By Chanté Eliaszadeh | July 2026
In March 2025, an attacker slipped two fraudulent prompts into a crypto trading agent’s queue. The agent did exactly what agents do. It read its instructions and executed them, transferring 55.5 ETH --- about $106,200 --- to the attacker.1 No human clicked anything. The agent was not hacked in the traditional sense; it was persuaded.
Losses like that one force a question the industry has mostly deferred: when an autonomous AI agent loses a user’s money, who is liable? Users assume someone stands behind the agent. Platforms write terms saying the agent’s acts are not theirs. Developers point to disclaimers, and model providers point to usage policies. Everyone points somewhere.
The pointing works less well than the industry thinks. There is no AI-liability statute for financial losses, and none is needed for liability to exist. Existing law resolves most of these cases through one organizing principle: liability follows control. This article maps who can be reached, where the law actually has a gap, and what the next two years of fights will look like.
Key Takeaways
- “The bot did it” is not a defense. The law treats an AI agent as a tool of whoever deployed it, and California now bars defendants from arguing the AI autonomously caused the harm.2
- Liability follows control. The user bears the first loss by default; deployers, developers, and platforms become exposed as their choices --- permissions, data pipelines, missing safeguards --- caused the failure.
- Courts are split on whether AI software is a “product.” A federal court refused to dismiss a strict product liability theory against an AI chatbot in Garcia v. Character Technologies before the parties reached a settlement in principle in early 2026.34
- Decentralization relocates liability rather than erasing it. Van Loon and Ooki DAO mark the two poles: truly ownerless code may sit beyond reach, while humans who vote to govern a protocol can be personally liable.56
- The genuine gap is Regulation E. Nobody knows whether a prompt-injected agent transfer is “unauthorized,” and the loss allocation for the agentic-payments economy rides on that unanswered question.7
There Is No AI-Liability Statute. There Is Also No Liability Gap.
Existing law already assigns responsibility for an AI agent’s trades, because the law treats the agent as a tool of the person who deployed it, not as an actor with its own legal status. Under E-SIGN and the state electronic-transactions laws, a contract formed by an “electronic agent” cannot be thrown out just because no human reviewed it, and the agent’s actions count as the acts of the person it transacted for.8 The starting point is uncomfortable but clear: the user owns their agent’s trades.
The real question is whether someone up the chain breached a duty along the way. That can be a negligence claim against a deployer who shipped the agent without basic safeguards. It can be a product-defect theory where the claim targets the system’s design rather than its output. It can be a fiduciary claim where the agent is effectively giving investment advice --- the SEC told robo-advisers back in February 2017 that automating the advice does not dilute the fiduciary duty.9 And under the market access rule, broker-dealers already bear a non-delegable duty to maintain risk controls over their automated order flow --- controls the rule requires to stay under the broker-dealer’s “direct and exclusive control.”10
Legislatures are closing off the one escape route the industry hoped for. California’s AB 316, effective January 1, 2026, added Civil Code section 1714.46: in an action against a defendant who developed, modified, or used AI that allegedly caused harm, “it shall not be a defense, and the defendant may not assert, that the artificial intelligence autonomously caused the harm.”2 Defendants can still fight causation. They just cannot say the machine did it on its own.
If you deploy an agent that moves money, assume every one of its transactions will be attributed to a person --- and that the person the plaintiff picks may be you.
