The liability question nobody is ready to answer
When a human assistant deletes the wrong folder, responsibility is clear. When a SaaS tool corrupts your data, you read the terms of service and find that the vendor has disclaimed most of it. Agentic AI sits in an uncomfortable middle space: it acts with apparent intent, but under someone else's instructions, on infrastructure someone else configured, using a model someone else trained.
In practice, liability will distribute across at least three parties.
The model provider sets the capability boundary and ships the defaults. If Full Access Mode is on by default, or if the confirmation step is too easy to skip, that is a product decision with consequences. OpenAI, Anthropic, Google, and every other foundation model company is making these calls right now, mostly without regulatory pressure forcing any particular answer.
The agency or studio building the product layer decides what permissions to expose, what guardrails to add, and what the user is actually told before they click confirm. If you ship a product that puts GPT-5 in Full Access Mode and your onboarding does not make the risk legible to a normal user, that is your problem. Courts and clients will eventually agree.
The end user accepted something, probably without reading it. That has always been true. What is new is that what they accepted now has physical consequences on their machine.
None of these parties are currently held to a formal standard. The EU AI Act is moving, but its provisions for high-risk systems are not designed around the specific case of an agentic tool acting autonomously on personal data. Most agencies are operating without any internal policy that distinguishes between "AI that suggests" and "AI that acts."