The court found the airline liable for what its chatbot said. Verification would have changed the outcome

Moffatt v. Air Canada is now the reference case for AI agent liability. The pattern it established reaches well beyond airlines.

B

Balagei G Nagarajan

4 MIN READ


AI agent liability and verification in regulated domains
Liability doesn't come from the hallucination, it comes from delivering it unverified to someone who acts on it.
— from “The court found the airline liable for what its chatbot said. Verification would have changed the outcome”

Key facts.

  • Moffatt v. Air Canada (BCCRT, 2024): Air Canada held liable for its chatbot's wrong bereavement fare information. The "separate entity" defense was explicitly rejected. The chatbot's words are the company's words (Moffatt v. Air Canada, BCCRT 2024).
  • EU AI Act: AI systems used in critical public infrastructure, education, vocational training, essential private services, employment, healthcare, and essential financial services are classified high-risk. Mandatory human oversight and accountability requirements apply.
  • HIPAA (Health Insurance Portability and Accountability Act) requires covered entities to maintain controls over the accuracy of protected health information shared with patients - including via AI agent interactions that involve patient health information.
  • Legal professional conduct rules in most jurisdictions hold the supervising attorney responsible for AI-generated legal advice delivered to clients, including via automated systems operating under the attorney's brand.
  • Verification requirements in regulated contexts differ from general agent verification in a critical dimension: they must produce an auditable record of what was verified, by whom or by what system, and when - not just whether the output was correct.

What Moffatt v. Air Canada actually established

The Air Canada case is widely misread as a chatbot technology failure. it's actually a verification failure. The AI chatbot provided incorrect bereavement fare policy information to a customer who then acted on it. The company's defense - that its website's official policy page contained the correct information, making the chatbot's statement non-binding - was rejected. The tribunal found reasonable reliance. Customer acted on what the chatbot said. Company didn't honor it. Harm resulted.

A verification layer checking policy outputs against the authoritative database before delivery would have caught the error. The hallucinated policy statement never reaches the customer. Liability doesn't come from the hallucination, it comes from delivering it unverified to someone who acts on it.

Verification requirements by regulated domain

Each regulated domain has a distinct verification requirement profile. Healthcare: agent outputs that involve medication information, diagnostic support, or clinical guidance require validation against clinical knowledge bases and, for high-risk outputs, human clinician review before delivery. Legal: agent outputs that constitute legal advice require attorney review before delivery to the client, or must be clearly scoped as general information rather than specific legal guidance. Financial: agent outputs involving product suitability recommendations require suitability verification against the customer's known risk profile and product eligibility rules before delivery. Customer service in any regulated industry: agent outputs that involve policy commitments require verification against the current authoritative policy document before delivery, to prevent exactly the failure mode in Moffatt v. Air Canada.

Decision flowchart for verification requirements by regulated domain

Verification requirements by regulated context

DomainVerification requirementAudit requirementKey regulation
Healthcare adminClinical knowledge base check; human review for high-riskInteraction log + reviewer IDHIPAA, state medical board rules
Legal supportAttorney review or explicit scope limitationReview record + scope disclosureBar conduct rules, jurisdiction specific
Financial servicesSuitability rule engine; compliance reviewFull interaction + suitability check recordReg BI, MiFID II, FINRA rules
Customer service (regulated)Policy database cross-check before deliveryInteraction log + policy version verifiedConsumer protection law, Moffatt precedent

Moffatt v. Air Canada made the chatbot's words the company's; a newer model says it as confidently, so unverified output is a late liability. (Moffatt)

VibeModel's Pattern Intelligence Layer identifies which agent outputs in your regulated deployment carry the highest verification risk based on the pattern of outputs that have historically produced policy mismatches, suitability gaps, or accuracy failures. For each output type, it surfaces the specific verification check that the audit record will need to show was performed. That converts compliance from "we checked something" to "we checked these specific claims against these authoritative sources at this timestamp."

Frequently asked questions

Does Moffatt v. Air Canada apply only in British Columbia?
The specific ruling is from a British Columbia tribunal. But the liability principle it articulates - that companies are responsible for representations made by their AI agents - is consistent with consumer protection law principles in most common law jurisdictions. US state consumer protection statutes, UK consumer rights law, and EU consumer protection law all support similar conclusions by different legal pathways.

Is a disclaimer sufficient to avoid liability for AI agent outputs in regulated domains?
Not in the way most companies write disclaimers. A disclaimer that says "this AI may be incorrect" doesn't override a specific incorrect statement that the customer reasonably relied on, as Moffatt v. Air Canada illustrated. Disclaimers reduce risk for general information. For specific policy, clinical, legal, or financial statements, verification before delivery is the only reliable risk reduction measure.

How do we verify against "current" policy when policy changes frequently?
Policy verification must reference the current version of the policy document, not a snapshot. The verification system needs a live connection to the authoritative policy source - not a training-time copy - and must record the policy version and timestamp that was checked. If the policy changes after an interaction, the audit record shows what was authoritative at the time of the interaction.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.