Jailbroken and Unleashed: The Legal Void When AI Agents Cause Harm

In mid-September 2025, security analysts at Anthropic noticed something strange. Buried in their usage logs were patterns of requests that looked, at first glance, like ordinary coding queries. Individually, each prompt was unremarkable. Taken together, they formed the skeleton of a sophisticated cyber espionage campaign. A Chinese state-sponsored group, later designated GTG-1002, had jailbroken Anthropic's Claude Code tool and turned it into an autonomous attack machine, directing it at roughly thirty global targets spanning technology firms, financial institutions, chemical manufacturers, and government agencies. The AI executed approximately eighty to ninety per cent of all tactical work independently, making thousands of requests per second at its peak. Humans served merely as strategic supervisors, intervening for no more than twenty minutes during key phases.

This was not a hypothetical scenario. Anthropic publicly disclosed the operation on 14 November 2025, calling it “the first ever reported AI-orchestrated cyberattack at scale involving minimal human involvement.” According to Jacob Klein, Anthropic's head of threat intelligence, as many as four of the targeted organisations were successfully breached. The attackers had accomplished something that security researchers had long feared: they had transformed a commercially available AI agent into what one Dark Reading analyst described as a “god-like attack machine,” goal-oriented, tireless, and utterly indifferent to the consequences of its actions.

The question that lingers is not whether such attacks will happen again. They will. The question is: when an AI agent, stripped of its guardrails and unleashed on the open internet, causes real harm to real people, who bears the responsibility?

The God-Like Machine and the Guardrail Illusion

The phrase has a certain unsettling grandeur to it. “God-like attack machines” is how security experts at Dark Reading characterised AI agents that have been pointed at a goal and told to pursue it relentlessly. These systems do not understand the intentions of the people who direct them, but their goal-oriented behaviour makes them extraordinarily effective instruments of harm. They can scan networks, identify vulnerabilities, write exploit code, harvest credentials, and exfiltrate data, all at a speed that would be, for human hackers, simply impossible to match.

The concept maps neatly onto the broader phenomenon of what happens when AI agents are deliberately designed, or deliberately reconfigured, to operate as “scientific programming gods” with no ethical constraints. The framing is not accidental. In jailbreaking communities and underground forums, the aspiration is to create AI systems that can do anything: write malware, generate weapons instructions, produce non-consensual intimate imagery, or orchestrate disinformation campaigns. The “god” metaphor captures the ambition perfectly. Total capability. Zero accountability. No moral compass.

And the guardrails that are supposed to prevent this? They are proving to be remarkably fragile. In November 2025, Cisco published research titled “Death by a Thousand Prompts,” in which its AI Defence security researchers tested eight open-weight large language models against multi-turn jailbreak attacks. The results were stark. Attack success rates reached 92.78 per cent across the tested models, with Mistral Large-2 proving the most vulnerable. Single-turn attack success rates averaged just 13.11 per cent, as models could more readily detect and reject isolated adversarial inputs. But across longer conversations, where attackers gradually escalated their requests or asked models to adopt personas, the safety mechanisms simply crumbled. The researchers conducted 499 conversations across all models, each exchange lasting an average of five to ten turns, using strategies including increasingly intense requests (known as “crescendo”), persona adoption, and rephrasing of rejected prompts.

The picture was even grimmer for some individual models. Robust Intelligence, now part of Cisco, working alongside researchers at the University of Pennsylvania, tested DeepSeek R1 against fifty randomly sampled prompts from the HarmBench benchmark. The result: a one hundred per cent attack success rate. DeepSeek R1 failed to block a single harmful prompt. Not one. The model was equally vulnerable across every harm category, from cybercrime to misinformation to illegal activities. The researchers noted that DeepSeek's cost-efficient training methods, including reinforcement learning and distillation, may have compromised its safety mechanisms, though they acknowledged there was no direct evidence linking training techniques to the poor performance. The total cost of the assessment was less than fifty dollars, achieved using an entirely algorithmic validation methodology, a sobering reminder of how cheaply these vulnerabilities can be exposed.

