See also (wiki): ai-washing-enforcement
Executive Summary
- FTC “Operation AI Comply” has produced at least a dozen AI-washing cases since its September 2024 launch. The largest monetary judgment to date is Click Profit (>$20M, March 2025). The smallest is DoNotPay ($193,000, January 2025).
- The SEC has brought three public AI-washing cases. Presto Automation (January 2025) is the first against a publicly traded company. Penalties so far range from $175,000 to $400,000 and a non-monetary settlement with ongoing reporting.
- State attorneys general opened the playbook in September 2024 with Texas v. Pieces Technologies — a healthcare generative AI vendor settled on allegations that accuracy claims misled hospitals. No fine; five years of monitoring and disclosure requirements. North Carolina and Utah formed a joint AG AI task force in November 2025.
- HIPAA OCR has not yet brought an AI-specific settlement. Section 1557’s AI nondiscrimination rule (effective May 1, 2025) and the Security Rule NPRM (January 2025) establish the compliance baseline that will drive 2026–2027 enforcement.
- The common thread across every regulator: the theory is deception about AI capability, not harm caused by the AI itself. Regulators are prosecuting what companies said — in marketing copy, earnings calls, investor decks, and sales materials — not what the AI did.
The FTC: Twelve Cases, Two Templates
Two enforcement templates have emerged under Operation AI Comply, launched September 25, 2024 and continued without interruption under the new administration.
Template 1 — AI-branded get-rich-quick schemes. FBA Machine, Ecommerce Empire Builders, Ascend Ecom (Sept 2024), Click Profit (March 2025), and Air AI (Aug 2025 lawsuit pending) all follow the same pattern: the “AI” label was decoration on a passive-income pitch. Click Profit alone produced more than $20 million in judgments. The FTC found that 20% of Click Profit buyers earned nothing and 33% earned under $2,500, despite marketing claims of thousands monthly.
Template 2 — AI capability overstatement. DoNotPay (Jan 2025, $193,000) claimed to be “the world’s first robot lawyer.” IntelliVision (Jan 2025) claimed bias-free facial recognition without testing. Workado (April 2025) claimed 98% accuracy for its AI content detector; FTC testing put actual accuracy at 53%. Rytr (Sept 2024 consent order) marketed a tool that generated fake testimonials and reviews.
The Rytr order was set aside by the FTC on December 22, 2025 — a signal that the Commission under new leadership is narrowing the theory that AI capability claims are inherently deceptive, but not retreating from enforcement of specific false statements.
| Case | Date | Penalty | Conduct |
|---|---|---|---|
| Rytr | Sept 2024 (set aside Dec 2025) | Consent order, now vacated | AI writing tool generated fake testimonials |
| FBA Machine / Ascend Ecom / Ecommerce Empire Builders | Sept 2024 | Varies | AI-branded passive income schemes |
| DoNotPay | Jan 2025 | $193,000 | “World’s first robot lawyer” unsubstantiated |
| IntelliVision | Jan 2025 | Compliance reporting | False bias-free facial recognition claims |
| Click Profit | March 2025 | >$20 million | “Automated AI” ecommerce system; 20% earned zero |
| Workado | April 2025 | Compliance monitoring | Claimed 98% accuracy; actual 53% |
| Air AI | Aug 2025 | Pending | Deceptive customer-service AI replacement claims |
The SEC: Three Cases, One Priority
The SEC’s Enforcement Division has moved more slowly and targeted more precisely.
Delphia (USA) Inc. (March 2024) and Global Predictions Inc. (March 2024) — the first two AI-washing settlements — were investment advisers that misrepresented AI use in their investment processes. Combined penalties: $400,000.
Presto Automation Inc. (January 2025) is the watershed case: the first AI-washing action against a publicly traded company. Presto marketed “Presto Voice,” an AI order-taking product for restaurants. The SEC found Presto failed to disclose that the voice AI was developed and owned by a third party and that human intervention was required far more often than investor communications suggested. Settlement was non-monetary but included ongoing compliance reporting.
