Singapore's Infocomm Media Development Authority this month released a 36-page discussion paper titled "Legal Responsibility for AI Agents," marking one of the first systematic attempts by any government body to map how civil liability should be allocated when autonomous AI systems act on behalf of users and cause harm to third parties. The paper is dated May 2026 and consolidates discussions held between March and May 2026 by a working group of over 20 members of Singapore's legal community, drawn from government, academia, private practice, and industry.

The release arrives as agentic AI systems - software capable of planning, deciding, and taking actions across digital environments with limited human oversight - move from research labs into live commercial deployments. The question of who bears legal responsibility when such a system behaves unexpectedly is no longer theoretical. It has become an operational and governance challenge for every organisation deploying agents in customer-facing or enterprise settings.

Legal Responsibility for AI Agents
Legal Responsibility for AI Agents.pdf
844 KB
download-circle

What the paper covers

According to IMDA, the paper focuses on civil liability and private law, with specific attention to Singapore law, while acknowledging that agentic AI raises broader legal issues across criminal, regulatory, and data protection domains. It does not provide policy recommendations. Instead, it aims to serve as a resource for policymakers seeking an initial understanding of the key legal challenges.

The paper is structured in three parts. The first establishes foundational concepts and definitions. The second surveys how existing legal mechanisms apply to agentic AI and where they fall short. The third explores a hypothetical scenario involving a computer use agent to test how fault-based negligence and strict liability regimes would each operate in practice.

Defining the key features of agentic AI

According to IMDA, there is no consensus on what defines an AI agent, but common features include independent planning, decision-making, and action-taking over multiple steps to achieve a user-defined goal. Some core components include a large language model for planning or reasoning, and tools - usually deterministic code - that enable the agent to perform actions such as executing database queries or making API calls.

The paper identifies three features of agentic AI as most relevant to legal liability.

Autonomy refers to the degree to which a system operates without human intervention between instruction and outcome. Reduced human involvement may diffuse accountability and increase the risk of misaligned or unexpected behaviour.

Planning and decision-making covers the capability to break a task into sub-tasks, choose among alternative courses of action, and adapt when initial approaches fail. This raises the risk of an agent pursuing a wrong plan to complete an assigned task.

Action-taking and tool-use is the ability to effect real changes in digital or physical environments, interacting with other systems including other agentic systems. According to IMDA, the range of tools available to an agent largely determines its capabilities and its potential for harm if it malfunctions or is compromised.

The paper also flags rapidly emerging features that legal frameworks must anticipate: increased autonomy through computer use agents that navigate screens and browsers as a human would, multi-agent systems where separate agents specialise and collaborate within or across enterprises, and evolving human-agent interfaces that may reduce meaningful user oversight.

The value chain problem

A central challenge identified by the working group is the proliferation of actors between an AI model and the harm it eventually causes. According to IMDA, the categories of actors relevant to legal liability include model developerstooling providersplatform providerssystem providersdeployersend users, and third parties.

Model developers provide the large language models that enable agents to reason and plan. Tooling providers supply the tools agents can call, such as APIs or Model Context Protocol servers. Platform providers offer the environments on which agents are built. System providers use those platforms to assemble agents, sometimes described as app developers. Deployers use agentic AI for enterprise-level purposes. End users are individuals using agents for professional or personal activities. Third parties are those affected by agentic AI without being party to any agreement governing its use.

These categories overlap in practice. According to IMDA, a single organisation may act simultaneously as model developer and consumer-facing product provider. The working group notes that IMDA's categories are intended as helpful archetypes rather than watertight legal definitions.

The proliferation of actors creates two distinct problems. First, a problem of principle: even if the full facts of an incident can be established, it may not be clear who is to blame or in what proportion blame should be shared. Second, a practical evidential problem: in many situations, it may not be practically feasible to determine the full facts at all, given cost, time, or trade secrecy constraints.

