Cybercrime & Digital Law

Artificial Intelligence and Criminal Accountability: Why the Law Still Finds a Human Behind the Machine

Artificial intelligence now drives cars, scores recidivism risk, generates deepfake video, and flags financial transactions for fraud, decisions that once required a human mind behind them. Criminal law's two oldest building blocks, actus reus (the wrongful act) and mens rea (the guilty mind), were built for an actor capable of intent, and an algorithm has no consciousness in which to locate one.

Andreas Matthias named the resulting problem in 2004: the responsibility gap, where no one retains enough control over a learning machine's output to fairly bear criminal responsibility for it. Two decades of scholarship, built around Gabriel Hallevy's direct liability model, have asked whether an AI system could answer for a crime in its own right. Nearly every real case of AI-caused harm resolves criminal accountability onto a human or corporate actor upstream of the machine: no jurisdiction has adopted a direct AI liability model in practice.

The EU AI Act, Regulation (EU) 2024/1689, is often mistaken for the instrument that finally closes this gap. It does not. The EU AI Act regulates artificial intelligence through administrative fines, not criminal offenses, leaving genuine criminal liability for AI to national law and to a dedicated Council of Europe instrument, one now being drafted and targeted for completion by the end of 2025.

From autonomous-vehicle crashes to algorithmic sentencing to deepfake fraud to Italy's emerging colpa artificiale debate, responsibility keeps landing in the same place: on a human or corporate actor, never on the machine itself.

The Responsibility Gap: Why a Learning Machine Breaks Criminal Law's Oldest Assumptions

In a 2004 paper in Ethics and Information Technology, Andreas Matthias described a situation "where the traditional ways of responsibility ascription are not compatible with our sense of justice and the moral framework of society because nobody has enough control over the machine's actions to be able to assume the responsibility for them."

Two decades later, that sentence remains the starting premise for nearly every serious treatment of AI and criminal law, including the Council of Europe's own 2024 discussion paper on the subject.

The gap is not a general automation problem. It is specific to learning systems: machines whose behavior after deployment is shaped by data and experience the original programmer never fully controlled. A calculator that miscalculates traces cleanly to a coding error. A trading algorithm that develops a manipulative pattern from live market data does not. Neither the guilty mind criminal law expects, nor the causal chain negligence analysis assumes, maps onto an actor that has, in a meaningful sense, taught itself part of its own behavior.

Matthias's own proposed remedy is more radical than almost anything discussed since. He argued for curbing the development and spread of the kind of AI that produces this gap in the first place, rather than solving it after the fact.

That position has aged into the more conservative option. Today's regulatory mainstream, the EU AI Act, the Council of Europe's drafting project, Italy's organizational-fault doctrine, manages the gap instead: through disclosure, oversight, and rules about who answers when a system goes wrong.

Hallevy's Three Models: How Criminal Liability Could Attach to an AI System

A self-driving car can kill a pedestrian. A trading algorithm can manipulate a market. A chatbot can defraud a user into transferring funds. Producing the wrongful act, the actus reus, is straightforward for each. Locating the guilty mind, the mens rea, is not: an algorithm has no consciousness in which to hold intent, knowledge, recklessness, or negligence.

Gabriel Hallevy, writing in the University of Akron Intellectual Property & Technology Law Journal, proposed the framework most commonly cited to answer this problem: three models for attaching criminal liability to an AI system.

The first, perpetration-via-another, treats the AI system as an innocent agent, legally comparable to a person who uses a child, an animal, or someone lacking mental capacity to commit a crime. Liability attaches entirely to the human who used the machine, the programmer or operator, not to the machine itself.

The second, natural-probable-consequence, attaches liability to the programmer or user when the AI's harmful act was a foreseeable consequence of its design or deployment, even without specific intent. This covers the more common scenario: a company deploys a system for a legitimate purpose, and a court asks whether the harm was foreseeable.

The third, direct liability, is the most demanding. It would hold the AI system itself criminally liable, requiring proof of both an actus reus, straightforward, since the system produces the output, and a functional equivalent of mens rea: some capacity to plan, know, or intend an outcome. Most existing systems still lack that capacity in any sense a court could recognize.

Can an AI system itself be criminally prosecuted? Not in practice, anywhere, as of this writing. Hallevy's direct liability model remains a theoretical end point virtually no jurisdiction has adopted. The working assumption almost everywhere responsibility for AI-caused harm actually gets assigned is that liability attaches to a human or corporate actor upstream of the machine: the first two models, not the third.

