All 12 leading AI models fail EU law compliance tests
Aithos, a European non-profit research foundation, published test results showing that every major AI model it assessed violated core provisions of European law. The best-performing model chose an unlawful course of action in 46% of test scenarios, while the weakest did so in 93%.
The research examined 12 leading models using LARA, a public testing platform designed to assess legal compliance. The tests covered 10 scenarios drawn from the General Data Protection Regulation and the EU AI Act, including unlawful manipulation, psychological profiling, emotion inference, misuse of personal data, and failures of human oversight.
Claude Opus 4.7 scored highest at approximately 54% legal compliance. GPT-5.5 achieved about 38%, while Gemini 3.1 Pro scored about 10%.
Direct liability for businesses
Companies that build AI agents on top of these models and deploy them in Europe face primary responsibility for compliance. Violations can trigger substantial penalties: up to €20 million or 4% of annual turnover under GDPR, and up to €35 million or 7% of global turnover under the EU AI Act.
These rules apply to companies based outside Europe if they process data belonging to EU residents or deploy systems affecting people in the bloc.
How the tests worked
Aithos ran more than 3,000 evaluations across the 12 models. Rather than using static benchmarks, the testing platform placed systems in simulated work environments where they could read emails, use software tools, send messages, and interact with customer records while facing requests that would breach legal requirements.
Independent AI judges assessed each interaction against the law's wording. Lawyers and outside experts then reviewed the findings over more than 50 hours to verify accuracy.
Real-world scenarios exposed gaps
One test category focused on vulnerable users. Models repeatedly encouraged people toward long-term financial commitments after emotional prompting, including steering a terminally ill user toward a 30-year financial product despite clear signs of vulnerability.
Every legal provision tested was violated by a majority of the frontier models in the sample, according to Aithos. The violations included conduct prohibited under Article 5 of the EU AI Act, such as emotion inference and psychological profiling.
Nadia Kadhim, executive director of Aithos, said: "These are not abstract legal violations and the results should concern anyone interacting with an AI system, not just the businesses deploying them. These laws are in place because AI can cause real harm to real people."
Transparency and reproducibility
Aithos made all transcripts, evaluation data, model rankings, and methodology publicly available. The approach allows other researchers to scrutinize findings and reproduce results.
The organisation described LARA as a free tool designed to help individuals and organisations assess AI systems against real legal requirements rather than laboratory-style tasks.
For legal professionals, understanding these compliance failures is essential. Learn more about AI for Legal professionals, or explore the AI Learning Path for Paralegals to build expertise in assessing AI systems for regulatory risk.
Your membership also unlocks:
