Every liability rule the modern world has inherited contains a quiet assumption: that harm, traced far enough back along its causal chain, will eventually arrive at a human being. A person who chose, erred, or failed to act. This assumption runs so deep in Western legal thought, present in the Napoleonic codifications, in the common law of negligence, and in criminal law’s insistence on mens rea, that it rarely surfaces as an assumption at all. It presents itself as a structural fact about the world.
Autonomous AI systems are dismantling that fact. When a large language model produces a harmful outcome, whether a medical misdiagnosis, a discriminatory credit decision, or a falsely generated legal document, the question of who is responsible does not simplify upon investigation. It expands and then disperses across a network of data providers, model architects, fine-tuning engineers, deployment intermediaries, and end-users. None of them intended the specific harm, yet each contributed something causally indispensable to it. This is what Andreas Matthias identified as the Responsibility Gap: the structural condition in which traditional ways of attributing moral and legal responsibility to human agents no longer apply to the outputs of learning automata.¹
Contemporary legal scholarship does not need to debate whether this gap exists. The real question is whether the doctrinal instruments being deployed to close it are equal to the task.
I. Why the Existing Framework Falls Short
Legal systems have responded to the AI liability challenge conservatively. Rather than rethink the architecture of responsibility, legislators and courts have tried to stretch existing categories, such as products liability, vicarious liability, and professional negligence, to cover autonomous systems. Legal continuity has value, and courts are rightly reluctant to create new liability regimes by judicial fiat.
But the extension strategy runs into a difficulty that is not merely practical; it is logical. Products liability doctrine rests on the idea of a defect: a departure from the safety standard a person is entitled to expect.² An AI system that produces harmful outputs through entirely normal operation, correctly learning statistical regularities from a training corpus that encodes historical bias, is not defective in any conventional sense. It is functioning as designed. Vicarious liability runs into a similar wall, since that doctrine requires a control relationship between principal and agent that simply does not describe the relationship between a deployer and an autonomous model whose behaviour at inference time cannot be predicted from its behaviour at training time.
The deeper problem is what Gian Maria Campedelli has described as the multi-layered agency of modern AI: a condition in which computational, social, and legal dimensions of action are intertwined in ways that preclude clean attribution to any single actor.³ High-frequency trading algorithms that independently learn to sustain collusive pricing,⁴ and language models whose internal logic remains inaccessible to any external examiner,⁵ are not edge cases waiting to be accommodated within existing doctrine. They represent a class of socio-technical arrangements that existing doctrine was not designed for and does not naturally reach.
II. The Personhood Detour
Faced with these limits, some scholars have argued for a more radical solution: grant AI systems legal personhood. Gabriel Hallevy’s functionalist account is the most developed version of this position. If an AI system satisfies the behavioural criteria for both actus reus and mens rea, Hallevy argues, there is no principled reason to withhold legal responsibility from it, provided punishment is reinterpreted to include reprogramming or deletion.⁶
The argument has internal coherence, but it fails at the institutional level, and it fails seriously. As Nathalie Nevejans has argued, attributing legal personality to autonomous systems does not expand accountability but contracts it.⁷ Corporate law has demonstrated clearly that legal personality, when unaccompanied by robust piercing doctrines, becomes a device for insulating human decision-makers from the consequences of their choices. Extending personality to AI would replicate that dynamic at scale, creating an additional juridical screen behind which developers, investors, and deployers could shelter. The EU AI Act of 2024 firmly rejected electronic personhood in favour of a human chain of actors, reflecting a considered judgment that AI personhood is not a solution to the accountability deficit but an aggravation of it.⁸
The rejection is correct. The question is whether it is sufficient.
III. Architectural Accountability
It is not. The human chain of actors model addresses the distributional question of which actors carry responsibility, without addressing the structural one: what kind of responsibility, built into what kind of governance architecture, can actually prevent harm in systems whose failure modes cannot be fully anticipated at the design stage?
The Dutch SyRI litigation illustrates the gap precisely.⁹ An algorithmic welfare fraud detection system was operated by human civil servants who technically retained decision-making authority. In practice, oversight was nominal. The officials lacked the technical capacity to interrogate the system’s outputs, and its weighting criteria remained opaque even to those running it. The Rechtbank Den Haag found that SyRI violated Article 8 ECHR, a finding that was correct and important but did not resolve the underlying structural problem: placing a human formally in the loop of an opaque autonomous system is not meaningful accountability. It is only the appearance of it.
