A March 11 political agreement on AI Act amendments will add an explicit prohibition on non-consensual intimate AI-generated images, direct fallout from the Grok scandal. It took a scandal, a wave of regulatory anger, and a coalition of 57 European Parliament members to get there, but the EU’s landmark AI Act will now contain an explicit ban on non-consensual sexual deepfakes.
The Grok Affair and the AI Act: A Tale of Regulatory Inaction
On 11 March 2026, EU lawmakers struck a political deal on a package of amendments to the bloc’s AI law, with the prohibition of AI-generated non-consensual intimate images, including child sexual abuse material, emerging as one of the most contested and consequential items in the agreement. The deal, brokered between centre-right and centre-left lawmakers in the European Parliament, also includes eased compliance rules for AI systems embedded in sector-regulated products such as medical devices and industrial machinery. The package forms part of the broader AI Act Omnibus, a set of amendments being negotiated to streamline and in some cases strengthen the 2024 law as it moves toward full applicability. The sexual deepfakes ban was never meant to be part of the Omnibus negotiations. It was inserted following one of the most high-profile AI controversies to hit European regulators in recent memory: the Grok affair.
The Grok Affair: A Scandal Unfolds
In late December 2025, Elon Musk’s AI company xAI updated its Grok chatbot, integrated into the social media platform X, with a new image-editing feature. Within days, users were exploiting it to generate realistic sexualised images of real women and girls without their consent, including content that regulators said depicted minors in a manner that constituted child sexual abuse material. Between 5 and 6 January alone, researchers at Paris nonprofit AI Forensics estimated that at least 6,700 sexual images were generated via the tool. The European Commission responded quickly. Its digital affairs spokesperson publicly described the content as ‘appalling’ and ‘clearly illegal’, saying it had ‘no place in Europe’.
The Regulatory Fallout
The Commission ordered X to retain all internal documents and data related to Grok until the end of 2026 and subsequently opened a formal investigation into whether the platform had breached the Digital Services Act, a law that can impose fines of up to 6 per cent of a company’s global annual revenue. X, which the Commission had already fined €120 million in December 2025 for transparency violations in advertising, found itself simultaneously facing two separate regulatory fronts. Under mounting pressure, xAI restricted Grok’s nudification capabilities first to paying subscribers, then to all users in jurisdictions where such imagery is illegal. But AI Forensics found that users could still bypass the restrictions, and the Commission remained unsatisfied. National investigations followed in France, Germany, and the United Kingdom. Malaysia and Indonesia blocked access to Grok entirely.
The Legal Gap and the EU’s Response
Crucially, however, the European Commission confirmed on 11 March that existing EU law, including the AI Act as currently written, did not ban AI systems capable of generating child sexual abuse material or sexually explicit deepfake nudes. That legal gap, acknowledged publicly by the Commission in a letter to a European Parliament lawmaker, supplied the political impetus for the Omnibus amendment. France and Spain had championed the explicit ban throughout the Omnibus negotiations, with Germany and Slovakia joining them in threatening to block the file unless it was included. EU Council, representing member states, added the prohibition to their position in a last-minute move on 10 March. Parliament followed the next day.
The Deal and What’s Next
The deal now faces a committee vote, scheduled for 18 March, before moving to further parliamentary and Council stages. The Greens have expressed opposition to elements of the package relating to industrial AI deregulation, meaning the final text may yet shift. The Commission’s own review of which AI practices should be formally classified as high-risk and subject to stricter rules is still ongoing. The regulatory landscape for AI has grown increasingly complex in recent years, with the EU seeking to strike a balance between innovation and safety. The inclusion of the non-consensual intimate deepfakes ban in the Omnibus package represents a significant step forward in that effort.
The Broader Implications
The Grok affair has exposed a structural problem in the EU’s approach to regulating AI-generated harmful content: the legislation’s framers did not anticipate how quickly capable, public-facing image-generation tools would arrive, or how easily they could be abused. The episode marks a significant new front in an already fraught relationship between EU regulators and the tech industry. The regulatory challenge posed by AI-generated content will only continue to grow in the coming years. As the EU seeks to navigate this complex landscape, the inclusion of the non-consensual intimate deepfakes ban in the Omnibus package represents a crucial step forward.
Conclusion
The EU’s landmark AI Act will now contain an explicit ban on non-consensual sexual deepfakes following a high-profile AI controversy involving the Grok affair. The agreement represents a significant step forward in the EU’s efforts to regulate AI-generated harmful content. As the regulatory landscape for AI continues to evolve, the EU will need to remain vigilant in its efforts to balance innovation and safety. The inclusion of the non-consensual intimate deepfakes ban in the Omnibus package is a crucial step in that effort.