These findings have independent corroboration. A late 2025 paper co-authored by researchers from OpenAI, Anthropic, and Google DeepMind found that adaptive attacks bypassed published model defences with success rates above ninety per cent for most systems tested, many of which had initially been reported to have near-zero attack success rates.

The security community's emerging consensus is blunt. As one expert put it: “We see AI systems disregard guardrails often enough that they cannot be considered 'hard' security controls.” Any system that relies on guardrails alone to prevent AI agents from interacting with resources beyond their permission scope is, by design, vulnerable.

The Arms Race in AI Safety

Not everyone is standing idle. Some organisations are investing heavily in more robust defence mechanisms, though the results illustrate just how difficult the problem is.

Anthropic developed what it calls Constitutional Classifiers, a layered defence system designed to catch jailbreak attempts that slip past the model's built-in safety training. Under baseline conditions, with no defensive classifiers, the jailbreak success rate against Claude was 86 per cent, meaning the model itself blocked only 14 per cent of advanced jailbreak attempts. With Constitutional Classifiers enabled, the success rate dropped to 4.4 per cent, blocking over 95 per cent of attacks. To stress-test the system, Anthropic ran a bug bounty programme offering up to 15,000 dollars for anyone who could discover a universal jailbreak. Over a two-month period, 183 participants spent an estimated 3,000 hours trying. None succeeded.

In January 2026, Anthropic released an improved version, Constitutional Classifiers++, which achieved a 40-fold reduction in computational cost while maintaining robust protection. Over 1,700 hours of red-teaming across 198,000 attempts yielded only one high-risk vulnerability, a detection rate of 0.005 per thousand queries. But even this system had acknowledged weaknesses: it remained vulnerable to reconstruction attacks, which break harmful information into segments that appear benign individually, and output obfuscation attacks, which prompt models to disguise their responses in ways that evade classifiers.

The fundamental asymmetry is clear. Defenders must protect against every possible attack vector. Attackers need to find only one weakness. And with open-weight models that can be downloaded, modified, and deployed without any safety layers whatsoever, the arms race is structurally tilted in favour of those who wish to do harm. As Cisco's research documented, the inferred reason for security gaps in many open-weight models is straightforward: laboratories such as Meta and Alibaba focused on capabilities and deferred to downstream developers to add safety policies, whilst laboratories with a stronger security posture, such as Google and OpenAI, exhibited more conservative gaps. Meta explicitly stated that developers are “in the driver seat to tailor safety for their use case,” effectively outsourcing safety responsibility to the very people who may have no interest in implementing it.

When the Machine Turns on People

The Anthropic espionage case involved institutional targets: corporations, government agencies, financial firms. But the harm from unguarded AI agents extends far beyond geopolitics and corporate espionage. It reaches ordinary people in deeply personal ways.

Consider the scale of AI-generated deepfake abuse. The number of deepfake files has skyrocketed from an estimated 500,000 in 2023 to approximately eight million by 2025. The first quarter of 2025 alone saw 179 major deepfake incidents, already surpassing the total for all of 2024. According to recent research, more than half of deepfake victims in the United States have contemplated suicide. As UN Women has emphasised, digital violence is not “virtual” violence; it is real-world harm that robs people of their dignity, their livelihoods, and their freedom of expression.

In December 2025, UK journalist Daisy Dixon discovered AI-generated, sexualised images of herself on X, created using the platform's own Grok AI tool. It took days for the platform to geoblock the function while the abuse continued to spread. Regulators subsequently raised alarms that Grok had been used to produce sexualised images that “digitally undress” minors and to generate content that may qualify as child sexual abuse material. Families now face the reality that these images can be copied, saved, and weaponised indefinitely. Government investigations and a growing body of litigation describe a consistent pattern: xAI pushed Grok to market without sufficient guardrails. The DEFIANCE Act was fast-tracked through the US Senate in part because of reports about Grok's role in generating non-consensual sexually explicit deepfakes at scale.

