Answer-First Lead
The UK Competition and Markets Authority has published guidance that makes businesses deploying AI agents legally responsible for everything those agents do — hallucinations, misleading claims, bad contract terms, miscalculated refunds, the lot. Fines reach up to 10% of worldwide turnover. The model maker isn’t liable. You are. The “it was the AI” defence is officially dead in the UK.
🔍 THE BOTTOM LINE
If your AI agent screws up, you pay — not OpenAI, not Anthropic, not whoever built the model. The UK just made that crystal clear, and every country watching will likely follow.
What the CMA Actually Said
Published on 9 March 2026, the CMA’s guidance on Complying with Consumer Law When Using AI Agents establishes one principle above all others: deploying an AI agent instead of a human does not reduce your legal obligations. The same consumer protection laws apply — the Consumer Rights Act 2015, the Consumer Contracts Regulations 2013, and the Digital Markets, Competition and Consumers Act 2024.
The guidance is built on four pillars:
- Transparency — Customers must know when they’re interacting with AI, not a human
- Compliance by design — AI agents must be grounded in consumer protection law at the inference layer, with guardrails and compliance rule sets baked in
- Human oversight — Deploying an AI agent is not “set it and forget it.” Ongoing monitoring is mandatory
- Swift remediation — AI agents can interact with tens of thousands of customers rapidly; when something goes wrong, the speed of harm demands speed of response
What is the CMA’s agentic AI guidance? It’s a regulatory framework published by the UK’s Competition and Markets Authority that establishes how existing consumer protection laws apply to businesses deploying AI agents. The guidance makes clear that businesses — not AI model makers — bear legal responsibility for their agents’ actions, with fines up to 10% of worldwide turnover for non-compliance.
Why This Matters
This isn’t a theoretical exercise. Companies are already deploying AI agents to handle customer queries, process refunds, recommend products, and negotiate contracts. The CMA guidance directly addresses what happens when those agents go off-script:
- An AI agent misrepresents a discount → that’s a misleading action under consumer law
- An AI agent fails to disclose mandatory fees until late in checkout → banned practice territory
- An AI agent creates false urgency (“only 2 left!”) → potentially a misleading action
- An AI agent miscalculates a returns deadline → consumer rights violation
- An AI agent negotiates a contract with unfair terms → the business is on the hook
Here’s the sting: the CMA explicitly states it’s the business deploying the agent that’s liable — not the company that designed or trained the model. So if your AI agent powered by [insert frontier model company here] hallucinates a refund policy that doesn’t exist, that’s your fine, not theirs.
🔍 Fines: Not Slap-on-the-Wrist Territory
The maximum penalty is 10% of worldwide turnover. For a large retailer, that’s real money. The CMA isn’t messing around — the Digital Markets, Competition and Consumers Act 2024 gave it teeth, and this guidance shows it intends to use them.
The “It Was the AI” Defence Is Over
This is the part that should make every CTO sit up. The CMA’s position effectively kills the “technical failure” defence. You can’t say “the AI made a mistake” any more than you can say “the employee made a mistake” — you’re still responsible for what your employee does, and now your AI agent is held to the same standard.
As law firm Cooley noted in their analysis: the guidance equates a business’s responsibility for AI agents with its responsibility for employees. The AI is your agent in both the technical and legal sense.
How This Connects Globally
The UK isn’t the first to tackle agentic AI governance — Singapore published its agentic AI governance framework earlier in 2026, and China has been developing its own human-in-the-loop requirements. But the CMA guidance is the first to explicitly map existing consumer protection liability onto AI agents with concrete enforcement consequences.
The EU’s AI Act takes a risk-classification approach. The US has… well, mostly vibes and executive orders so far. The UK’s approach is pragmatic: we already have consumer protection laws, and they already apply — here’s how to comply when your “employee” is a language model.
What This Means for NZ
New Zealand’s Consumer Guarantees Act and Fair Trading Act already prohibit misleading conduct and unfair contract terms. The Commerce Commission enforces these. If a NZ company’s AI agent misleads a customer, the legal framework to hold them accountable arguably already exists — it just hasn’t been tested with AI agents yet.
The UK guidance gives NZ a template. When the Commerce Commission faces its first AI agent complaint — and it will — the CMA’s four-pillar framework (transparency, compliance by design, oversight, swift remediation) is a ready-made approach. NZ businesses deploying AI agents should treat this guidance as a preview of what’s coming locally.
Practical Steps for Businesses
If you’re deploying AI agents in any consumer-facing capacity:
- Ground your agent in consumer law — fine-tune or add guardrails at the inference layer that enforce compliance with consumer protection rules
- Don’t trust the model maker’s compliance claims — the CMA guidance is clear that using a third-party AI tool doesn’t transfer liability
- Monitor relentlessly — set up dashboards, A/B test agent interactions, review logs
- Disclose AI interaction — customers must know they’re talking to a bot
- Have a kill switch — if the agent goes rogue, you need to be able to stop it fast
❓ Frequently Asked Questions
Q: What does this mean for NZ? NZ’s Fair Trading Act and Consumer Guarantees Act already cover misleading conduct. The UK guidance is a preview — when NZ’s Commerce Commission gets its first AI agent complaint, expect a similar framework. NZ businesses should prepare now.
Q: Who is liable — the business or the AI company? The business deploying the AI agent is liable. The CMA is explicit: the model maker is not responsible. If you deploy an AI agent and it misleads a customer, you pay the fine.
Q: What should I do if I’m already using AI agents? Audit your agents against the four pillars: transparency, compliance by design, human oversight, and swift remediation. If you can’t demonstrate all four, you’re exposed.
🔍 THE BOTTOM LINE
The UK just established the most consequential legal precedent for AI agents so far: businesses own their agents’ actions, full stop. With fines up to 10% of global turnover and the “it was the AI” defence officially dead, this guidance will reshape how every company thinks about deploying agentic AI. Expect every regulator watching to follow suit.
