
AI agents: What boards need to know about the legal risks

AI agents are now being deployed across a growing number of Australian organisations. These systems, which are characterised by their ability to autonomously pursue goals and interact with real-world systems, will require a rethink of existing approaches to AI governance. In research commissioned by the Governance Institute of Australia, Mallesons has examined the legal risks of agentic AI and what it means for AI governance.

AI agents raise new legal risks

AI agents raise several legal risks beyond those of standard generative AI. For example, their additional autonomy increases the risk of entering into unintended transactions or contractual commitments. While agents have the potential to automate business workflows, they may not always be aware of the legal and regulatory requirements applying to those workflows. Agents are also often given access to proprietary data and internal IT systems, increasing the risk of data breaches that could have significant consequences under privacy laws, cybersecurity laws and confidentiality obligations. These and many other legal issues (including issues arising under competition law, consumer law and the law of negligence, plus sector-specific regulation) will need to be carefully considered in rolling out AI agents.

Liability for agents

Unlike employees or agents in the legal sense, AI agents are not distinct legal entities from their users. Australian law is likely to treat an organisation’s AI agents as part of its IT systems. This means organisations may struggle to distance themselves from the actions of their agents in the same way as they might from a rogue employee acting outside the scope of their authority. Courts and regulators are likely to be unsympathetic towards organisations trying to avoid liability for acts or omissions of their AI agents.

Directors and other officers may also face personal liability for their management of these risks, including under their duty in the Corporations Act to act with reasonable care and diligence. ASIC has indicated that, in its view, this duty requires officers to be aware of AI use within their companies and the associated risks, and has identified artificial intelligence as a focus area in its 2025-29 plan.

What this means for governance

AI governance for earlier generative AI systems has been able to rely on the assumption that systems would generate outputs for humans to review and would have limited ability to act directly in the real world. Agentic AI challenges this. The volume and speed of agents’ interactions make it impractical for a human to review each decision. Changes to an agent’s environment and data inputs can dramatically impact its behaviour.

As a result, organisations deploying these systems may need to rethink their approach to managing AI and take a broader look at the environment in which agents operate. While there is yet to be consensus on best practice for governance of AI agents, more guidance is emerging from governments and institutions both in Australia and internationally, which organisations should be engaging with as they deploy these agents.

For more details on these legal risks, recommended governance measures and questions boards should be asking, see the Governance Institute White Paper on AI Agents, due to be released on 18 May 2026.