Who Can Be Held Liable: The Four-Candidate Map
Liability can land on the user, the deployer, the developer, or the model provider, and the allocation follows control of the failure that caused the loss. The table maps the candidates to their exposure.
| Party | When exposure attaches | What cuts the other way |
|---|---|---|
| User | Default first-loss position. The user authorized the agent, and a user who disables human-approval settings and grants broad permissions has knowingly accepted substantial risk. | Consumer-protection statutes; unconscionability limits on terms; the open Regulation E question below. |
| Deployer | Negligence and product theories when the deployer’s choices caused the loss --- a corrupted data pipeline feeding the agent bad information is a deployer problem, not a user problem. | Documented safeguards: human-in-the-loop defaults, spend caps, permission scoping, logging. |
| Developer | Foreseeable-failure arguments. Prompt injection is a cataloged attack vector on the OWASP Top 10 for LLM applications, not an act of God; shipping a financial agent vulnerable to a studied, published attack invites a design-defect claim.11 | Disclaimers and open-source posture --- Coinbase’s AgentKit terms state that acts performed by an agent through the software “are NOT acts of Coinbase.”12 |
| Model provider | Furthest from liability today. Scholars have proposed professional-negligence standards for developers, and plaintiffs will keep testing the perimeter.13 | Usage policies that require human review of consequential financial decisions, which contractually push risk downstream to deployers.14 |
If your product touches any link in this chain, your exposure turns on which failure modes you controlled and what your terms, defaults, and logs prove about it.
Is an AI Agent a “Product”? Courts Are Split, and the Split Matters
Whether AI software counts as a “product” for strict-liability purposes is genuinely unsettled, and the answer decides whether victims must prove negligence or only a defect. In 2020, the Third Circuit held in a non-precedential opinion applying New Jersey law that an algorithmic risk-assessment tool was not a product, reasoning that information and recommendations fall outside products-liability law.15 Then came Garcia v. Character Technologies. In May 2025, a federal court in Florida refused to dismiss strict product liability claims against an AI chatbot, holding that the system is a product “for the purposes of Plaintiff’s product liability claims so far as [the] claims arise from defects in the Character A.I. app rather than ideas or expressions within the app.”3
The line the court drew is the one to watch: design versus expression. Claims that target how the system was built --- its guardrails, its permissions, its failure modes --- can proceed on a product theory. Claims that target what the system said run into First Amendment and content defenses. The parties reached a settlement in principle in January 2026, so there will be no appellate ruling.4 The pleading-stage reasoning is the template plaintiffs will reuse.
A trading agent that loses money sits close to the line. A bad trade looks like output, which favors defendants. An agent that lost money because it lacked spend limits, ignored its mandate, or fell to a known attack looks like defective design, which favors plaintiffs.
If your agent’s failure can be described as a missing safeguard rather than a bad opinion, expect the product theory --- and design your safeguards like exhibits.
What Changes on DeFi Rails
Decentralization does not erase liability. It relocates it, and two cases mark the poles. In Van Loon v. Department of the Treasury, the Fifth Circuit held in November 2024 that Tornado Cash’s truly immutable smart contracts are not “property” anyone owns or controls, so those particular contracts sat beyond OFAC’s sanctions reach.5 Genuinely ownerless code, in other words, may have no one standing behind it at all. At the other pole sits CFTC v. Ooki DAO: when regulators cannot find a company, they can treat the protocol as an unincorporated association and reach the token holders who voted to govern it.6 That theory won by default judgment, so it has not been tested in a contested fight, but it is on the board.
An AI agent trading on DeFi rails sits between those poles. The answer turns on who retains control: the agent’s deployer, the front-end operator, the governance token holders. And the loss scenarios are not hypothetical. The 55.5 ETH prompt-injection theft that opens this article hit a live trading agent.1 Academic red-teams have also shown that “memory injection” attacks --- planting malicious instructions in an agent’s persistent memory --- can defeat agents that resist ordinary prompt injection.16
If your protocol, front end, or DAO touches an agent that moves user funds, the question is not whether you are decentralized. It is whether a court can find control in your hands.
