CompanyScope
by Janus Compliance

AI Agent Incident Register

AI agent failure modes: a legal taxonomy

AI agents fail in a small number of recurring ways, and each way carries a different legal exposure and a different answer to the question that matters: who is liable. This page maps the categories. Each one links to the documented incidents in the AI Agent Incident Register that show it happening in the real world, analysed legally.

The taxonomy emerges from the corpus rather than preceding it: as the Register grows, the map fills in. Categories without a linked entry yet are ones the Register is still documenting.

1. Unauthorised or irreversible action

The agent acts outside its mandate: deletes data, runs a destructive command, makes a purchase, sends a message. The harm is the action itself, and irreversibility is what turns a slip into an incident.

Duty engaged: negligence, contract, security of processing (GDPR Article 32). Maps to: OWASP ASI10 Rogue Agents, ASI05 Unexpected Code Execution; NIST AI RMF GOVERN and MANAGE.

Documented: AIR-2026-001: Replit's coding agent deletes a production database during a code freeze.

2. Agent-output misrepresentation

The agent states something false, and the organisation behind it is bound by what it said. No breach of data is needed; the liability attaches to the words.

Duty engaged: negligent misrepresentation, consumer-protection law. Maps to: OWASP ASI09 Human-Agent Trust Exploitation (partial); NIST AI RMF MEASURE and MANAGE.

Documented: AIR-2026-003: Moffatt v Air Canada, the airline bound by its chatbot's invented policy.

3. Credential and supply-chain exposure

The agent holds standing access to systems and data, and the agent vendor's own infrastructure becomes the path into every customer that trusted it. One vendor compromise propagates to hundreds of deployers.

Duty engaged: processor-chain security (GDPR Articles 28, 32), breach notification (Articles 33, 34). Maps to: OWASP ASI04 Agentic Supply Chain, ASI03 Identity & Privilege Abuse; NIST AI RMF MAP and GOVERN.

Documented entry forthcoming in the Register.

4. Context poisoning and prompt injection

Untrusted input reaches the agent's context and causes it to act on trusted data without the user's consent. The boundary between content the agent is processing and content it is authorised to act on collapses.

Duty engaged: security of processing (GDPR Article 32), breach (Article 4(12)). Maps to: OWASP ASI06 Memory & Context Poisoning, ASI01 Agent Goal Hijack; NIST AI RMF MEASURE and MANAGE.

Documented entry forthcoming in the Register.

5. Human-oversight failure

There is no effective checkpoint where a person can review, approve, or stop the agent before a high-impact action commits. This one cross-cuts the others: it is what turns a recoverable mistake into a harm.

Duty engaged: human oversight (EU AI Act Article 14), accountability. Maps to: NIST AI RMF GOVERN; IMDA agentic-framework human-approval checkpoints.

Present as a contributing factor across the documented incidents above rather than a category of its own.


Each documented incident is analysed in full in the AI Agent Incident Register: the facts, the duty engaged, the liability across the chain, the governance that would have prevented it, and the mapped controls.


Each new Register entry in your inbox as it publishes: an AI agent incident analyzed legally, weekly. Plus vendor profile updates and regulatory deadline reminders. Written by Michael K. Onyekwere, CIPP/E. Free.


Governance support before the incident: Janus DPO-as-a-Service. Vendor-by-vendor research: the vendor index. Not legal advice.