Plain-English definitions for the liability, review,
and evidence standards that govern AI-assisted decisions.
Automated Decision Making Technology is technology that processes personal information and uses computation to replace or substantially replace human decision-making. Under California's rules, the key question is not whether AI is present, but whether a human reviewer actually satisfies the human involvement standard.
AI liability coverage is insurance that specifically covers harm arising from AI-assisted clinical decisions where a clinician reviewed the output through a verified review process. It fills the gap between traditional malpractice policies, which were written for purely human decision-making, and the new risk introduced when AI generates recommendations a clinician signs off on.
Catch rate measures how often a clinical reviewer identifies errors in AI-generated output. It is the core metric for whether human oversight is substantive or ceremonial. A reviewer who never catches errors is either reviewing a perfect system or not reviewing at all, and regulators, buyers, and insurers need to know which.
The California Consumer Privacy Act is the state statute that authorizes the ADMT regulations. The CPPA's rulemaking on automated decision-making technology, including the human involvement standard, risk assessment requirements, and consumer notice obligations, derives its enforcement authority from the CCPA. Intentional violations can reach $7,988 per consumer per incident.
Claim defense is the evidence package assembled from the review record when an AI-assisted clinical decision is challenged. It shows what the reviewer saw, what they checked, what they changed, and whether they had authority to override. The completeness of this record is what separates a defensible decision from an exposed one.
Clinical oversight is a clinician's substantive review of AI-generated output before it influences patient care. Substantive means the clinician examined source materials, applied clinical judgment, and could have changed the outcome. A signature without engagement is not oversight. The distinction determines who bears liability when a decision is challenged.
Dwell time is the amount of time a reviewer spends on a decision record before approving, changing, or escalating it. It is not a formal safe harbor, but very short review times can be evidence that the human was ratifying the output rather than analyzing it.
Escalation is the act of routing an AI-generated output to a higher-authority reviewer when the initial reviewer identifies risk, uncertainty, or output they are not qualified to evaluate. A functioning escalation path is evidence that the review process has real safety mechanisms, not just approval buttons.
An executive attestation is the sworn submission a business must provide to the CPPA about covered risk assessments. The first ADMT-related attestation is due April 1, 2028, and is signed under penalty of perjury by executive management.
Human involvement means the reviewer understands the technology's output, reviews it alongside other relevant information, and has authority to make or change the decision. A person clicking approve inside a workflow is not enough unless the record shows all three prongs were met.
Malpractice liability in AI-assisted healthcare arises when a clinical reviewer fails to catch an error in AI-generated output and patient harm results. When AI produces the recommendation and a clinician signs off without meaningful review, the question of who bears liability depends on whether the review was substantive or ceremonial. Traditional malpractice policies do not explicitly address this question, which is why AI-specific liability coverage exists as a separate product.
No paper trail describes the evidentiary gap that emerges when a claim arises and there is no contemporaneous record of what the AI system said, who reviewed it, what they saw, and what happened next. Without that record, every other line of defense collapses. The absence of documentation is often more damaging than the underlying harm, because it prevents any reconstruction of what the AI-assisted decision actually was.
Off-label use occurs when an AI tool is applied to a decision it was not validated to support. A model validated for one population, workflow, or decision type carries no warranty outside those conditions. The moment a deployer applies it beyond its intended scope, the original validation no longer covers the use and liability can shift back to the vendor.
Override rate measures how often human reviewers change or reject the technology's output. A near-zero override rate is not automatically unlawful, but it raises the obvious question of whether reviewers are independently analyzing decisions or rubber-stamping them.
A pre-use notice tells a consumer, before ADMT is used for a covered decision, what the technology does and what rights apply. It has to be specific enough to explain the purpose, relevant inputs, outputs, and available opt-out or appeal path.
Review depth measures how thoroughly a clinician engaged with AI output before signing off. It combines time spent, source materials opened, edits made, and whether the reviewer checked information the model did not surface. Shallow review is the primary signal that oversight is ceremonial rather than substantive.
A risk assessment is the documented analysis required before deploying ADMT for significant decisions and for certain profiling activities. It covers purpose, data, logic, outputs, benefits, risks, safeguards, and who approved proceeding.
Rubber-stamping is a review pattern where a human approves model output without independent analysis. California's human involvement standard is built to catch this: the reviewer has to understand the output, check other information, and have real authority to change the decision.
A safe harbor is a regulatory provision that defines conditions under which a business is presumed compliant, shielding it from enforcement. California's ADMT rules do not create a safe harbor for any specific override rate, dwell time, or review process design. Compliance depends on whether the human involvement standard is actually met, not on whether a particular metric falls within a defined range.
Section 7001(e)(1) defines the human involvement standard for ADMT. A business only avoids the ADMT classification if the human reviewer knows how to interpret and use the output, reviews and analyzes it alongside other relevant information, and has authority to make or change the decision. All three conditions must be met for the technology not to qualify as replacing or substantially replacing the human decision-maker.
Section 7150(b)(4) triggers a mandatory risk assessment when a business uses automated processing to infer or extrapolate characteristics about a consumer based on systematic observation of that consumer acting as a job applicant, student, employee, or independent contractor. This obligation exists independently of whether the business makes a significant decision based on the inference.
Section 7153 creates direct obligations for businesses that make ADMT available to another business for significant decisions. Vendors must provide the facts their customers need for risk assessments, including logic, inputs, outputs, assumptions, and limitations.
Section 7154 gives California consumers the right to opt out of the use of ADMT for significant decisions that affect them. A business satisfies this obligation by providing a functional opt-out mechanism with at least two submission methods, or by offering a qualifying human appeal process instead. To qualify for the appeal exemption under subsection (b)(1), the appeal reviewer must understand the model's output, analyze it alongside all relevant information including what the consumer submits, and have real authority to change the decision. That is the same three-prong standard that governs whether the original review was substantive. An appeal process that confirms the original output without genuine independent analysis doesn't qualify for the exemption, and the opt-out obligation reasserts itself.
A significant decision is a covered decision involving employment, housing, credit or lending, education, or healthcare. Advertising decisions are excluded from this definition, but profiling for behavioral advertising can still trigger separate ADMT obligations.
Systematic observation is methodical, regular, or continuous observation of a person. When automated processing uses it to infer characteristics about applicants, students, employees, or contractors, a risk assessment can be required even without a final significant decision.
A validation gap arises when the real-world deployment environment diverges from the conditions under which an AI tool was tested. Population mix, workflow design, site-specific practices, integration behavior, or software versioning may all drift after go-live. When that happens, the original validation study can no longer be used to defend performance claims in the live environment.
The verification standard is the threshold Proof of Review uses to determine whether a clinician's review was substantive enough to activate coverage. It requires that the reviewer opened relevant source materials, spent enough time to plausibly evaluate the output, and either agreed with documented reasoning, overrode with rationale, or escalated. The standard is calibrated to what a plaintiff's clinical expert would consider defensible.
Write isolation means the AI system can advise, summarize, or recommend, but cannot directly write the final decision into the system of record. It preserves the separation between machine output and human decision authority.
A wrong output occurs when an AI model produces an incorrect recommendation, classification, or finding and someone acts on it before the error is discovered. Wrong output is the most visible AI failure mode, but it is only the innermost layer of deployment risk. A vendor whose model was accurate may still face liability from the other four failure modes: off-label use, rubber-stamping, validation gap, and no paper trail.