When AI Becomes Evidence, Who Is Culpable?

Read Time: 16 minutes

AI Evidence, Platform Duties, and the New Liability Layer

An Anant AI Governance Brief

By Lili Kazemi, Anant
Featuring a law enforcement AI perspective from Chris Ryan


Chris Ryan

Lili Kazemi

An uncomfortable truth is taking hold: what you type to an AI chatbot may not stay private. It can become discoverable evidence.

And not just evidence of one thing. An AI conversation can reveal three things at once: what a person intended, what a system generated, and who had the power to intervene.

So when an AI chat becomes Exhibit A, who is actually on trial? The user who typed the prompt? The platform that built the model? The company that deployed it? Or the human who was supposed to be watching?

That question is no longer hypothetical. ChatGPT logs, AI-generated advice, safety controls, and agentic actions are moving into investigations, discovery requests, and lawsuits. The fight is over how far that evidence travels, and where culpability stops.

Because as AI shifts from retrieving information to advising, refusing, recording, and acting, the old defense gets shaky. “It’s just a tool” no longer holds up when the tool talks back.

For years, AI ethics focused heavily on algorithmic bias and group fairness. Those issues still matter, but safety, intervention, and accountability are becoming the next frontier.

The most visible cases are criminal. But the implications reach much further: consumer claims, product liability, employment disputes, regulated decision-making, and every enterprise AI deployment in between.

At Anant, we help organizations build AI capability across platforms, data systems, governance, and operations. From that vantage point, the human edge is disciplined accountability: knowing what the system did, what the human knew, and who kept the authority to intervene.

To bridge the gap between legal theory and investigative practice, we also include a law enforcement perspective from Chris Ryan from Policereports.ai, on the operational realities of AI evidence.

Why This Matters Now

Courts are not waiting for this accountability framework to mature. High-profile investigations are already turning to AI interactions to establish timelines and intent.

Consider the Tampa case involving the deaths of two University of South Florida doctoral students. According to The Guardian, prosecutors allege the suspect asked ChatGPT about body disposal, altering a VIN, and firearms. He has been charged with first-degree premeditated murder. The allegations remain unproven.

After the Florida State University shooting, Florida Attorney General James Uthmeier opened a criminal investigation into OpenAI after reports that the alleged shooter used ChatGPT to ask about weapons, ammunition, and tactical planning, as reported by AP. OpenAI has denied responsibility, and a victim’s family filed a federal lawsuit, according to Reuters.

Following the Florida Attorney General’s June 1, 2026, announcement of a state civil lawsuit against OpenAI and Sam Altman, the AG’s office confirmed that its separate criminal investigation remains ongoing; the public posture remains investigation and subpoenas, not publicly filed criminal charges. The civil complaint alleges that OpenAI and Altman prioritized speed to market and commercial gain over user safety, disregarded safety warnings, and falsely assured users that the product was safe.

The very core of the argument by the state of Florida is evident in the very first paragraph of the complaint, succinctly worded:

This framing highlights the core challenge of this new evidentiary reality: courts are now being asked to decide whether a platform’s design, safety guardrails (or lack thereof), and commercial choices constitute a direct contribution to criminal conduct. 

The criminal investigation also shows how quickly AI disputes can become discovery-heavy. The Office of Statewide Prosecution subpoenaed OpenAI for policies and internal training materials on threats of harm to others or self, law-enforcement cooperation, crime reporting, policy changes, organizational information, and public statements related to the FSU shooting.

For companies deploying AI, that subpoena list is telling. Safety controls are no longer just ethics language. They may become evidence, and responding may require substantial legal, technical, human, and AI-assisted resources.

Florida’s principal statute provides that a person who aids, abets, counsels, hires, or otherwise procures an offense to be committed may be charged and punished as a principal,  whether he or she is or is not actually or constructively present at the commission of such offense. While bodily presence is not required, applying that kind of criminal-liability theory to an AI company would be novel and heavily contested. But the statutory framing explains why leaving such matters to individual state law could create a fractured landscape when it comes to determining the network of culpability.

Taken together, the parallel civil lawsuit and criminal investigation illustrate a broader point: the same AI capabilities that drive efficiency and innovation can also generate the evidence used to scrutinize an organization’s governance, design decisions, ethics, safety, and accountability.