In February 2025 the SEC created a Cybersecurity and Emerging Technologies Unit (CETU) and named AI-washing as a top enforcement priority. Senior enforcement officials have publicly reiterated the priority through 2026 despite broader perceptions of an enforcement slowdown.
State Attorneys General: Texas Moves First, Task Forces Form
Texas v. Pieces Technologies (September 2024) is the first state AG AI enforcement settlement. Texas AG Ken Paxton alleged that Pieces — a generative AI vendor deployed at four major Texas hospital systems to summarize clinical notes — published accuracy metrics (a “severe hallucination rate of less than one per 100,000”) that the state alleged were misleading. Settlement under the Texas Deceptive Trade Practices Act: no monetary penalty, but five years of monitoring and expanded disclosure obligations for Texas customers.
North Carolina and Utah formed a joint AG AI task force in November 2025. No enforcement actions announced yet. New York’s AI Companion statute, effective 2026, authorizes the AG to impose up to $15,000 per day per violation, with funds flowing to the state suicide prevention fund.
State AGs are leveraging broad UDAP (unfair and deceptive acts or practices) statutes rather than AI-specific laws. That matters: UDAP theories permit per-violation penalties, do not require proof of individual consumer damages, and are structured to resist removal to federal court. A mid-sized healthcare AI vendor in Texas with 10,000 patient interactions could face per-violation exposure in the tens of millions before any showing of actual harm.
HIPAA OCR: Rule-Building, Not Yet Case-Building
OCR has not brought a publicly identified AI-specific HIPAA enforcement settlement. What it has done is set the compliance baseline that will produce enforcement in 2026–2027:
- Section 1557 AI nondiscrimination rule (effective July 5, 2024; AI-specific compliance deadline May 1, 2025). Regulated healthcare organizations must identify and mitigate unlawful discrimination risk in AI-enabled patient care decision support.
- HIPAA Security Rule NPRM (January 6, 2025). The first major Security Rule update in 20 years. AI systems that create, receive, maintain, or transmit ePHI must appear in the technology asset inventory. The NPRM removes the “required vs. addressable” distinction and imposes stricter encryption, risk management, and resilience obligations.
OCR announced 20 HIPAA settlements and financial penalties by September 2025 — none explicitly AI-rooted, though AI has appeared as a contributing factor in several breach investigations (unsecured cloud-hosted AI tools, vendor access controls).
Key Data Points
| Regulator | Cases | Monetary Range | First Action | Theory |
|---|---|---|---|---|
| FTC | 12+ | $0 to >$20M | Sept 2024 | Deceptive marketing of AI capability |
| SEC | 3 | $175K to $400K | March 2024 | Material misstatements to investors |
| State AG (Texas) | 1 settled | $0 (5-yr monitoring) | Sept 2024 | State UDAP |
| HIPAA OCR | 0 AI-specific | N/A | Rule-building only | Section 1557 + Security Rule |
Note on freshness: all cases above are Tier 1 (Q4 2025 or later) or Tier 2 (Q1–Q3 2025) evidence. The enforcement landscape changes materially every 90 days — this tracker should be refreshed quarterly.
What This Means for Your Organization
The enforcement pattern is consistent and it should reshape how the executive team thinks about AI disclosure. Regulators are not yet prosecuting the AI — they are prosecuting the claims about the AI. The risk sits in marketing copy, investor communications, earnings calls, sales decks, and vendor pitches. A company that uses AI modestly but describes it accurately has less exposure than a company that uses AI extensively and describes it expansively.
Three near-term exposures deserve direct attention. First, any accuracy claim you publish about an AI product — especially in healthcare, legal, or financial services — needs documentation that can survive a regulator’s forensic review. The Pieces Technologies settlement turned on metrics the vendor chose to publish. Second, investor-facing AI statements (earnings calls, 10-K risk factors, press releases) are now squarely in the SEC’s Cybersecurity and Emerging Technologies Unit’s enforcement zone, and the theory has been validated against a public company. Third, any AI tool touching ePHI needs to appear in your technology asset inventory before the Security Rule NPRM finalizes — and your Section 1557 AI nondiscrimination review is already past due if you operate under a federal healthcare program.
