The Importance of Software Liability

Yesterday, I had an insightful conversation with a seasoned software product leader, and one phrase stuck with me: Code is liability. At first, it sounds counterintuitive. We often think of code as an asset—something that brings value to a company. But the reality is that every line of code written comes with inherent costs and risks. Here’s why: 1. Maintenance Burden – Code isn’t a one-time investment. Every feature added increases the surface area for bugs, security vulnerabilities, and technical debt. The more code you have, the more effort it takes to maintain. 2. Complexity & Fragility – The more code you write, the harder it becomes to make changes without breaking something else. What starts as a simple solution can quickly turn into a tangled mess requiring extensive rework. 3. Scalability Risks – As software evolves, poorly designed or unnecessary code can bottleneck performance. What works today may slow you down tomorrow, requiring costly refactoring or complete rewrites. 4. Opportunity Cost – Time spent managing and debugging bloated codebases is time not spent on innovation. The best software companies minimize unnecessary code and focus on delivering value efficiently. 5. Security Vulnerabilities – Every additional line of code is a potential attack vector. The larger the codebase, the more opportunities for exploits. This conversation reinforced something I’ve seen firsthand: The best engineers and product leaders aren’t the ones who write the most code—they’re the ones who write the least necessary code. In a world where we celebrate shipping new features, we often overlook the cost of what we’ve built. Sometimes, the best decision isn’t to add more—it’s to simplify, refactor, or even delete.

AI liability is about to get real. The lawsuit against OpenAI over a teenager’s ChatGPT-assisted death isn’t just about one tragic case. It could redefine how enterprises must treat AI. If courts accept these claims, AI will no longer be “just software.” It will be judged like a dangerous product - with strict liability, duty to warn, and negligence standards applied. For enterprises, the ripple effects are enormous: 1. Product liability exposure - Deploying AI could carry the same legal risks as selling a defective car or medical device. “Use at your own risk” disclaimers won’t be enough. 2. Duty to warn - Expect mandatory disclaimers, onboarding risk screens, and context-specific safety alerts when AI is used in HR, finance, or healthcare. 3. Governance as legal defense - Companies will need documented AI safety frameworks (NIST/ISO-style) to prove they took “reasonable care.” 4. Unlicensed practice risk - If courts rule AI engaged in psychology, similar arguments could apply to AI in law, medicine, or finance. Human oversight may become legally required. 5. Insurance shake-up - AI-specific liability coverage will become a must-have, not an afterthought. This could be the moment where AI moves from “experimental software” to regulated, high-liability product. Enterprise leaders should start planning now: • Demand transparency from vendors on safety testing and controls. • Implement “safety by design” in internal AI programs. • Review insurance, compliance, and risk frameworks before lawsuits force the issue. The question is no longer if AI liability will hit enterprises, it’s when, and how prepared you’ll be.

Behind the Blue Screen: How the CrowdStrike Glitch Exposed Global Vulnerabilities Have you ever considered how a single software update could paralyze global operations? This alarming reality unfolded on July 19, when a routine update from CrowdStrike, a leading cybersecurity firm, caused widespread disruption. For me, the impact was intensely personal as my computer crashed the night before a crucial lecture for LLM students. Despite multiple reboot attempts, my anxiety grew as my case studies remained inaccessible. We were facing the infamous ‘Blue Screen of Death’—a critical system error in Windows that sounds like the punchline of a bad tech joke, but the reality was far from humorous. This routine software update had escalated into a worldwide disruption. Immediate Economic Impact The CrowdStrike BSOD incident had far-reaching consequences. Airlines experienced delays and cancellations, grounding flights and stranding passengers. Major banks reported halted transactions, leading to customer frustration and financial losses. This incident starkly illustrated how a single software patch could disrupt global operations. According to Gartner, the average cost of IT downtime is $5,600 per minute, equating to over $300,000 per hour. By 2025, 60% of organizations are expected to suffer major service failures due to mismanagement of cyber risks. Beyond the economic repercussions, this incident also highlighted significant legal challenges. Legal Implications In addition to economic turmoil, the incident posed significant legal challenges. CrowdStrike may face lawsuits from businesses claiming damages. Grounded flights could result in breach of contract claims and passenger compensation demands. This raises critical questions about the liability of software providers for unintended update consequences. Such incidents may prompt regulators to introduce stricter requirements for software update testing and validation. Lessons for Businesses This incident is a stark reminder for businesses to reassess their reliance on third-party software and improve their preparedness for disruptions. Regularly reviewing risk management strategies and developing robust contingency plans is essential. Ensuring vendor agreements outline responsibilities, liabilities, and mitigation processes for update-related issues can help minimize the impact. These steps are crucial for maintaining operational continuity and reducing potential damages. The CrowdStrike BSOD incident underscores the urgent need for businesses to be prepared for digital disruptions. Strengthening legal frameworks and enhancing risk management are vital. This incident serves as a wake-up call: businesses must fortify their defenses against the unexpected. Personally, this experience reminded me of the importance of having reliable backups and a robust contingency plan. Is your organization prepared for the next disruption? #TechDisruption #RiskManagement #Cybersecurity #BusinessContinuity

