Mobley v. Workday holds vendors directly liable. Air Canada pays for chatbot advice. The AI LEAD Act proposes federal product liability. Five theories, four parties, and the governance that determines who pays.
The liability landscape is forming: Mobley v. Workday: vendor directly liable for AI discrimination. Air Canada: deployer liable for chatbot advice. Affable: client’s case terminated for lawyer’s AI misuse. Character AI: developer lawsuits for harm to minors. AI LEAD Act (Sep 2025): proposed federal product liability for AI developers and deployers.
In Mobley v. Workday, a court allowed discrimination claims directly against the AI vendor, finding it acted “in place of the human.” Air Canada was held liable for chatbot advice it tried to disclaim. The AI LEAD Act would create federal product liability for AI. Multiple families sued Character AI after minors suffered harm. The question is not whether AI causes harm but who in the chain bears responsibility. This article maps five liability theories, four parties, key cases, and the governance that determines outcomes.
The Four Parties in the Chain
The Developer. Designs, trains, creates. Liable for design defects, training data failures, inadequate testing, failure to warn, baked-in bias. AI LEAD Act would impose product liability. Courts look to ISO 42001 and NIST for reasonable care standards.
The Deployer. Integrates and uses AI in operations. Broadest liability exposure: deployment context, human oversight, impact assessments, regulatory compliance, using AI outside intended purpose. Colorado: duty of reasonable care. AI LEAD Act: liable if substantially modifying or misusing.
The AI Vendor. Sells or licenses the tool. Mobley v. Workday: direct liability when AI is “delegated responsibility” and acts in place of humans. Vendors cannot hide behind deployers. Most vendor contracts shift liability to customers, but courts are rejecting this.
The User. Limited liability. May bear contributory responsibility for ignoring warnings or prohibited uses. But the burden of safe AI falls on developers and deployers, not consumers.
Five Theories of AI Liability
| Theory | Application to AI | Key Authority | Who Bears It |
|---|---|---|---|
| Negligence | Failed reasonable care in design, testing, deployment, monitoring | RAND: industry standards define care. Colorado: “reasonable care” duty. | Developer (design). Deployer (deployment). Both if both negligent. |
| Product Liability | Design defect, failure to warn, breach of warranty, unreasonably dangerous | AI LEAD Act (proposed). Scholars: AI = product. | Developer primarily. Deployer if modified/misused. |
| Discrimination | Disparate impact on protected classes. No AI statute needed. | Mobley v. Workday. EEOC. IL HB 3773. | Deployer. Vendor if “delegated responsibility.” |
| Breach of Contract | Warranty, data protection, bias testing, compliance commitments breached | Stanford: 17% warranties. Air Canada: chatbot advice binding. | Party that breached. Allocatable via contract clauses. |
| Professional Malpractice | Professional relied on AI without verification | Affable (2026): default judgment. 700+ hallucination cases. | The professional. AI doesn’t practice law/medicine/finance. |
The Cases Defining Liability
Mobley v. Workday: Vendor as “Agent”
Discrimination claims proceed directly against the vendor. Workday’s AI screened applicants autonomously, rejecting within an hour with no human review. Court distinguished from passive tools: AI had been “delegated responsibility.” May 2025: conditional certification for age discrimination collective action. Vendors are now directly exposed.
Air Canada v. Moffatt: No “Technological Veil”
Chatbot gave wrong fare information. Airline argued chatbot was separate entity. Tribunal: you’re responsible for all information on your platform. Small damages ($650 CAD), profound precedent. Organizations cannot disclaim AI outputs.
Affable: Terminal Sanctions for AI Misuse
Default judgment terminated client’s case. Lawyer filed fabricated citations, refused to verify despite warnings and Westlaw access. Professional malpractice liability falls on the professional, not the AI provider.
Character AI: Developer Liability for Foreseeable Harm
Multiple lawsuits after minors suffered severe harm. Complaints allege failure to warn and inadequate safeguards. Tests developer liability for consumer AI without age restrictions. AI LEAD Act introduced in direct response.
AI LEAD Act: Proposed Federal Product Liability
Bipartisan (Durbin/Hawley, Sep 2025). Federal cause of action: design defects, failure to warn, breach of warranty, unreasonably dangerous. Covers developers and deployers. Individuals, class actions, or AGs can sue. Does not fully preempt state law. Uncertain under current administration but has bipartisan support.
The responsibility gap: Black-box decisions (can’t explain the harm). Post-deployment learning (model drifts from what was shipped). Multi-party supply chains (foundation model + fine-tuning + deployment + user prompt). Without contracts and governance documentation, each party points to the others. ISO 42001 documentation and the 12 contract clauses resolve who bears what.
How Governance Determines Who Pays
ISO 42001 = reasonable care evidence. Colorado requires it. Texas TRAIGA provides safe harbors. Without certification, prove care from scratch in every proceeding.
Documentation = the evidentiary record. Risk assessments, impact assessments, lifecycle records, incident response. Proves due diligence or reveals its absence. Affable: the court noted available verification tools went unused.
Contracts = liability allocation. The 12 AI contract clauses determine whether liability falls on vendor or deployer. Without them, the deployer typically bears exposure.
Insurance = governance-dependent. Robust governance gets competitive premiums. No governance gets exclusions. Vendor indemnification provides minimal protection (excludes indirect damages, caps at contract value).
Liability Is Not If. It Is Where It Lands.
AI failures produce real harm. The question is which party bears it. Governance, contracts, and evidence determine the answer. Organizations with ISO 42001, strong vendor agreements, and documented due diligence demonstrate reasonable care and shift liability to the parties that caused the harm. Those without governance carry the full exposure.
GAICC offers ISO/IEC 42001 Lead Implementer training that builds the governance infrastructure determining liability outcomes. The program covers risk assessment, documentation standards, and the management system framework that courts and regulators evaluate when deciding who was reasonable and who was negligent. Explore the program to protect your clients before the liability question arrives.