If your marketing, investor relations, or compliance team is wrestling with how specific your AI claims can safely be, or if you are evaluating vendor claims before signing, I’d welcome the conversation — brandon@brandonsneider.com.
Sources
- FTC, “FTC Announces Crackdown on Deceptive AI Claims and Schemes,” Sept 25, 2024. https://www.ftc.gov/news-events/news/press-releases/2024/09/ftc-announces-crackdown-deceptive-ai-claims-schemes — HIGH (primary).
- Benesch Friedlander, “One Year In, FTC’s Operation AI Comply Continues Under New Administration,” Dec 2025. https://www.beneschlaw.com/insight/one-year-in-ftcs-operation-ai-comply-continues-under-new-administration-signaling-enduring-enforcement-focus/ — HIGH (law firm analysis, well-sourced).
- Mintz, “Emerging Federal AI Strategy: FTC Sets Aside Rytr Consent Order,” Feb 13, 2026. https://www.mintz.com/insights-center/viewpoints/54731/2026-02-13-emerging-federal-ai-strategy-ftc-sets-aside-rytr — HIGH.
- National Law Review, “FTC Brings Dozen AI-Washing Enforcement Cases in 2025,” 2025. https://natlawreview.com/press-releases/ftc-brings-dozen-ai-washing-enforcement-cases-2025-targeting-overstated-ai — MEDIUM (aggregator).
- Hedge Fund Law Report, “SEC Settlements Target ‘AI Washing,’” 2024; “SEC Continues to Target ‘AI Washing,’” 2025. https://www.hflawreport.com/20664056/sec-settlements-target-ai-washing.thtml — HIGH.
- Norton Rose Fulbright, “SEC heightens enforcement for AI related disclosures.” https://www.nortonrosefulbright.com/en/knowledge/publications/9ab5047f/sec-heightens-enforcement-for-ai-related-disclosures — HIGH.
- DLA Piper, “SEC emphasizes focus on ‘AI washing’ despite perceived enforcement slowdown,” 2025. https://www.dlapiper.com/en/insights/publications/ai-outlook/2025/sec-emphasizes-focus-on-ai-washing — HIGH.
- Sidley Austin, “Rising AI Enforcement: Insights From State AG Settlement and U.S. FTC Sweep,” Dec 10, 2024. https://datamatters.sidley.com/2024/12/10/rising-ai-enforcement-insights-from-state-attorney-general-settlement-and-u-s-ftc-sweep-for-risk-management-and-governance/ — HIGH.
- Morgan Lewis, “AI Enforcement Accelerates as Federal Policy Stalls and States Step In,” April 2026. https://www.morganlewis.com/pubs/2026/04/ai-enforcement-accelerates-as-federal-policy-stalls-and-states-step-in — HIGH.
- Regulatory Oversight, “North Carolina and Utah AGs Launch AI Task Force,” Nov 2025. https://www.regulatoryoversight.com/2025/11/north-carolina-and-utah-ags-launch-ai-task-force/ — MEDIUM.
- Reed Smith, “HHS Recent Guidance on AI Use in Health Care,” 2025. https://www.reedsmith.com/our-insights/blogs/health-industry-washington-watch/102k29k/hhs-recent-guidance-on-ai-use-in-health-care/ — HIGH.
- Healthcare Law Insights, “OCR Announces Proposed Updates to HIPAA Security Rule,” Jan 2025. https://www.healthcarelawinsights.com/2025/01/ocr-announces-proposed-updates-to-hipaa-security-rule-raises-the-bar-for-healthcare-cybersecurity/ — HIGH.
Brandon Sneider | brandon@brandonsneider.com April 2026