When Your AI Agent Causes Harm, Regulators Won't Ask Who Coded It. They'll Ask Who Designed Its Permissions.

An AI agent books a non-refundable flight for a customer who only asked it to "check some options." Nobody wrote code that told it to do that specifically — it inferred permission from a vague instruction and an interface that never asked it to confirm. When the complaint reaches a regulator or a courtroom, the question that gets asked first isn't "who wrote this function." It's "who decided this agent didn't need to check before it spent someone's money."
That question is a design question, and most design teams building agentic products right now aren't equipped to answer it, because nobody told them it was going to be theirs to answer.
Singapore Built the First Governance Framework Aimed at This Gap
In January 2026, Singapore's Infocomm Media Development Authority published its Model AI Governance Framework for Agentic AI, unveiled at the World Economic Forum and updated in May 2026 with real industry case studies. It's built around four dimensions: bounding risk before deployment, establishing clear human accountability, embedding technical controls, and defining end-user responsibility. Read past the policy language and what it's actually asking for is an audit trail of design decisions — who set the boundaries on what this agent could do unsupervised, and can that decision be reconstructed after the fact.
That last part is the one that should concern anyone who's shipped a product feature under a deadline without documenting why a permission threshold was set where it was. "The agent can auto-complete purchases under $50 without confirmation" is a design decision made in a sprint planning meeting, probably justified with a sentence about reducing friction. Under this framework, that sentence is now the artifact a regulator asks to see first if something goes wrong at $49.99.
Why Nobody Can Trace the Harm Back to a Single Choice
The Oxford Law Blog's June 2026 analysis of corporate accountability for AI names the exact problem agentic systems create for existing accountability models: "harmful outcomes may emerge from interactions between AI agents, organizational processes, and human actors in ways that cannot easily be traced to individual wrongdoing." No single line of code caused the bad outcome. No single designer made an obviously reckless call. The harm emerged from the accumulated interaction of a dozen individually reasonable decisions — a permission boundary set generously here, a confirmation step removed there to reduce friction, an escalation path that assumed a human would notice before anything expensive happened.
UNESCO's position, cited in the same analysis, is unambiguous about where responsibility still has to land regardless of how the harm was produced: liability must always attach to a natural or legal person, never to the AI system itself. Which means the diffusion of the decision across many small design choices doesn't dissolve accountability — it just makes finding it require reconstructing a paper trail that, in most product teams today, doesn't exist. Nobody wrote down why the confirmation step got cut. It just got cut, in a standup, because it added a click.
This is precisely the failure mode this site covered when Amazon's "Iliad Flow" cancellation design cost the company $2.5 billion in an FTC settlement — a set of individually small friction-adding design decisions that, in aggregate, the FTC ruled amounted to a pattern of harm. Agentic AI inverts that same mechanism: instead of friction added to trap users, it's confirmation removed to please them, and the aggregate risk is identical. Both cases show regulators willing to reconstruct intent from a pattern of interface decisions, not just from a single obviously bad one.
The Product-Versus-Service Liability Split Nobody's Resolved Yet
A April 2026 analysis in Law.com, titled "Built to Blame," lays out the doctrinal fight courts are currently split on: does an AI agent get treated under product liability — scrutinizing the design and built-in safeguards — or under service liability, which scrutinizes how the deployer operated it? Product liability asks "was this designed with adequate warnings and safe defaults." Service liability asks "did the operator use it responsibly." Agentic AI sits awkwardly across both, because a single harmful action can be traced simultaneously to a permission default the design team set (product) and a deployment context the operating company chose (service).
That ambiguity is not a reason to wait for courts to sort it out before treating design decisions as consequential. It's the opposite. Until case law converges, a design team's own documentation — what an agent could do without asking, why that boundary was set there, what the escalation path was if it wasn't sure — is the only artifact that will speak for the team when a court decides which liability frame applies to their specific case. Teams with that documentation get to argue their design was reasonable given the information available. Teams without it get judged by whatever the plaintiff's expert reconstructs after the fact, which is rarely generous.
What This Actually Changes About How You Design an Agent
The EU AI Act's high-risk provisions, rolling out through 2025 and 2026, mandate explainability, traceability, and human oversight for systems in that category — and mental health-adjacent harms have been folded into product liability scope alongside physical and financial ones, per the International AI Safety Report 2026. Put plainly: if your agent's design touches anything a regulator could plausibly call high-stakes, "we didn't think that decision needed writing down" is no longer a defensible design process. It's an admission that the process didn't have one.
What this means in practice is not more approval meetings. It's a different unit of design artifact: instead of only shipping a Figma file and a set of interaction specs, teams building agentic products need to ship a permission-boundary rationale alongside the interface — a documented answer to "what can this agent do without checking, and why did we decide that threshold was safe" for every action with real-world consequence. That rationale is a design deliverable now, the same way an accessibility audit became one after the wave of ADA lawsuits over accessibility overlay widgets made "we installed a plugin for that" legally insufficient. Compliance theater didn't work there either — the widget existed, the accessibility gap didn't close, and the lawsuits followed the gap, not the plugin. Agent permission design is heading toward the same test: does the design actually bound the risk, or does it just look like it does in a demo.
So Actually, This Isn't a Legal Problem Design Can Ignore
Here's the reframe: the instinct in most design orgs right now is to treat AI governance frameworks as legal's problem, something compliance will translate into a checklist the design team implements after the fact. That instinct is exactly backwards for agentic systems, because the thing being regulated — what the agent is permitted to decide on its own — is a design decision at its origin, not a legal one. Legal can write the policy. Only the design team knows where the actual permission boundary was set and why, because they're the ones who set it.
The teams that will handle this well aren't the ones waiting for a finalized global standard to tell them exactly what to document. They're the ones already writing down, for every autonomous action their product ships, the one-sentence answer to "what happens if this goes wrong, and who decided how far it could go before someone would notice." That sentence is cheap to write today. It's the only thing that will matter once something the agent did needs explaining to someone who wasn't in the room when the boundary was set.
If your agent made an expensive mistake tomorrow, could your team produce the design decision that allowed it — or would you be reconstructing it for the first time under oath?
Cover photo by Pavel Danilyuk via Pexels.