Governing Agentic AI: No Single Legal Framework Exists Yet

The Regulatory Vacuum Around Agentic AI

As AI agents move from research demonstrations to production deployments that make purchasing decisions, negotiate contracts, file documents, and interact with customers on behalf of businesses, a critical legal question has emerged: who or what governs these agents? Mayer Brown, one of the world's largest law firms, has published a comprehensive analysis that reaches a sobering conclusion: no single legal framework governs agentic AI. Instead, enterprises must navigate a fragmented patchwork of existing laws, each of which applies partially and imperfectly to AI agents.

This regulatory ambiguity creates real problems for enterprises deploying AI agents. Legal teams cannot point to a single set of rules that define what their agents can and cannot do. Instead, they must analyze each agent deployment against multiple overlapping legal frameworks, none of which were designed with autonomous AI systems in mind.

Consumer Protection Law and AI Agents

Consumer protection law was designed to govern transactions between businesses and human consumers. When an AI agent interacts with a consumer on behalf of a business, existing consumer protection principles apply but with significant interpretive challenges.

Deceptive Practices and Disclosure

The Federal Trade Commission's prohibition on deceptive practices requires that businesses not mislead consumers. When an AI agent interacts with a consumer, must the business disclose that the consumer is dealing with an AI rather than a human? Mayer Brown's analysis notes that the FTC has not issued definitive guidance, but enforcement trends suggest that failing to disclose AI involvement in customer-facing interactions could be deemed deceptive, particularly when consumers reasonably believe they are communicating with a human.

Several states have enacted or proposed laws requiring AI disclosure. California's Bot Disclosure Law requires bots to identify themselves in certain contexts. The challenge for enterprises is that disclosure requirements vary by jurisdiction and the definition of what constitutes a "bot" versus an "AI agent" remains unsettled.

Unfair Practices and Algorithmic Harm

Consumer protection law's prohibition on unfair practices may apply when AI agents cause harm through algorithmic decisions. If an AI agent denies a consumer a service, charges a higher price, or provides a lower quality of service based on factors that correlate with protected characteristics, consumer protection authorities may take enforcement action even in the absence of AI-specific legislation.

The FTC has signaled through multiple policy statements that it will use its existing authority over unfair and deceptive practices to address AI-related harms. This means enterprises cannot wait for AI-specific consumer protection rules. They must ensure their AI agents comply with existing consumer protection standards as interpreted for AI contexts.

Privacy Regulations and AI Agents

GDPR Implications

The European Union's General Data Protection Regulation imposes requirements on automated decision-making that apply directly to AI agents. Article 22 of the GDPR gives individuals the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects. When an AI agent makes a decision about a data subject, such as approving or denying a loan application, setting an insurance premium, or determining employment eligibility, GDPR requires:

• Human review capability: The data subject must have the right to obtain human intervention in automated decisions
• Explainability: The organization must provide meaningful information about the logic involved in the automated decision
• Right to contest: Data subjects must be able to challenge automated decisions and express their point of view

For enterprises deploying AI agents in the EU, these requirements are not optional. They impose concrete technical and operational obligations on how agents are designed, deployed, and monitored.

CCPA and US State Privacy Laws

The California Consumer Privacy Act and its successor, the CPRA, along with comprehensive privacy laws in Virginia, Colorado, Connecticut, and other states, create a patchwork of obligations for AI agents that process personal information. These laws grant consumers rights to know what data is collected about them, to delete their data, and in some cases to opt out of automated decision-making. AI agents that collect, process, or make decisions based on personal data must be designed to respect these rights across all applicable jurisdictions.

Contract Law for Agent Transactions

When an AI agent enters into a transaction on behalf of a business, fundamental contract law questions arise. Mayer Brown identifies several areas of uncertainty:

Authority and Agency

Under traditional agency law, an agent's authority to bind a principal comes from either express authorization, implied authority, or apparent authority. AI agents present novel questions. Does an AI agent have actual authority granted by its deploying organization? If the AI agent exceeds its intended parameters and makes a commitment the business did not authorize, is the business bound? Can a counterparty reasonably rely on an AI agent's representations?

Mayer Brown notes that courts have not yet addressed these questions comprehensively. The existing precedent on automated systems, such as automated trading systems, provides some guidance but does not fully address the unpredictability and autonomy of modern AI agents.

