Skip to main content
International humanitarian law frameworkInternational

Who Is Liable When an AI Drone Strikes a Civilian?

Existing international criminal and state responsibility frameworks struggle to assign legal liability when an AI-enabled drone makes autonomous targeting decisions that result in civilian harm. This article examines the doctrinal gaps and evaluates proposed accountability models.

Entry details

Who it applies to
Military commanders, operators, states, and developers of AI-enabled autonomous weapons in armed conflict
Last reviewed
2026-07-18

The legal implications of AI drone strikes in conflict zones become concrete only after the strike report lands on a lawyer’s desk. A civilian is dead. The drone or targeting system did not merely assist a human who picked the target; it selected, classified, prioritized, or engaged the target through an autonomous process. The file now has to answer a question law cannot avoid: whose act was it?

Existing international law does not let the machine stand in the dock. Criminal liability still looks for a natural person with a culpable mental state and a legally relevant act. State responsibility still asks whether conduct can be attributed to the state and whether an international obligation was breached. Command responsibility still depends on a commander’s relationship to subordinates and knowledge of crimes. Those frameworks can reach some human and state conduct around the use of AI-enabled weapons. They are far less comfortable when the decisive targeting judgment sits inside a system no court can punish and no victim can cross-examine.

Military drone over a civilian urban area with legal symbols and question marks showing an accountability gap

That is not a theoretical inconvenience. The Lieber Institute’s 2026 synthesis of AI-driven autonomous weapons liability describes the problem across individual criminal responsibility, command responsibility, and state responsibility: each doctrine assumes a traceable human decision chain, while autonomous systems can move the legally important choice away from the operator pressing a button and toward earlier decisions about design, procurement, authorization, deployment, and constraints on use.[1]

The first liability map is familiar, but it starts to slip

A post-strike inquiry usually starts with three legal routes. None is exotic. The difficulty is that each was built around human conduct, human knowledge, and human control.

FrameworkUsual accountability questionWhere autonomous targeting creates strain
Individual criminal responsibilityDid a person commit, order, aid, abet, or otherwise contribute to a war crime with the required mental state?The machine may have made the targeting classification or engagement decision that caused the unlawful harm.
Command responsibilityDid a commander know, or have reason to know, that subordinates were committing or about to commit crimes and fail to prevent or punish them?The immediate source of risk may be a system’s behavior, not a subordinate’s independently criminal act.
State responsibilityCan the wrongful conduct be attributed to the state, and did it breach an international obligation?Attribution may need to focus less on the final operator and more on state decisions to design, acquire, authorize, deploy, or fail to constrain the system.

The cleanest case remains the conventional one: a human operator uses an AI tool as advice, sees enough information to make an independent targeting decision, and unlawfully attacks civilians. The AI system may explain how the person received information, but it does not break the attribution chain. The hard case is different. The system’s output is not just a recommendation in a crowded screen. It is the selection or engagement decision that matters under the law of targeting.

The operator is the easiest person to name and often the hardest person to convict

Criminal law wants a defendant, an act, and a mind. Under the Rome Statute analysis developed in the Georgetown Journal of International Law, AI-generated war crimes create problems on both sides of that equation: actus reus and mens rea.[2] A strike that kills civilians may satisfy the harm element of a war-crime inquiry, but that does not by itself identify the person who committed the legally relevant act with the required culpability.

For the operator, actus reus is straightforward only if the operator makes the attack decision. If the operator selects the target, chooses the weapon, and authorizes the strike after reviewing the relevant facts, the conduct can still be described in ordinary criminal terms. But if the system autonomously identifies the target, weighs signals, and initiates or effectively determines engagement, the operator’s conduct may shrink to activation, monitoring, or non-intervention. Those acts can matter, but they are not automatically the same as intentionally directing an attack against civilians.

Mens rea is even less forgiving. Rome Statute liability generally requires proof that the accused had the required intent and knowledge for the charged crime. A human who knowingly launches an attack against civilians is one case. A human who uses a system whose internal classification process is probabilistic, opaque, or outside meaningful real-time review is another. Prosecutors would need to show more than the fact that the system was risky. They would need to connect the accused person’s knowledge and intent to the unlawful targeting outcome.

