
Key facts.
- Moffatt v. Air Canada (BCCRT, 2024): Air Canada held liable for its chatbot's wrong bereavement fare information. The "separate entity" defense was explicitly rejected. The chatbot's words are the company's words (Moffatt v. Air Canada, BCCRT 2024).
- EU AI Act: AI systems used in critical public infrastructure, education, vocational training, essential private services, employment, healthcare, and essential financial services are classified high-risk. Mandatory human oversight and accountability requirements apply.
- HIPAA (Health Insurance Portability and Accountability Act) requires covered entities to maintain controls over the accuracy of protected health information shared with patients - including via AI agent interactions that involve patient health information.
- Legal professional conduct rules in most jurisdictions hold the supervising attorney responsible for AI-generated legal advice delivered to clients, including via automated systems operating under the attorney's brand.
- Verification requirements in regulated contexts differ from general agent verification in a critical dimension: they must produce an auditable record of what was verified, by whom or by what system, and when - not just whether the output was correct.
What Moffatt v. Air Canada actually established
The Air Canada case is widely misread as a chatbot technology failure. it's actually a verification failure. The AI chatbot provided incorrect bereavement fare policy information to a customer who then acted on it. The company's defense - that its website's official policy page contained the correct information, making the chatbot's statement non-binding - was rejected. The tribunal found reasonable reliance. Customer acted on what the chatbot said. Company didn't honor it. Harm resulted.
A verification layer checking policy outputs against the authoritative database before delivery would have caught the error. The hallucinated policy statement never reaches the customer. Liability doesn't come from the hallucination, it comes from delivering it unverified to someone who acts on it.
Verification requirements by regulated domain
Each regulated domain has a distinct verification requirement profile. Healthcare: agent outputs that involve medication information, diagnostic support, or clinical guidance require validation against clinical knowledge bases and, for high-risk outputs, human clinician review before delivery. Legal: agent outputs that constitute legal advice require attorney review before delivery to the client, or must be clearly scoped as general information rather than specific legal guidance. Financial: agent outputs involving product suitability recommendations require suitability verification against the customer's known risk profile and product eligibility rules before delivery. Customer service in any regulated industry: agent outputs that involve policy commitments require verification against the current authoritative policy document before delivery, to prevent exactly the failure mode in Moffatt v. Air Canada.

Verification requirements by regulated context
| Domain | Verification requirement | Audit requirement | Key regulation |
|---|---|---|---|
| Healthcare admin | Clinical knowledge base check; human review for high-risk | Interaction log + reviewer ID | HIPAA, state medical board rules |
| Legal support | Attorney review or explicit scope limitation | Review record + scope disclosure | Bar conduct rules, jurisdiction specific |
| Financial services | Suitability rule engine; compliance review | Full interaction + suitability check record | Reg BI, MiFID II, FINRA rules |
| Customer service (regulated) | Policy database cross-check before delivery | Interaction log + policy version verified | Consumer protection law, Moffatt precedent |
Moffatt v. Air Canada made the chatbot's words the company's; a newer model says it as confidently, so unverified output is a late liability. (Moffatt)
VibeModel's Pattern Intelligence Layer identifies which agent outputs in your regulated deployment carry the highest verification risk based on the pattern of outputs that have historically produced policy mismatches, suitability gaps, or accuracy failures. For each output type, it surfaces the specific verification check that the audit record will need to show was performed. That converts compliance from "we checked something" to "we checked these specific claims against these authoritative sources at this timestamp."
Frequently asked questions
Does Moffatt v. Air Canada apply only in British Columbia?
The specific ruling is from a British Columbia tribunal. But the liability principle it articulates - that companies are responsible for representations made by their AI agents - is consistent with consumer protection law principles in most common law jurisdictions. US state consumer protection statutes, UK consumer rights law, and EU consumer protection law all support similar conclusions by different legal pathways.
Is a disclaimer sufficient to avoid liability for AI agent outputs in regulated domains?
Not in the way most companies write disclaimers. A disclaimer that says "this AI may be incorrect" doesn't override a specific incorrect statement that the customer reasonably relied on, as Moffatt v. Air Canada illustrated. Disclaimers reduce risk for general information. For specific policy, clinical, legal, or financial statements, verification before delivery is the only reliable risk reduction measure.
How do we verify against "current" policy when policy changes frequently?
Policy verification must reference the current version of the policy document, not a snapshot. The verification system needs a live connection to the authoritative policy source - not a training-time copy - and must record the policy version and timestamp that was checked. If the policy changes after an interaction, the audit record shows what was authoritative at the time of the interaction.

