Highlights
- AI liability in supply chains involves complex allocation across model developers, product providers, and deploying firms.
- Professional firms using AI tools likely bear primary exposure under English law for inaccurate outputs.
- Westlaw AI research aids legal analysis by mapping possible claims and supply chain actors in AI disputes.
This is the first in a short series exploring emerging issues around AI in English law disputes, as part of work Hogan Lovells is doing with Thomson Reuters.
The idea is simple: ask the AI about AI.
We are taking legal questions that are emerging as generative AI becomes embedded in business workflows, and exploring them with the help of Westlaw AI. The first question is this: where might responsibility sit in the AI supply chain when a general-purpose AI system produces inaccurate or unsafe output, and a third party suffers loss?
This is important because AI systems are rarely implemented in a simple way. A model may sit at the base. Another provider may wrap it into a product. That product may then be integrated or adapted for a particular use case, deployed by a business or professional services firm, and used by human decision-makers in the real world.
When something goes wrong, the issue may lie in the model, product layer, implementation, instructions, safeguards, human supervision, or some combination of those things. The legal routes are familiar – contract, negligence, assumption of responsibility, product liability, insurance and contractual allocation of risk – but applying them across a layered AI supply chain is unlikely to be straightforward.
Take a simple example. An audit process uses AI. The output is wrong. A third party suffers loss. Who is most exposed: the firm using the system, the product provider, the integrator, or the original model developer?
Jump to ↓
How we did it
The firm using the AI may carry much of the practical risk
What did Hogan Lovells lawyers say?
How we did it
For this series, we are exploring how best to conduct research using Westlaw Advantage. We used Deep Research and AI-Assisted Research, drawing from Westlaw UK case law and legislation, but also Practical Law thought leadership and commentary, because these questions are unlikely to have been comprehensively answered by the courts.
For this exercise, I ran two queries: one simple version of the question, and one more detailed prompt drafted with the help of an LLM.
The simple query was: “Under English law, where does responsibility sit in the AI supply chain when a general-purpose AI system produces inaccurate or unsafe output, and a third party suffers loss?”
The detailed prompt took a more structured approach, specifying the professional context, requesting analysis across multiple legal frameworks, and asking for practical outputs including an executive summary and specific follow-up questions for practitioners.
The question is not only which answer is longer or more polished, but which approach gives a lawyer the better starting point for analysis.
I also asked Westlaw to suggest follow-up questions that could be put to Hogan Lovells lawyers. The point was not to treat the AI output as the answer. It was to see whether it could produce a useful first-pass research map: the possible claims, the likely obstacles, the actors in the supply chain, and the questions a lawyer would need to test before advising a client.
The firm using the AI may carry much of the practical risk
Returning to our audit scenario, the most obvious exposure under English law is likely to sit with the professional firm deploying the AI. That is because the firm is producing the professional output, giving the opinion and facing the client or any foreseeable claimant who may rely on it.
On current English law principles, it’s possible a court might treat AI as a tool used by the professional, rather than as an independent actor that breaks the chain of responsibility.
The UKJT’s January 2026 draft paper is useful here, although it is not the final word. Its starting point is that AI itself does not have legal personality, so liability “must be attributed to legal persons, using ordinary legal principles“. Much of the allocation of risk is also likely to happen by contract.
In the professional services context, a firm is likely not protected by simply saying that the AI got it wrong. Professional standards still matter, and the firm remains responsible for the advice and/or work product it ultimately gives to a client. But the detail will matter: the scope of the engagement, what the client was told, the role AI played, the level of human review, foreseeable reliance and any disclaimers or limitations.
Claims against upstream AI providers may be more challenging. There will often be no direct contract with the third party suffering loss, and supplier contracts are likely to contain robust exclusions and limitations. A duty of care may be difficult to establish without a clear assumption of responsibility. Product liability may not provide an easy answer either, particularly where the alleged failure lies in software and the loss is pure economic loss.
That could leave the deploying firm carrying much of the real-world exposure, while onward claims against suppliers may be difficult, limited by contract, or commercially unattractive. Different facts will produce different answers, especially outside professional services or where a supplier has made specific representations about performance, testing or risk controls.