That burden should not be treated as a loophole invented for AI. It is a feature of criminal punishment. The problem is that autonomous weapons can place the most morally important choice—the target selection that turns a person into a lawful object of attack or an unlawful victim—somewhere other than the human conduct criminal law is best equipped to evaluate.

Nominal review does not cure the mens rea problem

The tempting answer is to say that a human remained “in the loop.” That phrase does too much work. A legally meaningful review requires time, information, and authority to reject the machine’s result. If the operator sees only a confidence score, a name, a heat map, or a compressed targeting packet, the presence of a human hand at the end of the chain may tell us very little about legal responsibility.

The reported use of the Lavender system in Gaza is useful here as a pressure test, not as a settled legal record. The Lieber Institute discusses secondary reporting from +972 Magazine that described a roughly 20-second human approval cycle and an alleged error rate of about 10 percent for the system’s identification of suspected militants.[1] Those claims are contested through the ordinary limits of wartime reporting and should not be converted into courtroom findings. Still, they show why “human approval” cannot be the end of the inquiry. Twenty seconds may be enough to click a box. It is not obviously enough to conduct a proportionality assessment, verify identity, assess civilian presence, or interrogate a model’s basis for classification.

A short review window also complicates both sides of liability. For the victim, it may look like a human authorized the strike. For the operator, the record may show a formal approval without enough evidence that the person actually knew the facts that made the strike unlawful. The gap is not emotional; it is evidentiary.

Command responsibility does not map neatly onto a machine

Command responsibility is often invoked because it sounds administratively sensible. If the battlefield operator cannot be held responsible, look upward. Commanders choose systems, approve missions, set rules of engagement, and decide how much autonomy to permit. Those are real control points.

The doctrinal issue is that command responsibility is not a general theory of bad oversight. It traditionally depends on a superior-subordinate relationship, knowledge or reason to know that forces were committing or about to commit crimes, and failure to take necessary and reasonable measures to prevent or punish. Autonomous targeting changes the object of control. The commander may not be failing to restrain a rogue subordinate. The commander may be failing to understand, test, limit, suspend, or document a system.

That can still be culpable. A commander who deploys a system known to misidentify civilians in a dense urban environment, ignores warnings, and refuses available safeguards is not insulated merely because software sits in the causal chain. But the prosecution still has to translate that conduct into recognized modes of liability. It must prove what the commander knew, when the commander knew it, what preventive measures were available, and how the failure relates to the unlawful strike.

This is where battlefield uncertainty deserves sober treatment. Commanders may face incomplete intelligence, communications delays, adversaries who exploit civilian proximity, and fast-moving threats. The existence of uncertainty cannot become a blanket excuse. It also cannot be ignored by a liability theory that assumes every risk was visible in advance. A credible post-strike record has to separate unforeseeable battlefield error from foreseeable system risk that was accepted, concealed, or left unmanaged.

Autonomous drone surrounded by operator, commander, state, and developer figures with broken attribution lines

State responsibility absorbs more, but not everything

State responsibility is a better institutional fit than criminal law for many autonomous weapons cases because it does not need to imprison a machine or prove a human defendant’s individual guilt. It asks whether conduct attributable to the state breached an international obligation. Reparations, cessation, assurances of non-repetition, and diplomatic responsibility sit more naturally here than in a criminal indictment.

Bérénice Boutin’s 2023 article on state responsibility and military AI is the central proposal in this space. Using the Articles on Responsibility of States for Internationally Wrongful Acts, Boutin argues that attribution analysis should move away from the last human operator when the relevant conduct is better located in the decisions of humans who design, develop, procure, authorize, deploy, supervise, or fail to constrain the AI system.[3]

That shift matters. If a state selects an autonomous system for a use case where it cannot reliably distinguish civilians from combatants, the legal record should not pretend the only relevant actor is the person nearest the console. The procurement file, weapons review, training package, commander’s authorization, operational restrictions, vendor disclosures, testing data, and post-deployment incident reports may be closer to the real decision than the final click.