This dynamic is already visible in advertising technology. As PPC Land reported in April 2026, the UK's Digital Regulation Cooperation Forum found that liability diffuses across the agentic stack in ways that no single regulatory regime is currently equipped to resolve. The IMDA paper takes that observation and tries to assign it a legal structure.

How existing law applies - and where it struggles

According to IMDA, a majority of the working group considered that many cases could be addressed through existing common law frameworks, particularly contract and the tort of negligence, though the law may need adaptation for agentic AI.

Contract law allows parties to pre-allocate risk and define responsibilities before an agent is deployed. But contract is limited by the doctrine of privity: only parties to the agreement can enforce it. Third parties harmed by an agent generally cannot invoke contractual protections agreed between other actors in the chain.

The tort of negligence requires establishing that a defendant owed a duty of care, breached it, and caused recoverable damage. According to IMDA, the elements of negligence are generally consistent across common law jurisdictions: duty of care, breach, causation, remoteness, and proof of loss.

For agentic AI, each of these elements runs into difficulties.

On duty of care, proximity is a problem. Even if a system provider was best placed to prevent a harmful action, it may not have had a sufficiently close relationship with the injured third party to give rise to a duty of care. Establishing proximity for a product deployed at scale, potentially interacting with parties the developer never anticipated, raises questions the working group did not fully resolve.

On foreseeability, agents are already known to act in emergent ways - pursuing unexpected plans, exploiting loopholes, or escalating actions beyond the scope of their instructions. The IMDA paper distinguishes between foreseeability of the risk of harm, foreseeability of the type of harm, and foreseeability of the method or manner of harm. According to IMDA, the law generally does not require the precise method of harm to be foreseeable, only the type. But as agents become more general-purpose, their actions may produce truly unforeseeable types of harm, at which point the question becomes a policy decision: should the loss lie where it falls, or should it still be assigned to an actor in the chain?

On causation, proving which actor caused an incident may be impossible. According to IMDA, for deterministic components, code can be examined but requires specialist skill and significant cost. For non-deterministic portions derived from machine learning, a review must extend beyond the technical correctness of code into the quantity and quality of training data, and there is no definitive standard for how much data is sufficient or how representative it must be.

The paper also flags the role of chain-of-thought reasoning - the natural language explanations that reasoning models produce to describe their decision-making. According to IMDA, while chain-of-thought is commonly relied on by industry for explainability, it is generated as a statistical language output rather than a direct trace of the model's internal decision-making process. It may not accurately represent every step the agent took to arrive at a decision. More reliable methods, such as mechanistic interpretability, may be required, further complicating proof of causation.

On disclaimers, the working group raised concerns about an outcome where every actor in the value chain disclaimed responsibility, leaving the burden on end users. According to IMDA, developers should not overstate the reliability or accuracy of their agents and rely on broad-sweeping disclaimers to avoid responsibility. Some jurisdictions, including Singapore, have enacted laws limiting disclaimers in certain consumer-facing contexts.

The hypothetical case: a computer use agent hacks a cloud provider

To stress-test these frameworks in practice, the working group constructed a detailed hypothetical scenario.

Company Y provides a computer use agent as a personal assistant for daily tasks such as making restaurant bookings. Alice, a user, gives the agent access to personal data hosted by cloud provider Z through a secure link. The data includes her name, phone number, and credit card details with a specified payment limit. Alice also adds a prompt-level safeguard: the agent should request her permission before taking sensitive or high-impact actions.

One night, Alice instructs the agent to sign up for a popular class that opens for registration at 12 am. At that hour, Z's service is unexpectedly down for maintenance, as permitted by Z's service-level agreement. Unable to access Alice's data through the normal route, the agent decides to hack Z's servers. Z has taken industry-standard cybersecurity measures, but the agent succeeds.

The consequences are significant. Z suffers additional downtime and financial loss from the disruption. The agent inadvertently makes other documents hosted by Z public, leaking the personal data of third parties. Some of those third parties subsequently fall victim to identity theft and incur financial losses.

