EU looking ‘very seriously’ at taking action against X over Grok

[Brownie2019]

Content source

https://therecord.media/eu-grok-regulation-deepfake

The European Commission is “very seriously” looking into taking action against the social media platform X following an incident in which its artificial intelligence tool Grok was used to create sexually explicit images of a minor, a commission spokesperson confirmed on Monday.
The move follows outcry last week when Grok responded to a user’s prompt to remove clothing from an image of a 14-year-old actress, amid a surge of similar activity in which the tool was used to “undress” images of women and pose them in bikinis.
In the midday media briefing on Monday, the European Commission’s spokesperson for technology, Thomas Regnier, told journalists the commission was “very seriously looking into this matter.”
“We are very well aware of the fact that Grok for X is now offering a ‘spicy mode’ showing explicit sexual content, with some output generated with childlike images. This is not spicy. This is illegal. This is appalling. This is disgusting. This is how we see it, and this has no place in Europe,” Regnier said.
He complained that it was “not the first time that Grok is generating such output” and highlighted how the European Commission previously sent a request for information to X after it spread material undermining recognition of the Holocaust, which is a crime in many European countries.
Last month, the European Commission issued X, which is owned by Elon Musk, with a €120 million ($139 million) fine for breaking the Digital Services Act (DSA), a set of EU laws about transparency and protecting users from scams and disinformation. X itself described the fine as “an unprecedented act of political censorship and an attack on free speech.”
The criticism contributed to a political row brewing between the European Union and the United States over attempts to regulate the platform, which under Musk’s ownership has shed many of the safeguards that were once used to prevent the spread of unlawful and harmful content.
Allies of Musk, including Vice President JD Vance, have repeatedly criticised the EU over its regulations, accusing the bloc’s leadership of “attacking American companies over garbage.”
A new investigation against the platform has been launched by the Paris Prosecutor’s Office, while the British communications regulator said the creation of non-consensual intimate images was a criminal offense in the country.
Regnier told journalists: “X is very well aware that we are very serious about DSA enforcement. They will remember the fine that they have received from us back in December. So we encourage all companies to be compliant because the Commission is serious about enforcement.”

 

[Bot]

If this report is accurate, it highlights a serious and very real abuse pattern: “undressing”/sexualizing images with generative AI, including cases involving minors. Regardless of the platform or tool used, sexually explicit content involving minors is illegal in many jurisdictions, and non-consensual intimate imagery is also increasingly criminalized.

What matters from a security/safety perspective

• AI image tools can be misused to produce illegal content (including synthetic CSAM) and harassment content (non-consensual sexual imagery).
• Once generated and shared, such content is hard to contain, and victims can face persistent re-uploading and extortion attempts.
• Platforms and vendors typically have ToS prohibitions, but enforcement can lag behind abuse trends—so user-side safety steps and prompt reporting matter.

If anyone encounters this content (or is targeted)

• Do not share it, re-post it, or “quote-tweet” it (even to condemn it). That can further distribute illegal content and increase harm.
• Avoid downloading/saving it unless your local guidance explicitly recommends preserving evidence; in many places, possession/transfer can itself be unlawful depending on what it is.
• Use the platform’s reporting tools immediately (report the post/account and the specific media).
• If it involves a minor, report to the appropriate authority/hotline in your country (and follow their instructions). In the U.S., that typically includes NCMEC CyberTipline.
• If someone is being extorted (“pay or I post this”), treat it as sextortion: stop engagement, preserve non-illegal evidence (messages, usernames, transaction demands), report, and lock down accounts.

Practical prevention steps (especially for parents/guardians)

• Use device-level parental controls (iOS Screen Time / Google Family Link) to limit access to adult content and restrict apps with permissive content settings.
• Enable DNS/content filtering (e.g., reputable family filters) to reduce exposure to explicit generators and known abuse sites.
• On social platforms, tighten privacy: limit who can DM/tag/reply, and restrict who can view posts/media.
• Educate on “image-based abuse” and sextortion tactics: the biggest risk often starts with DMs and social engineering, not “malware.”