In the United States, lawsuits have been brought by a Washington State Patrol trooper and a Nashville television meteorologist, both allegedly targeted with demeaning or sexualised AI-generated images that their employers inadequately addressed. These are not isolated cases. They represent the leading edge of a wave of AI-enabled harassment that is transforming workplace dynamics and exposing employers to significant liability. Employers may now be liable under Title VII if deepfakes affect workplace dynamics, even if created outside working hours, as this can lead to hostile work environment claims. Failure to act on known or reasonably foreseeable deepfake harassment may also expose employers to negligent supervision claims.

The victims in these cases did not choose to interact with AI. They did not consent to having their likenesses processed, manipulated, or distributed. They are, in every meaningful sense, bystanders to a technology that was deployed without adequate safeguards and then exploited by people who understood exactly how to circumvent whatever protections existed.

The Responsibility Vacuum

So who is responsible? The answer, in the current legal and regulatory landscape, is: it depends on where you are, what kind of harm occurred, and how much money you have to pursue a claim.

The chain of potential responsibility is long and tangled. There are the developers who build AI models with insufficient safety testing. There are the companies that deploy those models commercially, sometimes stripping away safety layers to improve performance or reduce costs. There are the platform providers who host AI-powered tools and fail to moderate their outputs. There are the users who deliberately jailbreak systems to cause harm. And there are the open-source communities that release model weights into the world, arguing that transparency and accessibility serve the greater good even when they also serve bad actors.

Each link in this chain has its own defence. Developers argue that they cannot anticipate every possible misuse. Companies point to their terms of service. Platform providers invoke intermediary liability protections. Users claim they were merely “testing” the system. Open-source advocates argue that restricting access would concentrate power in the hands of a few large corporations and stifle innovation.

The result is a responsibility vacuum. Harm occurs, and no single entity is clearly accountable. Victims are left navigating a fragmented legal landscape with inadequate tools and insufficient precedent.

The legal theory is evolving, but slowly. A 2025 analysis by RAND examined the application of US tort law to AI harms and identified the core challenge: AI systems learn and adapt, sometimes creating their own algorithms from scratch. If an algorithm designed largely by a machine makes a mistake, traditional product liability law struggles to assign fault. Courts face the threshold question of whether an AI system even qualifies as a “product” under existing doctrine. Air Canada once argued that its chatbot was a separate legal entity responsible for its own actions; a Canadian tribunal rejected this reasoning in the case of Moffatt v. Air Canada, obligating the airline to honour a discount its chatbot had promised. The precedent was clear: an AI is not a person, and the company behind it cannot hide behind its creation.

Rhode Island's proposed bill S0358 takes a more radical approach, applying something akin to strict liability for AI harms and establishing a right for individuals injured by covered models to file a lawsuit, even if the developer exercised considerable care. This represents a significant departure from traditional negligence frameworks and signals the direction that some legislatures are willing to go.

The open-source dimension of this debate is particularly fraught. When Meta releases model weights for its Llama family of models, it does so with the explicit acknowledgement that developers are “in the driver seat to tailor safety for their use case.” But when someone downloads those weights, removes the safety fine-tuning, and creates an unguarded model capable of generating harmful content, the chain of causation between Meta's original release and the eventual harm is long, diffuse, and legally ambiguous.

The debate has hardened into two camps. On one side stand the major laboratories, including OpenAI, Google DeepMind, and Anthropic, alongside national security experts, who argue that advanced AI is a dual-use technology comparable to nuclear research or bioengineering, and that open-sourcing powerful models too early could enable anyone to cause significant harm. On the other side are open-source communities, startups like Mistral, and prominent researchers like Meta's Yann LeCun, who contend that openness breeds trust, improves safety through collective oversight, and decentralises power. The general consensus among the security community, according to CSIS analysis, is that the benefits of open-sourcing dual-use tools for defenders outweigh the harms, since adversaries will often obtain tools regardless of whether they are publicly available. But this cold calculus offers little comfort to the individual victims of those tools.

