This article demonstrates that, at least since the adoption of the Organizational Sentencing Guidelines in 1991, the United States legal regime has been moving away from a system of strict vicarious liability toward a system of duty-based organizational liability. Under this system, organizational liability for agent misconduct is dependant on whether or not the organization has exercised due care to avoid the harm in question, rather than under traditional agency principles of respondeat superior. Courts and agencies typically evaluate the level of care exercised by the organization by inquiring whether the organization had in place internal compliance structures ostensibly designed to detect and discourage such conduct. I argue, however, that any internal compliance-based organizational liability regime is likely to fail because courts and agencies lack sufficient information about the effectiveness of such structures. As a result, an internal compliance-based liability system encourages the implementation of largely cosmetic internal compliance structures that reduce legal liability without reducing the incidence of organizational misconduct. Furthermore, a review of the empirical literature on the effectiveness of internal compliance structures suggests that many organizations have adopted precisely this cosmetic approach to internal compliance. This leads to two potential problems: first, an underdeterrence of organizational misconduct and, second, a proliferation of costly but ineffective internal compliance structures.