Who's Liable When an AI Safety Platform Misclassifies an OSHA-Recordable Injury?

Who's Liable When an AI Safety Platform Misclassifies an OSHA-Recordable Injury?

Every EHS software vendor on the market is now selling the same feature: AI that reads an incident narrative and tells you whether it's OSHA-recordable. Recordable versus first aid. DART versus non-DART. Days away, restricted, or transfer. The pitch is consistent across the category — faster classification, fewer inconsistent logs, less time spent arguing about 29 CFR 1904.7 in a conference room.

What none of these vendors advertise is what happens when the model gets it wrong.

And it will get it wrong. Not often, and not dramatically — but recordability determinations sit on judgment calls that even experienced safety managers disagree on: whether a restriction counted as "restricted duty," whether first aid crossed into medical treatment, whether a case is work-related at all under the geographic-presence and causation tests in 1904.5. An AI model trained to pattern-match incident narratives against those tests will occasionally land on the wrong side of a genuinely close call. The question every safety and compliance leader evaluating these platforms should be asking isn't "how accurate is the AI" — it's "when it's wrong, who owns that."

You might also like to read: Is Cursor AI Safe for HIPAA-Compliant Healthcare App Development?

The Regulation Doesn't Care Who Made the Call

29 CFR 1904.32 requires the employer to certify the accuracy of the OSHA 300A annual summary with a company executive's signature. Not the software vendor's signature. Not the AI's confidence score. The certifying official is attesting, under their own name, that they have "reasonably determined" the log is accurate — a standard that assumes a human reviewed the substance of the determination, not just approved a workflow that a vendor built.

If OSHA opens an inspection and finds a case classified as non-recordable that a compliance officer would classify as recordable, the citation goes to the employer. There is no provision in Part 1904 for shifting that citation to a third-party software provider, no matter how the marketing materials describe the tool's role in the decision. Your vendor's terms of service will say the same thing in different words: the platform is a decision-support tool, and the employer remains responsible for the recordkeeping determination. That allocation of risk is standard in every EHS software contract, and it means the "AI-powered" part of the pitch has almost no bearing on where liability actually sits.

This matters because the sales conversation and the compliance conversation are answering two different questions. The sales conversation is about throughput — how many incident reports a safety coordinator can process in a shift, how much faster the 300 log gets built. The compliance conversation is about whether the record that gets submitted to OSHA's Injury Tracking Application will hold up when an inspector or a plaintiff's attorney in a related wage-and-hour or workers' comp dispute pulls the file eighteen months later. Speed and defensibility are not the same feature, and most procurement conversations only evaluate the first one.

You might also like to read: How Healthcare IT Teams Are Accelerating Internal App Development Without Violating HIPAA

Where the Exposure Actually Concentrates

The unreviewed AI determination. Some platforms present the AI's classification as the default and require an affirmative click to override it, rather than requiring an affirmative click to accept it. That design choice matters enormously in an OSHA inspection or a deposition. A determination that a human accepted by doing nothing looks very different, evidentially, from one a human actively reviewed and signed off on. If your platform doesn't produce a record of what the reviewer actually saw and how long they spent on it, "we have an AI-powered system" is not a defense — it may be evidence that no one was actually looking.

The training data problem. Recordability determination models are typically trained on a mix of public OSHA enforcement history and vendor customer data. Neither source is a clean map of the current rule. Enforcement patterns shift with each administration's priorities; a model trained heavily on pre-2023 cases may under-flag categories OSHA has recently started scrutinizing more closely, such as heat-related illness classification under emerging state and federal heat standards, or musculoskeletal disorders in warehouse and logistics settings. A vendor's "AI accuracy" claim is usually benchmarked against historical data, not against how OSHA is currently enforcing the standard.

The multi-establishment consolidation gap. Under 1904.30, each establishment maintains its own log, with specific rules for how travel, temporary reassignment, and remote work affect which establishment a case belongs to. AI systems built for throughput sometimes default an ambiguous case to whichever establishment created the incident report, rather than applying the establishment test correctly. For multi-site manufacturers and logistics operators, this is a more common and more consequential error than a straightforward recordable/non-recordable miss, because it can misstate the DART and TRIR rates OSHA uses to target inspections under its Site-Specific Targeting program.

The rationale gap. A growing number of platforms now generate a written rationale alongside each AI determination — a short explanation citing the relevant subpart. This is a genuine improvement over a bare classification with no reasoning attached, and it's worth asking any vendor whether their tool produces one. But a generated rationale is not the same thing as a human safety professional's judgment, and it should be treated as a starting point for review, not as the record of record. An inspector who asks a safety manager to explain a classification decision expects an answer grounded in that manager's own knowledge of the incident — not a recitation of what the software generated.

You might also like to read: Why Your AI Coding Tools Are Creating a Compliance Blind Spot — And How to Close It Before Your Next Audit

What a Defensible Workflow Actually Requires

The fix here isn't "don't use AI in your safety platform" — the throughput gains are real, and the alternative for most multi-site operations is a safety office perpetually behind on its logs, which carries its own citation risk. The fix is treating the AI's output the way you'd treat a junior analyst's first-pass recommendation: useful, fast, and never the final signature.

A defensible setup requires the reviewer to see the AI's classification and its stated rationale, actively affirm or override it rather than let it default through, and have that review — including how long it took and what, if anything, was changed — captured in a record separate from the underlying incident data. It also means asking your vendor, before you sign, exactly what their determination model was trained on and how recently it was updated to reflect current enforcement priorities, since a stale training set is a compliance gap and vendors are rarely eager to volunteer it. Multi-establishment employers should specifically test how the platform handles ambiguous establishment assignment before rollout, because that failure mode is harder to catch after the fact than a simple recordable miss. And the human who ultimately certifies the 300A needs enough visibility into the classification history to actually stand behind that certification — not a dashboard summary, but the case-level record an inspector would ask to see.

None of this is a reason to slow-walk adopting AI-assisted safety recordkeeping. It's a reason to make sure the certifying signature on your 300A means what OSHA — and, if it comes to it, a court — will assume it means: that a person, not a model, made the call.


This article is intended as general information for safety, compliance, and HR leaders evaluating AI-assisted recordkeeping tools and does not constitute legal advice. Employers should consult qualified counsel when developing or auditing OSHA recordkeeping practices.

Comments

Popular Posts

How Healthcare IT Teams Are Accelerating Internal App Development Without Violating HIPAA

Is Cursor AI Safe for HIPAA-Compliant Healthcare App Development?

Why Your AI Coding Tools Are Creating a Compliance Blind Spot — And How to Close It Before Your Next Audit

What Payroll Decision-Makers Must Know Before Configuring Payroll for Tipped Hourly Employees

How to Add Employee Wellness Check-Ins to Your Time Clock (Without Adding More Work for HR)