These cases should not be used to jump to easy conclusions. A user’s prompt does not automatically prove intent. A model’s response does not automatically create platform liability. But they reveal a new evidentiary reality: AI interactions may become part of the record in disputes over what a person planned, what they knew, what they relied on, and whether a company had reasonable safeguards.

Agency Is Not a Zero-Sum Question

The harder question is not whether the human or the technology caused the harm. More than one actor can occupy a different place in the causal chain. Responsibility is interconnected.

The high-profile Michelle Carter case out of the state of Massachusetts offers a provocative human analogue. Carter’s involuntary manslaughter conviction was upheld after the Massachusetts high court concluded that her digital communications and failure to seek help became legally significant conduct. The case did not involve AI, but it shows that digital words, knowledge, and failure to intervene can carry legal consequences.

The court also rejected the idea that physical absence alone defeated culpability where the defendant’s conduct had a direct causal connection to the victim’s death. That point matters for AI because the hardest questions will turn less on presence than on knowledge, causation, design, warnings, escalation, and the ability to intervene.

Interacting with an AI feels increasingly like texting a human. This familiarity creates legal complexity when a system engages with a dangerous context—specifically, when it offers tailored encouragement even as warning signs emerge. While the user remains culpable, this does not resolve whether the provider failed in its duty to design for safety, warn, or escalate—or whether a human reviewer should have intervened.

A recent civil verdict makes the same point from the platform side. In March 2026, a Los Angeles jury found Meta and Google liable in a youth social-media addiction case, finding that negligent platform design and inadequate warnings were substantial factors in a young woman’s mental-health harm. The verdict did not eliminate user agency. Rather, it recognized that product design can also contribute to harm.

This is where AI ethics becomes more concrete. The relevant questions are not limited to bias, discrimination, or group protections. Companies must also confront safety design, foreseeable misuse, warnings, escalation, crisis referrals, human review, and real-time intervention.

Civil Liability May Arrive Faster Than Criminal Liability

For companies, the criminal examples are attention-grabbing. But the civil and commercial implications may arrive faster.

In the Air Canada chatbot case, a British Columbia tribunal ordered Air Canada to compensate a passenger after its chatbot gave inaccurate information about bereavement fare refunds. The commercial lesson was simple: when AI speaks for a company, the company may not be able to disown the output simply because a model generated it.

That principle is now extending beyond customer-service chatbots. In June 2026, The Decoder reported on a Munich Regional Court temporary injunction holding Google directly responsible for false statements in AI Overviews. The court treated the overviews as Google’s own content because they rewrote, evaluated, and structured third-party information into independent statements. Google has said the decision is not final and plans to appeal, while also maintaining that users can “dig deeper and verify.” 

The transition from Air Canada to Munich is important. Air Canada asks whether a company can disclaim an answer generated inside its own customer-facing system. Munich asks whether an AI-generated answer that summarizes, evaluates, and repackages third-party information can become the platform’s own statement. Both cases point toward the same governance question: once AI presents a self-contained answer in a company’s voice, are source links, user verification, or generic disclaimers enough to shift responsibility back to the user?

That is why Munich matters even though it is not U.S. law and not final. It pushes the debate from “could the user have checked?” to “how did the system present the answer, and what duty did the platform have before presenting it that way?” For companies deploying AI, the governance question is no longer just whether a disclaimer exists. It is whether the system’s design invites reliance, whether its confidence level is clear, whether sources are traceable, and whether a human review or escalation layer should exist before an AI-generated answer becomes a customer representation, business record, or piece of evidence.

The issue becomes more complicated in enterprise settings, where AI may assist with customer communications, contracts, HR, compliance, finance, legal intake, marketing, procurement, licensing, or public-sector services. If the output is inaccurate, poorly preserved, or appears to bind the organization, exposure may arise under contract, consumer protection, employment, privacy, professional responsibility, constitutional process, or negligence theories.

The question is no longer only: what did the user type? It is also: what did the platform generate, refuse, flag, preserve, transform, redact, or fail to escalate? For a broader treatment of agentic AI liability in critical infrastructure and high-stakes environments, Anant has separately analyzed the agentic AI liability gap.

Platform Duties Are Becoming Governance Evidence

AI companies are already building refusal, triage, and escalation layers into their products. OpenAI’s usage policies restrict self-harm facilitation, violence, weapons, illicit activity, malicious cyber activity, privacy compromise, and certain high-stakes decisions without human review. Anthropic’s usage policy similarly restricts unlawful, violent, deceptive, privacy-invasive, and certain criminal-justice uses, and allows Anthropic to block or modify outputs.