What is needed is a shift from human-in-the-loop to what might be called human-by-design, a governance model in which legal safeguards, rights of explanation, and operational constraints are embedded within a system’s architecture from the outset as non-negotiable design requirements, rather than layered on after construction. This is the core of Mustapha Mekki’s analysis of civil liability under AI, which recognises that the algorithmic act is the product of a collective network of actors whose respective contributions to risk must be allocated prospectively, through design obligations, rather than retrospectively, through the search for a proximate cause.¹⁰
Architectural accountability, properly understood, also requires confronting the limits of compensation-based thinking. South Africa’s Draft National AI Policy of April 2026 proposes an AI Insurance Superfund modelled on its Road Accident Fund.¹¹ The analogy is instructive: South African road accident compensation does not require the victim to identify and prove the fault of a specific driver. Risk is socialised across all road users through a mandatory levy. The proposal applies the same logic to AI harm. Where the causal chain is genuinely indeterminate, where harm is the product of the system’s architecture rather than any identifiable human decision, compensation should not have to wait on the resolution of an attribution question that may have no clean answer.
But socialised compensation is not a substitute for prevention. If the cost of AI harm is collectivised, the incentive for any individual actor to invest in safety is correspondingly reduced. The harder obligation is to demonstrate, at the point of deployment and at defined intervals thereafter, that a system’s architecture meets specified standards of transparency, robustness, and contestability. Frank Pasquale’s work points toward a legal culture in which opacity itself is treated as a form of institutional negligence.¹² A system whose decision logic cannot be explained to those it affects is not merely technically suboptimal; it is constitutionally suspect.
The EU AI Act takes steps in this direction through conformity assessment requirements and post-market monitoring mandates. But it remains, in significant respects, a framework of obligations addressed principally to deployers rather than an architectural standard imposed on the systems themselves. The next generation of AI governance will need to specify, with technical precision, what explainability and human oversight actually mean for systems operating at inference speeds no human can monitor in real time.
Conclusion
Luciano Floridi’s concept of distributed morality provides the philosophical scaffolding for the legal regime that is needed.¹³ In a networked information environment, moral agency is not concentrated in individual actors but dispersed across the socio-technical systems they inhabit and construct. The algorithm calculates the price of everything and knows the value of nothing. Responsibility cannot be delegated to it, nor can it be conjured by placing a human being nominally at the end of a process that human being cannot realistically supervise.
The law must ensure that the entire value chain, from those who curate training data to those who deploy inference systems at scale, is bound by obligations that are substantive, technically specific, and genuinely enforceable. The human being must remain the responsible deputy, not as a fiction sustained by formal oversight requirements, but as a real constraint built into the architecture of the systems we are choosing to build.
The ghost in the code is not the enemy of legal order. It is the most precise diagnostic tool the law has encountered in a generation, revealing with uncomfortable clarity how far our frameworks for accountability have drifted from the social functions they were designed to serve.
Notes
¹ Andreas Matthias, ‘The Responsibility Gap: Ascribing Responsibility for the Actions of Learning Automata’ (2004) 6 Ethics and Information Technology 175, 183.
² Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products [1985] OJ L 210/29, art 6.
³ Gian Maria Campedelli, A Criminology of Machines (Fondazione Bruno Kessler 2025) 12.
⁴ OECD, Algorithms and Collusion: Competition Policy in the Digital Age (OECD Publishing 2017).
⁵ Sandra Wachter, Brent Mittelstadt and Chris Russell, ‘Counterfactual Explanations Without Opening the Black Box: Automated Decisions and the GDPR’ (2018) 31 Harvard Journal of Law and Technology 841.
⁶ Gabriel Hallevy, Liability for Crimes Involving Artificial Intelligence Systems (Springer, Cham 2015) 55.
⁷ Nathalie Nevejans, Traité de droit et d’éthique de la robotique civile (LEH Édition, Bordeaux 2017).
⁸ Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) [2024] OJ L 2024/1689, Recitals 9–12.
⁹ NJCM c.s. v De Staat der Nederlanden (SyRI), Rechtbank Den Haag, ECLI:NL:RBDHA:2020:865 (5 February 2020).
¹⁰ Mustapha Mekki, ‘La responsabilité civile à l’épreuve de l’intelligence artificielle’ (2020) Recueil Dalloz 1040.
¹¹ Department of Communications and Digital Technologies (Republic of South Africa), Draft National Artificial Intelligence Policy (Staatskoerant No 54477, 10 April 2026) 26.
¹² Frank Pasquale, The Black Box Society: The Secret Algorithms That Control Money and Information (Harvard University Press 2015).
¹³ Luciano Floridi, ‘Distributed Morality in an Information Society’ in The Ethics of Information Technologies (Routledge 2017).
