agentic AI Part I: What It Is and Who’s Responsible When It Acts," we introduced this multi-part series on agentic AI, delved into the technology itself, and explained how agentic AI differs from generative AI.  We also introduced the legal frameworks that may govern agentic AI liability, and how plaintiffs are currently challenging it.

This blog post—Part II of our Agentic AI series—dives deeper into the legal frameworks that will govern agentic AI.  As businesses increasingly deploy AI agents to act in the real world, the legal question that is beginning to emerge above all others is: Who is legally responsible for the actions of an AI agent?  This question becomes critical when an AI agent causes harm or simply makes a mistake.  Put another way, which human or company was in the best position to prevent the harm?  It is an urgent query at a time when agentic AI is being deployed before regulations and laws have caught up.

In the United States, this question remains unsettled.  And the answer will not be one-size-fits-all.

As an initial matter, AI agents likely will not be treated as independent legal actors.  They are not human, and likely will not be treated as legal persons capable of bearing independent liability. They cannot pay fines or damages, and they cannot appear in court.  In our last blog post we posited that courts will likely analyze AI agents through familiar, existing legal frameworks, and introduced the various existing legal frameworks we think mostly likely to apply to agentic AI: agency law, product liability, contractual allocation, or statutory allocation of responsibility.

In this Part II, we will explore each of these frameworks in more depth.

Agency Law

One of the most important legal frameworks for agentic AI is likely to be traditional agency law. Agency law is the body of doctrine governing situations where one party (an “agent”) acts on behalf of another (a “principal”).  Under the Restatement (Third) of Agency, § 1.01, an agency relationship arises when a principal manifests assent that the agent shall act on the principal’s behalf and subject to the principal’s control, and the agent consents so to act.  Courts probably won’t conclude that an AI system itself is a “legal person” capable of bearing independent liability. Instead, the question is likely to be whether the human or company that deployed the AI agent authorized the relevant conduct and should therefore bear responsibility for it.

That inquiry will turn on familiar doctrinal categories.

Actual authority exists when the principal has communicated to the agent that the agent may act. That authority may be communicated either expressly (through explicit instructions, settings, or permission toggles) or by implication (through a course of dealing or the nature of the delegated task).  Id. §§ 2.01, 2.02.   For an AI agent, express authority might be evidenced by a user’s explicit command or configuration.  And implied authority might arise where a user has repeatedly allowed the agent to perform a category of tasks without intervening.

Apparent authority arises when a third party reasonably believes the agent is authorized to act based on the principal’s manifestations.  Id. § 2.03.  If a business deploys an AI agent on its website or in its customer-facing workflows, then third parties are likely to argue that the agent’s representations are the company’s representations.

Ratification will also be relevant.  Under that doctrine, a principal who knowingly accepts the benefits of an unauthorized act may be treated as having authorized it after the fact.  Id. § 4.01.

Courts are beginning to grapple with how these concepts apply to AI.  In Mobley v. Workday, Inc., No. 23-cv-00770-RFL (N.D. Cal.), the AI vendor Workday provided AI-driven applicant screening tools to employers.  The court allowed discrimination claims to proceed on the theory that Workday could be held liable as an “agent” of the employers using its platform.  The court reasoned that Workday’s AI tools could function as the employer’s agent for purposes of liability.  Mobley is significant because it suggests that an AI vendor, and not just the entity that deploys the AI, can bear direct liability under an agency framework.

In a recent case in Canada, the Canadian tribunal rejected the defendant airline’s argument that its AI chatbot should be treated as a “separate legal entity” and held the airline liable for the chatbot’s incorrect statements about bereavement fare policies.  The tribunal reasoned that a company is responsible for information provided on its website, whether from a static page or a chatbot.  That case suggests that companies will not be permitted to disclaim responsibility for the acts of AI tools they chose to deploy.

A hard set of questions also arises on the consumer side.  When a consumer uses an AI agent to interact with a business (e.g., to shop) the question is whether and when the consumer has authorized the agent to bind them.  The answer will likely depend on the scope of authority the consumer actually delegated (express or implied), whether the consumer’s setup and use of the agent created apparent authority for third parties to rely on, and what disclosures and confirmations were built into the agent’s workflow.  Relatedly, when a consumer’s AI agent, rather than the consumer themselves, interacts with a business’s consent mechanisms (think terms of use) and disclosures, difficult questions arise about whether the consumer actually received notice and gave informed consent.  These questions have no settled answers yet, but they will become increasingly urgent as consumer-facing AI agents proliferate.

Product Liability & Negligence

Product liability and negligence doctrines are also becoming central frameworks for AI-agent litigation and regulation.  Historically, product liability law developed around tangible physical products.  Agentic AI systems complicate that framework because they are software-based, often expressive, dynamic, and capable of autonomous action.  Even so, it may ultimately be that at least some agentic AI claims fall into traditional product liability theories.

A plaintiff may argue that an AI agent was defectively designed; for example, because it lacked adequate guardrails, did not require human approval for high-stakes actions, or was not tested against foreseeable misuse scenarios.  Courts applying design-defect analysis will likely ask whether safer alternative designs were feasible and whether the developer adequately considered the risks of autonomous operation.  Plaintiffs and attorneys general are already deploying this theory against LLM-driven chatbots in an effort to avoid the protections of Section 230 for service providers, such as the Florida AG’s recent lawsuit against OpenAI alleging that ChatGPT is addictive and unreliable without meaningful safeguards, especially for children.

