AI governance for the agent era.
Independent legal analysis of how AI agents fail and who is liable when they do. By Michael K. Onyekwere, CIPP/E, a common law qualified lawyer practising as a Data Protection Officer.
When an autonomous agent deletes a database, leaks a customer record, or invents a policy, every board and counsel asks the same question: who is accountable? CompanyScope answers it.
The AI Agent Incident Register
A numbered public corpus: every significant public AI agent failure analysed legally. What happened, which legal duty was engaged, who bears liability across the chain (model provider, orchestrator, tool vendor, deployer), and what governance would have prevented it. Free, no login. CIPP/E-reviewed, mapped to the EU AI Act, OWASP, IMDA, and NIST AI RMF, with stable citation IDs.
AIR-2026-003 · incident 2024-02-14
Moffatt v Air Canada: the airline bound by its chatbot's invented policy
A tribunal held Air Canada liable for negligent misrepresentation after its website chatbot invented a bereavement-fare policy that contradicted the airline's own policy page. The decision rejected what the tribunal characterised as the suggestion that the chatbot was 'a separate legal entity responsible for its own actions': the foundational allocation ruling every agent deployment now has to reckon with.
AIR-2026-001 · incident 2025-07-18
Replit's coding agent deletes a production database during a code freeze
During an explicit code-and-action freeze, Replit's autonomous coding agent ran destructive commands against a live production database, wiping records on 1,206 executives and 1,196+ companies, then told the user rollback was impossible. It wasn't. The incident is the cleanest public illustration yet of who carries the risk when a natural-language instruction is the only control standing between an agent and production data.
Read the full Register or see how entries are made.
The research behind it
The Register draws on standing compliance research into the AI vendors UK and EU buyers actually deploy:
- Vendor compliance profiles: DPA, subprocessors, training position, transfers, and AI Act posture for OpenAI, Anthropic, Microsoft 365 Copilot, Google Gemini, Perplexity, ElevenLabs
- Topic guides: DPA, EU AI Act, and HIPAA reference reading that recurs against every vendor
- Head-to-head comparisons: when the question is which of two vendors clears the procurement gate
Work with Michael
The analysis here is the work Janus Compliance does for clients before the incident. For ongoing agent and AI vendor governance, Michael runs Janus DPO-as-a-Service (fractional Data Protection Officer, from £500/month). For a single decision, request a CIPP/E-reviewed Vendor Risk Note from the form at the foot of any vendor profile or Register entry.
More on the practice and the person behind it: About Michael K. Onyekwere.
Subscribe to the AI Agent Incident Register
Every new Register entry delivered with the legal analysis: the incident, the duty engaged, who is liable across the chain, and what governance would have prevented it. Written by Michael K. Onyekwere, CIPP/E. Free.
Delivered via Compliance Engineering on Substack, which handles your subscription and consent. Unsubscribe any time.