An automated email quotes the wrong price. A chatbot tells a customer she can cancel within 60 days; the actual window in your terms is 14. A generated invoice applies the wrong VAT rate and goes out unchecked.
Each of these scenarios is already being documented by UK business lawyers. The question they raise is the same every time: who is legally responsible for what the AI said?
The answer, under UK law, is your business.
What does “legal exposure from incorrect AI answers” actually mean?
Under UK law, an AI system has no legal standing. It cannot be sued or enter contracts. Your business can, which means what an AI generates under your name is treated as your output. A mispriced chatbot quote is your quote. An incorrect refund policy in an automated email is your communication. Technology vendors almost always contractually shift responsibility back to you.
UK legal commentary puts it plainly: when an AI tool “sends false information, makes an unrealistic promise, or miscalculates an invoice, your business could be liable, not the technology provider.” That framing comes from Butcher and Barlow LLP, a UK law firm that has published guidance on business liability for AI mistakes.
The Digital Markets, Competition and Consumers Act 2024 updated the consumer protection framework from April 2025. Misleading AI-generated messages aimed at consumers can now be treated as unfair commercial practices, placing them in the same legal category as deceptive pricing or misleading advertising. Misrepresentation, breach of contract, and consumer protection complaints can all follow from AI outputs that affect whether a customer buys, cancels, or claims a right they were incorrectly told they had.
Why is the error rate higher than many businesses assume?
A 2025 BBC and European Broadcasting Union study tested four major AI tools (ChatGPT, Microsoft Copilot, Gemini, and Perplexity) on current affairs and regulatory questions. Roughly 45% of responses contained errors, including incorrect statements about laws directly in force. Separately, research from accounting software firm Dext, reported in City A.M., found half of UK accountants said clients had lost money from incorrect AI-generated advice.
The same Dext research found 31% of accountants were encountering AI-caused client mistakes on a weekly basis. And 43% expected more inappropriate or fraudulent claims to be justified by AI outputs over coming years.
These figures do not describe specialist deployments. They cover ordinary tools used in day-to-day business. General-purpose language models are confident by design. When asked about a refund right or a regulatory threshold they do not hold reliably in their training data, they generate a plausible-sounding answer rather than a disclaimer.
The Law Society Gazette has reported UK judges being warned about lawyers submitting fake case citations generated by AI. If that risk has reached the courtroom, it has already reached the back office.
Where will you actually encounter this risk?
The risk is not limited to customer-facing chatbots. It appears across customer communications, financial and tax work, personal data handling, automated decisions about individuals, and, if your firm operates under FCA oversight, regulated financial promotions. The DMCC Act 2024, in force from April 2025, means misleading AI-generated consumer messages can be treated as unfair commercial practices under the updated UK consumer protection regime.
Customer communications. If an AI tool misstates your refund terms, overstates service capabilities, or misrepresents pricing, those messages can trigger misrepresentation claims or breach of contract. The customer’s reliance on the statement, not how it was generated, is what matters in law.
Financial and tax work. Half of UK accountants report clients suffering financial losses from incorrect AI-generated advice. HMRC is expanding its compliance capacity, with around 5,000 additional officers planned by 2029/30. Errors in VAT treatment, relief claims, or filings driven by inaccurate AI outputs carry growing risk of penalties as that capacity comes online.
Personal data and automated decisions. The ICO applies UK GDPR and the Data Protection Act 2018 to all personal data processed by AI tools. Pasting client information into a public AI tool is data processing, and it needs a lawful basis, a privacy notice, and appropriate security controls. The ICO has also stated that token human sign-off on an AI recommendation is not sufficient for compliance with the Article 22 rules on automated decisions; a human must genuinely weigh and interpret the output.
Equality Act exposure. The Equality and Human Rights Commission has confirmed that AI used in recruitment or service access falls within its remit under the Equality Act 2010. If an AI screening tool produces unjustified impacts on people with protected characteristics, due to biased training data or flawed design, the business deploying it carries the liability.
When does the risk stay manageable?
The risk is not uniform across all uses. Purely internal work where AI outputs are heavily edited before anyone acts on them creates minimal regulatory exposure. Generic website content with no factual claims about rights, prices, or service performance carries lower consumer law risk. Minor stylistic errors or slightly clumsy wording rarely create legal liability unless they mislead a customer and cause loss.
Tightly scoped, domain-specific AI tools also carry meaningfully less risk than general-purpose chatbots. A system built to search your own verified document library, with human review of every output, has a different risk profile from a public language model answering customer queries with no guardrails.
UK legal guidance on AI liability draws a practical line: the relevant question is whether the AI output affected a commercial decision, a financial position, or personal data. If none of those three applies, the error is a service quality issue, not a legal one. That framing is a useful guide to where to focus oversight.
What does a proportionate response look like?
You do not need a legal team or a compliance officer to reduce this risk meaningfully. The core move is to treat AI as a drafting tool, not a decision-maker. Any output that touches customer rights, financial figures, personal data, or regulated advice should pass through a human review before it reaches a client. That one discipline directly reduces your exposure from the start.
Beyond that, four areas deserve attention.
Define your no-go zones. Legal rights and remedies, tax and accounting figures, regulated financial advice, and eligibility decisions are all areas where unsupervised AI output creates disproportionate risk. Write this as a short policy, not an assumption. Relevant staff should know which categories require sign-off before anything reaches a client.
Check your data protection position. If AI tools are processing personal data, your privacy notice should reflect that. Staff should know which tools are approved for which tasks. For any AI that profiles individuals or makes decisions about them automatically, a Data Protection Impact Assessment is likely required under ICO guidance.
Review vendor contracts. SaaS agreements commonly cap or exclude the vendor’s liability for incorrect outputs. Check what warranties exist for accuracy, what security standards the vendor commits to, and which party holds the data processing role under UK GDPR.
Add AI to your risk register. The ICO, FCA, CMA, and NCSC are all signalling that existing regulatory frameworks apply to AI. If your firm has a risk register, AI tools should be on it, with a brief note of which tools are approved, what they are used for, and what oversight applies.
None of this requires specialist legal advice to start. It requires the same discipline you would apply to any business system that goes out under your name.