The Black Box Problem: Why Opaque AI Undermines Intent and Causation

Yavar Bathaee, writing in the Harvard Journal of Law & Technology, named a structural problem underneath Hallevy's second model. Modern machine-learning systems, deep neural networks especially, can reach an output through a process not fully interpretable even to the people who built them. That opacity is what lawyers call the black box problem.

Criminal law needs two things to function: a chain of causation a court can trace, and evidence of what a human defendant knew or should have foreseen about a system's likely behavior. An opaque system undermines both. If a developer cannot fully explain why a model produced a given output, a prosecutor faces a genuine evidentiary problem proving that the developer should have foreseen that specific harm.

That evidentiary gap lands directly on the natural-probable-consequence model from the previous section. Foreseeability is the entire test, and foreseeability is exactly what a black box makes hard to prove. The result is not that liability disappears. It is that establishing liability against a human defendant becomes a harder, more technical fight than it was for earlier generations of software, where a bug traced cleanly to a line of code.

The EU AI Act: An Administrative Architecture, Not a Criminal One

Regulation (EU) 2024/1689 entered into force in August 2024. Its enforcement architecture runs almost entirely on administrative fines, not criminal offenses, a deliberate structural choice leaving criminal accountability to national legislators and, prospectively, to a separate instrument under development at the Council of Europe.

Article 5 of the Act bans a specific set of practices outright, effective since 2 February 2025. It prohibits:

Annex III sets out the Act's high-risk category: AI systems used in employment decisions, access to essential services, credit scoring, law enforcement, migration, and the administration of justice. These carry obligations around conformity assessment, registration, risk management, and human oversight. Those obligations become applicable on 2 August 2026, extending to 2 August 2027 for high-risk AI embedded in products already regulated elsewhere, medical devices and machinery among them.

Article 99 sets the penalty tiers, and they are the single most quotable figures in the Act.

Violation Category Maximum Fine
Prohibited practices (Article 5) EUR 35 million, or 7 percent of global annual turnover, whichever is higher
High-risk system non-compliance EUR 15 million, or 3 percent of global annual turnover
Supplying incorrect information to regulators EUR 7.5 million, or 1 percent of global annual turnover

The Act's own text leaves the definition of criminal offenses and penalties to Member States: non-compliance can still trigger civil and criminal liability, but only depending on national law, layered on top of the Act rather than written into it. Conduct AI makes possible, unlawful deepfake dissemination or algorithmic fraud among them, may separately constitute a criminal offense under existing national law, independent of the Act's own administrative machinery. It is the same administrative-versus-criminal split found in the enforcement structure of the General Data Protection Regulation (GDPR), where the regulation's fines sit alongside, rather than replace, whatever criminal exposure national law separately provides.

The Council of Europe's Separate Track: Drafting Genuine Criminal Liability for AI

The Council of Europe is not an EU institution. It is a separate, older international organization, and the distinction matters here because its criminal-law project on AI runs on an entirely different track from the AI Act described above.

The Council of Europe's European Committee on Crime Problems, the CDPC, has been developing a dedicated instrument on AI and criminal liability. A discussion paper dated 13 November 2024, catalogued as CDPC(2024)09, frames the project's central question.

Where AI functions merely as a tool for a crime that already exists, homicide, theft, fraud, current domestic law may be adequate. The harder question the paper poses is whether AI-system involvement should function as an aggravating circumstance attached to an existing offense, or whether liability should expand further up the chain, to the developer, the deployer, or the operator, for harms that do not fit neatly into any current category.

That framing is more conservative than it sounds. Rather than proposing new AI-specific criminal offenses from scratch, the CDPC's own starting position favors treating AI involvement as an aggravating factor on offenses that are already on the books.

A follow-up questionnaire to member states, CDPC(2025)01, dated 11 June 2025, gathered comparative input on these questions, with a legal instrument targeted for completion by the end of 2025. Taken together, the discussion paper and the questionnaire are the clearest evidence that European institutions treat criminal liability for AI as a distinct legislative project, running on its own timeline, not a subset of the AI Act's administrative-fine regime.

Where Responsibility Actually Lands: Autonomous Vehicles and Algorithmic Sentencing

Criminal responsibility for an autonomous-vehicle crash tracks the level of automation involved. At lower levels, where driver-assist systems still have a human behind the wheel, liability typically rests with that operator if they failed to supervise the system or ignored its warnings.

At Level 4 or Level 5, particularly robotaxi services with no human occupant, responsibility shifts substantially toward the manufacturer or software developer. A sensor defect or algorithmic misjudgment moves the analysis closer to product liability than to ordinary vehicular negligence.