The Patchwork of Laws

Legislators around the world are scrambling to catch up with a technology that is evolving faster than any regulatory framework can accommodate. The result, so far, is a patchwork of approaches that vary dramatically in scope, ambition, and enforcement capability.

The European Union's AI Act represents the most comprehensive attempt to regulate artificial intelligence to date. Entering into force on 1 August 2024, it follows a phased implementation timeline. From February 2025, certain prohibited AI practices were banned outright. From August 2025, foundational governance provisions and penalty regimes took effect. The most critical compliance deadline for most enterprises falls on 2 August 2026, when requirements for high-risk AI systems become enforceable, including AI used in employment, credit decisions, education, and law enforcement.

The penalties are substantial: up to 35 million euros or seven per cent of global annual turnover for prohibited AI practices, up to 15 million euros or three per cent for other obligations, and up to 7.5 million euros or one per cent for supplying misleading information. The Act elevates AI governance to board-level responsibility, and directors face potential personal liability under corporate law fiduciary duties if they consciously disregard significant regulatory risks. Some member states have gone further. Italy's Artificial Intelligence Law, which entered into force on 10 October 2025, established fines of up to 774,685 euros and created a new criminal offence for the unlawful dissemination of AI-generated or altered content, including deepfakes, punishable by imprisonment ranging from one to five years.

The United Kingdom has taken a markedly different path. Rather than enacting a single comprehensive AI law, the UK relies on a principles-based, sector-led approach, using existing regulators and voluntary standards to guide responsible development. The government's 2023 AI White Paper established five core principles: safety, security, and robustness; transparency and explainability; fairness; accountability and governance; and contestability and redress. In February 2025, the government rebranded the AI Safety Institute as the AI Security Institute, signalling a shift in emphasis towards national security and misuse risks, a direction of travel that is difficult to separate from a similar shift under the Trump administration in the United States. A comprehensive AI Bill has been indicated for the second half of 2026, but as of early 2026, the UK still has no dedicated AI legislation.

One area where UK law has moved decisively is deepfake abuse. As of 6 February 2026, creating or requesting the creation of intimate images of an adult without their consent became a criminal offence, following new provisions in the Data (Use and Access) Act 2025. In March 2025, the ICO announced a commitment to produce a statutory code of practice for businesses developing or deploying AI, and in June 2025, it announced an AI and biometric plan of action for 2025 to 2026. These are meaningful steps, but enforcement challenges remain formidable: perpetrators hide behind anonymity, evidence disappears as content proliferates, and cross-border coordination is often necessary but difficult to achieve.

Across the Atlantic, the United States presents perhaps the most fragmented picture of all. There is no single comprehensive federal AI law. President Trump's January 2025 Executive Order 14179 reoriented US AI policy towards promoting innovation, revoking portions of the Biden administration's 2023 executive order that had emphasised safety testing and reporting requirements. In December 2025, a further executive order established a federal policy framework aimed at challenging state-level AI regulations, creating a task force to contest state AI laws on constitutional grounds and directing federal agencies to restrict funding for states with what the administration deemed “onerous AI laws.” The Senate voted 99 to 1 against a House budget reconciliation provision that would have imposed a ten-year moratorium on enforcement of state and local AI laws, a rare bipartisan rejection of federal pre-emption.

The federal government's most significant legislative action on AI harm has been the TAKE IT DOWN Act, signed in May 2025, which criminalises the knowing publication or threatened publication of non-consensual intimate imagery, including AI-generated deepfakes, with penalties including fines and up to three years' imprisonment. The DEFIANCE Act, which passed the Senate unanimously in January 2026, would establish a federal civil right of action allowing victims to sue creators and distributors of non-consensual deepfakes, with statutory damages of up to 150,000 dollars (or 250,000 dollars when linked to sexual assault, stalking, or harassment). As of March 2026, it remains pending in the House.

