When an AI system makes a decision that harms someone — denies them a loan they qualified for, screens out a qualified job candidate, routes a patient to the wrong level of care — someone is liable. The question is who. And the answer, which most AI vendors studiously avoid explaining, is that in most cases it is the business that deployed the system, not the vendor that built the underlying model.

This is not a theoretical risk. As AI systems proliferate into high-stakes decisions — credit, employment, healthcare, insurance, housing — the legal framework around AI liability is actively developing. Businesses that understand it before a claim arises are in a fundamentally different position than those that encounter it afterward.

The deployer bears primary exposure

Product liability law generally places responsibility on the entity that puts a product into commerce and profits from it. For AI systems, the "deployer" — the business using the AI to make decisions about customers, employees, or applicants — is typically that entity. The model vendor (OpenAI, Google, a specialized AI firm) supplies a tool. The deployer configures it, trains it on their data, designs the workflow around it, and controls how its outputs are used. Courts and regulators are increasingly treating the deployer as the accountable party.

This matters for procurement. When a business buys or licenses an AI system and deploys it to make decisions that affect third parties, the vendor's terms of service will almost universally disclaim liability for how the output is used. Read those terms carefully. What you are buying is a capability, not an indemnification.

Three liability pathways every business deploying AI should understand

Discrimination and disparate impact

If an AI system produces outcomes that disproportionately harm a protected class — even without any discriminatory intent — the deployer faces potential liability under anti-discrimination law. This is the "disparate impact" theory, and it applies whether the discrimination was intentional or was an emergent artifact of the training data. Responsible AI for fintech and lending and responsible AI for hiring cover the specific legal frameworks in those industries. The key point is that "the algorithm did it" is not a defense.

Negligence in high-stakes decisions

In sectors like healthcare and financial services, a business deploying AI to inform or make consequential decisions owes a duty of care to the people those decisions affect. If the AI system was inadequately tested, if known failure modes were not mitigated, or if the system was used outside its validated scope, a negligence claim becomes plausible. The standard is whether the deployer acted as a reasonably prudent operator would — which increasingly means conducting pre-deployment bias audits, maintaining human oversight for high-stakes outcomes, and documenting the rationale for deployment decisions.

Consumer protection and unfair practices

Regulators including the FTC have signaled that using AI to make decisions about consumers without adequate disclosure, without recourse mechanisms, or in ways that exploit vulnerabilities may constitute unfair or deceptive practices. The disclosure obligations for businesses using AI are expanding, and enforcement actions are no longer hypothetical.

Contracts don't protect you as much as you think

Many businesses assume that a well-drafted vendor contract — with indemnification clauses, limitation of liability caps, and warranty disclaimers — transfers AI risk to the vendor. This is partly true for some narrow categories of failure, and mostly untrue for the categories that matter most. Third-party claims from harmed individuals do not follow the indemnification structure of your B2B contract. A user who was harmed by your AI decision can sue you directly, and your contract with your AI vendor does not determine the outcome of that suit.

The businesses that minimize AI liability are not the ones with the best contracts. They are the ones with the best governance — documented decisions, tested systems, meaningful oversight, and disclosed processes.

What defensible AI deployment looks like

The legal standard emerging across jurisdictions rewards businesses that can demonstrate: they assessed the risk before deploying; they tested the system against the population it would affect; they built human oversight into consequential decision classes; they disclosed the AI's role to affected parties; and they maintained a mechanism for contesting automated decisions. These are precisely the questions responsible business leaders ask before deploying AI.

At Through The Glass Creatives, Ravve leads AI engineering with this liability landscape built into every project. TTGC does not just build capable AI systems — the studio builds systems with documented rationale, pre-deployment testing records, and governance frameworks that a client's legal team can stand behind if a deployment decision is ever challenged. That is not a nice-to-have. For any AI touching high-stakes decisions, it is the difference between defensible and exposed.