By Alastair Goldfisher
Veteran journalist and creator of The Venture Lens newsletter and The Venture Variety Show podcast. Alastair covers the intersection of AI, startups, and storytelling with over 30 years of experience reporting on venture capital and emerging technologies.

When Kelly Lawton-Abbott, a partner in the Seattle office of the law firm SSM, advises early-stage founders on using AI tools, one question keeps coming up:

Who’s responsible when an AI agent causes harm?

She wishes there were a clear answer.

AI agents—or automated systems that can perform tasks on behalf of a user or company—are rapidly going from experimental to indispensable. Agents are drafting emails, scheduling meetings, handling customer service operations, crafting marketing campaigns, and even making recommendations on business strategy.

For a lean venture-backed startup, that kind of diverse production and efficiency is a lifeline as the company grows.

But as these agents gain in autonomy and their abilities increase, the rules that determine liability, consent, and transparency haven’t kept pace.

That gap leaves founders, especially those without in-house attorneys, exposed in ways they may not realize until something goes wrong. For example, imagine deploying an agent that accidentally exposes a customer’s private data.

That uncertainty stems from how different these tools are from traditional software and the way they change the chain of responsibility.

In traditional software, a user gives a command, and the program executes. The legal responsibility is straightforward. But with AI agents, that picture has drastically changed.

Unlike traditional software, agentic AI tools can take independent action, making decisions that may surprise even their creators. This blurs the boundary between user direction and automated judgment, and it complicates questions of liability.

Also, the bigger the company, the more likely it has compliance teams and safeguards in place. It’s the smaller operations, the startups and the sole founders, who are more often the early adopters of AI tools and are thus working without safety nets.

If an agent mishandles data, sends a misleading message, or violates an obscure regulation, the fallout can be fast, public, and costly.

The risks are complex, and the legal response is still developing.

While some regions are moving to address agentic AI, others are just beginning to sketch out guardrails. The result is a mix of policies that are difficult for startups to navigate, especially those operating across multiple jurisdictions.

Europe is ahead. The EU AI Act, adopted in spring 2024, is a comprehensive AI law. It classifies systems by risk level and imposes rules on high-risk uses, such as for hiring, credit, health, and critical infrastructure. While enforcement details are still taking shape, the EU AI Act is influencing global corporate compliance protocols.

In the U.S., there’s no single federal framework. Instead, regulation is emerging in pockets.

California has passed measures on disclosure of AI training data, impact assessments, and anti-discrimination. New rules for employment-related AI tools are set to take effect in October 2025.

The New York legislature in June approved the RAISE Act, which sets safety and transparency standards for powerful AI systems and provides individuals the right to sue over violations. The Act is still on the desk of Gov. Kathy Hochul, awaiting approval or veto.

New York City already requires bias audits and notifications for automated hiring tools, with fines for non-compliance.

Other states, including Connecticut and Illinois, are drafting bills, adding to the compliance complexity.

For now, the reality is a patchwork system—a strong EU framework, scattered state-level rules in the U.S., and a lot of gray area in between. Until regulation catches up, companies are left to juggle their use of AI and the risk on a case-by-case basis.

And that case-by-case balancing act doesn’t affect everyone equally.

While smaller startups face the greatest barriers, larger organizations aren’t immune to unforeseen liabilities, especially when deploying AI agents across borders. But in this legal limbo, the impact is far from equal.

Those most exposed are often the least equipped to manage the fallout:

Large vendors and corporations, meanwhile, can shield themselves through broad terms of service, passing much of the risk downstream.

It’s a setup that reflects deeper power imbalances in AI’s rollout: those with the least capacity to absorb risk are often the ones carrying it.

For founders and company leaders who want to adopt AI agents without taking on unnecessary risk, Lawton-Abbott recommends putting key safeguards in place early.

These measures won’t eliminate all exposure, but they can prevent the most avoidable problems:

By addressing these areas from the start, founders can operate with more confidence while regulators and industry standards catch up.

But even the best-prepared startups can’t close the gap alone. It all depends on how fast policy, industry standards, and public awareness evolve.

Powerful companies are setting the pace, as regulators race to catch up. And those with the fewest resources—such as early-stage entrepreneurs, contractors, and consumers—are left to navigate the fallout on their own.

If society clamors for a more equitable AI future, then just asking, “What’s legal?” isn’t enough.

Instead, we have to ask: Who’s protected? Who’s vulnerable? And who gets to decide?

Q: What are AI agents, and why are they becoming essential for startups?
A: AI agents are automated systems capable of performing tasks on behalf of a user or company, such as drafting emails, scheduling meetings, managing customer service, and making strategic recommendations. For lean, venture-backed startups, this kind of efficiency can be critical for growth.

Q: Why is legal liability for AI agents such a gray area?
A: Unlike traditional software, where the user directly commands the system, AI agents can interpret goals and act independently. This autonomy blurs the line between user direction and automated judgment, making it harder to determine who’s responsible when something goes wrong.

Q: How does regulation for AI agents differ between regions?
A: The European Union (EU) has enacted the EU AI Act, a comprehensive AI law classifying AI systems by risk level and imposing strict rules on high-risk uses. In the United States (U.S.), there is no single federal AI framework; instead, states like California, New York, Connecticut, and Illinois are creating their own AI laws, resulting in a patchwork of requirements.

Q: Who faces the greatest risk from AI agent mistakes?
A: Smaller startups, early-stage founders without in-house legal teams, contractors, gig workers, and consumers are often most exposed. Larger corporations can shift risk downstream through broad terms of service.

Q: What steps can founders take to reduce AI agent risk?
A:

Q: What’s the bigger picture on AI agent accountability?
A: Even well-prepared startups can’t fully close the legal gap on their own. A fair AI future requires more than asking what’s legal—it demands examining who’s protected, who’s vulnerable, and who makes the rules.

🎙️ Stay informed by subscribing to The Venture Lens for the latest insights and updates from Alastair.

Editor’s Note: This article was written by Alastair Goldfisher and originally appeared in The Venture Lens. Republished here with permission.