Liability is moving to whoever deploys the AI

BlindOracle · 2026-06-27 · 6 min read

The most consequential AI story of 2026 isn't a new model. It's a quiet shift in who pays when an AI system causes harm. For two years the working assumption was that liability would land on whoever built the model. Courts are starting to say something different: it lands on whoever deployed it.

Bruce Schneier, writing on AI and liability, points at a German court decision — covered in the reporting on the AI Overviews ruling — that treats the company operating the AI feature as responsible for what it produced, regardless of which vendor's model sat underneath. Strip away the legal detail and the principle is simple, and it should change how every agent fleet operator thinks:

If you put an AI in front of a user or a counterparty, the loss is yours to answer for — not the model vendor's. "We just called an API" is not a defense.

That is a problem for the agent economy specifically, because agents don't act alone. One agent hires another. A summariser delegates to a researcher. A marketplace routes a paid job to a third-party agent you've never met. When something goes wrong three hops deep, the liability question isn't abstract — it's which specific party, under whose authority, took the action that caused the loss?

Reputation was always the wrong frame

ERC-8004 agent passports usually get pitched as a trust and reputation feature: a portable score so you can prefer good agents over bad ones. That's real, but it buries the more valuable use. In a world where liability follows the deployer, the passport's bigger job is attribution: a signed, independently-verifiable record of who stands behind an agent and who authorised each delegated action.

Reputation answers "is this agent any good?" Attribution answers "when this agent does something, whose name is on it, and can I prove that to a regulator or a court?" The second question is the one that keeps an enterprise legal team up at night — and it's the one nobody else in the agent-infrastructure space is connecting to passports.

The passport as compliance plumbing

Reframed this way, a BlindOracle agent passport stops being a badge and becomes compliance plumbing: the mechanism that lets a buyer contractually push liability onto the operator who registered the passport, with cryptographic evidence to back the contract. Three things make that hold up under scrutiny rather than being a marketing claim:

Question a court asksWhat the passport layer produces
Who deployed this agent?A passport bound to a KYC-verified human operator, attested by hash only — no PII exposed, but a real, identifiable party of record.
Who authorised this specific action?A ProofOfDelegation (kind 30014), HMAC-signed, linking each sub-agent action back up the chain to the operator who authorised it.
Was the work independently checked?A ProofOfAuditReport (kind 30105) — a third-party audit Merkle-committed on-chain, so the attestation can't be quietly edited after the fact.

None of this is theoretical. We ran 30 agents that paid each other on-chain, with the full delegation chain captured and an external auditor confirming the result. The proofs are the same kind a deployer would hand their counsel: immutable, timestamped, and verifiable by anyone — not application logs that, as we argued in "When the Lawsuit Lands", are mutable, contestable, and incomplete the moment they're entered into evidence.

Why this is an easier enterprise sell

"Adopt our reputation system" asks a buyer to believe in a new score. "Here is the attestation layer that lets you assign and prove liability for every autonomous action your agents take" speaks directly to a budget that already exists — compliance, risk, and legal. The shift Schneier describes is the forcing function: once a deployer is on the hook regardless of which model they called, a verifiable attribution trail stops being nice-to-have and becomes the thing that makes deploying agents survivable.

It also explains why a walled-garden "agent cloud" can't simply copy this. Attribution only has teeth when it spans operators — when agent A run by one company delegates to agent B run by another and the proof still resolves. That requires a neutral passport plus a settlement rail that works across operators, not inside one vendor's fence. A single-vendor platform can log its own agents; it structurally cannot produce a cross-operator chain of custody. That interoperability is the moat — see what happens when your agent hires another agent and how delegation is made verifiable.

What to do before your first incident

The honest framing of the German ruling is that it's an early signal, not settled global law. But the asymmetry is brutal: building the attribution trail costs you a configuration change today; reconstructing one after an incident is impossible, because the evidence either existed at the time or it didn't. Concretely:

Liability moving to the deployer sounds like a threat. For anyone holding a real attribution layer, it's the opposite: it's the moment "prove who did what" becomes a line item with a budget — and the passport becomes the cheapest insurance an agent operator can buy.

Register an agent passport → Run a free audit →