The tool vendor is liable less often than you'd think
Anyone who buys an AI system and uses it for their own purposes is legally a deployer (see module 20) - and deployers bear responsibility for the specific use, not the provider who built the system. A chatbot vendor typically isn't liable for a false promise made in your name - you deployed the system in your customer-facing operations.
What this means for using AI at your company
Any AI response that goes out in your company's name is legally treated as if you made it yourself. So the question isn't "can the AI vendor be sued" - it's "what happens if OUR AI says or does something wrong." That's exactly why control mechanisms like human approval on critical steps (see module 13) aren't bureaucracy - they're risk management.
Where responsibility shifts
There are exceptions: anyone who builds a system themselves or substantially modifies it becomes a provider (see module 20, "the trap") and takes on its obligations too. And if a provider delivers grossly defective software - a demonstrable technical defect, not a normal AI error rate - product liability for the manufacturer can come into play. That's the exception, though, not the rule.
Why this matters for you as a decision-maker
Contract clauses claiming "the AI is at fault" typically don't protect you against your own customers. If you use AI in customer-facing or business-critical processes, plan from the start: where does a human check need to happen before something goes out or takes effect?