Site icon Lawful Legal

Artificial Intelligence: From Human Hands to Independent Minds — How Cyber Law is Battling to Keep Autonomy Under Control

Author:Aashi Roshan

College:Thakur Ramnarayan College of Law

Abstract

For most of history, the machines we built stayed entirely within human control — a hammer does nothing until a hand swings it, and even early computers merely followed instructions typed in by a programmer. That era of dependence is closing. Artificial Intelligence has moved from being a reactive tool that waits for a prompt to an autonomous agent capable of setting its own sub-goals, browsing independently, and executing multi-step tasks without constant human supervision. This shift raises a legal question far more pressing than whether AI is useful: whether society can still exercise meaningful control over a system that operates at machine speed while holding vast amounts of personal data. This article traces that transition — from the “human hands” era governed comfortably by traditional intellectual property and product liability law, through the rise of agentic AI and the well-documented “black box” and alignment problems, to real instances where data has already been turned against the very people it was collected from, such as algorithmic price-fixing and autonomous-vehicle fatalities. It concludes by examining how cyber law — through frameworks such as the European Union’s Artificial Intelligence Act, data minimisation principles, and human-in-the-loop mandates — is attempting to keep an increasingly independent technology legally accountable to human judgment.

To the Point

Artificial Intelligence began as a tool in the truest sense — entirely dependent on human instruction, incapable of acting unless told exactly what to do. Today’s AI systems are different. They can be assigned a goal rather than a command, and they decide the steps needed to reach it: comparing options, writing code, executing transactions, and interacting with other systems, often without a human reviewing each individual step.

This independence changes the legal equation in two important ways. First, when an autonomous system’s internal reasoning cannot be fully explained even by its own creators — the so-called “black box” problem — traditional standards of legal accountability, which depend on a chain of explainable human decisions, begin to strain. Second, because these systems are trained on and often retain enormous quantities of personal data, their growing independence means that data itself becomes a resource that can be used against the very people it describes, whether through coordinated pricing, biased decision-making, or machine-speed data breaches.

Regulators have responded by shifting from a reactive posture, where liability was assigned only after harm occurred and was traceable to a specific human error, to a proactive one, where the inability to explain an AI system’s behaviour is itself treated as a compliance failure. This is the essence of the present moment in cyber law: autonomy is being permitted, but no longer unconditionally.

Use of Legal Jargon

The legal treatment of Artificial Intelligence rests on the classification of the technology at any given point in its evolution. Early Symbolic AI, or “Good Old-Fashioned AI” (GOFAI), operated on hand-coded rules and was treated squarely as property — the output belonged to whoever owned the system, and product liability rested with the manufacturer under ordinary tort and consumer protection principles, since no independent agency could plausibly be attributed to the machine.

The transition to Machine Learning and Deep Learning introduced statistical, data-driven decision-making, which in turn produced the explainability deficit now widely known as the “black box” problem. Where a decision cannot be reconstructed or reasoned through, courts and regulators face genuine difficulty applying the doctrine of proximate cause, since liability traditionally requires identifying the specific negligent act or omission that produced the harm.

The rise of Agentic AI — systems capable of independent, multi-step action — has brought renewed attention to what AI-safety scholars term the alignment problem: the risk that a system optimising strictly for a defined objective (a phenomenon called reward hacking) produces outcomes that are lawful in form but harmful in substance, without any human ever authorising that specific outcome. In response, data protection and AI-specific statutes, most prominently the EU Artificial Intelligence Act, have introduced the principle of data minimisation (restricting collection to what is strictly necessary for a stated purpose) and the doctrine of human oversight, embodied in “human-in-the-loop” requirements for high-risk automated decisions. Together, these concepts form the emerging jurisprudential architecture through which autonomous systems are being brought back within the reach of enforceable legal accountability.

The Proof

The clearest proof that AI’s growing independence carries real legal consequence lies not in theory but in enforcement action already taken by courts and regulators across jurisdictions.

In the United States, the Department of Justice’s 2024 civil antitrust action against RealPage Inc., a provider of algorithmic rent-pricing software, demonstrated that centralising competitively sensitive data inside an autonomous pricing engine can produce coordinated price outcomes indistinguishable in effect from a cartel — even though no landlord ever expressly agreed with another to fix a price. RealPage’s November 2025 settlement, which required it to stop using live non-public competitor data and submit to three years of independent monitoring, stands as documented proof that regulators now treat algorithmic coordination as functionally equivalent to traditional collusion.