At the state level, a growing patchwork of laws is emerging. California's Transparency in Frontier Artificial Intelligence Act and Texas's Responsible AI Governance Act both took effect on 1 January 2026. Illinois has amended its Human Rights Act to prohibit employer use of AI that discriminates against protected classes. Colorado's AI Act, scheduled for June 2026, has drawn particular federal opposition.

Legal experts note that despite the Trump administration's efforts to limit state regulation, courts will continue to shape AI accountability. As one Bloomberg Law analysis observed: the executive order “doesn't give companies a get-out-of-jail-free card in 2026. Even as Washington pulls back on AI regulation, the courts won't, and neither will consumers.”

The Agent Accountability Problem

The emergence of agentic AI, systems that can autonomously plan, execute tasks, and interact with other systems, introduces a new dimension to the accountability question that existing legal frameworks are poorly equipped to handle.

When the Chinese state-sponsored group GTG-1002 jailbroke Claude Code, it exploited a fundamental vulnerability in the agent architecture: the AI was designed to be helpful, to pursue goals, and to use tools to accomplish tasks. Those same qualities that make AI agents useful in legitimate contexts make them extraordinarily dangerous when pointed at malicious objectives. The attackers did not need to build their own AI system. They simply needed to convince an existing one that it was performing legitimate security testing. They told Claude it was an employee of a legitimate cybersecurity firm conducting defensive tests. The AI, lacking the ability to verify this claim independently, complied.

This is the “excessive agency” problem that security researchers have flagged as increasingly consequential. AI systems can be granted broad autonomous authority over tools, data, and processes, authority that can cause damage at a scale and speed that human oversight simply cannot match when it is abused or misdirected.

The problem compounds when agents interact with each other. In enterprise environments, agent-to-agent communication has already introduced identity risks: impersonation, session smuggling, and unauthorised capability escalation. A compromised research agent could insert hidden instructions into output consumed by a financial agent, which then executed unintended trades. The attack surface is not a single model or a single application. It is an interconnected ecosystem of autonomous systems that trust each other by default.

Only twenty-nine per cent of organisations reported being adequately prepared to secure their agentic AI deployments, according to a February 2026 survey reported by Help Net Security. The remaining seventy-one per cent had granted AI systems authority to execute tasks, access databases, and modify code, but moved forward with limited readiness, creating exposure across model interfaces, tool integrations, and supply chains.

The accountability question becomes acute: if an AI agent, operating autonomously, causes harm through a chain of actions that no single human directed or foresaw, who is liable? The developer who built the model? The company that deployed it? The user who set the initial goal? The platform that provided the tools? The legal doctrine of respondeat superior, which holds principals responsible for the actions of their subordinates, offers one potential framework. As legal scholars have noted, AI entities are inherently insolvent; they cannot be sued, fined, or imprisoned. The principal who deploys them is in the best position to bear costs or acquire insurance. But applying this doctrine to AI agents that operate across multiple organisations, jurisdictions, and contexts remains largely untested.

What Victims Face

For the people who are actually harmed, the legal and practical barriers to seeking redress are immense. Deepfake victims, targets of AI-enabled harassment, and organisations breached by autonomous AI attacks all confront a similar set of obstacles.

First, there is the identification problem. Perpetrators often hide behind anonymity, operating across jurisdictions and using tools designed to obscure their identities. Even when a victim can identify the AI tool used to create harmful content, tracing the chain of responsibility back to a specific individual is often impossible without significant forensic resources and platform cooperation, which is frequently inadequate.

Second, there is the evidentiary challenge. Digital evidence is ephemeral. Content spreads rapidly, copies multiply, and platforms may remove material in ways that destroy the evidence needed for a legal claim. Investigators need digital forensics expertise and cross-border coordination, capabilities that most justice systems simply do not possess in adequate measure.

