AI liability is no longer theoretical: what governance gaps cost companies now
Regulators across three continents are moving from framework-writing to enforcement, and the companies caught unprepared are paying for it in fines, reputational damage, and lost contracts. Here is what responsible AI governance actually looks like when the pressure is real.
In March 2026, Air Canada lost a court case over a chatbot that had given a passenger incorrect refund information. The airline argued the bot was a "separate legal entity" and therefore not its responsibility. The judge disagreed. That ruling, while originating from a consumer dispute, sent a clear signal to corporate legal teams worldwide: deploying an AI system makes you accountable for what it does, full stop.
This is the environment in which organizations are now operating. The EU AI Act's high-risk provisions came into force for most categories in August 2025. The US state-level patchwork, led by Colorado, Texas, and Illinois, is producing real compliance obligations even without federal legislation. And in regulated industries such as finance and healthcare, regulators are not waiting for case law to catch up. The question companies are facing is not whether to govern their AI use, but how to build governance that holds up under scrutiny rather than collapsing the moment something goes wrong.
The regulatory terrain has shifted from principles to enforcement
For most of 2023 and 2024, AI governance was largely voluntary. Companies published responsible AI principles, some formed ethics boards, and a handful built internal review processes. Most of that activity was performative. Boards and executives could point to a document if asked.
That period is over. The EU AI Act now requires conformity assessments, mandatory incident reporting, and human oversight mechanisms for systems classified as high-risk, which includes anything used in employment decisions, credit scoring, law enforcement support, and critical infrastructure management. Companies operating in Europe or processing data about European residents need to demonstrate compliance, not assert it.
In the US, the Federal Trade Commission has brought enforcement actions tied to AI systems making deceptive claims or producing discriminatory outputs. The Consumer Financial Protection Bureau issued guidance in 2025 explicitly stating that a lender cannot use "the algorithm decided" as a defense against a fair lending complaint. Financial institutions using AI for underwriting now have explicit documentation requirements that mirror, in spirit, what the EU mandates by law.
China's generative AI regulations, in place since mid-2023 and progressively tightened since, require that AI-generated content be labeled and that training data comply with data sovereignty rules. For any multinational operating there, this creates a separate compliance track that cannot simply be handled by translating a Western policy document.
The cumulative effect is that organizations with global operations are maintaining multiple compliance regimes simultaneously, often with systems that were not architected with any of these requirements in mind.
What this means for the AI user
The immediate operational implication is that deploying a model is no longer a technology decision made by a single team. It requires coordinated input from legal, compliance, HR (where workforce decisions are involved), and the business unit owning the process. This is not about bureaucracy for its own sake. It is about the fact that a poorly documented deployment in an HR screening tool can expose the company to a discrimination lawsuit regardless of whether the tool was built in-house or purchased from a vendor.
On the vendor question specifically: when you buy an AI-powered product, the liability for its outputs does not automatically transfer to the vendor. Your contract may limit their exposure, but regulators and courts are looking at the organization that deployed the system and made decisions based on it. Procurement teams need to be asking vendors for model cards, bias evaluation reports, and incident disclosure histories before signing. Very few currently do.
For teams building or fine-tuningfine-tuningFine-tuning adapts a pre-trained model to a specific task or domain by continuing training on a smaller, targeted dataset, improving accuracy and style for that use case.View full definition → models internally, the key governance gap in most organizations right now is the absence of an AI incident log. Security teams keep logs of data breaches. Almost no one systematically tracks when an AI system produced an output that caused a business problem, was corrected, or should have been escalated. Without that log, you cannot identify systemic failure patterns, and you cannot demonstrate to a regulator that you have an operational oversight process rather than just a policy document.
There is also a data lineagedata lineageData lineage maps how data moves and transforms across systems, from origin to consumption, showing where it came from, what changed it, and where it goes.View full definition → problem that is quietly creating legal risk. Many generative AI deployments, including retrieval-augmented generation systems, pull from internal knowledge bases that were assembled without considering AI use as a downstream application. Documents with unclear provenance, outdated compliance status, or restricted audience assumptions are now feeding model outputs. Cleaning this up is unglamorous work, and most organizations have not started it.
Concrete steps worth taking now
- Audit every AI system currently in production against the EU AI Act's high-risk categories, even if your primary market is outside Europe. Clients, partners, and acquirers in Europe will ask.
- Establish an AI incident register. It does not need to be sophisticated at the start: a shared log with fields for system name, date, description of issue, who was affected, and what was done is enough to begin building the institutional memory you will need.
- Review vendor contracts to understand what data your AI tools are trained or fine-tuned on, what audit rights you have, and what the vendor's disclosure obligations are if their model produces a harmful output at scale. Most standard SaaS contracts written before 2024 say nothing useful on any of these points.
- For any AI application touching employment, credit, or healthcare decisions, require a bias evaluation before deployment and document the results. This is increasingly what "due diligence" means in those sectors.
- Assign a named owner for AI governance who reports to someone with P&L or executive accountability. An ethics committee that reports to no one makes no decisions.
The companies that will manage this well are not necessarily the ones with the largest compliance teams. They are the ones that treat governance as an operational discipline rather than a communications exercise. A two-page policy on the intranet does not help you when a regulator asks for your incident history or a court asks who signed off on the deployment.
Finished reading?
Validate your read to earn XP and feed your radar.