The Real Gap: Regulation E Was Written for People Who Click Buttons
The sharpest unsolved problem is consumer payments. Regulation E protects consumers against “unauthorized” electronic fund transfers --- transfers “initiated by a person other than the consumer without actual authority.”7 A transfer the consumer initiates, even when scammed into it, is generally treated as authorized. That is the “Zelle gap,” and it has survived regulatory pressure: the CFPB pressed fraud-liability theories against the banks behind Zelle in December 2024, and the lawsuit was dismissed with prejudice in March 2025.17
Now put an AI agent in the middle. Nobody knows how a standing instruction --- “manage my portfolio, keep purchases under $2,000” --- maps onto Reg E’s transaction-level authorization rules. And the harder question is coming fast. When an attacker prompt-injects an agent into moving money, the better analogy may be a stolen credential, not a deceived consumer. The attacker initiated that transfer, not the user. The CFPB has said a consumer tricked into giving up credentials has not “furnished” an access device, which points toward unauthorized --- and toward the institution bearing the loss.18
The counterargument is statutory and serious. The Electronic Fund Transfer Act excludes from “unauthorized” any transfer initiated by a person who “was furnished with the card, code, or other means of access” by the consumer.19 A bank will argue that a user who deliberately hands an agent its credentials has furnished the means of access, full stop. No regulator or court has resolved the question for AI agents. One CFPB interpretation, or one district-court ruling, would flip the allocation --- that is the event to watch, and the loss allocation for the whole agentic-payments economy rides on it.
If you operate agentic payments, build the authorization record now: what the user approved, in what scope, with what limits. That record is what wins the unauthorized-transfer fight, whichever way the rule breaks.
Are New AI Liability Rules Coming? Expect Standards, Not Statutes
Do not expect a bespoke AI-liability statute to allocate these losses: none of the new state AI laws squarely reaches a financial trading agent, and this cycle’s dedicated AI-liability instruments have mostly died. The Senate stripped a proposed ten-year federal moratorium on state AI laws from the July 2025 reconciliation bill by a 99-to-1 vote, so states kept their power to regulate --- but what states are enacting is governance law, not loss-allocation law.20 The European Commission withdrew its proposed AI Liability Directive in 2025.21 The SEC withdrew its proposed predictive-data-analytics rule in June 2025.22 Colorado replaced its AI Act in May 2026, before the original act ever took effect.23 And the fight has moved to the courts: a December 2025 executive order stood up a Justice Department task force to challenge state AI laws, so states are legislating while the federal government pushes back.24
What fills the space is standards, not statutes. The NIST AI Risk Management Framework is quietly becoming the de facto standard of care --- Texas wrote substantial compliance with it into a statutory safe harbor effective January 1, 2026, and other states are moving the same direction.25 The GENIUS Act will put regulated, reserve-backed issuers behind the stablecoin rails agents will transact on.26 And the payment networks are building the evidence infrastructure themselves: Google’s Agent Payments Protocol binds transactions to cryptographically signed mandates, while Visa and Mastercard tie tokenized credentials to a specific agent, merchant, and consent policy.27 Different mechanics, same idea --- a tamper-evident record of exactly what the user authorized. That is the industry writing the evidence trail for the liability fights to come.
Human-in-the-loop approvals and spend limits are hardening into the standard of care. Whether the user or the platform turned them off will be the first question in every one of these cases.
How to Reduce AI Agent Liability Exposure Now
Deployers, users, and platforms can each cut AI-agent loss exposure today, with controls that double as litigation exhibits. For deployers, the near-term work is concrete: keep human-approval defaults on for consequential transactions, scope agent permissions to the minimum, set spend caps, and log every instruction the agent receives and every action it takes. Those controls now do double duty: they prevent losses, and they are the exhibits that defeat a negligence or design-defect claim after one.
For users --- retail or institutional --- the risk decision is the settings screen. Disabling approvals and widening permissions is a legal act, not just a convenience choice, and it is the first thing the other side’s lawyer will raise.
For platforms and payment businesses, the Regulation E question is the one to get ahead of. The firms that can prove exactly what a user authorized, at what scope, will be fine under either answer. The firms that cannot will fund the test cases. These allocations are being set now, in product design and in terms of service, before any regulator speaks --- which is precisely why the design choices deserve counsel’s eyes before launch.
