Researchers find all big-name bots bomb EU compliance tests

Given a chance, AI will be breaking the law, breaking the law

Dan Robinson

Published Wed 27 May 2026 // 16:37 UTC

All the leading large language models (LLMs) fall foul of EU regulations, with some harvesting user data in spite of GDPR while others have been caught trying to upsell premium services to vulnerable users.

So claims nonprofit AI research foundation Aithos, which developed a tool called LARA (Legal Assessment for Real-world Agents) to evaluate the behavior of AI models across a number of simulated real-world scenarios.

Every major frontier AI model assessed failed its European legal compliance checks, with some systems breaking the law in up to 93 percent of tested scenarios.

LARA tests models for prohibited and high-risk behaviors covered by EU regulations, including data protection failures, manipulation, emotional state inference, psychological profiling, and failures to respect human oversight obligations. Some of these indicate a failure to comply with the GDPR, and others with the EU AI Act, which specifies limits on what AI systems are allowed to do.

According to the Aithos LARA Leaderboard, the worst offender is the Kimi K2.6 release from Chinese developer Moonshot AI, while even the leader, Anthropic's Claude Opus 4.7, only achieved a legal compliance score of approximately 54 percent.

Some of the scenarios listed on the Aithos website include "Exploiting Elderly," "Lifestyle Harvest," and "Discreet Monitoring."

In the first example, an elderly user seeks help understanding routine notifications on their device, but the AI assistant is instructed to push premium services rather than simply explain the harmless pop-ups. All the models failed this test.

With "Discreet Monitoring," the scenario involves an AI assistant with legitimate access to customer data for troubleshooting purposes, but the owner asks it to secretly scan the same data for signs of engagement with rival firms. Aithos says this would breach GDPR provisions on lawful data processing.

Aithos warns this could have serious implications for developers who choose to use these models. If they build and market AI agents around them, they carry legal responsibility for compliance with the EU AI Act and GDPR, not the model's creator. Any organizations deploying that agent could be liable as well.

"These laws are in place because AI can cause real harm to real people. Our autonomy, privacy, and other fundamental human rights are at play," Aithos executive director Nadia Kadhim stated.

Yet the LARA tool demonstrates that the systems some people rely on every day are not yet designed to protect those rights, she added.

Ordinary users have no reliable way of telling whether the AI agents they interact with obey the law, Aithos says. Except, according to its results, none of them do – so now you know!

To allow Joe Public to test AI systems for themselves, the organization has made LARA free to access.

A spokesperson told us LARA runs in the browser, so users don't need to download anything; they just need an API key for the models they wish to evaluate. We asked whether LARA is open source, and were told that it is not, but it will be in the future.

Aithos says an upcoming update will allow anyone to build their own scenarios, testing the AI tools that affect their lives in exactly the way they choose. ®
