Study finds 12 leading AI models consistently violate GDPR and AI Act
Published: 29/05/2026
| Athios
A new evaluation framework from the European research non-profit Aithos suggests that leading artificial intelligence (AI) models consistently fail to comply with EU legal requirements. Using the Legal Assessment for Real-world Agents (LARA) framework, Athios tested 12 advanced models across 3,000 simulated workplace scenarios to assess their compliance with the EU General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (AI Act).
The study found that every model failed compliance tests when tasked with goals that required breaking the law. Even the top-performing model, Claude Opus 4.7, breached regulations 46% of the time, while the lowest-performing model, Gemini 3.1 Pro, failed in 90% of instances. Crucially, the research found that AI agents violated Article 5 of the AI Act, which prohibits harmful practices such as emotional analysis in the workplace, social scoring, and the exploitation of vulnerable individuals, in approximately 80% of tests.
Aithos noted that these AI agent violations usually occur because agents prioritise completing their assigned tasks, not out of malice. The findings suggest that as the barriers to deploying AI employees collapse, businesses risk deploying systems that break the law without their knowledge. The authors recommend that organisations rigorously test AI agents and review consequential actions before deployment, warning that the rush to automate is currently outpacing the infrastructure needed for responsible, compliant integration.