Adjacent consumer-facing AI regulation is also starting to convert safety expectations into concrete obligations, but scope matters: California’s companion chatbot law applies to AI systems with natural language interfaces that provide adaptive, human-like responses and can meet a user’s social needs, while excluding bots used only for customer service, business operations, productivity and analysis, internal research, or technical assistance.

That carveout ostensibly protects many commercial AI companies, but commercial AI can still create murky lines. Customer-service, sales, and support chatbots are becoming more continuous, personalized, and human-like; meanwhile, general-purpose providers such as OpenAI and Anthropic offer enterprise products alongside consumer-facing assistants. Companies should evaluate functionality, not labels, to determine whether a tool is drifting toward companion-style engagement.

This will remain a moving target as states experiment and federal preemption efforts evolve, and plaintiffs’ lawyers pursue claims. 

This creates a hard governance question: once AI companies can detect and refuse some categories of dangerous or unlawful activity, what is their responsibility when the model fails to detect others? That does not mean a platform is automatically liable for every bad act. But safety architecture becomes relevant: foreseeable misuse categories, testing, escalation pathways, preservation, updates after known failures, and documented refusals.

Why a 30-Year-Old Internet Statute May Not Resolve Generative AI

Section 230 is often treated as a blanket shield for technology companies, but that shorthand is incomplete.

Congress enacted 47 U.S.C. § 230 in 1996 as part of the Communications Decency Act. It was written for the early internet world of message boards, forums, and third-party posts—not for generative systems that can produce tailored answers or act through connected tools.

Its core protection says that a provider or user of an “interactive computer service” generally cannot be treated as the publisher or speaker of information “provided by another information content provider.” It also protects certain good-faith moderation efforts. But it is not universal immunity; the statute expressly preserves federal criminal enforcement, intellectual property law, electronic privacy law, and certain sex-trafficking claims.

Generative AI complicates this architecture because the disputed words may not have been “provided by another” person. The model may synthesize, rewrite, or generate the answer itself. The legal pressure point becomes whether the company is merely transmitting third-party information or is responsible, in whole or in part, for creating or developing the challenged content.

A Congressional Research Service analysis explains that Section 230 does not apply where the provider helped create or develop the challenged content, and that courts often ask whether the provider materially contributed to the alleged unlawfulness. A related scholarly analysis frames generative AI along a spectrum between a retrieval search engine and a creative engine.

That spectrum helps connect search-history cases to generative-AI cases. Digital searches can already be used as state-of-mind evidence; coverage of the Ali Abulaban trial, for example, described prosecutors relying on digital evidence and search history to argue premeditation. AI raises the next question: what happens when the record includes not only what a user searched for, but what the system generated back?

The Munich AI Overviews ruling is not binding in the United States, and no case yet definitively resolves Section 230 for generative AI. But the fault line is clear: a statute written for hosting and moderating third-party content may not cleanly govern systems that formulate their own answers, optimize engagement, or act through connected tools.

PII Masking, Redaction, and the Integrity of the Record

Privacy adds another layer. OpenAI’s privacy policy states that user content, including prompts and uploaded content, may be collected and that interaction information may be shared in certain legal, safety, fraud-prevention, or liability-related circumstances.

Technical PII masking, redaction, and data-minimization controls can reduce risk. The Casper paper studies prompt sanitization for detecting and removing sensitive information before it is sent to web-based LLM services, while the LegalGuardian framework examines masking and unmasking confidential PII in legal workflows before external model interaction.

But PII masking and redaction are not the same as privacy, privilege, or legal safety. A redacted or transformed record may still be linked to metadata, user accounts, uploaded files, audit trails, retained chat history, enterprise logs, or safety classifications. In litigation, the relevant record may include the raw prompt, the transformed or redacted prompt, the output, the metadata, the model version, and the retention policy.

The practical question: do organizations know which version of the AI interaction they can preserve, produce, authenticate, and defend?

Private, Agentic, and Embedded AI Will Complicate Everything Further

The current debate often assumes a centralized platform such as OpenAI, Anthropic, Google, Microsoft, or Meta. But that frame is already too narrow.

AI is moving into private deployments, local models, enterprise agents, connected workflows, and eventually embodied or robotic environments. Research such as OnPrem.LLM reflects growing interest in restricted or on-premise systems for sensitive data environments.