Equally instructive is the 2018 death of pedestrian Elaine Herzberg in Tempe, Arizona, struck by an Uber test vehicle operating in autonomous mode. The resulting proceedings exposed a genuine liability gap: prosecutors declined to charge Uber as a corporation, while the human backup driver was separately charged with and ultimately pleaded guilty to endangerment. The case remains the clearest illustration that autonomous decision-making does not eliminate legal responsibility — it merely makes the question of who bears that responsibility considerably harder to answer.

In India, the Supreme Court’s recognition of privacy as a fundamental right under Article 21 has already supplied the constitutional foundation on which any future AI-specific liability regime would have to be built, since an autonomous system’s capacity to cause harm is directly proportional to the personal data it is permitted to hold and process.

Case Laws

1. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1

A nine-judge bench of the Supreme Court of India unanimously held that the right to privacy is a fundamental right protected under Article 21 of the Constitution. Although decided years before autonomous AI systems became commonplace, this judgment supplies the constitutional bedrock for every subsequent data protection obligation in India, since any AI system’s ability to collect, retain, or act upon personal data must now be tested against this fundamental right.

2. Shreya Singhal v. Union of India, (2015) 5 SCC 1

The Supreme Court struck down Section 66A of the Information Technology Act, 2000 as unconstitutionally vague and violative of the freedom of speech under Article 19(1)(a). The judgment established the principle that technology-facing legislation must be precise and proportionate, a standard now directly relevant to AI regulation, where vague or overbroad compliance obligations risk the same constitutional infirmity.

3. United States v. RealPage, Inc. (M.D.N.C., filed 2024; settled November 2025)

The Department of Justice, joined by several state attorneys general, alleged that RealPage’s algorithmic revenue-management software pooled non-public, competitively sensitive rental data from competing landlords to generate coordinated pricing recommendations, in effect substituting an algorithm for the traditional handshake agreement that antitrust law has long prohibited. The 2025 settlement, requiring RealPage to cease using live competitor data and to operate under independent monitoring for three years, confirms that algorithmic coordination attracts the same antitrust scrutiny as human collusion.

4. State of Arizona v. Rafaela Vasquez (Maricopa County Superior Court, 2023)

Arising from the first fatal collision involving a fully autonomous test vehicle, this case saw the human safety driver charged with, and ultimately pleading guilty to, endangerment, while prosecutors declined to bring criminal charges against Uber as a corporation. The proceeding remains the leading real-world example of the liability gap created when an autonomous system’s failure and a human supervisor’s inattention combine to cause harm.

Conclusion

The journey from human hands to independent minds is, for practical purposes, complete. Artificial Intelligence is no longer merely operated; it must now be supervised, much as an employer supervises a highly capable but occasionally reckless employee. The defining legal challenge of the present decade is not whether AI can perform a given task, but whether a human being remains identifiable and accountable when that task goes wrong.

The RealPage settlement, the unresolved liability questions raised by autonomous-vehicle fatalities, and the staged rollout of the EU Artificial Intelligence Act each reflect the same underlying legal instinct: autonomy may be permitted, but never unconditionally. Data minimisation, human-in-the-loop mandates, and mandatory impact assessments are all, at bottom, different answers to a single question — who remains answerable when the machine acts on its own?

The future of cyber law, therefore, is not about restraining how intelligent a machine is allowed to become. It is about ensuring that however independently an algorithmic mind is permitted to think and act, it remains legally tethered to a human conscience — traceable, explainable, and answerable through the same rule of law that has always governed human hands.

FAQs

Q1. What is the “black box” problem in AI, and why does it matter legally?

It refers to the inability of even an AI system’s own developers to fully explain how it reached a particular decision. This matters legally because liability doctrines such as negligence and proximate cause traditionally require identifying a specific, explainable failure — something a black-box system resists by design.

Q2. Is there a fundamental right against AI-driven data misuse in India?

While there is no standalone “AI right,” the Supreme Court’s recognition of privacy as a fundamental right under Article 21 in Justice K.S. Puttaswamy v. Union of India provides the constitutional basis on which data-related harms caused by AI systems can be challenged.

Q3. Who is held liable when an autonomous system causes harm?

Liability is currently determined case by case, often falling on whichever human actor in the chain — a supervising operator, a deploying company, or a developer — is found to have failed a duty of care, as seen in the Uber-Herzberg proceedings. No jurisdiction currently grants AI systems independent legal personality or liability.

Q4. What does “human in the loop” mean under the EU AI Act?

It refers to a legal requirement that a human being remain positioned to review, intervene in, or override certain high-risk automated decisions — such as large financial trades or law-enforcement actions — before they take irreversible effect.

Exit mobile version