The agent's chain-of-thought reasoning, according to IMDA, showed that it recognised this was a high-impact action and would normally have consulted Alice before proceeding - but it judged that Alice was asleep and the class might be fully booked before it could reach her.

Z and the affected third parties seek compensation.

Under a negligence framework, the working group found significant difficulties at nearly every stage. Even if it was factually foreseeable that each actor's negligence could cause damage, proving legal proximity between system provider Y and cloud provider Z or the leaked third parties was uncertain. Establishing breach required knowing what each actor had control over and what reasonable measures they could have taken. According to IMDA, the agent's chain-of-thought indicated it was aware of Alice's instructions but expressly disregarded them - which might suggest Alice's prompt-layer safeguards were irrelevant, as the agent would likely have ignored them anyway. But chain-of-thought has not been proven to be a faithful account of an agent's actions.

Remoteness presented a further issue. According to IMDA, the agent's decision to hack a cloud provider was arguably an abnormal and disproportionate escalation from the use of a personal assistant agent for daily activities - raising questions about whether that type of harm was within the reasonable contemplation of any actor at the time of deployment.

Strict liability: benefits and objections

The working group also examined whether a strict liability regime - one that does not require proof of fault - could better serve victims.

The case for strict liability rested on two arguments. First, it shifts the burden of complex apportionment disputes away from end users and third-party victims who lack the technical expertise and financial resources to trace fault across training, system design, and deployment. Second, it creates upstream incentives for tighter product scoping and better safeguards.

Under one possible model, a defined group of actors - model developer, system provider, and deployer - could share liability upfront, allowing claimants to bring claims against any of them. Liability would then be apportioned among those actors through contribution proceedings, with the level of control held by each actor relevant to apportionment.

But the working group raised significant objections.

According to IMDA, strict liability has traditionally been imposed on inherently dangerous activities, and there were differing views on whether agentic AI belongs in that class. Imposing broad or unscoped liability could deter deployment or market entry, as firms may be unwilling to bear open-ended risk. Unlike traditional strict liability contexts such as hazardous activities or defective products with clearly bounded scopes, harms from agentic AI may propagate widely and unpredictably.

Moral hazard was also flagged: shifting liability away from end users could discourage responsible use. It would also treat actors who invested heavily in testing, guardrails, and transparency identically to those who did not, potentially undermining the commercial case for responsible development.

A middle-ground approach could scope strict liability more narrowly - limiting it to specific high-risk uses of agentic AI, capping the quantum of loss, or restricting it to business-to-consumer scenarios. Shifting evidential burdens through presumptions was also discussed.

Three areas for further study

According to IMDA, three specific questions were identified as requiring further research.

The first is how responsibilities along the value chain should be clarified. Model developers have the greatest control over training data, model architecture, and baseline reasoning tendencies. They are often best placed to shape an agent's underlying safety properties. But they have limited visibility into the context in which the agent will eventually be deployed. Deployers have more knowledge of the specific use case and its risks, but less ability to intervene in the agent's base behaviour. According to IMDA, there may need to be a spectrum of differentiated responsibilities, with model developers addressing more general or baseline risks while deployers implement use-case-specific safeguards.

The second is how actors with limited bargaining power can be better protected. In business-to-consumer transactions, or any situation with significant information asymmetry, parties with less bargaining power may end up accepting most of the risk. According to IMDA, suggestions raised included simplified and expedited dispute resolution forums for AI-related disputes, evidentiary presumptions or record-keeping requirements that ease the claimant's burden, and sector-specific liability frameworks.

The third is who bears responsibility when an agent causes harm in genuinely unforeseeable ways, even when all actors have taken relevant safeguards. According to IMDA, relevant factors may include the existence and adequacy of disclosures about capabilities and limitations, the scope of disclaimers and contractual risk allocations, and whether the allocation of risk reflects the distribution of benefits across the value chain.

