AIR-2026-005 · AI Agent Incident Register
Ayinde v Haringey: the UK High Court on lawyers who filed AI-fabricated case law
Incident: 2025-06-06 · Parties: R (Ayinde) v Haringey LBC; Al-Haroun v Qatar National Bank. [2025] EWHC 1383 (Admin), Divisional Court
Liability locus: Deployer-carried. the organisation that deployed the agent answers for its output.
Legal analysis by Michael K. Onyekwere, CIPP/E · Janus Compliance · Published 2026-07-04 · Last reviewed 2026-07-06. Analysis of public facts. Not legal advice.
What happened
On 6 June 2025 the Divisional Court (Dame Victoria Sharp, President of the King's Bench Division, sitting with Mr Justice Johnson) handed down a single judgment in two unrelated cases joined because they raised the same problem: lawyers had placed fabricated legal authorities, generated by AI, before the court. The court acted under its Hamid jurisdiction, the inherent power to regulate proceedings and enforce lawyers' duties to the court.
In Ayinde, a judicial review against the London Borough of Haringey, the claimant's grounds cited five authorities that did not exist. When the court asked for copies, they could not be produced. The court referred the barrister, whom it described as extremely junior, to the Bar Standards Board, and the supervising solicitor to the Solicitors Regulation Authority; it found no fault on the part of a paralegal involved.
In Al-Haroun, a claim against Qatar National Bank, a witness statement relied on forty-five citations, eighteen of them entirely fictitious and most of the rest misquoted or irrelevant. The source was striking: the client had run his own legal research through publicly available generative-AI tools and passed the results to his solicitor, who incorporated them without independent verification. The court referred the solicitor and his firm to the SRA. It treated the lay client as someone let down by unreliable tools and poor advice, not as the party at fault.
The court considered whether the conduct crossed the threshold for contempt and decided, on these facts, to refer the lawyers to their regulators rather than initiate contempt proceedings, citing matters such as the barrister's seniority, unresolved questions about her supervision and pupillage sign-off, and the fact that she had already been criticised in a public judgment and referred to her regulator.
The duty engaged
This is professional-conduct law, not data protection, and that is what makes it useful: it isolates the bare principle of accountability for an agent's output.
The duty to the court. A lawyer owes the court a duty of candour and accuracy. Citing authority that does not exist breaches it whether the fabrication was deliberate or the product of an unchecked tool. The court's position is that the source of the error does not dissolve the duty: the professional who puts material before the court warrants that they have a proper basis for it.
The verification duty, made explicit. The court stated the standard for the AI era in terms. Freely available generative-AI tools "are not capable of conducting reliable legal research" (at [6]). Those who use them anyway "have a professional duty therefore to check the accuracy of such research by reference to authoritative sources, before using it in the course of their professional work" (at [7]). The judgment names those sources: the Government's legislation database, the National Archives' database of judgments, the official Law Reports, and reputable legal publishers' databases. That converts a general professional obligation into a concrete operating rule for any lawyer using these tools.
The regulatory layer. Conduct of this kind engages the SRA Standards and Regulations for solicitors and the BSB Handbook for barristers. Referral to the regulator, rather than contempt, was the court's chosen route here, but the judgment is explicit that the threshold for more serious consequences can be met.
For readers outside the UK, the principle travels: every jurisdiction with a duty of candour to the court now has, or will soon have, its own version of this ruling. The US sanctions decisions (the fabricated-citation cases that produced fines) reach the same place by a different procedural road.
The liability chain
The case is a clean study in where accountability lands when an AI tool produces the work.
The AI tool cannot be the responsible party. It has no duty to the court. The entire weight of the obligation sits on the human who relied on it. This is the same allocation as Moffatt v Air Canada (AIR-2026-003): the company could not hand its liability to its chatbot, and a lawyer cannot hand professional responsibility to a model. The agent's output is the principal's responsibility.
The professional who filed it carries it. In Ayinde the barrister who signed the grounds and the solicitor who supervised were the accountable parties, referred to their respective regulators. Seniority and supervision affected the consequence (referral rather than contempt) but not the locus of responsibility.
Al-Haroun shows the inversion that should never happen. There, the solicitor relied on the client's AI-generated research rather than conducting and verifying his own. The court found it extraordinary that the lawyer was depending on the client for the accuracy of the law. That is the supervision failure stated at its sharpest: the professional outsourced the one thing that was irreducibly his to a layperson with a chatbot.
