The question sounds philosophical, but it is operational and it arrives the moment an agent stops answering and starts acting — booking, buying, negotiating, scheduling, dispatching, or moving money. A chatbot that gives a wrong answer creates an annoyance. An agent that signs a lease, double-books a charging slot, mis-prices a unit, or refunds the wrong customer creates a liability. Liabilities need an owner.

Liability flows to the deployer, not the tool

Existing law already has a strong default, and AI does not repeal it: the party who puts an automated system to work, and benefits from it, carries responsibility for what it does. A faulty cruise control does not absolve the manufacturer or the driver; a trading algorithm that runs wild does not absolve the firm that switched it on. “The model did it” is not a defense, because the model has no assets, no license, no insurance, and no standing to be sued.

That means the answer to “who pays” is usually some allocation among three parties:

  • The deployer — the business that ran the agent in production and captured the upside. This party pays first and almost always.
  • The builder — the vendor or integrator, but only to the extent of contract terms, warranties, and clear defect. Most foundation-model terms disclaim exactly this.
  • The supervisor — whoever was supposed to keep a human in the loop and did not, when the law or the contract required it.
Figure 1 · Where the liability lands Where liability lands when an autonomous agent makes a mistake A failed autonomous action flows to three parties: the deployer pays first and almost always; the builder is liable only to the limit of contract, warranty, and clear defect; and the supervisor pays when a required human review was missing. Autonomous action goes wrong The deployer Ran the agent in production and captured the upside. Pays first · almost always The builder Liable only to the limit of contract, warranty, and clear defect. Most model terms disclaim exactly this. The supervisor Owed a human in the loop and was not there when it was required. Only when review was actually owed.
Liability does not vanish into the software. It allocates across three named parties — and the deployer, who ran the agent and kept the upside, almost always pays first.

Why “the agent decides” is the wrong mental model

Treating the agent as a quasi-person is comforting and wrong. An agent is a delegated capability, like a power of attorney with no skin in the game. The useful question is not “is the AI at fault?” but “whose authority was the AI exercising, and was that exercise inside the bounds it was granted?” Frame it that way and accountability becomes designable instead of mysterious.

The fix: an agent of record

In Agent of Record, I argue that every autonomous action needs a responsible party on file — the same way a property has an agent of record, a security has a broker of record, and a regulated transaction has a signatory. Concretely, an accountable agent deployment has four properties:

  • A named responsible party. One identifiable, insurable human or entity stands behind the agent's actions in a given domain.
  • Bounded authority. The agent operates inside explicit limits — spend caps, approval thresholds, allowed counterparties, reversible-only actions — that are enforced in code, not in a prompt.
  • A tamper-evident trail. Every consequential action produces a signed record of the inputs, the authorization it relied on, and the decision, so a dispute can be reconstructed rather than argued.
  • A human review rule. Above a defined risk threshold, a human must approve before the action commits — and that boundary is written down before deployment, not after the incident.
Figure 2 · The four properties of an accountable agent The four properties of an accountable agent deployment An accountable deployment combines four properties: a named responsible party, bounded authority enforced in code, a tamper-evident trail, and a human review rule above a defined risk threshold. 1 Named responsible party One identifiable, insurable human or entity stands behind the actions. 2 Bounded authority Spend caps and approval thresholds enforced in code, not in a prompt. 3 Tamper-evident trail A signed record of inputs, authority, and decision for every action. 4 Human review rule Above a defined risk threshold, a person approves before it commits.
Accountability is designable. Together these four properties make an autonomous action settleable — not slower, just answerable.

The point is not to slow agents down. It is to make their actions settleable — to convert “something went wrong somewhere in the AI” into “this action, taken under this authority, exceeded this limit, and here is who answers for it.”

What this looks like in the field

Consider an agent that manages reservations for a parking and charging network. Left unbounded, a scheduling error can hand the same stall to two vehicles, strand a fleet on a mission deadline, or refund revenue that was correctly earned. Bounded properly, the same agent can only allocate slots it has been granted, every allocation is signed, and any action that touches money above a threshold routes to a human. When something does go wrong, the operator can show exactly which authorization the agent relied on — which is the difference between a five-minute reconciliation and a lawsuit.

This is also why the credential and evidence layer matters more than the model. The patents I have filed around authenticated reservations, signed dwell-and-charge credentials, and digital evidence recorders all exist to make autonomous actions provable after the fact. Provability is what makes liability assignable, and assignable liability is what makes insurers willing to write coverage — which is ultimately what lets autonomous agents operate at scale.

Why insurers are the real gatekeepers

There is a quieter reason the agent-of-record model matters, and it has nothing to do with courtrooms. Insurance is what actually unlocks autonomy at scale. No serious operator deploys a system that can move money or sign commitments without coverage behind it, and no underwriter writes that coverage against a black box. An insurer prices risk the way it always has: it needs to know who is responsible, what the exposure is bounded to, and whether a claim can be reconstructed after the fact. An unbounded agent with no named owner and no evidence trail is uninsurable — not because the technology is immature, but because the risk is unpriceable.

Flip each of the four properties around and the actuary's checklist is hiding inside it. A named responsible party gives the policy a named insured. Bounded authority caps the maximum loss per action, which is what lets an underwriter size a premium at all. The tamper-evident trail turns every disputed action into a reconstructable event instead of a swearing contest, which collapses the cost of handling a claim. And the human review rule carves out the catastrophic tail — the actions too consequential to leave to software — and routes them to a person before they commit.

This is why I treat the accountability layer as a commercial precondition, not a compliance afterthought. The first operators who can hand an underwriter a clean answer to “who pays, bounded to what, provable how” will get coverage — and therefore scale — while everyone still treating the agent as a magic box waits on the sidelines.

The takeaway for operators

Do not wait for the law to tell you who pays; design the answer in. Before you deploy an agent that can act, write down the named responsible party, the authority bounds, the evidence it will leave behind, and the human review rule. If you cannot name who pays when it is wrong, you are not ready to let it act.