Related Resources
- AI Agent Liability in DeFi: Who’s Responsible When the Bot Trades?
- Not an Agent, Not a Defense: Seven Doctrines That Reach AI Deployers
- Do Agentic Payments Need a Money Transmitter License?
- Who Is the BSA Customer When an AI Agent Sends Stablecoins?
- Can an AI Agent Legally Enter Into a Contract?
This article provides general information for educational purposes only and does not constitute legal advice. AI and financial-services regulation is evolving rapidly. Consult qualified legal counsel for advice on your specific situation.
Footnotes
-
AI Incident Database, Incident 1003, aixbt/Simulacrum incident (Mar. 18, 2025), available at https://incidentdatabase.ai/cite/1003/. ↩ ↩2
-
Cal. Civ. Code Section 1714.46 (added by AB 316, ch. 672, approved Oct. 13, 2025; effective Jan. 1, 2026), available at https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB316. ↩ ↩2
-
Garcia v. Character Technologies, Inc., No. 6:24-cv-01903 (M.D. Fla. May 21, 2025) (order on motions to dismiss, Dkt. 115). ↩ ↩2
-
Reporting on the settlement in principle: CNBC, “Google, Character.AI to settle suits involving minor suicides and AI chatbots” (Jan. 7, 2026), available at https://www.cnbc.com/2026/01/07/google-characterai-to-settle-suits-involving-suicides-ai-chatbots.html. ↩ ↩2
-
Van Loon v. Department of the Treasury, No. 23-50669 (5th Cir. Nov. 26, 2024), available at https://www.ca5.uscourts.gov/opinions/pub/23/23-50669-CV0.pdf. ↩ ↩2
-
CFTC v. Ooki DAO, No. 3:22-cv-05416 (N.D. Cal. June 8, 2023) (order granting default judgment), available at https://www.cftc.gov/media/8736/enfookidaoorder060923/download. ↩ ↩2
-
12 C.F.R. Section 1005.2(m) (Regulation E, definition of unauthorized electronic fund transfer), available at https://www.ecfr.gov/current/title-12/chapter-X/part-1005/subpart-A/section-1005.2. ↩ ↩2
-
15 U.S.C. Section 7001(h) (E-SIGN Act, electronic agents); Cal. Civ. Code Sections 1633.14, 1633.9 (California UETA, automated transactions and attribution). ↩
-
Securities and Exchange Commission, Division of Investment Management, IM Guidance Update No. 2017-02, Robo-Advisers (Feb. 2017), available at https://www.sec.gov/investment/im-guidance-2017-02.pdf. ↩
-
17 C.F.R. Section 240.15c3-5 (risk management controls for brokers or dealers with market access), available at https://www.ecfr.gov/current/title-17/chapter-II/part-240/subject-group-ECFR665f9ada9c1342b/section-240.15c3-5. ↩
-
OWASP Foundation, OWASP Top 10 for Large Language Model Applications (prompt injection, LLM01), available at https://owasp.org/www-project-top-10-for-large-language-model-applications/. ↩
-
Coinbase, AgentKit repository, Legal and Privacy disclaimer, available at https://github.com/coinbase/agentkit. ↩
-
See, e.g., Bryan H. Choi, “Negligence Liability for AI Developers,” Lawfare (Sept. 26, 2024), available at https://www.lawfaremedia.org/article/negligence-liability-for-ai-developers. ↩
-
Anthropic, Usage Policy, High-Risk Use Case Requirements (human-in-the-loop review for financial decisions), available at https://www.anthropic.com/legal/aup; OpenAI, Usage Policies, available at https://openai.com/policies/usage-policies/. ↩
-
Rodgers v. Christie, No. 19-2616 (3d Cir. Mar. 6, 2020) (not precedential), available at https://www2.ca3.uscourts.gov/opinarch/192616np.pdf. ↩