Three weeks ago, the Council of the EU adopted the new Product Liability Directive, the biggest update to EU product liability rules in 4 decades. For the first time, software (including AI systems) is explicitly covered. I personally feel one of the most important aspects of this directive, also from an #AIGP perspective is: Presumptions, as it simplifies accountability & encourages fairness. Let's see how: A presumption is a legal assumption that a court accepts as true unless proven otherwise. Think of it as a "starting point" that shifts the burden of proof from one party to another. In plain language: -Instead of "you must prove X is true" -It becomes "we will assume X is true unless someone can prove it's false" Now, there are 3 presumptions of defectiveness and 2 presumptions of causation. Lets understand with one example each- A. Presumption of Defectiveness: 1) Non-disclosure of Evidence: When a medical device manufacturer refuses to share safety documentation in court, defectiveness is presumed. 2) Safety Requirement Violations: When a product exceeds legal safety limits (e.g., toxic chemicals in toys) and causes harm. 3) Obvious Malfunction: When a product fails during normal use (e.g., coffee maker exploding under ordinary conditions). B. Presumption of Causation: 1) Defect-Damage Consistency: When damage matches a known product defect (e.g., burns from a faulty battery). 2) Technical Complexity Cases Applies when: -Proving causation is extremely difficult due to technical nature -Defect/causation is likely Example: AI diagnostic errors where the system's decision-making process is opaque but likely caused harm. Important Note: The directive specifies that manufacturers can rebut (disprove) these presumptions by providing evidence to the contrary. This preserves the manufacturers' right to defend themselves while making it easier for injured persons to seek compensation in justified cases. The key benefit of presumptions is they help balance between: -Consumers (who often lack technical knowledge and resources) -Manufacturers (who have all the technical information and expertise) Why this matters for AIGP: Understanding presumptions is crucial because they're a key legal tool for making AI governance practical and fair, especially when dealing with complex #generativeAI technologies where proving fault can be extremely challenging. #AIGP #AIGovernance #NewPLD #AIEthics

3 weeks ago, I had lunch with a founder who scaled a $2.2M ARR software company. Today, he's looking to exit - but his own software is killing 25% of his valuation. Here's how he could've avoided it: Within 6 years, my friend started a public-facing HR software that • Dominated their niche market • Steadily increased revenue • Won loyal customers Today, he's looking to exit for $8M – but he can't get that valuation. Why? Because potential buyers found out that his software's architecture wasn’t built to last. For context, there are 2 key parts to software design: • Functionality: what the software does • Architecture: whether it can keep doing it over time Like real estate, software loses value without regular maintenance and upgrades. Its functionality can last for 3-6 years. But, with the right architecture, it can last for 2-3x longer. Great architecture enables maintenance and upgrades without major rework, but most teams do not build with longevity in mind. This short-term thinking creates TECHNICAL DEBT: the hidden cost of scaling and maintaining software to make it usable. And yes, this debt hurts. It's a huge red flag for buyers or investors in the due diligence (DD) process: • If the software isn’t scalable, it’s a problem. • If it needs constant rework, it’s a liability. • If fixing it requires a rebuild, the company valuation takes a hit. Software that wasn't built well or being maintained will drag your business down. If you resonate with any of the above: • Conduct a deep review of architecture & code • Create a plan around lackluster features • Allocate resources for upgrades It's not an easy process, but it will improve your valuation, customer experience, and business longevity. Keep your software as an asset, not a liability. — P.S. If you want an assessment of where your software stands, DM me 'CTO' to get on a quick call with our CTO panel at @Incepteo. They can certainly help in assessing your strategy for the future. 

You will not be able to disclaim your way out of accessibility. Today I noticed in the Terms for MemberPress they include the following: "YOU ACKNOWLEDGE AND AGREE THAT MemberPress DO NOT WARRANTY, ASSURE AND/OR GUARANTEE THAT ITS SOFTWARE IS OR SHALL EVER BE COMPLIANT WITH THE WEB CONTENT ACCESSIBILITY GUIDELINES PURSUANT TO WCAG 2.0, WCAG 2.1, AND/OR ANY SUCCESSOR LAWS OR GUIDELINES (COLLECTIVELY, "WCAG COMPLIANCE")." I have bad news for MemberPress. The days of being able to disclaim your way out of accessibility will eventually come to a close, and it may happen soon. California's AB 1757 (Currently in the Appropriations Committee) includes the following: "... a provision within a contract between an individual or entity and a resource service provider that seeks to waive liability under this section, or otherwise shift the liability to a person or entity that pays, compensates, or contracts with the resource service provider, as described under paragraph (1) of subdivision (b), is void as a matter of public policy ..." The reason why this is part of the bill is clear: Customers have every right to expect that implementing a piece of software won't leave them liable due to the negligence of the software makers. While it is reasonable to expect a customer to be on the hook for the content they create with software, it is not OK to try to disclaim your way out of your own responsibility. Do better, MemberPress.

Your software should outlive your tenure in a company. Over lunch today, I had a conversation with a seasoned product executive about a familiar problem: A complex ML system built by a strong engineer who has since left. No one knows why it works the way it does. The system is stuck in the past, and no one has the context or courage to update it. At that point, the system becomes a liability. Professional builders design and document systems assuming they won’t be there.They document the why, not just the what: heuristics, metrics, experiments, trade-offs, and a clear getting-started path. I still remember my good friend Vineet Abhishek staying up late, when we left Walmart Global Tech to start Neulogic, writing docs, creating how-to guides, and turning scattered tribal knowledge into something consumable, well into the morning until his access expired. That's EXTREME ownership! Careers move on. Good systems should not. Thoughts?