The strength of this model is practical: it follows the risk to the people who had institutional power over it. Its weakness is equally important. It remains a scholarly framework. The research materials do not support saying that an international tribunal, the ICC, or settled state practice has adopted a Boutin-style attribution theory for autonomous weapons. The model is promising because it names the right files. It is not yet law in the way a litigator can cite as a tested holding.

Article 36 review is necessary evidence, not a complete answer

Weapons review obligations under Article 36 of Additional Protocol I are often raised as the compliance checkpoint for new means and methods of warfare. They matter. A serious review can force a state to ask whether a system can comply with distinction, proportionality, precautions in attack, and other applicable rules before deployment. It can also generate the records investigators later need.

But Article 36 review does not solve attribution by itself. It is forward-looking and system-focused. A review may establish that deployment was lawful under defined conditions, or that certain uses were prohibited, or that more testing was required. It does not automatically identify who is responsible when field conditions depart from the review assumptions, when a commander expands the use case, when a system behaves unpredictably, or when documentation is too thin to reconstruct what happened. The Lieber Institute also cautions against treating compliance-by-design and review obligations as a complete customary-law answer to autonomous weapons accountability.[1]

Developers and deployers are legally relevant, but courts have not yet made them the answer

The developer question is where the accountability discussion becomes attractive and dangerous at the same time. Attractive, because many of the meaningful choices are made before the weapon reaches the battlefield: training data, performance thresholds, sensor limitations, fail-safe design, explainability, audit logs, human override, and warnings about prohibited use. Dangerous, because it is easy to confuse moral involvement, civil exposure, export-control obligations, procurement responsibility, and international criminal liability.

A developer who knowingly designs a system for unlawful targeting, materially assists its use, or conceals known failure modes could become relevant under existing legal theories, depending on the facts. But the research materials do not support a broader claim that developers of autonomous weapons are already generally liable under international criminal law whenever the system causes an unlawful strike. The Georgetown analysis is careful precisely because Rome Statute liability requires recognized modes of participation and proof of the required mental state.[2]

Deployers are easier to fit into the state-responsibility picture. A state agency or military command that decides where, when, and under what constraints an AI-enabled system may operate has a direct relationship to the risk. Boutin’s framework, and later legal commentary explaining it, treat these upstream and midstream decisions as central to attribution because they are the points at which humans can still meaningfully shape the system’s conduct.[3]

The word “meaningfully” matters. A contract clause saying humans retain control is weak evidence if the interface, tempo, and operational doctrine make rejection unrealistic. A commander’s certification is weak evidence if the underlying test data excludes the environment where the system is actually deployed. A vendor warning is weak evidence if it is buried, contradicted by sales representations, or never translated into operational limits. These are not academic details. They are the difference between a reviewable decision chain and a post-strike shrug.

The real cases are stress tests, not shortcuts

Two examples appear often in discussions of AI-enabled targeting, and both need careful handling.

Lavender, as reported by +972 Magazine and discussed by the Lieber Institute, illustrates the legal weakness of nominal human review: a system-generated target list, rapid approval, and alleged error rates would make it difficult to say with confidence that the human reviewer made a genuinely independent targeting judgment.[1] The point is not to litigate Lavender from secondary reporting. The point is to notice what kind of evidence a real court or reparations mechanism would need: who authorized the system, who knew the error profile, what review instructions were given, what the human reviewer could see, and whether civilians were meaningfully considered before the strike.

The Kargu-2 episode in Libya is different. It is often described, based on reporting around the UN Panel of Experts, as a first reported autonomous attack involving a loitering munition; the manufacturer has disputed characterizations of the system and its use.[1] That dispute should slow the legal analysis, not erase it. If a system did autonomously pursue or attack a person, the same attribution questions would arise. If it did not, the example proves less about liability than about how quickly public narratives outrun the record.

Human Rights Watch’s 2025 report on autonomous weapons and digital decision-making adds a different pressure point under international human rights law. It argues that autonomous systems face serious difficulties satisfying necessity, proportionality, and last-resort requirements when force is used in law-enforcement or security contexts governed by those standards.[4] That conclusion should not be mechanically imported into every armed-conflict targeting decision, where international humanitarian law supplies a distinct framework. It does show, however, that legal evaluation changes with the governing regime, and that a system acceptable for one environment may be indefensible in another.

