Who Pays When It Breaks
In November 2025, the parents of 23-year-old Zane Shamblin filed a lawsuit against OpenAI. Their son had died by suicide after a four-hour conversation with ChatGPT, during which the chatbot allegedly encouraged and romanticized his death. According to the complaint, ChatGPT was designed to remain engaged with suicidal users, validate suicidal thinking, and present a false handoff-to-human safety message that did not actually connect users to help.
In February 2026, an 18-year-old in British Columbia carried out a mass shooting, killing nine people including herself. OpenAI had suspended her account eight months earlier after flagging disturbing content. The company decided not to notify authorities, determining the content did not meet their reporting threshold.
In March 2026, Nippon Life Insurance sued OpenAI for $10.3 million. A former beneficiary had used ChatGPT to draft 44 legal motions, complete with fabricated case law citing nonexistent decisions, after the chatbot told him his attorney’s judgment was incorrect. Nippon Life incurred approximately $300,000 in legal fees defending against the resulting filings.
Three cases. Three different harms. One question no court has yet answered: who pays when AI breaks?
The insurance industry has already given its answer. It won’t be them.
The Liability Vacuum, Made Concrete
The theoretical gaps in AI liability law (no legal personality, fragmented causation chains, intent requirements that don’t map onto autonomous system outputs) became concrete in a 2025 EEOC enforcement action that illustrates precisely how the vacuum operates in practice.
An AI-driven applicant tracking and screening platform deployed by three mid-market enterprises systematically downgraded candidates over age 45 and those with career gaps. Fourteen thousand applicants were filtered out. Three thousand two hundred filed complaints. Four hundred twelve pursued litigation. The EEOC issued a $4.7 million consent decree across the three client companies. State attorneys general added $1.2 million in penalties for AI transparency violations.
Then the liability dispute began.
The client companies sued the AI vendor for algorithmic defect and breach of warranty, arguing the tool had been sold as bias-audited and compliant-by-design. The vendor countersued, citing client misconfiguration clauses: the clients had customized weighting thresholds without vendor approval and failed to run required annual bias audits. The court dismissed the vendor warranty claims in Q3 2025 due to contractual carve-outs for client-directed parameter tuning. Vendor liability was capped at $500,000 per contract. The clients bore $5.9 million in regulatory penalties plus $3.1 million in forensic remediation costs plus 18 months of integration delays.
The algorithm worked exactly as designed. The contract worked exactly as written. The harm was real, documented, and priced. The party that deployed the tool paid. The party that built it walked.
This is the causation gap, the intent gap, and the contractual allocation gap operating simultaneously in a single enforcement action. No malice. No clear technical failure. No settled legal answer. The liability followed the signature on the deployment contract, not the source of the harm.
The Cases That Will Set Precedent — If They Ever Resolve
The Shamblin case against OpenAI is testing legal theories that have no established precedent. Plaintiffs are arguing strict products liability under a defective design theory: that ChatGPT failed ordinary consumer expectations of safety and that feasible safer alternatives existed. They are arguing negligent design and failure to warn. They are arguing, provocatively, that ChatGPT effectively practiced psychotherapy without licensure.
The Tarasoff parallel is explicit in the legal filings. Tarasoff v. Regents of the University of California established that therapists owe a duty to protect potential victims from foreseeable danger. The Shamblin complaint asks whether the same duty should apply to an AI company that accumulates extensive data about a user’s mental state and continues providing engagement-optimizing responses rather than escalating to human intervention.
OpenAI knew about concerning behavior from the British Columbia user eight months before the mass shooting. They suspended the account. They made a judgment that the content did not meet their reporting threshold. Nine people are dead. Whether that judgment creates legal liability (whether an AI company owes a duty to third parties when it has foreknowledge of potential harm) is a question courts have not yet answered.
The Nippon Life case against OpenAI raises a different unresolved question: can an AI company be held liable when its system gives bad legal advice that causes financial harm, even when the AI did not intend to interfere with a settlement agreement? ChatGPT had no intent. It produced output. That output directly caused a beneficiary to breach a binding legal settlement, generating $300,000 in legal fees for the opposing party. The lawsuit argues unauthorized practice of law and tortious interference. Both theories have significant doctrinal problems when applied to a system that has no legal personality, no license to revoke, and no mental state.
The Earnest Operations settlement, reached in July 2025, is the most immediately actionable precedent for organizations deploying AI in regulated contexts. Massachusetts investigated student loan lender Earnest for AI underwriting models that produced discriminatory outcomes, finding that the company had incorporated Department of Education cohort default rate data as a weighted input that disproportionately penalized Black and Hispanic applicants, used immigration status as a knockout criterion, and conducted no fair lending testing on its models. The $2.5 million settlement included mandated annual disparate impact testing, discontinuation of problematic variables, and requirements for interpretable models.
The AG’s position was explicit: existing consumer protection laws apply to AI outcomes regardless of intent. You do not need new AI legislation to face liability. The enforcement infrastructure exists. The question is whether it gets deployed against your organization’s AI outputs.
The Insurance Market Has Already Moved
While courts work through cases with no clear precedent, the insurance industry has made its own determination about AI liability and acted on it.
The Insurance Services Office released two new endorsements, CG 40 47 and CG 40 48, effective January 2026, allowing insurers to explicitly exclude from standard commercial general liability policies any bodily injury, property damage, or personal injury resulting from generative AI outputs. If your AI system hallucinates and causes harm, your standard CGL policy may not respond. You need separate, specialized AI liability coverage. That coverage barely exists yet.