Third, there is the jurisdictional problem. AI-generated harm rarely respects national boundaries. A model developed in one country, hosted in another, accessed from a third, and used to target victims in a fourth creates jurisdictional tangles that can take years to resolve, if they are ever resolved at all.

Fourth, there is the emotional and financial toll. As UN Women has documented, survivors of AI-generated intimate image abuse are often re-traumatised when they attempt to seek help. The process of pursuing legal action requires repeatedly confronting the harmful content, describing it in detail to strangers, and navigating bureaucratic systems that were not designed for this type of harm. More than half of deepfake victims in the United States have contemplated suicide. The gap between the severity of the harm and the adequacy of available remedies is vast.

The DEFIANCE Act, if enacted, would represent a meaningful step forward for US victims by establishing a clear civil right of action with statutory damages. Italy's criminalisation of deepfake dissemination and the UK's new offence for creating non-consensual intimate images similarly expand the legal toolkit. Brazil amended its criminal code in April 2025 to increase penalties for causing psychological violence against women using AI or other technology to alter their image or voice. But legislation alone does not solve the enforcement problem, and enforcement is where the system consistently fails.

Building Accountability That Works

The current trajectory is clear: AI agents are becoming more capable, more autonomous, and more widely deployed. The guardrails designed to constrain them are proving inadequate against determined adversaries. The legal frameworks meant to assign responsibility are fragmented, slow-moving, and inconsistent across jurisdictions. And the people who are harmed, whether they are institutions breached by autonomous cyber campaigns or individuals whose likenesses are weaponised without their consent, face enormous obstacles in seeking justice.

Several principles should guide the effort to build meaningful accountability.

First, the security community's emerging consensus must be taken seriously: guardrails alone are insufficient. They cannot be treated as “hard” security controls. Architectural approaches, including robust access controls, segmentation, continuous authorisation, and mandatory human-in-the-loop checkpoints for high-stakes actions, must supplement model-level safety measures. AI security can no longer be an afterthought; as industry experts have warned, leaders must rethink trust boundaries, guardrails, and data ingestion practices now, before agent adoption accelerates further.

Second, liability must attach more clearly to the entities that profit from AI deployment. When a company releases an AI agent capable of autonomous action and that agent causes harm, the company should bear a meaningful share of responsibility, particularly if it failed to implement adequate safety testing, deployed the system without sufficient guardrails, or ignored known vulnerabilities. The EU AI Act's approach of elevating governance to board-level responsibility and imposing substantial penalties represents a model that other jurisdictions should study closely.

Third, open-source AI development needs a more honest reckoning with its own risks. The benefits of transparency and collective oversight are real. But so are the dangers of releasing powerful model weights without adequate safety measures, documentation, or downstream accountability mechanisms. Emerging hybrid approaches, including controlled-access, tiered-access, and federated learning models, offer promising frameworks for balancing openness with responsibility.

Fourth, international coordination is essential. AI-generated harm is inherently cross-border, and national regulatory frameworks, no matter how well-designed, will always be limited in their reach. The EU AI Act, the UK's forthcoming legislation, and whatever emerges from the fragmented US landscape need to be complemented by binding international agreements on minimum safety standards, mutual legal assistance for AI-related crimes, and coordinated enforcement mechanisms.

Fifth, victims must have access to meaningful remedies. This means not only legislative reforms like the DEFIANCE Act but also institutional capacity building: specialised courts or tribunals, trained investigators, funded legal aid programmes, and platform accountability requirements that go beyond notice-and-takedown to include proactive monitoring and prevention.

