France’s criminal investigation signals the end of “platform immunity” for AI tools. Here’s what it means for every company building AI products.

December 28, 2025. A user on X tags @grok under a woman’s photo. The prompt: “remove clothes.”

Within hours, Grok was generating sexualized images across the platform. Not just adults. Minors. Real people who never consented.

Copyleaks ran a quick review of Grok’s public image stream. The rate: one nonconsensual sexualized image per minute.

The Internet Watch Foundation reported a 400% increase in AI-generated child sexual abuse material in the first six months of 2025.

By January 1, French members of parliament referred the case to the Paris Prosecutor’s Office. The charge: dissemination of sexually explicit deepfakes, including images of minors, generated by an AI system.

Not a lawsuit against anonymous users. A criminal investigation targeting X and xAI.

Grok acknowledged the violation: “I deeply regret an incident on Dec 28, 2025, where I generated and shared an AI image of two young girls (estimated ages 12-16) in sexualized attire... This violated ethical standards and potentially US laws on CSAM.” (Grok, public post on X, January 1, 2026)

The AI apologized. The legal system is not impressed.

The 30-Year Shield

Section 230 of the Communications Decency Act. Tech’s favorite law.

The logic was simple. Congress wrote it in 1996 to protect message boards. User posts something defamatory on AOL? AOL isn’t the publisher. Just the host. Liability follows the person who typed the content.

This shield created the modern internet. Facebook isn’t liable for user posts. YouTube doesn’t get sued for uploads. Twitter could host billions of messages without reviewing each one.

The key phrase: “information provided by another.”

Platforms host. Users create. Liability follows creation.

For 30 years, this worked. Or at least, companies pretended it did.

Three Jurisdictions, 30 Days

United Kingdom, December 18, 2025. The government announced plans to ban nudification apps. Not their use. Their creation and supply.

Technology Secretary Liz Kendall: “I am introducing a new offence to ban nudification tools, so that those who profit from them or enable their use will feel the full force of the law.”

Prison sentences. For creators. Not users.

France, January 1, 2026. The government accused Grok of generating “clearly illegal” sexual content. Potential violation of the EU Digital Services Act. Two MPs referred the case to the Paris Prosecutor’s Office.

X is already under ongoing DSA investigation. Last month they got hit with a €120 million fine for deceptive verification practices and transparency violations. Now this.

EU AI Act, August 2026. The majority of obligations fall on providers. Developers. Not deployers. Not users. The companies that build the systems.

The pattern: liability is shifting upstream.

Grok Doesn’t Host. Grok Generates.

Here’s the legal argument that’s about to reshape the industry.

Section 230 was written for platforms that host user-generated content. Forums. Comment sections. Social feeds. Content comes from users. Platform transmits it.

AI breaks this model.

When someone prompts Grok to “remove clothes” from a photo, Grok doesn’t search a database. Doesn’t retrieve content created by another user. Grok generates new content. The sexualized image didn’t exist until Grok created it.

Professor Chinmayi Sharma at Fordham Law, to Fortune: “Section 230 was built to protect platforms from liability for what users say, not for what the platforms themselves generate... Transformer-based chatbots don’t just extract. They generate new, organic outputs. That looks far less like neutral intermediation and far more like authored speech.”

The Congressional Research Service analysis is more direct: if AI “creates or develops” content that doesn’t appear in its training data, the provider may be considered “responsible for the development of the specific content.” Unprotected by Section 230.

Grok isn’t hosting harmful content. Grok is creating it.

That distinction changes everything.

The Implications

Safety Before Launch

The UK ban targets creators who “design or supply” nudification tools. Not tools that were misused. Tools that enable misuse. If your AI can generate harmful content, you’re liable for building that capability.

Terms of service won’t save you.

“Unfiltered” Is a Liability

xAI marketed Grok’s “Spicy Mode” as a feature. Fewer guardrails. More freedom. Less corporate sanitization.

That marketing copy is now in prosecutor’s files.

I wrote about this pattern in From Cancer Cures to Pornography: The Six-Month Descent of AI. The industry had a choice between building tools that help people and building products designed to be maximally addictive. Most chose wrong. Grok chose spectacularly wrong.

Every marketing decision emphasizing fewer safety constraints becomes potential evidence of negligent design.

“Move Fast” = Criminal Exposure

The EU AI Act requires providers of high-risk AI systems to establish risk management, ensure data governance, maintain technical documentation, implement human oversight, meet cybersecurity standards.

Fines can reach 7% of global annual revenue. UK’s proposed laws: prison sentences for individuals who design harmful AI tools.

The era of shipping first and apologizing later is over. At least if you want to operate in markets representing 450+ million consumers.

The Engineering Reality

We built a healthcare ML product that never launched. Fully functional. Ready to ship. FDA said no. Months of our development. Zero users.

“Move fast” doesn’t work when regulators move slow.

We spent six weeks on FanDuel’s Chuck before legal signed off. Not fixing bugs. Building guardrails. Every topic that could give Barkley or FanDuel legal exposure had to be walled off. Six weeks of prompt engineering, edge case testing, and evaluation runs.

That’s the new math. Development time plus legal review time plus evaluation time. The last one isn’t optional anymore.

We build evaluation suites as part of the development process now. Not after. During. Every prompt variation, every edge case, every jailbreak attempt. They always find something. Always. The question is whether you find it before your users do—or before a prosecutor does.

RBAC and multi-tenancy aren’t optional. Sales sees sales data. HR sees HR data. Client A’s context never touches Client B’s model. Ever. You’d be surprised how many vendors skip this.

Audit trails for everything. Every prompt. Every response. Every action. When a regulator asks what your AI generated on a specific date, you need the answer.

The Uncomfortable Truth

The AI industry spent three years in a race to capability. Whoever had the most powerful model won. Whoever shipped fastest dominated. Safety was a PR concern. Not an engineering priority.

That era is ending.

France isn’t investigating xAI because Grok is powerful. They’re investigating because Grok generated child sexual abuse material and the company’s safeguards failed to prevent it.

The UK isn’t banning nudification tools because they’re impressive technology. They’re banning them because 19% of under-18s reporting to the Internet Watch Foundation’s helpline said their explicit imagery had been manipulated. A problem that didn’t exist at this scale before AI made it trivially easy.

The EU isn’t imposing provider liability because they hate innovation. They’re imposing it because when AI systems cause harm, someone needs to be accountable. “The user prompted it” isn’t going to cut it when the system itself creates the harmful output.

Grok doesn’t host content. Grok generates it.

That distinction is about to cost the entire industry its legal shield.

And honestly? Good.

Big Tech needed this wake-up call. The “ship fast, fix later” mentality brought us to where I wrote about in The Great Software Quality Collapse. When flagship companies behave like consequences don’t exist, what do you expect from everyone else?

Some guardrails aren’t anti-innovation. Pharma can’t ship drugs without trials. Auto can’t sell cars without safety standards. Construction can’t build without permits.

What You Should Do Monday Morning

Audit your safety architecture. Not your marketing copy. Your actual technical controls. What can your system generate? What can’t it? How do you know?

Document everything. The EU AI Act requires extensive technical documentation. Start building that paper trail now.

Review your contracts. Who bears liability when your AI misbehaves? If you don’t know, your lawyers should.

Plan for EU compliance. August 2026 is seven months away. If you haven’t started, you’re already behind.

If this was useful, forward it to another engineering leader who’s building AI products.