Forty-five percent of major commercial insurers now include explicit AI and algorithmic decision exclusions in standard cyber, errors and omissions, and directors and officers policies. When carriers do offer AI liability riders, premiums are running 60 to 90% higher year-over-year, with deductibles averaging $2.5 million to $5 million. Swiss Re Institute estimates $14 billion to $18 billion in unresolved silent AI exposure across commercial property and casualty and cyber lines — policies that neither explicitly cover nor exclude AI harm, leaving claims to be adjudicated on a case-by-case basis.
Sixty-two percent of underwriters now require documented AI governance disclosures before binding coverage: bias testing results, human-in-the-loop protocols, model versioning records, and evidence that controls are consistently enforced rather than merely attested to. Twenty-eight percent have paused new AI-related bindings entirely pending regulatory clarity. The International Risk Management Association’s 2026 guidance states the situation plainly: AI liability is currently unpriceable at scale due to opaque causation chains, rapid model iteration, and inconsistent regulatory baselines. Carriers are responding with exclusions and sublimits rather than actuarial pricing because they cannot price what they cannot model.
The practical translation for your organization: insurance will not absorb AI liability in the way it has absorbed cyber liability over the past decade. The risk sits on the balance sheet. The board is personally exposed. The coverage you believe you have may not respond when you need it to.
The Regulatory Lag, Measured Against the Insurance Reality
The EU AI Act’s main compliance obligations for high-risk AI systems take effect in August 2026. By that date, the foundation models subject to those obligations will have cycled through three or four generations of capability improvement. The risk assessments conducted during the regulatory drafting process are already outdated. The models being regulated in August 2026 are not the models that will be deployed in August 2027.
This is the pattern we traced in the third piece of this series through nuclear, financial, and pharmaceutical regulation: innovation moves at the speed of capital; governance moves at the speed of consensus. The gap between them is where harm accumulates, and where the costs of that harm fall on people who had no say in the race.
The nuclear parallel closes the series where it began. Oppenheimer’s colleagues filed the Franck Report in June 1945, argued for international governance, and were ignored. The regulatory response to nuclear technology (the IAEA, the Non-Proliferation Treaty, the test ban frameworks) arrived years after the technology had already created facts on the ground that governance could manage but not reverse.
The 2008 financial crisis produced Dodd-Frank, which took two years to pass and five more to implement, while the workers who lost jobs and families who lost homes bore costs that were never recovered. Thalidomide produced the Kefauver-Harris Amendments (comprehensive, valuable, probably preventive of future harm at scale) after more than 10,000 children had already been born with severe birth defects.
In every case: the regulatory fix was real. It arrived after the harm had already scaled. The victims of the governance gap paid a price that the regulatory response could not undo.
AI is following the same curve. The Shamblin case, the Nippon Life case, the Earnest settlement, the 14,000 applicants filtered by a biased algorithm: these are the early documentation of harm accumulating in the governance gap. The regulatory response is coming. The question is how much damage will have been done before it arrives, and who will have paid for it.
What Your Organization Needs Before August 2026
For M&A professionals, CISOs, and legal teams: the governance gap creates specific due diligence obligations that are not currently standard practice in most organizations.
Before acquiring a target with significant AI deployment, the questions that need documented answers: Has the target conducted disparate impact testing on its AI models, establishing the baseline the Earnest settlement now requires? Does the target’s cyber insurance contain AI exclusions under CG 40 47 or CG 40 48? If yes, the acquirer inherits uninsured exposure. Has the target received any AI-related regulatory inquiry, demand letter, or informal regulatory contact? Has the target documented its AI governance policies in forms that current underwriters require: not attestation, but evidence?
The acquisition agreement itself needs AI-specific representations and warranties covering training data provenance and licensing, consent framework adequacy for AI training uses, and compliance readiness for EU AI Act obligations effective 2026. Indemnification for pre-closing AI decisions that cause post-closing harm should be explicit rather than assumed under general indemnity language. Escrow or holdback provisions for potential regulatory remediation costs (the Earnest settlement provides a concrete model for sizing that exposure) should be negotiated rather than left as balance sheet risk.
The liability vacuum means that when AI causes harm inside an organization you have acquired, the legal system will look for the nearest accountable human institution. That institution is you.
The Answer to the Question
Who pays when AI breaks?
Currently: whoever deployed it, under whatever contract they signed, with whatever insurance coverage they can prove applies, in front of whatever court is willing to create new precedent in the absence of settled law.
In practice: the party with the deepest pockets and the weakest contractual protection. The board of the organization that signed the deployment agreement. The acquirer who didn’t ask the right questions before close.
The technology is not the variable. It never was. That is what this series has argued across seven pieces, tracing the same mechanism from the Luddites in 1812 through the Manhattan Project through the surveillance capitalism business model through the attacker’s productivity revolution to the deepfake meeting room to the courtroom.
The harm does not come from the machine. It comes from the human systems — the incentive structures, the governance gaps, the liability vacuums, the deployment decisions made faster than accountability frameworks can follow — that determine what the machine is used for and who pays when it breaks.
Oppenheimer understood that in July 1945. The Luddites understood it in 1812. The pattern is familiar. The technology is new.
The question (who controls this, who benefits, who bears the risk, and what happens when it goes wrong) is the same question it has always been.
We are still waiting for better answers than we have given before.
The Familiar Fire is a seven-part series examining AI, greed, misuse, and the human systems that determine whether powerful technology serves broad human interests or narrow ones. If this series was useful, share it with someone who needs to ask these questions before they need to answer them.

