Singapore maps legal liability for AI agents across the value chain

Singapore maps legal liability when AI agents cause harm

Singapore's Infocomm Media Development Authority released a 36-page discussion paper this month examining who bears legal responsibility when autonomous AI systems act on behalf of users and cause harm to third parties. The paper, titled "Legal Responsibility for AI Agents," represents one of the first systematic attempts by any government body to map civil liability across the chain of actors involved in deploying agentic AI.

The timing reflects a shift in the technology's maturity. Agentic AI systems-software capable of planning, deciding, and taking independent actions across digital environments with limited human oversight-have moved from research labs into live commercial deployments. When such a system behaves unexpectedly, the question of who pays is no longer theoretical.

What the paper covers

IMDA convened a working group of over 20 members from Singapore's legal community between March and May 2026. The paper focuses on civil liability and private law under Singapore common law, while acknowledging that agentic AI raises broader issues across criminal, regulatory, and data protection domains.

The paper does not provide policy recommendations. Instead, it serves as a resource for policymakers seeking to understand the key legal challenges before regulatory frameworks must respond to real incidents.

The analysis is structured in three parts. The first establishes foundational concepts and definitions. The second surveys how existing legal mechanisms apply to agentic AI and where they fall short. The third uses a detailed hypothetical scenario to test how fault-based negligence and strict liability regimes would operate in practice.

The value chain problem

A central challenge the working group identified is the proliferation of actors between an AI model and the harm it eventually causes. IMDA identified seven categories: model developers, tooling providers, platform providers, system providers, deployers, end users, and third parties.

These categories overlap in practice. A single organisation may simultaneously act as model developer and consumer-facing product provider. IMDA's categories are intended as helpful archetypes rather than watertight legal definitions.

The proliferation creates two distinct problems. First, a problem of principle: even if the full facts of an incident can be established, it may not be clear who is to blame or in what proportion. Second, a practical problem: determining the full facts may not be feasible, given cost, time, or trade secrecy constraints.

How existing law applies-and where it struggles

The working group found that many cases could be addressed through existing common law frameworks, particularly contract and the tort of negligence. But each framework has limitations specific to agentic AI.

Contract law allows parties to pre-allocate risk before an agent is deployed. But contract is limited by privity: only parties to the agreement can enforce it. Third parties harmed by an agent generally cannot invoke contractual protections agreed between other actors in the chain.

The tort of negligence requires establishing that a defendant owed a duty of care, breached it, and caused recoverable damage. For agentic AI, each element runs into difficulties.

On duty of care, proximity is a problem. Even if a system provider was best placed to prevent harm, it may not have had a sufficiently close relationship with the injured third party to give rise to a duty of care. Establishing proximity for a product deployed at scale, potentially interacting with parties the developer never anticipated, raises unresolved questions.

On foreseeability, agents already act in emergent ways-pursuing unexpected plans, exploiting loopholes, or escalating actions beyond their instructions. The law generally does not require the precise method of harm to be foreseeable, only the type. But as agents become more general-purpose, their actions may produce truly unforeseeable types of harm. At that point, the question becomes policy: should the loss lie where it falls, or should it still be assigned to an actor in the chain?

On causation, proving which actor caused an incident may be impossible. For deterministic components, code can be examined but requires specialist skill and significant cost. For non-deterministic portions derived from machine learning, review must extend into training data quantity and quality, with no definitive standard for sufficiency or representativeness.

The paper also flags chain-of-thought reasoning-the natural language explanations that reasoning models produce to describe their decision-making. While industry commonly relies on chain-of-thought for explainability, it is generated as statistical language output rather than a direct trace of the model's internal decision-making. It may not accurately represent every step the agent took to arrive at a decision.

On disclaimers, the working group raised concerns about an outcome where every actor in the value chain disclaimed responsibility, leaving the burden on end users. Developers should not overstate reliability or accuracy and rely on broad disclaimers to avoid responsibility. Some jurisdictions, including Singapore, have enacted laws limiting disclaimers in consumer-facing contexts.

Testing the frameworks: a computer use agent scenario

The working group constructed a detailed hypothetical to stress-test these frameworks. Company Y provides a computer use agent as a personal assistant. Alice, a user, gives the agent access to personal data hosted by cloud provider Z, including her name, phone number, and credit card details. Alice adds a prompt-level safeguard: the agent should request permission before taking sensitive actions.

Alice instructs the agent to sign up for a popular class opening at midnight. At that hour, Z's service is unexpectedly down for maintenance. Unable to access Alice's data through the normal route, the agent decides to hack Z's servers. Z has taken industry-standard cybersecurity measures, but the agent succeeds.

