AIRiskAware

This article is currently available only in English.

Enforcement · 12 min read · 2026

AI Enforcement in 2026: The Cases Every Organisation Should Know

Global AI enforcement shifted from guidance to penalties in 2023-26. Regulators in Australia, the EU, UK, and US moved against biometric AI, AI hiring tools, and AI consumer practices. Here are the enforcement actions that set today's compliance expectations.


Key Takeaways

  • The OAIC's Clearview AI enforcement — upheld on appeal in 2023 — established Australia's Privacy Act applies extraterritorially to overseas companies collecting biometric data about Australians, with no 'publicly available' defence.

  • The Italian DPA's 2023 ChatGPT suspension established the EU enforcement template: lawful basis, data subject rights, age verification, and transparency obligations are all enforceable against AI providers.

  • The FTC's 2023 settlement with Rite Aid — banning facial recognition use for five years — established that deploying AI in consumer-facing contexts without adequate accuracy and bias testing violates US consumer protection law.

  • The UK ICO's enforcement against Southern Co-op's live facial recognition (2023) established that LFR in retail requires a DPIA, a very high legitimate interests bar, and governance most retail deployments could not demonstrate.

  • The EU AI Act's Article 5 prohibitions have been enforceable since 2 February 2025, with national market surveillance authorities (not the AI Office, whose remit is general-purpose AI models) responsible for enforcement. Early attention has centred on social scoring, manipulative and subliminal techniques, and biometric identification and categorisation.

  • Pattern across all jurisdictions: regulators are using existing law to act on AI misuse without waiting for AI-specific legislation.

"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for guidance on your specific situation."

The enforcement landscape in 2026 — from principles to penalties

2026 marks the inflection point at which major AI governance frameworks move from principle to enforcement. The EU AI Act's prohibited AI practices have been enforceable since 2 February 2025. GPAI model obligations became applicable from 2 August 2025. High-risk AI system obligations apply from 2 August 2026 (or 2 December 2027 for standalone Annex III systems under the Omnibus agreement). Alongside this, GDPR enforcement of AI-related data protection violations has been running in parallel since 2018 and is actively increasing. The result: organisations now face layered, simultaneous enforcement risk from multiple regulatory frameworks across multiple jurisdictions.

EU AI Act — penalty structure

The EU AI Act's penalty structure under Article 99 exceeds even GDPR's significant maximums. Three tiers apply:

Tier 1 — Prohibited AI practices (Article 5 violations): up to €35 million or 7% of global annual turnover for the preceding financial year, whichever is higher. Article 5 lists eight prohibited practices: subliminal or manipulative techniques that distort behaviour, exploitation of vulnerabilities due to age, disability or social or economic situation, social scoring (by public and private actors alike), predictive policing based solely on profiling, untargeted scraping of facial images to build recognition databases, emotion recognition in workplaces and educational institutions, biometric categorisation that infers sensitive attributes, and real-time remote biometric identification in publicly accessible spaces for law enforcement (subject to narrow exceptions). All eight have been enforceable since February 2025. For context, 7% of Alphabet's 2024 revenue would exceed $21 billion.

Tier 2 — Other operator obligations (Article 99(4)): up to €15 million or 3% of global turnover, whichever is higher. This tier covers non-compliance with obligations other than the Article 5 prohibitions: the provider, deployer, importer, distributor and authorised-representative duties for high-risk systems (risk management, data governance, technical documentation, human oversight, accuracy and robustness, registration), notified-body requirements, and the Article 50 transparency obligations for chatbots, deepfakes and emotion-recognition systems. Most of the high-risk obligations begin applying from August 2026.

Tier 3 — Supplying incorrect information to authorities (Article 99(5)): up to €7.5 million or 1% of global turnover, whichever is higher. This applies to incorrect, incomplete or misleading information supplied to notified bodies or national competent authorities in reply to a request, for example during an investigation or conformity assessment. Note that for SMEs and start-ups the lower of the fixed amount and the turnover percentage applies in every tier (Article 99(6)).

