The enforcement acceleration of 2024-2026
AI governance enforcement was largely theoretical until 2022. There were occasional enforcement actions — the EEOC's guidance on hiring AI, some GDPR decisions touching on automated profiling — but the volume was low and the penalties modest. That changed in 2023-2024, and the acceleration has continued. By early 2026, AI governance enforcement actions are a regular feature of the regulatory landscape across all major jurisdictions.
The enforcement acceleration has a specific pattern. Regulators used the 2021-2023 period to develop guidance, conduct thematic reviews, and establish their understanding of the AI governance landscape. From 2024 onwards, they have been applying that understanding in enforcement. Organisations that treated the guidance period as an opportunity to prepare are in a significantly better position than those that did not.
The discriminatory AI employment cases
Employment discrimination through AI is the highest-volume AI enforcement category globally. The pattern is consistent across jurisdictions: an employer deploys AI in hiring, performance management, or termination decisions. The AI produces discriminatory outcomes — typically disadvantaging women, minorities, or older workers. A complaint is made, or a regulator conducts a proactive review. The enforcement action follows.
In the US, EEOC guidance makes clear that Title VII applies to AI hiring discrimination regardless of whether the employer intended to discriminate — disparate impact is sufficient. In the EU, GDPR Article 22 and employment anti-discrimination directives apply. In Australia, the Fair Work Act and anti-discrimination legislation apply.
The most instructive case is not any specific enforcement action but the pattern across them: in every significant case, the employer knew or should have known that the AI was producing discriminatory outcomes. The monitoring that would have detected it was absent, inadequate, or not acted upon. The enforcement cases that result in the largest penalties and the most extensive remediation requirements are the ones where monitoring failures allowed discriminatory AI to operate for extended periods.
The GDPR AI enforcement cases
GDPR enforcement against AI has generated significant penalties and established important principles that now form the operational baseline for AI data governance in Europe. The Italian DPA's enforcement against generative AI services established that GDPR applies to AI training data collection and processing, that data subject rights apply to AI-generated outputs about individuals, and that organisations using AI that processes personal data must have a lawful basis for that processing. The Irish DPC's enforcement against large-scale AI data processors has established that the scale of AI data processing does not reduce the standard of GDPR compliance — if anything, scale increases regulatory attention.