The enforcement landscape in 2026, from principles to penalties

2026 marks the inflection point at which major AI governance frameworks move from principle to enforcement. The EU AI Act's prohibited AI practices have been enforceable since 2 February 2025. GPAI model obligations became applicable from 2 August 2025. High-risk AI system obligations apply from 2 August 2026 (or 2 December 2027 for standalone Annex III systems under the Omnibus agreement). Alongside this, GDPR enforcement of AI-related data protection violations has been running in parallel since 2018 and is actively increasing. The result: organisations now face layered, simultaneous enforcement risk from multiple regulatory frameworks across multiple jurisdictions.

EU AI Act, penalty structure

The EU AI Act's penalty structure under Article 99 exceeds even GDPR's significant maximums. Three tiers apply:

Tier 1, Prohibited AI practices (Article 5 violations): up to €35 million or 7% of global annual turnover, whichever is higher. This covers the eight prohibited categories: social scoring by government, real-time biometric identification in public spaces (limited exceptions), emotion recognition in workplaces and educational institutions, subliminal manipulation, exploitation of vulnerable groups, and others that have been enforceable since February 2025. For context, 7% of Alphabet's 2024 revenue would exceed $21 billion.

Tier 2, High-risk system non-compliance (Articles 6-49 violations): up to €15 million or 3% of global turnover. This applies to failures to comply with the obligations for high-risk AI systems: risk management, data governance, technical documentation, human oversight, accuracy, and registration. These obligations begin applying from August 2026 for most standalone high-risk systems.

Tier 3, Supplying incorrect information to authorities: up to €7.5 million or 1.5% of global turnover. This applies to misleading or incorrect information provided to market surveillance authorities in the course of investigations or conformity assessments.

The penalty structure is deliberately more severe than GDPR (maximum €20 million or 4% of turnover) because AI risks were assessed as potentially more severe than data protection violations. Market surveillance authorities in each EU member state are responsible for enforcement of the AI Act within their jurisdiction. The European AI Office oversees GPAI model obligations and can impose fines directly for systemic risk violations. Non-compliance findings are public, and some member states (Italy's Law 132/2025, effective October 2025) have added domestic criminal penalties for AI-related offences.

GDPR enforcement of AI violations, the existing enforcement layer

GDPR has been the primary enforcement tool for AI-related data protection violations since 2018. The DLA Piper 2026 survey puts total GDPR fines in 2025 at approximately €1.2 billion, consistent with 2024's figure. Key categories of GDPR enforcement relevant to AI include: Article 22 violations for solely automated decisions without consent or legal basis; Article 13-15 transparency failures for undisclosed automated processing; Article 6 lawful basis failures for AI systems processing personal data without adequate grounds; and Article 35 failures to conduct required Data Protection Impact Assessments before deploying high-risk AI.

A Berlin bank was fined €300,000 in 2023 specifically for an automated credit card rejection that failed Article 22's requirements: no human review was available and no explanation was provided. This case is representative of the enforcement direction: regulators are actively pursuing AI-specific violations under the GDPR framework and will continue to do so in parallel with EU AI Act enforcement.

United States, enforcement without a federal AI law

The US has no comprehensive federal AI law, but enforcement is active across existing authorities. The FTC enforces against AI-enabled unfair or deceptive practices under the FTC Act; AI systems that produce false claims, manipulate consumers, or engage in discriminatory practices are within the FTC's jurisdiction. State attorneys general in Colorado, California, Illinois, and New York have commenced or signalled enforcement under state AI and data protection laws. Colorado's AI Act was repealed and replaced by SB 189 (effective 1 January 2027), and Illinois HB 3773 (effective 1 January 2026) gives state regulators authority to bring enforcement actions against organisations whose AI systems cause algorithmic discrimination.

In employment specifically, the EEOC settled its first-ever AI hiring discrimination case in 2023, recovering $365,000 from an employer whose AI hiring tool discriminated against applicants on the basis of disability. A 2025 class action (Mobley v. Workday), alleging that an AI recruitment platform discriminated against a Black applicant over 40 years of age, has been certified and a final decision is expected in 2026. The outcome will be highly consequential for employer liability in AI-assisted hiring.

Australia, enforcement framework evolution

Australia does not yet have AI-specific enforcement powers. Enforcement operates through the OAIC (Office of the Australian Information Commissioner) for privacy violations under the Privacy Act 1988, ASIC (Australian Securities and Investments Commission) for AI-related conduct in financial services, and the ACCC for AI-enabled misleading or deceptive conduct in commerce. The government's proposed mandatory safeguards for high-risk AI, under the AI Safety Plan published in 2025, will introduce sector-specific enforcement if implemented. The Privacy Act's automated decision-making transparency obligation (effective 10 December 2026) will give the OAIC a direct enforcement hook for AI transparency failures.

What enforcement means in practice

Regulators assess compliance holistically: they look at whether organisations have a genuine governance programme, have identified their AI systems and classified their risk, have implemented the required controls, and have documented their compliance efforts. Proactive engagement (responding to regulator guidance, participating in consultations, demonstrating progress) is explicitly treated as a mitigating factor in penalty calculations under the EU AI Act. Organisations that can demonstrate they have been working toward compliance, even if not yet fully compliant, are in a materially stronger position than those that have not begun. The question is no longer whether AI enforcement will happen, but how prepared your organisation will be when it does.

Related reading

OECD AI Incidents Monitor