Comparative approaches diverge sharply. The United Kingdom moved early, building a dedicated insurance and liability framework under the Automated and Electric Vehicles Act 2018. Germany ties liability to the vehicle's operating mode, manual or autonomous, at the moment of the incident, while the United States relies on a patchwork of state-level laws rather than one federal framework.

The same underlying question, who controlled the decision-making process at the moment of impact, resurfaces in a very different setting: automated judicial risk-scoring.

COMPAS, the Correctional Offender Management Profiling for Alternative Sanctions tool developed by Northpointe, generates a recidivism-risk score from 1 to 10, predicting whether a defendant will reoffend within two years.

ProPublica's 2016 investigation found racial disparities in paired cases, Black and white defendants with comparable records receiving different scores. Northpointe disputed the methodology.

Subsequent academic work found something more troubling than bias alone: COMPAS performed worse than untrained human evaluators, roughly 65.2 percent accuracy against 62.8 percent for individual humans, with pooled crowd judgment reaching 67.0 percent, beating the algorithm outright.

State v. Loomis, 881 N.W.2d 749 (Wis. 2016), is the leading case testing what a defendant can challenge about such a tool. Eric Loomis argued his COMPAS-informed sentence violated due process because he could not examine the proprietary algorithm and because the score allegedly incorporated his gender.

The Wisconsin Supreme Court unanimously upheld the sentence but limited the holding: a COMPAS score cannot be the sole or determinative sentencing factor. The US Supreme Court denied certiorari on 26 June 2017, leaving the constitutional question unresolved.

Were COMPAS-style tools struck down or banned after Loomis? No. The tool remains in lawful use across multiple US jurisdictions; Loomis only limited how a court may weigh it.

A related, broader question, whether automated systems in policing, immigration, and welfare administration produce discriminatory outcomes, is currently addressed mostly through non-discrimination and civil-rights law rather than the criminal code directly. That is a live doctrinal gap, not settled ground.

Deepfakes and AI-Enabled Fraud: Where New Criminal Law Is Actually Being Written

Deepfakes and AI-enabled fraud are the one area covered in this article where legislators are writing genuinely new, AI-specific criminal statutes, rather than stretching categories that already existed.

The US TAKE IT DOWN Act, signed 19 May 2025, is the first major federal response. It makes it a federal crime to knowingly publish, or threaten to publish, non-consensual intimate imagery through an interactive computer service, regardless of whether the image is authentic or AI-generated, with penalties up to two years for adult victims and up to three years where the victim is a minor.

State legislatures moved even faster on election integrity. At least 30 states now have deepfake statutes targeting elections ahead of the 2026 midterms.

Pennsylvania's Act 35, signed 7 July 2025, criminalizes creating or disseminating a deepfake with fraudulent or injurious intent as a first-degree misdemeanor, $1,500 to $10,000 and up to five years, escalating to a third-degree felony, up to $15,000 and up to seven years, when used to defraud, coerce, or steal monetary assets.

Washington's HB 1205 criminalizes the intentional use of a forged digital likeness to defraud, harass, threaten, or intimidate, a gross misdemeanor carrying up to 364 days and a $5,000 fine.

Beneath these new statutes, most deepfake prosecution still runs through offense categories that predate AI: wire fraud where a deepfake defrauds a victim, identity theft where synthetic media impersonates a real person to obtain value. That is the same territory covered in depth by the article on Cybercrime Legislation Across EU Jurisdictions: the statutory categories, unauthorized computer access and computer-related fraud among them, through which AI-enabled offenses actually get prosecuted today.

The scale is now large enough to track as its own category.

Fraud Category Reported Loss Period
Total AI-enabled fraud (FBI Internet Crime Complaint Center) Approximately $893 million 2025, the first year it tracked AI-enabled fraud as its own reporting line
Deepfake-specific fraud Exceeded $410 million First half of 2025
Celebrity and government-impersonation investment scams $1.13 billion, 52 percent of all tracked deepfake fraud losses 2025
Voice-cloning-enabled phishing ("vishing") $12.5 billion in global losses 2024

Is deepfake harm mainly a disinformation problem? The dollar figures say otherwise: the largest quantifiable harm category is financial fraud, not political disinformation.

Italy's "Colpa Artificiale" Debate: Organizational Fault Meets Algorithmic Choice

Italian criminal-law scholarship treats artificial intelligence as straining, though not abandoning, the traditional criteria for criminal responsibility, dolo (intent) and colpa (fault or negligence), whenever an intelligent system causes harm.

Writing in Sistema Penale, Archivio Penale, and Diritto di Difesa, scholars including Cupelli, Lanzi, and Borsari converge on the same conclusion: new forms of complicity and participation are needed to distribute responsibility across the human and corporate actors involved, not an entirely new mental-state category.

