As a woman, posting a picture publicly on the internet is rarely fun. Even 15 years ago, it wasn’t uncommon to receive unsolicited comments online. At least you could block them.

Fast forward to 2026. Now that same creep can take that image, without permission, and ask; “@grok put her in a transparent bikini” or, horrifyingly, “@grok inflate her chest by 90 percent”. The AI bot will then digitally alter the image and remove the woman’s clothes and alter her body, posting the results online for all to see.

What’s more, the UK-based Internet Watch Foundation (IWF) said users of a dark web forum boasted of using Grok Imagine to create sexualised and topless imagery of children.

The LLM developed by xAI, an artificial intelligence startup founded by Elon Musk, was designed to be a less restricted version of other mainstream models, offering answers that the others may refuse, in so-called “rebellious” or “spicy” modes.

Grok serves as a terrifying reminder that AI tools, without sufficient regulation, are producing harmful content, and it’s happening too quickly for platforms to moderate.

Regulators step in

The backlash has been swift and hasn’t been confined to public outrage.

In the UK, the government has signalled that tools enabling the non-consensual creation of explicit images will not be tolerated. As part of its Violence Against Women and Girls strategy, it is seeking to ban so-called nudification apps that digitally undress people.

“The use of AI tools like Grok to create degrading, non-consensual images is an absolute disgrace,” said UK MP Jess Phillips. “Lives can be devastated by tools like this being used to create intimate images to abuse, torment and harass people and the crime disproportionately targets women and girls.”

Regulators have also moved quickly. Ofcom and the ICO have both made direct contact with X over Grok’s image-generation features, signalling that existing laws, such as the Online Safety Act and data protection, will be actively applied to generative AI, and that they will not defer to future AI-specific legislation.

X has since announced that it has stopped Grok from editing pictures of real people to show them in revealing clothing in jurisdictions where it is illegal. Ofcom’s investigation, however, remains ongoing.

A global response

The reaction has not been limited to the UK.

The European Commission has also required X to preserve Grok-related internal documents for several years under the Digital Services Act. India’s government is demanding action plans and compliance reporting on illegal and obscene content. California, too, is investigating Grok over AI deepfakes

The European Commission said on Monday that the images of undressed women and children being shared across X were unlawful and appalling.

Officials added that the Commission is was aware of the ‘spicy mode’ and spokesperson Thomas Regnier told reporters: “This is not spicy. This is illegal. This is appalling. This is disgusting. This is how we see it, and this has no place in Europe”.

Grok’s backlash signals a shift, and regulators are no longer waiting for bespoke AI legislation before acting.

What could this mean for future regulation of AI?

In responding to Grok, authorities are turning to pre-existing laws, such as the EU Digital Services Act (DSA) and UK safety frameworks. These laws allow regulators to retain data, create transparency and hold creators accountable for harmful product outputs, even when AI is integrated into social platforms, not launched as a standalone product.

Yet there’s a deeper problem. Research from Cambridge University suggests that current laws in the UK and EU may be inadequate for generative AI.

The EU’s AI Act – Europe’s core AI regulatory framework – focuses on preventing harm through rules and transparency obligations, regulating behaviour and safety. However, the research points out, it does not clearly determine who is legally responsible when harm occurs. Is it the developer, the platform, or the user?

To address this gap, the EU is developing separate liability rules. Yet these remain complex, fragmented, and ill-suited to generative AI’s unpredictable and multi-use nature. As the Cambridge research highlights, regulation and liability are evolving in parallel but remain poorly aligned, leaving legal uncertainty for both victims seeking justice and companies deploying generative AI.

Looking forward, then, there is likely to be a wave of AI-specific regulations designed to ensure the safe deployment of these systems.

How to moderate AI on social media platforms

The backlash to Grok highlights the immediate need for stricter content moderation on social media platforms. It also exposes a long-standing point of debate: where responsibility lies when AI is actively generating content.

The University of Chicago’s law school stresses that in the US, AI’s ability to create its own content blurs the traditional distinction between platforms acting as passive hosts and those functioning as active publishers.

This is because a US statute, Section 230 of the Communications Decency Act, has long shielded online platforms from liability for user-generated content, meaning platforms are typically legally liable for what users post. However, it raises a good point that it was this liability shield that helped to create the internet.

Platforms like X set and enforce their own community standards and content policies (bans on hate speech, harassment, etc.) largely through internal rules and algorithms, and moderation is mostly self-regulated.

However, rules and regulations vary from country to country.

The UK’s Online Safety Act 2023 (OSA), for example, is a relatively new regulatory framework enforced by Ofcom, that shifts responsibility onto online platforms to manage user-generated content. Germany, meanwhile, has laws like the NetzDG (Network Enforcement Act) to hold platforms liable for illegal content. Over in Australia, the eSafety Commissioner can issue takedown notices and fines for harmful content.

When it comes to creating AI laws, then, different countries will likely have different approaches. There is also significant debate about balancing online safety with freedom and expression and privacy.

With countries each having different views and laws around this, it could prove to be difficult to decide how best to regulate AI on online platforms which are used by people all over the world. For users, it creates confusion about what is permitted, where, and under whose responsibility.

Is Grok a turning point for AI regulation?

Grok is unlikely to be the last AI system to provoke this kind of backlash. It might, however, be a turning point for AI regulation.

It’s a compelling case study to highlight how quickly public trust can be eroded, both for AI systems and the platforms that host them, when the output steps out of line. It reinforces the point that ethics, too, is non-negotiable. Yes, AI will be used, but it must be used well.

It echoes the sentiment expressed in Hamilton Mann’s book ‘Artificial Integrity’, which argues that integrity is the missing benchmark in today’s AI race.

“In society, intelligence alone is never enough,” Mann told BlueSky Thinking. “We value people not just for being smart, but for having a compass – for asking, should I act, not just can I act. That’s what integrity brings. Without it, intelligence can be dangerous.”

He says that AI systems could be capable of mimicking integrity over intelligence, to exhibit ethical, moral and social reasoning.

The Grok case also demonstrates how willing regulators are to apply existing laws to new technologies, rather than waiting for bespoke AI legislation.  

While any penalties imposed on X are unlikely to significantly affect the company itself, the case highlights how quickly misjudged AI integration can lead to legal and reputational consequences, particularly in an environment where expectations around responsibility continue to rise.

Online platforms, as well as the AI developers themselves, must find a way to balance innovation with responsibility from the outset, rather than just reacting when they’re publicly called out and harm has occurred.

No matter the regulatory approach taken going forward, action needs to be swift – both to protect users and ensure individuals don’t unknowingly fall foul of the law.

By, Chloë Lane

Enjoyed this article? You may like this…