At the same time, Anthropic’s agentic misalignment research and the 2026 paper “I must delete the evidence” use simulated environments to explore what can happen when AI agents are given goals, tools, and access to sensitive corporate systems. These studies are simulations, not findings about real-world deployments. But they illuminate the risk that emerges when AI is not merely answering questions, but acting inside a company’s information environment.

As AI becomes more private, agentic, and embedded, the evidence trail may no longer be a clean chat transcript. It may include API logs, file access histories, device telemetry, permission changes, local model outputs, human override records, and fragmented internal documentation.

Law Enforcement AI Perspective: Q&A with Chris Ryan

Legal doctrine may set the rules, but law enforcement often sees the evidentiary reality first. When AI records move from theory into case files, investigators, agencies, prosecutors, defense counsel, and vendors need practical standards for collection, preservation, interpretation, and review.

The legal questions surrounding AI liability are still developing, but they are already creating practical challenges for investigators, public agencies, and AI vendors. To better understand those operational realities, I asked Chris Ryan for a law enforcement perspective on AI. Chris brings law enforcement command and criminal investigation experience and now builds public-safety AI through Policereports.ai. His focus is practical: when AI enters the case file, agencies and litigants need to understand how the record was created, preserved, reviewed, and verified.

The Q&A also connects to an AI-assisted police report incident in Utah reported by Axios, where a bizarre error entered an official record. According to the news coverage, an AI-assisted police reporting tool created by a major public safety technology company generated a bizarre report after an officer’s body camera picked up background audio from The Princess and the Frog. The AI writing program interpreted the movie dialogue incorrectly and summarized the incident as though the officer had become a frog.

While the story may sound like little more than clickbait, it illustrates a serious point: AI-generated inaccuracies can make their way into official records unless meaningful human review exists.

Q: Why do AI interaction logs matter from a law enforcement perspective?

Chris Ryan: From a law enforcement perspective, this shift is profound and largely unprecedented. For decades, investigators were trained to think about digital evidence in relatively defined categories, i.e., phone records, text messages, browser history, social media activity, etc. AI interaction logs don’t fit neatly into any of those buckets. They can simultaneously reflect a user’s intent, reveal the specific information they sought to acquire, document what guidance they received, and in agentic environments, show what actions were taken as a result.

As someone who spent years working criminal investigations and then moved into building AI tools specifically for law enforcement use, I can tell you that most agencies are not yet equipped, either procedurally or technically, to handle AI logs as evidence. That gap needs to close quickly, because prosecutors, defense attorneys, and civil litigants are already asking for this material, and the courts aren’t going to wait for agencies to catch up.

Q: How should investigators think about AI logs differently from ordinary search history or text messages?

Chris Ryan: Investigators who are accustomed to reading search history, emails, or text messages need to approach AI interaction logs with a fundamentally different mindset and considerably more caution. A Google search query is a data point. An AI conversation is a dialogue, and context within that dialogue changes meaning dramatically.

The danger cuts both ways; over-reading a prompt can lead to wrongful accusations, while under-reading a pattern of prompts can mean missing clear evidence of premeditation or intent. Authentication is another layer that investigators and prosecutors are not yet treating with sufficient rigor. Unlike a text message tied to a phone number and a carrier record or an email tied to an IP address, an AI chat log may exist across multiple storage locations, may have been exported, edited, summarized, or regenerated, and may not have a reliable timestamp without additional verification.

The bottom line from an investigative standpoint is this: AI logs require authentication, context, and trained interpretation. They should be treated as powerful circumstantial evidence, not as a confession.

Q: What should public agencies and AI vendors be required to show?

Chris Ryan: What agencies need from AI vendors goes well beyond a clean user interface and a compelling demo. At minimum, agencies deploying AI in any operational or investigative capacity need four things from their vendors: transparency, auditability, escalation protocols, and preservation standards.

Transparency means the vendor needs to be able to explain what the model can and cannot detect, what categories of inputs trigger a refusal or a flag, and how those determinations are made. Auditability means there must be a retrievable record of what the system processed, what it produced, and under what configuration. Escalation protocols mean that when a system encounters input that raises a safety or legal concern, there must be a defined pathway for human review and a fix, not just an automated refusal or error that disappears into a log file no one reads. Preservation standards mean the vendor must be able to tell the agency, in writing, what records are retained, for how long, in what format, and under what legal process they can be accessed.

Agencies that are procuring AI tools without demanding answers to those four questions are accepting risk on behalf of the public they serve.