The practical lesson for any firm or in-house team: an AI tool in the workflow does not redistribute professional liability, it concentrates the verification duty on whoever signs. Procurement and policy should be written from that fact.
What would have prevented it
- A non-negotiable verification step. Every citation or proposition sourced from or assisted by AI is checked against the primary source before filing. The court has now made this an express professional expectation, not a nice-to-have.
- Supervision that matches the tool. A junior practitioner using generative AI needs a supervisor who knows the tool is being used and checks the output. The Ayinde supervisory questions are the warning.
- A firm AI-use policy with a sign-off gate. Who may use which tools, for what, and who verifies before anything leaves the building. The absence of one is what turns an individual slip into an institutional referral.
- Never invert the verification chain. Client-supplied or AI-supplied research is an input to be checked, never a substitute for the professional's own verified work.
Mapped controls
- OWASP Top 10 for Agentic Applications 2026: ASI09 Human-Agent Trust Exploitation, mapped as a partial fit: the failure is over-reliance on confident, plausible, incorrect AI output (the LLM09:2025 Misinformation lineage), in a non-adversarial setting. No squarely-fitting agentic category exists for professional over-reliance on a generative tool; flagged as partial.
- NIST AI RMF: primarily a MEASURE failure (no verification of the AI output against ground truth before reliance) and a MANAGE failure (no firm-level policy or supervisory checkpoint governing AI use). GOVERN is implicated at the firm that lacked an AI-use policy.
- Singapore IMDA Model AI Governance Framework for Agentic AI (v1.5, May 2026): the dimension it names "Make humans meaningfully accountable" — clear allocation of responsibility for the agent's output, with meaningful oversight and real approval checkpoints — is exactly the control whose absence produced the referrals.
- The general rule the case stands for: professional accountability for AI output is non-delegable. Together with Moffatt, this is the register's spine on agent-output liability: the organisation, and the professional, answer for what the tool produced.
Sources
- R (Ayinde) v London Borough of Haringey; Al-Haroun v Qatar National Bank [2025] EWHC 1383 (Admin), Divisional Court, 6 June 2025 — full judgment verified against the National Archives caselaw text at caselaw.nationalarchives.gov.uk/ewhc/admin/2025/1383 (also on judiciary.uk and BAILII) — [primary]
- Carruthers Law, "Solicitors' Negligence & AI: Ayinde v Haringey & Al-Haroun v QNB — Judgment Analysis" — checked June 2026
- Burges Salmon, "Professional conduct and AI — Ayinde v Haringey" — checked June 2026
- Mountford Chambers, "Prompting Misconduct: When Lawyers Misuse AI" — checked June 2026
Corrections
- 6 July 2026: the IMDA mapping above previously described the framework's "human-oversight and accountability dimensions". The framework (v1.5, May 2026) names four dimensions; the one engaged here is "Make humans meaningfully accountable". Wording corrected against the primary; the substance of the mapping is unchanged.
Cite this entry as AIR-2026-005 (https://companyscope.io/register/air-2026-005). Entry IDs are stable; corrections publish as dated addenda on this page.
Talk to Michael about your agent deployment — or your AI vendor governance more broadly
CompanyScope's public profiles cover the general picture. Michael runs Janus DPO-as-a-Service for businesses that need ongoing AI vendor governance, and writes one-off CIPP/E-reviewed Vendor Risk Notes for specific procurement decisions. Tell him what you're actually trying to clear.
Your context goes only to Michael. We don't share with the vendor or anyone else. Privacy notice.
Subscribe to the AI Agent Incident Register
Every new Register entry delivered with the legal analysis: the incident, the duty engaged, who is liable across the chain, and what governance would have prevented it. Written by Michael K. Onyekwere, CIPP/E. Free.
Subscribe — freeDelivered via Compliance Engineering on Substack, which handles your subscription and consent. Unsubscribe any time. Privacy notice.
This analysis is the work Janus Compliance does for clients before the incident. For a fixed-scope read of your own EU AI Act Article 50 exposure, see the Article 50 teardown; for ongoing agent governance, Janus DPO-as-a-Service. Browse the full register or the vendor compliance index.