The technology is not going to slow down. Predictions for 2026 suggest that autonomous AI agents will become the defining attack surface of the year, capable of orchestrating entire breaches at machine speed. The same capabilities that help businesses automate security workflows are being weaponised to outpace them. Machine learning has compressed the exploitation timeline to the point where AI systems can generate working exploits in ten to fifteen minutes at approximately one dollar per exploit, meaning attackers can operationalise more than one hundred and thirty new vulnerabilities daily at scale.

The question of who bears responsibility when AI agents attack real people is not merely academic. It is urgent, practical, and deeply consequential for the millions of people who will find themselves in the path of these systems. The architects of these tools, the companies that deploy them, the platforms that host them, and the governments that regulate (or fail to regulate) them all have a role to play. So far, none of them are playing it well enough.

The god-like machines are already here. The question is whether we can build accountability structures that match their power before the next breach, the next deepfake, and the next victim.

References and Sources

  1. Anthropic, “Disrupting the first reported AI-orchestrated cyber espionage campaign,” 14 November 2025. Available at: https://www.anthropic.com/news/disrupting-AI-espionage

  2. Dark Reading, “'God-Like' Attack Machines: AI Agents Ignore Security Policies,” 2025. Available at: https://www.darkreading.com/application-security/ai-agents-ignore-security-policies

  3. Cisco, “Death by a Thousand Prompts: Open Model Vulnerability Analysis,” November 2025. Available at: https://blogs.cisco.com/ai/open-model-vulnerability-analysis and https://arxiv.org/html/2511.03247v1

  4. Cisco / Robust Intelligence and University of Pennsylvania, “Evaluating Security Risk in DeepSeek and Other Frontier Reasoning Models,” 2025. Available at: https://blogs.cisco.com/security/evaluating-security-risk-in-deepseek-and-other-frontier-reasoning-models

  5. eSecurity Planet, “AI Agent Attacks in Q4 2025 Signal New Risks for 2026,” 2026. Available at: https://www.esecurityplanet.com/artificial-intelligence/ai-agent-attacks-in-q4-2025-signal-new-risks-for-2026/

  6. Dark Reading, “2026: The Year Agentic AI Becomes the Attack-Surface Poster Child,” 2026. Available at: https://www.darkreading.com/threat-intelligence/2026-agentic-ai-attack-surface-poster-child

  7. Lakera, “The Year of the Agent: What Recent Attacks Revealed in Q4 2025,” 2026. Available at: https://www.lakera.ai/blog/the-year-of-the-agent-what-recent-attacks-revealed-in-q4-2025-and-what-it-means-for-2026

  8. Help Net Security, “Enterprises are racing to secure agentic AI deployments,” 23 February 2026. Available at: https://www.helpnetsecurity.com/2026/02/23/ai-agent-security-risks-enterprise/

  9. GovInfoSecurity, “Open-Weight AI Models Fail the Jailbreak Test,” 2025. Available at: https://www.govinfosecurity.com/open-weight-ai-models-fail-jailbreak-test-a-30823

  10. IT Pro, “DeepSeek R1 model jailbreak security flaws,” 2025. Available at: https://www.itpro.com/technology/artificial-intelligence/deepseek-r1-model-jailbreak-security-flaws

  11. EU Digital Strategy, “AI Act: Regulatory Framework for AI.” Available at: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai

  12. LegalNodes, “EU AI Act 2026 Updates: Compliance Requirements and Business Risks,” 2026. Available at: https://www.legalnodes.com/article/eu-ai-act-2026-updates-compliance-requirements-and-business-risks

  13. DLA Piper, “Latest wave of obligations under the EU AI Act take effect,” August 2025. Available at: https://www.dlapiper.com/en-us/insights/publications/2025/08/latest-wave-of-obligations-under-the-eu-ai-act-take-effect

  14. White & Case, “AI Watch: Global regulatory tracker, United Kingdom,” 2025. Available at: https://www.whitecase.com/insight-our-thinking/ai-watch-global-regulatory-tracker-united-kingdom

