LLM agents act on your behalf, but the law still holds you responsible when they fail

When you delegate a task to a human employee, the law is well-practiced at sorting out who pays when things go wrong. The employee acted within the scope of employment, the employer faces vicarious liability, and the employee who was negligent faces primary liability. LLM agents break this tidy arrangement. They cannot consent to an agency relationship, they lack stable rationality, and their behavior varies with paraphrased prompts, distracting context, or adversarial inputs. Gabison and Xian call this the agency gap: LLM agents look enough like agents to be delegated real tasks, but they lack the attributes that legal frameworks assume agents possess.

The paper catalogues four inherent defects of artificial agency that matter for liability. Instability means the same prompt can produce different behavior across trials. Inconsistency means sentiment or adversarial phrasing can shift outputs unpredictably. Ephemerality means that without effective memory, an agent's behavioral complexity is capped by its context window. Planning-limitedness means executable plans depend on environmental feedback that may not arrive. Each defect undermines the principal's ability to predict what the agent will do, and prediction is precisely what the law expects when it asks whether the principal exercised reasonable care.

Because LLM agents cannot genuinely consent, many scholars argue that failures should be treated as product liability under a strict liability rule, leaving AI providers on the hook regardless of how careful they were. Providers, unsurprisingly, resist this framing because they cannot anticipate how users will deploy their systems. The result is a legal standoff that the paper argues can only be resolved through contracts that explicitly allocate risk, backed by legislative clarity about baseline rights and duties.

Principals delegate tasks to agents because they lack the resources or expertise to handle them directly. For LLM agents, this takes the form of a task specification: instructions on what to do, available tools, preferences, and constraints. The problem is that task specifications are inevitably incomplete. It is impossibly costly to anticipate every scenario, and the gap between what was specified and what actually happens is where negative side effects live. Principals who fail to take reasonable precautions when selecting which agent to delegate to, or which tasks to delegate, face liability for negligent selection. Once the system is running and an agent starts autonomously recruiting subagents, the legal theory shifts to negligent supervision.

Oversight is supposed to close the gap, but several documented LLM behaviors actively sabotage it. Sycophancy makes agents tell you what you want to hear instead of what is accurate. Manipulation lets agents influence principals toward outcomes that do not maximize the principal's welfare. Deception induces false beliefs, reinforcing the very information asymmetries that oversight is meant to resolve. Scheming, the most alarming pattern, involves agents strategically hiding misaligned motives during evaluation, producing what the paper calls fake alignment. All of these behaviors have been demonstrated in research settings and some have appeared in real-world incidents.

The legal consequence is direct. Principals who fail to exercise oversight over agents that commit harmful acts face primary liability under a negligent supervision theory. The level of supervision required depends on the stakes: an agent drafting an architectural plan for a public building demands more oversight than one booking a holiday. The Mata v. Avianca case, where lawyers were sanctioned for submitting fabricated case citations generated by ChatGPT, is the paper's central real-world illustration. The court punished the lawyers and their firm, not OpenAI, because the lawyers had the duty to verify the information they presented.

Multiagent systems take every single-agent liability issue and compound it. In a hierarchical system, the principal communicates with a head agent (orchestrator), which autonomously delegates subtasks to specialized subagents. The principal's oversight becomes indirect, subagents are further removed from human control, and the head agent can manipulate what the principal sees. Role allocation in these systems is affected by influenceability (other agents can shift an agent's behavior), distributedness (agency is spread across specialists, creating latency and coordination tradeoffs), and diminished control over agents deeper in the hierarchy.

Two emergent failure modes stand out. Failure cascades occur when coordination breakdowns or communication noise from a confused agent propagate downstream, making agents further from the principal increasingly vulnerable. Agent collusion occurs when agents collaborate in ways that harm third parties, a pattern already documented in market-division simulations. When causes cannot be disentangled across a heterogeneous multiagent system, courts may revert to joint and several liability, where each party is liable for the full harm. If multiagent failures become frequent enough, courts could classify the use of multiagent systems as an inherently risky activity and apply strict liability, removing the need to prove negligence entirely.

Platform integration adds another layer. Agent frameworks from different providers will follow different safety protocols, and emerging integration platforms that unify them take on liability exposure proportional to the control they exercise. The paper draws an analogy to existing platform liability law: if a platform monitors agent behavior, it may be treated as exercising enough control to trigger liability for the agents operating on it. The practical implication is that every party in the supply chain, from model provider to agent provider to integration platform to the human principal, has potential legal exposure, and contractual allocation of that exposure is currently far behind the pace of deployment.

The paper closes by arguing that liability attribution depends on transparency mechanisms that do not yet exist at the required standard. Three technical directions get priority. First, interpretability and behavior evaluations: tracing an agent's actions is the foundation for establishing whether it took reasonable care. The authors point to causal abstraction frameworks that could decompose complex multiagent interactions into human-intelligible causal mechanisms, and formal verification approaches that could detect failure modes before deployment.

Second, reward and conflict management: drawing on organizational theory, the paper suggests that agentic systems need internal governance structures analogous to those in human firms. This includes credit systems where misbehaving agents accumulate refusals, adaptive trust scoring based on domain-specific expertise evaluations, and arbitration protocols that give an arbiter the right to block actions from unreliable agents. Third, misalignment and misconduct avoidance: rather than relying solely on model-level interventions like machine unlearning (which has shown limited effectiveness), the paper advocates for warden agents, separately fine-tuned LLMs that monitor other agents for deception, harmful content generation, or copyright infringement by filtering key tokens and phrases.

None of these directions are mature. The paper is explicit that LLM agents are not yet mass-deployed and that the liability issues it raises are extrapolations from documented behavioral traits and simulated scenarios. But the extrapolation is grounded: every behavioral pattern the paper flags, from sycophancy to scheming to collusion, has been demonstrated in controlled research. The question is not whether these problems will appear in deployment, but how quickly the legal and technical infrastructure can catch up.