The practical questions are evidential as much as legal. What happened? What records show how the tool was selected, tested, deployed and supervised? What did the supplier promise? What did the user understand? Was there meaningful human oversight?
What did Hogan Lovells lawyers say?
I also asked Matthew Bullen and Lydia Savill to test specific points suggested by the Westlaw AI research output.
Matthew Bullen is a litigation partner at Hogan Lovells, focusing on professional negligence, trusts and pensions disputes.
Matthew looked at assumption of responsibility and disclaimers. His answer was that “the use of AI does not change the basic starting point”. With any professional engagement, the professional assumes responsibility, or may be treated as assuming responsibility, for the services they provide and advice they give, “per the terms of their engagement and principles set out in case law”. The professional firm remains responsible for the opinion, advice or recommendations it provides, “even if they incorporate, or draw upon, tasks that used AI tools”. AI promises significant opportunities and efficiencies, but it also presents challenges.
Limitations and disclaimers of liability in engagement terms can limit liability in appropriate circumstances, but the “appropriate standard of care” for a professional in an AI-age will also be relevant, both when a professional uses AI and when it chooses not to use AI. Matthew noted that this is likely to be “an evolving area over the next several years”.
As co-head of Hogan Lovells’ global insurance disputes practice, Lydia has more than 15 years’ experience helping her clients resolve their most complex disputes. Lydia’s practice focuses on policyholder and re/insurance disputes across a wide range of insurance classes. In addition to handling claims, Lydia also advises on policy design and coverage and has particular expertise in emerging risks such as climate litigation and AI. Outside the pure insurance sphere, Lydia also has extensive experience in complex group/collective actions and regulatory investigations.
Lydia looked at insurance. Her answer was, in substance, that this is still likely to be analysed through traditional types of insurance cover. AI use does not necessarily create a wholly new type of insured risk. In the audit example, if the professional firm remains responsible to the outside world for its advice or work product, “this looks first and foremost like a standard professional indemnity issue and you would be looking to a typical professional indemnity insurance policy for protection”.
That does not mean the insurance analysis is simple. The starting point is the insuring clause, but you then have to look carefully at what cover the exclusions in your particular policy might take away. As Lydia put it, the policy may give you the cake, but the exclusions start taking slices out of it. The question for policyholders is therefore not only whether the claim falls within a standard professional indemnity cover, but also whether any relevant exclusions are engaged; in the AI context, you would want to pay close attention to any exclusions relating to e.g. losses connected with computer systems, technology failures or (potentially) cyber risk carve-outs.
The practical point is that AI may change the underwriting conversation even if it does not change the liability analysis. Firms using AI should expect insurers to ask more questions about governance, validation, supervision and controls. If insurers perceive increased risk, they may offer cover on different terms or at a higher premium.
The questions that remain
When it comes to allocating liability in the AI supply chain, the questions are familiar: ask who owed the duty, what was promised, what caused the loss, who assumed responsibility, and how risk was allocated by contract.
The hard part is working out what actually happened. With AI, loss may be difficult to trace to a particular design choice, implementation decision, prompt, dataset, safeguard or human act.
The 2026 International AI Safety Report provides a useful counterweight to the suggestion that existing liability regimes are fit for purpose in the GenAI era. It suggests that AI creates distinctive difficulties and that the current law may not always be capable of adequately addressing AI-related harms.
As for the research exercise, my view is that the more detailed prompt produced the more useful answer. The most useful output was a practical table breaking down the actors in the supply chain and the possible routes by which liability might attach to each of them.
It did not answer the question definitively, but it helped turn a difficult issue into something structured enough for lawyers to test, challenge and improve.
In our next installment of this series, we will look at another live question in light of publicity around Anthropic’s Mythos: what should businesses do when faced with an AI-enabled cyber threat?
Reuben Vandercruyssen is a Senior Associate at Hogan Lovells, advising on complex disputes, investigations and business crime. He has a particular focus on AI and emerging contentious risk, including liability and governance issues arising from generative AI.