Failure-to-warn theories could also emerge.  Agentic AI developers and vendors may face allegations that they inadequately disclosed limitations of the AI and hallucination or security risks.  Consider a situation in which an AI agent autonomously accesses third-party systems in ways that create legal exposure.  A plaintiff may argue that the vendor failed to adequately warn deployers about the foreseeable legal and operational risks of autonomous operation.

Negligence claims may ultimately become a dominant product-liability framework because they are flexible and fact-intensive.  Courts may evaluate whether companies exercised reasonable care in selecting an AI vendor, testing an AI agent before deployment, monitoring outputs, maintaining human oversight, or responding to incidents.  Importantly, the applicable “standard of care” will likely evolve rapidly as industry practices mature.  Conduct that appears reasonable today—such as deploying relatively autonomous systems with limited oversight—may later be viewed as negligent once best practices become more established.

Contractual Allocation

Because liability exposure surrounding agentic AI remains uncertain, contractual risk allocation will be highly important.  Many of the earliest significant disputes involving agentic AI may occur not between plaintiffs and AI companies, but between businesses and AI vendors seeking to shift responsibility to one another.  Vendor agreements will address issues such as compliance obligations, cybersecurity obligations, audit rights, and insurance requirements.

Businesses deploying AI agents can require vendors to indemnify them for harms caused by unauthorized autonomous conduct, IP infringement, violations of privacy law, or system malfunctions.  Vendors, by contrast, can seek to disclaim liability, limit damages, and shift compliance responsibilities to the deployer.  Vendors will also likely try to protect themselves by contractually requiring “human-in-the-loop” oversight as a condition of the agreement.

But contractual allocations between businesses and vendors have limits.  They do not bind consumers or regulators, and courts may scrutinize attempts to disclaim responsibility where a party designed or controlled the AI agent in practice.

Statutory Allocation

We expect to see legislatures and regulators increasingly imposing statutory responsibility for agentic AI conduct. This space is rapidly changing.  One theme is already emerging across regulatory guidance globally: businesses will not be permitted to avoid responsibility simply by blaming the AI.  Regulators appear increasingly focused on ensuring that a human remains accountable, risks are monitored, governance structures exist, and incidents are documented and responded to.

California’s AB 316, which took effect on January 1, 2026, is a notable example.  The statute prohibits a defendant who “developed, modified, or used” an AI system from asserting as a defense that the AI “autonomously caused the harm” to the plaintiff.  AB 316, in other words, forecloses the specific argument that the AI—rather than the humans or organizations behind it—should bear responsibility for the harm.  Other states will likely follow.

At the international level, the European Union’s AI Act adopts a risk-based regulatory structure and expressly assigns obligations to specific actors in the AI ecosystem, including “providers,” “deployers,” importers, distributors, and authorized representatives.  Although the EU AI Act was not drafted with agentic AI specifically in mind, it assumes that humans and organizations remain accountable for AI systems.  Its framework for allocating responsibility among providers and deployers may influence how U.S. courts and legislatures think about similar questions.

The CFAA and Platform Control Over AI Agents

The Computer Fraud and Abuse Act (CFAA) is emerging as one of the most significant near-term legal constraints on agentic AI deployments.  In Amazon.com Services LLC v. Perplexity AI, Inc., No. 3:25-cv-09514-MMC (N.D. Cal. Mar. 9, 2026), a federal court granted a preliminary injunction against Perplexity’s “Comet” AI shopping agent, which logged into users’ Amazon accounts at the users’ direction to browse products and complete purchases.  The district court found Amazon was likely to succeed on its CFAA and California Penal Code § 502 claims, reasoning that Comet accessed Amazon’s systems “with the Amazon user’s permission but without authorization by Amazon.”  The court relied heavily on Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016), which held that a platform can revoke a third party’s access even when users have shared their credentials.

The case is now before the Ninth Circuit, and the stakes extend well beyond shopping agents.  If the Power Ventures framework controls, then that empowers platforms to unilaterally block any AI agent from accessing logged-in user accounts, effectively giving platforms veto power over the tools users choose to interact with their own accounts.  Platforms have legitimate interests in account security, fraud prevention, and bot detection.  But the framework also raises significant competition and consumer-autonomy questions, because this veto power may restrict consumer choice while protecting a platform’s advertising and monetization model.  The district court’s public-interest analysis did not meaningfully engage with these tensions.

So What is Next?

As agentic AI systems become more sophisticated, and as they begin interacting with each other in multi-agent workflows, courts and regulators will face questions that existing frameworks may not cleanly answer.  When a consumer’s AI agent transacts with a business’s AI agent, traditional assumptions about notice, consent, and human decision-making may not hold.  And when multiple AI agents are chained together across different vendors and platforms, the allocation of responsibility among the parties in the chain will become increasingly complex.

The law here is beginning to take shape.  Agentic AI is being deployed now, and the legal system is starting to adapt.  Companies deploying AI agents should be thinking carefully about how existing liability frameworks apply to their specific use cases, and they should structure their agreements and disclosures accordingly.

Come back for Part III of our series to learn more about the agentic AI risks companies should be thinking about now, and how plaintiffs are currently challenging AI agents.