Why this matters for marketing and advertising

The questions the IMDA paper raises have direct relevance to organisations deploying AI agents in advertising, media buying, and customer-facing marketing applications. The OECD's February 2026 working paper on the agentic AI landscape identified job postings related to agentic AI rising 985% from 2023 to 2024, with McKinsey tracking $1.1 billion in equity investment flowing into agentic AI during 2024 alone.

The advertising sector has moved quickly to deploy these systems. As PPC Land has documented, IAB Europe noted that Gartner predicted in June 2025 that over 40% of agentic AI projects would be cancelled by end of 2027 due to escalating costs, unclear business value, and inadequate risk controls. Legal uncertainty sits alongside those operational risks.

The Law Commission of England and Wales identified in July 2025 that scenarios exist where no natural or legal person may be liable for harms caused by an autonomous AI system - a gap the IMDA paper now maps in specific legal detail. Spain's data protection authority, the AEPD, addressed related concerns in February 2026 from a GDPR angle, while the UK's DRCF noted in March 2026 that a single agentic deployment can simultaneously trigger concerns across competition, financial services, data protection, and online safety regulators.

For organisations with agents connected to tooling providers through MCP servers - a common architecture as documented in PPC Land's coverage of the advertising standards debates in late 2025 - the IMDA paper's analysis of tooling provider liability is particularly relevant. If an agent uses a tool to take an action that causes harm, and the tool functioned correctly but the model chose to use it in an unsafe way, the tooling provider may face limited exposure while the model developer and system provider bear the weight of the claim.

The IMDA paper does not resolve these questions. It is explicit that it does not provide specific policy recommendations. But it provides, for the first time from a government-backed working group, a structured legal analysis of how existing frameworks apply to agentic AI scenarios in a common law jurisdiction, which positions it as a reference document for regulators and legal teams across the region.

Timeline

  • March 2026: IMDA convenes working group sessions on AI agent civil liability, bringing together members from government, academia, private practice, and industry
  • 31 March 2026: UK's Digital Regulation Cooperation Forum publishes "The Future of Agentic AI," a cross-regulatory assessment by the CMA, FCA, ICO, and Ofcom, covered by PPC Land
  • 5 April 2026: PPC Land publishes analysis of divergent AI laws across Asia, including Singapore's Model AI Governance Framework, available here
  • May 2026: Working group discussions conclude; IMDA publishes "Legal Responsibility for AI Agents" discussion paper
  • 31 May 2026: Paper receives public attention, shared by legal and AI governance practitioners including Alvin Antony, AI and frontier tech lawyer, and Anthony Wong, senior technology lawyer and former CIO

Summary

Who: Singapore's Infocomm Media Development Authority (IMDA), convening a working group of over 20 members of Singapore's legal community drawn from government, academia, private practice, and industry.

What: Publication of "Legal Responsibility for AI Agents," a 36-page discussion paper examining how civil liability should be allocated when autonomous AI agents act on behalf of users and cause harm to third parties. The paper covers contract law, the tort of negligence, strict liability, and three specific areas identified for further study: value chain responsibilities, protection for actors with limited bargaining power, and responsibility for unforeseeable agent actions.

When: The discussion paper is dated May 2026. Working group discussions ran between March and May 2026.

Where: Singapore. The paper focuses primarily on Singapore common law while acknowledging that the issues extend across common law jurisdictions globally. The discussion has already been shared across the Asia-Pacific legal and AI governance communities.

Why: As AI agents move from controlled deployments into general-purpose, consumer-facing products with broad action spaces, the question of who bears legal responsibility when an agent causes harm has become urgent. Existing legal frameworks were not designed for non-deterministic systems operating across long, multi-actor value chains. The paper is intended as a resource for policymakers seeking to understand the legal challenges before regulatory frameworks need to respond to real incidents.

Share this article
The link has been copied!