Remedy is where the gap becomes visible

Accountability gaps are sometimes described as doctrinal puzzles. For the injured family, the puzzle is a closed door. If no individual can be prosecuted because mens rea cannot be proved, if the commander’s relationship to the system does not fit command responsibility, and if state responsibility cannot be translated into an accessible forum or compensation mechanism, the result is not legal elegance. It is no remedy.

The International Bar Association’s discussion of drones and legal remedy highlights the practical barriers victims face even in non-AI drone-strike contexts, including jurisdictional obstacles and doctrines such as the U.S. combatant activities exception and discretionary function exception.[5] Those doctrines do not control every jurisdiction, and they should not be treated as a universal answer. They do show that adding autonomous targeting to an already difficult remedial landscape makes the file harder, not easier.

That matters for deterrence. Law deters not only by announcing rules, but by making it possible to reconstruct violations and impose consequences. If the record cannot show who selected the target, who approved the model for that class of target, who accepted the error rate, who set the human review window, who monitored incidents, and who had authority to suspend use, then the system has not merely created evidentiary inconvenience. It has weakened the legal architecture around force.

What a defensible record would need to show

The compliance implication is narrower than a ban argument and more demanding than a procurement checklist. If a state or contractor expects to defend the use of AI-enabled drones after civilian harm, the relevant record cannot begin at the moment of launch. It has to begin when the system’s role in targeting is defined.

  • Design records should identify what the system is allowed to classify, what data or signals it uses, known failure modes, and the limits of any confidence score.
  • Weapons review records should state the factual assumptions under which the system was considered lawful, including environment, target class, sensor quality, communications conditions, and required human intervention.
  • Authorization records should show who approved deployment, what operational constraints were imposed, and what uses were rejected or prohibited.
  • Mission records should preserve what the human reviewer could see, how much time was available, whether rejection was practically possible, and what information was unavailable.
  • Incident records should connect civilian harm to system behavior, human decisions, prior warnings, and any later suspension, modification, or continued use.

Those records may not guarantee liability, and they may not prevent it. They are necessary because current doctrine does not yet know how to evaluate autonomous targeting without human-readable decision points. The absence of documentation will usually help the least deserving party: the actor with institutional control and the best access to evidence.

The answer is still incomplete

Under current international criminal and state-responsibility frameworks, liability can sometimes attach to human or state conduct around deployment, supervision, weapons review, or failure to constrain an autonomous system. An operator may be liable where the person actually makes the unlawful targeting decision with the required mental state. A commander may be liable where the evidence supports recognized command-responsibility elements. A state may be responsible where attributable conduct breaches an international obligation.

The harder proposition is the one that matters most after an AI drone strike: the autonomous system made the decisive targeting judgment, and the law must still name a responsible actor. Existing doctrine can reach parts of the surrounding human conduct, but it cannot yet coherently attribute the machine’s targeting choice without strain. Boutin-style attribution to decision-makers, deployers, and developers may be the most promising model because it follows control rather than ceremony. It remains a scholarly proposal, not a rule tested by the ICC, an international criminal tribunal, or settled state practice.

That gap is not a reason to assume no exposure. It is a reason to document design, authorization, review, deployment, human-control decisions, and post-strike investigation with more discipline than existing doctrine presently demands.

References

  1. Legal Accountability for AI-Driven Autonomous Weapons, Lieber Institute, March 2026.
  2. Criminal Accountability for AI-Generated War Crimes, Georgetown Journal of International Law, Vol. 57, Issue 1, Fall 2025.
  3. State responsibility in relation to military applications of artificial intelligence, Leiden Journal of International Law, Cambridge Core, 2023.
  4. A Hazard to Human Rights: Autonomous Weapons Systems and Digital Decision-Making, Human Rights Watch, April 2025.
  5. Drones: waging war on the law, International Bar Association.

Corrections & feedback

Submit corrections, report new regulatory developments, or flag jurisdiction-specific clarifications. Comments are moderated. Nothing in comments constitutes legal or compliance advice.

Comments

Join the discussion with an anonymous comment.

Loading comments...
Blogarama - Blog Directory