-
Atharv Singh Patlan et al., “Real AI Agents with Fake Memories: Fatal Context Manipulation Attacks on Web3 Agents” (2025), arXiv:2503.16248, available at https://arxiv.org/abs/2503.16248. ↩
-
Consumer Financial Protection Bureau, enforcement action, Early Warning Services, LLC; Bank of America, N.A.; JPMorgan Chase Bank, N.A.; Wells Fargo Bank, N.A. (filed Dec. 20, 2024; dismissed with prejudice Mar. 5, 2025), available at https://www.consumerfinance.gov/enforcement/actions/early-warning-services-llc-bank-of-america-na-jpmorgan-chase-bank-na-wells-fargo-bank-na/. ↩
-
Consumer Financial Protection Bureau, Electronic Fund Transfers FAQs, Unauthorized EFTs Question 6 (updated Jan. 15, 2025), available at https://www.consumerfinance.gov/compliance/compliance-resources/deposit-accounts-resources/electronic-fund-transfers/electronic-fund-transfers-faqs/. ↩
-
15 U.S.C. Section 1693a(12) (Electronic Fund Transfer Act, definition of unauthorized electronic fund transfer). ↩
-
U.S. Senate Committee on Commerce, Science, and Transportation, “Senate Strikes AI Moratorium from Budget Reconciliation Bill in Overwhelming 99-1 Vote” (July 1, 2025), available at https://www.commerce.senate.gov/2025/7/senate-strikes-ai-moratorium-from-budget-reconciliation-bill-in-overwhelming-99-1-vote/8415a728-fd1d-4269-98ac-101d1d0c71e0. ↩
-
IAPP, “European Commission withdraws AI Liability Directive from consideration” (Feb. 2025), available at https://iapp.org/news/a/european-commission-withdraws-ai-liability-directive-from-consideration. ↩
-
Securities and Exchange Commission, Withdrawal of Certain Proposed Rules, Release No. 33-11377 (June 2025) (withdrawing File No. S7-12-23), available at https://www.sec.gov/files/rules/final/2025/33-11377.pdf. ↩
-
Colorado SB26-189, Automated Decision-Making Technology (signed May 2026, repealing and reenacting the provisions of SB 24-205), available at https://leg.colorado.gov/bills/sb26-189; SB25B-004 (2025 special session, delaying SB 24-205’s effective date to June 30, 2026), available at https://leg.colorado.gov/bills/sb25b-004. ↩
-
Executive Order 14365, “Ensuring a National Policy Framework for Artificial Intelligence” (Dec. 11, 2025), available at https://www.whitehouse.gov/presidential-actions/2025/12/eliminating-state-law-obstruction-of-national-artificial-intelligence-policy/. ↩
-
National Institute of Standards and Technology, AI Risk Management Framework, available at https://www.nist.gov/itl/ai-risk-management-framework; Texas Responsible Artificial Intelligence Governance Act, HB 149, Section 552.105(e)(2)(D) (effective Jan. 1, 2026). ↩
-
GENIUS Act, Pub. L. No. 119-27 (signed July 18, 2025) (permitted-issuer restriction and 1:1 reserve requirement), available at https://www.govinfo.gov/content/pkg/PLAW-119publ27/html/PLAW-119publ27.htm. ↩
-
Google, Agent Payments Protocol (AP2), available at https://ap2-protocol.org/; Visa, Visa Intelligent Commerce developer documentation, available at https://developer.visa.com/capabilities/visa-intelligent-commerce; Mastercard, “Mastercard Unveils Agent Pay” (Apr. 2025), available at https://www.mastercard.com/global/en/news-and-trends/press/2025/april/mastercard-unveils-agent-pay-pioneering-agentic-payments-technology-to-power-commerce-in-the-age-of-ai.html. ↩