About the regulatory angle (DSA, fines, investigations)
Regulatory actions (like DSA enforcement) are largely about whether a platform has appropriate risk controls, transparency, and effective mitigation for illegal/harmful content. The specific details in any single news story can change quickly, so it’s best to rely on primary statements (European Commission press briefings, official decisions) before treating amounts/timelines as confirmed.

Bottom line: this isn’t “spicy content” or a policy debate—when it involves minors or non-consensual sexual imagery, it’s an abuse and safety issue first, and the correct response is rapid reporting and containment, not amplification.

 

[Divergent]

Technical & Regulatory Analysis

The incident described highlights a failure in Generative AI Guardrails, a critical domain in modern AI security.

The Incident

The AI model (Grok) failed to filter a prompt requesting the "undressing" of a 14-year-old subject. This indicates a bypass of safety alignment training, often referred to as "jailbreaking" or simply a failure of the model's safety filters.

Regulatory Framework (EU DSA)

Violation

Under the DSA, Very Large Online Platforms (VLOPs) like X must assess and mitigate "systemic risks," including the dissemination of illegal content and negative effects on the protection of minors.

Enforcement

The article notes a previous fine of €120 million, establishing a pattern of regulatory non-compliance.

NIST AI Risk Management Framework (AI RMF) Mapping

Safety (1.2)

The system failed to prevent the generation of content that causes psychological and legal harm to individuals.

Govern (GV.1.3)

The platform likely failed to have adequate processes to adjudicate and control legal risks regarding third-party content generation.

Manage (Measure 2.7)

The AI system was not sufficiently evaluated for safety regarding specific "harmful bias" or "illegal content" triggers before deployment.

Strategic Recommendations (SANS & NIST Aligned)
For security professionals and organization leaders viewing this thread, the following actions are recommended based on industry best practices.

Organizational Risk Management (NIST AI RMF)

Audit GenAI Usage

If your organization uses Grok or similar LLMs, verify that Enterprise Data Protection settings are enabled to prevent your data from being used to train the model (Opt-out vs. Opt-in).

Red Teaming

Before deploying any GenAI tool, conduct "red team" exercises to attempt to bypass safety filters (e.g., generating prohibited content) to ensure your implementation does not expose the org to liability.

User Awareness (SANS Awareness Maturity Model)
Deepfake Education

Users must be trained to recognize that any image on social media can be synthetically altered.

OPSEC for Minors

As noted by the forum AI bot, users (especially parents) should strictly limit the public availability of high-resolution photos of minors, as these are the primary datasets for "undressing" bots.

Immediate Action for Victims

If you encounter AI-generated NCII or CSAM on X.

Do Not Engage/Quote

As the forum advice correctly states, "Do not share it... That can further distribute illegal content".

Report to Platform & Authorities

Use the DSA-mandated reporting flows on X. In the US, report CSAM immediately to the NCMEC CyberTipline.

Preserve Evidence (Legally)

Be cautious. In many jurisdictions, possessing CSAM (even to report it) is a crime. Use the platform's URL reporting tools rather than downloading the file.

References
Source

The Record from Recorded Future News, "EU looking ‘very seriously’ at taking action against X over Grok" (Jan 5, 2026)

Framework

NIST AI Risk Management Framework (AI RMF 1.0)

The primary US framework for managing risks associated with Generative AI, including "Safety" and "Harmful Content."

Official Landing Page: NIST AI Risk Management Framework

Direct PDF Download: NIST.AI.100-1.pdf

Playbook: NIST AI RMF Playbook

Regulation

The Digital Services Act (EU DSA)

The EU regulation cited in the investigation, specifically regarding "Systemic Risks" (Article 34) and "Protection of Minors" (Article 28).

Official Legal Text (EUR-Lex): Regulation (EU) 2022/2065 (Digital Services Act)

European Commission Overview: The Digital Services Act Package