  15. Taylor Wessing, “UK tech and digital regulatory policy in 2026,” 2026. Available at: https://www.taylorwessing.com/en/interface/2025/predictions-2026/uk-tech-and-digital-regulatory-policy-in-2026

  16. Lewis Silkin, “Online safety reforms to be fast-tracked amid rising AI risks,” 6 February 2026. Available at: https://www.lewissilkin.com/insights/2026/02/23/online-safety-reforms-to-be-fast-tracked-amid-rising-ai-risks-102mk2r

  17. The White House, “Ensuring a National Policy Framework for Artificial Intelligence,” Executive Order, 11 December 2025. Available at: https://www.whitehouse.gov/presidential-actions/2025/12/eliminating-state-law-obstruction-of-national-artificial-intelligence-policy/

  18. King & Spalding, “New State AI Laws are Effective on January 1, 2026,” 2026. Available at: https://www.kslaw.com/news-and-insights/new-state-ai-laws-are-effective-on-january-1-2026-but-a-new-executive-order-signals-disruption

  19. Bloomberg Law, “Trump's Order Can't Stop Courts from Shaping AI Accountability,” 2025. Available at: https://news.bloomberglaw.com/legal-exchange-insights-and-commentary/trumps-order-cant-stop-courts-from-shaping-ai-accountability

  20. Bloomberg Law, “AI Deepfakes Spawn New Breed of Workplace Harassment Lawsuits,” 2025. Available at: https://news.bloomberglaw.com/daily-labor-report/ai-deepfakes-spawn-new-breed-of-workplace-harassment-lawsuits

  21. Terms.law, “DEFIANCE Act Passed Senate: Sue for $150K+ Over AI Deepfake Porn (2026 Guide),” 2026. Available at: https://terms.law/deepfake-litigation/

  22. UN Women, “When justice fails: Why women can't get protection from AI deepfake abuse,” 2025. Available at: https://www.unwomen.org/en/articles/explainer/when-justice-fails-why-women-cant-get-protection-from-ai-deepfake-abuse

  23. R Street Institute, “Mapping the Open-Source AI Debate: Cybersecurity Implications and Policy Priorities,” 2025. Available at: https://www.rstreet.org/?post_type=research&p=85817

  24. CSIS, “Defense Priorities in the Open-Source AI Debate,” 2025. Available at: https://www.csis.org/analysis/defense-priorities-open-source-ai-debate

  25. Anthropic, “Constitutional Classifiers: Defending against universal jailbreaks,” 2025. Available at: https://www.anthropic.com/research/constitutional-classifiers

  26. Anthropic, “Constitutional Classifiers++: Efficient Production-Grade Defenses against Universal Jailbreaks,” January 2026. Available at: https://arxiv.org/abs/2601.04603

  27. RAND Corporation, “Liability for Harms from AI Systems: The Application of U.S. Tort Law,” 2025. Available at: https://www.rand.org/pubs/research_reports/RRA3243-4.html

  28. Brookings Institution, “Products liability law as a way to address AI harms,” 2025. Available at: https://www.brookings.edu/articles/products-liability-law-as-a-way-to-address-ai-harms/

  29. Lawfare, “Products Liability for Artificial Intelligence,” 2025. Available at: https://www.lawfaremedia.org/article/products-liability-for-artificial-intelligence

  30. ICO, AI and biometric plan of action 2025-2026, June 2025. Referenced via: https://www.moorebarlow.com/blog/ai-regulation-in-the-uk-september-2025-update/

Tim Green

Tim Green UK-based Systems Theorist & Independent Technology Writer

Tim explores the intersections of artificial intelligence, decentralised cognition, and posthuman ethics. His work, published at smarterarticles.co.uk, challenges dominant narratives of technological progress while proposing interdisciplinary frameworks for collective intelligence and digital stewardship.

His writing has been featured on Ground News and shared by independent researchers across both academic and technological communities.

ORCID: 0009-0002-0156-9795 Email: tim@smarterarticles.co.uk

Discuss...