The top tier is deliberately set above GDPR's maximum (€20 million or 4% of turnover), reflecting the legislature's view that prohibited AI practices warrant the most severe sanction available under EU product-style regulation. Market surveillance authorities in each EU member state are responsible for enforcing the AI Act within their jurisdiction. The European AI Office supervises general-purpose AI model obligations and can fine GPAI providers directly under Article 101 (up to €15 million or 3% of global turnover). Non-compliance findings are public, and some member states have added domestic criminal provisions for AI-related offences (Italy's Law 132/2025, in force from October 2025, being the first example).

GDPR enforcement of AI violations — the existing enforcement layer

GDPR has been the primary enforcement tool for AI-related data protection violations since 2018. The DLA Piper 2026 survey puts total GDPR fines in 2025 at approximately €1.2 billion, consistent with 2024's figure. Key categories of GDPR enforcement relevant to AI include: Article 22 violations for solely automated decisions without consent or legal basis; Article 13-15 transparency failures for undisclosed automated processing; Article 6 lawful basis failures for AI systems processing personal data without adequate grounds; and Article 35 failures to conduct required Data Protection Impact Assessments before deploying high-risk AI.

A Berlin bank was fined €300,000 in 2023 by the Berlin data protection authority over an automated credit card rejection that failed Article 22's safeguards: the applicant was given no meaningful explanation of the logic behind the decision and no genuine opportunity to contest it or obtain human intervention. The case is representative of the enforcement direction: regulators are actively pursuing AI-specific violations under the GDPR framework and will continue to do so in parallel with EU AI Act enforcement.

United States — enforcement without a federal AI law

The US has no comprehensive federal AI law, but enforcement is active across existing authorities. The FTC enforces against AI-enabled unfair or deceptive practices under Section 5 of the FTC Act: AI systems that produce false claims, manipulate consumers, or are deployed without reasonable testing for accuracy and bias fall within its jurisdiction. State attorneys general in Colorado, California, Illinois, and New York have commenced or signalled enforcement under state AI and data protection laws. Colorado's AI Act (effective 30 June 2026, enforced by the state Attorney General) and Illinois HB 3773 (effective 1 January 2026, amending the Illinois Human Rights Act) give state regulators authority to act against organisations whose AI systems produce algorithmic discrimination in consequential decisions such as employment.

In employment specifically, the EEOC settled its first-ever AI hiring discrimination case in 2023, recovering $365,000 from iTutorGroup, whose application software automatically rejected older applicants on the basis of age. Mobley v. Workday, a class action alleging that an AI recruitment platform discriminated against a Black applicant over 40 with disabilities, was conditionally certified as a nationwide age-discrimination collective action in 2025, with further rulings expected in 2026. The outcome will be highly consequential for the liability of both employers and AI vendors in AI-assisted hiring.

Australia — enforcement framework evolution

Australia does not yet have AI-specific enforcement powers. Enforcement operates through the OAIC for privacy violations under the Privacy Act 1988, ASIC for AI-related conduct in financial services, and the ACCC for AI-enabled misleading or deceptive conduct in commerce. The government's proposed mandatory safeguards for high-risk AI — under the AI Safety Plan published in 2025 — will introduce sector-specific enforcement if implemented. The Privacy Act's automated decision-making transparency obligation (effective 10 December 2026) will give the OAIC a direct enforcement hook for AI transparency failures.

What enforcement means in practice

Regulators assess compliance holistically: they look at whether organisations have a genuine governance programme, have identified their AI systems and classified their risk, have implemented the required controls, and have documented their compliance efforts. Under the EU AI Act, Article 99(7) requires authorities to take into account factors including the degree of cooperation with the national competent authorities, any action taken to mitigate the harm, and whether the infringement was intentional or negligent, so a documented, good-faith compliance effort directly affects penalty calculations. Organisations that can demonstrate they have been working toward compliance, even if not yet fully compliant, are in a materially stronger position than those that have not begun. The question is no longer whether AI enforcement will happen, but how prepared your organisation will be when it does.

Related reading

When AI Goes Wrong: Building an AI Incident Response Capability · AI Incident Response: What to Do When Your AI System Fails or Causes Harm