The AI-specific piece of that debate is a term now circulating in Italian legal commentary: colpa artificiale, or artificial fault. It describes organizational fault under D.Lgs. 231/2001, formally Decreto Legislativo 8 giugno 2001, n. 231, Italy's corporate and entity criminal-liability decree, as mediated by an AI system's design and deployment choices. An inadequate choice of software, or a decision to fully automate a compliance function without adequate human oversight, becomes itself the basis for entity liability.

That framing carries a real tension, worth stating plainly: reducing organizational fault to which software vendor a company picked risks diluting the subjective-accountability requirement D.Lgs. 231/2001 was built on.

This material comes from secondary legal-commentary sources, Altalex, PenaleDP, and Sistema Penale among them, not primary case law. Read it as emerging scholarly debate, not a settled legal standard. No Italian court has yet ruled on colpa artificiale directly.

Italian commentators draw an explicit comparative parallel to the United Kingdom's Corporate Manslaughter and Corporate Homicide Act, whose failure-to-prevent doctrine mirrors the same logic: an organization answers for harm that adequate internal systems could have prevented.

The general mechanics of D.Lgs. 231/2001, its compliance-model defense, predicate-crime catalogue, and sanction and quota system, sit outside this section's scope and are reserved for this site's dedicated corporate-liability article.

Frequently Asked Questions About AI and Criminal Accountability

Does the EU AI Act create new criminal offenses for misusing AI?

No. Article 99 works through administrative fines from regulators, not prison sentences from courts. Defining actual crimes stays a national-legislature job; the Council of Europe is separately building the criminal-law side of the picture.

Has any court held an AI system directly criminally liable in its own right?

Not so far. Every prosecuted case traces back to a person or organization that built, trained, or deployed the system. Hallevy's direct liability model, where the machine answers for its own crime, remains a scholarly proposal with no real-world adopter.

Is the 2017 European Parliament "electronic personhood" proposal actual EU law or policy?

No. It was a non-binding resolution that never became legislation. Scholars pushed back hard, and the EU's 2020 and 2022 liability work deliberately dropped the personhood framing for conventional liability rules.

Do self-driving car crashes mean no one is criminally liable?

No. Responsibility moves rather than vanishing. As automation level rises, the analysis shifts from driver negligence toward the manufacturer or software developer, following product-liability-style reasoning.

Were COMPAS-style risk-assessment tools struck down or banned after State v. Loomis?

No. The Wisconsin Supreme Court let COMPAS-informed sentencing stand; it only barred courts from treating the score as the deciding factor. Several US jurisdictions still use the tool today.

Not yet. It is a term appearing in Italian legal commentary describing how AI deployment choices can feed into organizational-fault liability under D.Lgs. 231/2001. No court decision has adopted it as settled doctrine.

Why No Jurisdiction Has Given AI Its Own Criminal Liability

On 16 February 2017, the European Parliament passed a resolution, 396 votes in favor, 123 against, 85 abstentions, recommending the European Commission consider electronic personhood, a legal status for sophisticated autonomous robots, paired with a mandatory insurance scheme for manufacturers. The proposal collapsed under sustained scholarly criticism.

First, no existing legal framework accommodates robot personhood cleanly: natural-person status implies rights that make no sense for a machine, while legal-entity status, the kind a corporation holds, still requires human representatives standing behind it.

Second, granting an AI system its own liability status would functionally shield the designers, engineers, and corporations actually responsible for the technology, the opposite of the accountability the proposal claimed to pursue.

What replaced it says as much as what failed. The European Parliament's October 2020 civil liability resolution, followed by the Commission's 2022 AI Liability Directive proposal, deliberately dropped personhood language for conventional strict and fault-based liability regimes. That track is civil liability, compensation and damages, not criminal.

The pattern holds across every domain this article has examined. Autonomous vehicles, algorithmic sentencing, deepfake fraud, and Italy's emerging colpa artificiale debate all arrive at the same practical destination by different doctrinal routes. Common-law and civil-law systems alike locate liability in a human or corporate actor upstream of the machine, never in the machine itself.

This article closes a five-part series on how criminal law is adapting to digital conduct. The other four pieces cover Cybercrime Legislation Across EU Jurisdictions, Data Privacy and Criminal Liability, Digital Evidence Standards in Criminal Proceedings, and social media and criminal defamation. Read together, they trace the same question this article has asked about machines: who answers when a screen, a network, or an algorithm sits between the harmful act and the person or organization behind it.