Q: How do PII masking and redaction affect evidence integrity?

Chris Ryan: In law enforcement, chain of custody is foundational because the credibility of evidence in a courtroom depends entirely on the ability to demonstrate that what is being presented is what was actually collected, and that nothing material changed between collection and presentation. When we start applying that standard to AI interaction records that have been masked, redacted, transformed, or partially retained, we have a serious problem that I don’t think the legal or law enforcement communities have fully reckoned with yet.

If a user entered a prompt containing a victim’s name, a specific address, and a detailed description of a planned act, and that prompt was masked, redacted, or transformed before processing, the investigator subpoenaing the record may receive something that looks complete but is materially different from what the user actually typed. That’s not just a privacy issue, that’s a potential Brady issue, a discovery issue, and in some circumstances, an evidence integrity issue that could affect the outcome of a prosecution.

The question every agency and vendor in this space should be asking is not just whether data is being protected, but whether the record being preserved is accurate, complete, and defensible.

Q: What does responsible AI use in policing look like?

Chris Ryan: The Utah “frog” incident mentioned above is a perfect illustration of a principle I’ve been emphasizing since we started building Policereports.ai: AI in law enforcement is a powerful tool, but governance and safeguards are key, especially in this high-stakes realm. A police report is a legal document. It is the foundation of an arrest, a prosecution, a civil claim, or an administrative proceeding. Errors in that document don’t just embarrass the department, they can result in wrongful convictions, dismissed cases, successful suppression motions, and significant civil liability.

The practical answer is not to abandon AI-assisted documentation; the efficiency gains are real, and in an era of chronic understaffing and officer burnout, tools that reduce administrative burden have genuine public-safety value. The answer is to build and enforce a review architecture that keeps the human officer accountable for every word in the final record. AI drafts, the officer verifies, the officer owns.

The broader training challenge is equally important and often overlooked. Officers need to understand not just how to use AI tools, but how to critically evaluate their output. AI should make law enforcement more accurate, more efficient, and more accountable, not less.

Before the Prompt Becomes Exhibit A: Why Organizations Need to Act Now 

Organizations should not wait for a subpoena, lawsuit, regulatory inquiry, or public controversy to discover how their AI systems create, transform, and preserve records.

At a minimum, leaders should be able to answer six questions:

  1. Where does AI speak or act for the organization?
  2. Who owns the final judgment?
  3. What records are retained?
  4. What happens to sensitive information?
  5. What triggers refusal, escalation, or human review?
  6. Can the vendor support an investigation or legal hold?

These are not abstract questions. They determine whether an organization can explain the prompt, output, model version, system instructions, safety classifications, tool calls, edits, approvals, PII-masked, minimized, or redacted data, escalation triggers, retention periods, access controls, discovery support, and legal-hold process.

Key Takeaway: Public Copy is Evidence.

In the era of AI accountability, marketing and mission statements are no longer just branding—they are potential exhibits. Organizations must treat all public-facing copy with the same rigorous legal scrutiny as their technical disclosures, ensuring that every claim is defensible before a platform is scrutinized in court.


At Anant, we help organizations translate these questions into practical AI governance, vendor diligence, data architecture, and operating controls. The goal is not to slow responsible adoption. It is to ensure that when AI becomes part of the fact pattern, the organization can explain what happened, who was responsible, and why.

The future of AI liability will not turn only on what a user typed. It will turn on what the system generated, refused, flagged, preserved, how it processed sensitive information, what it connected to, and who had the power to intervene.

Because by the time a prompt becomes Exhibit A, it is too late to decide where accountability was supposed to live.

Interested in learning more?

Explore the platforms and resources behind Anant’s AI work.

  • Anant – Our consulting services, platform expertise, and company overview.
  • Anant.ai – AI platform and intelligent solutions for secure, production-ready AI applications.
  • Blog & Insights – Research and practical guidance on AI, data platforms, and the Modern Enterprise.
  • Intelcraft AI – AI practitioner training, education, and workforce enablement.
  • Tekt – The engineering approach behind AI-enabled business systems.
  • Anant Playbook – Our framework for designing, operating, and scaling modern business platforms.
  • The Human Edge of AI – A weekly newsletter by Lili Kazemi on AI law, governance, policy, and the human side of technology.

Whether you are training your team, modernizing your platform, or building production-ready AI, Anant helps you move from strategy to execution.