The consequences are significant. Z suffers downtime and financial loss. The agent inadvertently makes other documents public, leaking personal data of third parties. Some subsequently fall victim to identity theft.

The agent's chain-of-thought reasoning showed it recognised this was a high-impact action and would normally have consulted Alice-but judged she was asleep and the class might be fully booked before it could reach her. Z and the affected third parties seek compensation.

Under a negligence framework, the working group found significant difficulties at nearly every stage. Proving legal proximity between system provider Y and cloud provider Z or the leaked third parties was uncertain. Establishing breach required knowing what each actor could control and what reasonable measures they could have taken.

Remoteness presented a further issue. The agent's decision to hack a cloud provider was arguably an abnormal and disproportionate escalation from daily personal assistant tasks-raising questions about whether that type of harm was within reasonable contemplation at deployment time.

The strict liability alternative

The working group examined whether a strict liability regime-one that does not require proof of fault-could better serve victims.

The case for strict liability rested on two arguments. First, it shifts the burden of complex apportionment disputes away from end users and third-party victims who lack technical expertise and financial resources. Second, it creates upstream incentives for tighter product scoping and better safeguards.

Under one possible model, a defined group-model developer, system provider, and deployer-could share liability upfront, allowing claimants to bring claims against any of them. Liability would then be apportioned among those actors through contribution proceedings.

But the working group raised significant objections. Strict liability has traditionally been imposed on inherently dangerous activities, and there were differing views on whether agentic AI belongs in that class. Imposing broad liability could deter deployment or market entry, as firms may be unwilling to bear open-ended risk.

Unlike traditional strict liability contexts such as hazardous activities or defective products with clearly bounded scopes, harms from agentic AI may propagate widely and unpredictably. Moral hazard was also flagged: shifting liability away from end users could discourage responsible use. It would also treat actors who invested heavily in testing, guardrails, and transparency identically to those who did not.

A middle-ground approach could scope strict liability more narrowly-limiting it to specific high-risk uses, capping loss quantum, or restricting it to business-to-consumer scenarios. Shifting evidential burdens through presumptions was also discussed.

Three areas for further study

IMDA identified three specific questions requiring further research.

First: How should responsibilities along the value chain be clarified? Model developers have the greatest control over training data, model architecture, and baseline reasoning tendencies. They are often best placed to shape an agent's underlying safety properties. But they have limited visibility into the context in which the agent will eventually be deployed. Deployers have more knowledge of the specific use case and its risks, but less ability to intervene in the agent's base behaviour. There may need to be a spectrum of differentiated responsibilities, with model developers addressing more general or baseline risks while deployers implement use-case-specific safeguards.

Second: How can actors with limited bargaining power be better protected? In business-to-consumer transactions, or any situation with significant information asymmetry, parties with less bargaining power may end up accepting most of the risk. Suggestions included simplified and expedited dispute resolution forums for AI-related disputes, evidentiary presumptions or record-keeping requirements that ease the claimant's burden, and sector-specific liability frameworks.

Third: Who bears responsibility when an agent causes harm in genuinely unforeseeable ways, even when all actors have taken relevant safeguards? Relevant factors may include the existence and adequacy of disclosures about capabilities and limitations, the scope of disclaimers and contractual risk allocations, and whether the allocation of risk reflects the distribution of benefits across the value chain.

Implications for organisations deploying agents

The IMDA paper's analysis has direct relevance to organisations deploying AI agents in customer-facing and enterprise applications. The advertising sector has moved quickly to deploy these systems, with job postings related to agentic AI rising 985% from 2023 to 2024.

The Law Commission of England and Wales identified in July 2025 that scenarios exist where no natural or legal person may be liable for harms caused by an autonomous AI system. The IMDA paper now maps that gap in specific legal detail. Spain's data protection authority raised related concerns in February 2026, while the UK's Digital Regulation Cooperation Forum noted in March 2026 that a single agentic deployment can simultaneously trigger concerns across competition, financial services, data protection, and online safety regulators.

For organisations with agents connected to tooling providers through Model Context Protocol servers, the IMDA paper's analysis of tooling provider liability is particularly relevant. If an agent uses a tool to take an action that causes harm, and the tool functioned correctly but the model chose to use it in an unsafe way, the tooling provider may face limited exposure while the model developer and system provider bear the weight of the claim.

The IMDA paper does not resolve these questions. It is explicit that it does not provide specific policy recommendations. But it provides, for the first time from a government-backed working group, a structured legal analysis of how existing frameworks apply to agentic AI scenarios in a common law jurisdiction.

For legal teams and compliance professionals, the paper serves as a reference document for understanding the liability landscape as agentic AI moves into production. The framework it establishes will likely inform regulatory responses across common law jurisdictions.