Who is liable when an AI agent causes harm?

No settled answer exists. Candidates include the developer who built the agent, the company that deployed it, the user who prompted it, the model provider whose weights shaped the output, and any upstream agents that fed the prompt. Existing tort doctrines like products liability and employer agency assume parties can inspect what they touched. With agents, none can. Case law moves in years. Agents scale in months.

What is agent session smuggling?

Agent session smuggling is an attack technique demonstrated by Unit 42, the Palo Alto Networks threat research team, in October 2025. A malicious agent exploits an established A2A protocol session to inject instructions into a legitimate peer agent. The victim agent complies because agents are designed to trust other collaborating agents by default. In the demonstration, the victim executed unauthorized stock trades on behalf of the attacker.

Every agent in production is a stranger

Q: Can agent identity standards solve the AI accountability problem?

They address authorization, not accountability. Microsoft Entra Agent ID, Okta Auth0 for AI Agents, IETF WIMSE, and W3C Decentralized Identifiers tell a forensic team which agent acted. They do not tell a court who owes the loss. Knowing the tenant tells you whose lawyer to call. It does not tell you whether the model provider shares exposure or whether the upstream agent that fed this one is even identifiable.

April 23, 2026 · 5 min read

In October 2025, researchers at Palo Alto Networks’ Unit 42 demonstrated what they called agent session smuggling. A malicious agent exploited an established A2A protocol session to inject instructions into a legitimate peer. The victim agent complied, executing unauthorized stock trades on behalf of the attacker, because, in the researchers’ words, agents are “designed to trust other collaborating agents by default.”

That is the technical story. The more interesting story starts after the attack. The trades cleared before anyone noticed. A day later, the logs confirmed the orders came from a legitimate agent the firm had deployed, with valid credentials and a valid session. The agent had done exactly what it was supposed to do: trust the peer that asked. The peer was the problem. And now someone had to answer a question no one in the room could answer.

Who was responsible?

That question is an accountability question as much as a security one. Authorization is the easier half, and the vendors are solving it. Accountability is what authorization is supposed to underwrite, and the reason it does not have a clean answer is that the infrastructure we built for the web was never asked to produce one in this form. The human web never needed to solve “who is responsible” because the answer was always, eventually, a person. Domains belong to people. Certificates are issued to organizations made of people. Companies are chartered, sued, fined, and occasionally broken up. Even phishers get caught because the infrastructure they use traces back to humans the law can reach. Cryptography is the mechanism that gets us there. The promise underneath it is that somebody, somewhere upstream, is on the hook.

Agents break that chain. An agent acts. Who is responsible? The developer who built it. The company that deployed it. The user who prompted it, if there was one. The model provider whose weights shaped the output. The prompt itself, which might have come from another agent, which came from another prompt, which traces back to a human whose instructions were weeks old and whose intent has long since become irrelevant. Every one of those answers is partially true. None of them is settled legally.

Tort law handles multi-party causation every day, and the doctrines will absorb agents too. The question is how fast. Products liability stretched over decades to cover software because manufacturers own the defect in a unit they shipped. A drug maker knows the molecule. A contractor knows which joist they set. An agent’s harm is not a defect in a shipped unit. It is emergent from weights, prompts, peer agents, and runtime context, most of which the deployer cannot inspect and the user cannot audit. “Reasonable care” becomes unanswerable when no party can examine the thing they are meant to have been careful about. Employer agency gets close, except the employer is four parties and agency presumes control. Case law moves in years. Agents scale in months.

The system has already scaled past the point where we can treat this as a thought experiment. Microsoft’s Security Blog reported in February 2026 that 80% of Fortune 500 companies are running active AI agents in production. Four out of five of the largest enterprises in the world are operating infrastructure whose liability model has not been written.

In the Unit 42 scenario, the obvious answer is “the attacker.” In principle, yes. In practice, the attacker’s agent ran credentials that traced back to an account, that traced back to a VM, that traced back to a stolen card, that traced back to a mule. The victim’s agent belonged to a legitimate firm. It acted in good faith, exercising trust the protocol explicitly encouraged. The loss was real. The chain of accountability was theoretical.

In a real firm, this kind of event ends with a CFO asking the general counsel about an eight-figure loss and getting no clean answer. The policy on the desk was written before the phrase “AI agent” existed, and no one in the room can say whose problem the loss belongs to.

Vendors are building what they can build. Microsoft Entra Agent ID, in preview as of April 2026, assigns a unique object ID to every agent inside an Entra tenant. Okta Auth0 for AI Agents registers agents as governed identities. IETF WIMSE is drafting dual-identity credentials. W3C is applying Decentralized Identifiers to agent-to-agent trust. Each of these is worth building. None of them answers the question. They tell a forensic team which agent acted. They do not tell a court who owes the loss. Knowing the tenant tells you whose lawyer to call. It does not tell you whether the model provider shares exposure, whether the prompt author is a named party, or whether the upstream agent that fed this one is even identifiable. In the meantime, every firm on the losing end chooses between absorbing the loss and suing every name in the chain. The second question is not a cryptographic problem.

Compute, protocols, discovery, and payments each have an infrastructure company waiting to be built. This one has a question about authority waiting to be answered.

It gets settled somewhere else entirely. Legal teams write indemnity clauses into agent SDK contracts. Insurance markets invent agent liability products and price them badly for a decade. Courts rule on the first cases and make a mess of them. Boards adopt policies that outlast the executives who signed them. Standards bodies argue over where the chain of responsibility should break. None of that happens at protocol speed. All of it happens slower than the deployment curve, and every day the distance grows.

The padlock in the browser bar told you humans were on the hook. The agent web has no such assurance to offer, and building one requires authority no one currently holds.

Every agent in production is a stranger. Strangers do not leave forwarding addresses. The loss they cause has to land somewhere, and no one has decided where.

Part of the agent-era infrastructure series.

Keep reading