Contract Formation

For a valid contract to form, there must be offer, acceptance, and consideration. When two AI agents negotiate and agree on terms on behalf of their respective principals, has a valid contract been formed? Mayer Brown's analysis suggests that existing electronic contracting frameworks, including the Uniform Electronic Transactions Act and the Electronic Signatures in Global and National Commerce Act, can accommodate AI agent transactions, but the boundaries have not been tested in court.

Tort Liability for Agent Actions

When an AI agent causes harm, tort law provides potential avenues for liability, but the analysis is complex:

• Product liability: If an AI agent is considered a product, strict liability or negligence theories may apply to the developer, the deployer, or both. The question of whether AI outputs constitute a "product" versus a "service" remains unsettled and varies by jurisdiction
• Negligence: Establishing negligence requires showing that the defendant owed a duty of care, breached that duty, and caused harm. For AI agents, questions include what standard of care applies, whether the duty lies with the developer, the deployer, or the operator, and how foreseeability is assessed for autonomous systems
• Vicarious liability: Under respondeat superior principles, an employer is liable for the acts of its employees within the scope of employment. If an AI agent is analogized to an employee, the deploying organization could face vicarious liability for the agent's autonomous actions

Regulatory Gaps Identified by Mayer Brown

The analysis identifies several critical gaps where no existing legal framework provides adequate guidance:

• Multi-agent interactions: When AI agents from different organizations interact autonomously, the legal framework for allocating responsibility between the parties is undeveloped
• Emergent behavior liability: When an AI agent's harmful action results from emergent behavior that neither the developer nor the deployer anticipated, existing liability frameworks struggle to assign responsibility
• Cross-jurisdictional operations: AI agents that operate across jurisdictions face conflicting requirements and uncertain enforceability of any single jurisdiction's rules
• Temporal accountability: AI agents that learn and change over time create challenges for establishing what the agent "knew" or how it was configured at the time of a specific incident

What Enterprises Must Do Now

Given the absence of a unified framework, Mayer Brown recommends that enterprises take proactive steps to manage legal risk:

• Conduct jurisdiction-by-jurisdiction compliance mapping: Identify which existing laws apply to each AI agent deployment based on the agent's function, the data it processes, the jurisdictions where it operates, and the populations it serves
• Implement comprehensive logging and auditability: Maintain detailed records of agent configurations, decisions, and actions to support legal defense and regulatory compliance
• Define clear authority boundaries: Establish and document the scope of each agent's authority, including monetary limits, decision types, and escalation triggers
• Prepare for regulatory evolution: Build agent architectures that can adapt to new regulatory requirements as AI-specific legislation develops over the next two to three years

Frequently Asked Questions

Is an AI agent legally considered a person, an employee, or a tool?

Under current law, AI agents are not legal persons. They cannot hold rights, enter into contracts in their own name, or bear legal responsibility. They are generally treated as tools or instrumentalities of the organizations that deploy them. However, the autonomous and adaptive nature of modern AI agents challenges this classification, and legal scholars are debating whether new legal categories are needed. For now, the deploying organization bears responsibility for its agents' actions.

What happens if an AI agent makes an unauthorized commitment on behalf of a business?

Under existing agency and contract law, a business may be bound by its AI agent's commitments if a counterparty reasonably believed the agent had authority to make the commitment, a concept known as apparent authority. This creates significant risk for businesses that deploy customer-facing agents without clear limitations on their transactional authority. Best practice is to implement hard guardrails that prevent agents from making commitments beyond defined parameters and to disclose these limitations to counterparties.

How does the EU AI Act address agentic AI specifically?

The EU AI Act categorizes AI systems by risk level and imposes requirements accordingly. Many agentic AI applications fall into the "high-risk" category, particularly those used in employment, credit scoring, law enforcement, and essential services. High-risk systems must meet requirements for transparency, human oversight, robustness, and data governance. However, the AI Act was drafted before the current wave of agentic AI systems and does not specifically address issues like multi-agent coordination or autonomous real-time decision-making at scale.

Should enterprises wait for clearer AI regulations before deploying agents?

Mayer Brown advises against waiting. The competitive costs of delayed adoption are significant, and regulatory clarity is likely years away. Instead, enterprises should deploy agents within a governance framework that complies with existing laws across applicable jurisdictions, implements best practices for transparency and oversight, and builds the architectural flexibility to adapt as regulations evolve. Proactive compliance positions organizations better than reactive scrambling when new rules take effect.