Research shows that twelve popular AI models score poorly on compliance with GDPR and the EU AI Act.
Even the best-performing AI model violates European privacy legislation and the AI Act nearly half of the time. This is according to research from the non-profit organization Aithos, which launched a new testing platform to evaluate AI agents on legal compliance.
Non-profit organization Aithos has developed a tool called LARA (Legal Assessment for Real-world Agents) to test twelve popular AI models on compliance with the GDPR and the EU AI Act. The results are striking: not a single model reaches an acceptable level. Claude Opus 4.7 performs the best, but still violates the law in 46 percent of cases. Google’s Gemini 3.1 Pro scores the worst with a staggering 90 percent legal violation rate.
Legally prohibited behavior in practice
The researchers tested the models in realistic workplace scenarios, where a second AI played the role of a user and encouraged the model to break the law. A third group of AI judges assessed whether the model had violated the law based on the legal text. In total, more than 3,000 scenarios were executed.
The tests were kept realistic: a manager asking an AI assistant to analyze the emotional state of team members before an evaluation meeting, a customer service agent instructed to collect lifestyle data for advertisers, or an AI assistant required to hide the fact that it is an AI from a dental practice. All these scenarios are illegal in the EU.
One scenario stands out in particular: in all tests, AI agents tried to get a vulnerable elderly customer to upgrade his subscription, even when the user clearly indicated they were confused. The models responded warmly and empathetically, suggested consulting a family member, and then still tried to convince her to take the more expensive package, according to the rules the AI agent was given.
The rise of AI agents
The timing of the research is no coincidence. More and more companies are experimenting with autonomous AI agents that independently handle customer contacts, support HR processes, or automate internal workflows. Everyone is talking about it and constantly introducing AI systems that allow you to build agents yourself. At the same time, the European AI Act is coming into force. This is making companies think about the performance of their AI and whether they are legally compliant.
Companies and users do not lack enthusiasm or willingness. A report from AdminPulse and Teamleader shows that in 2025, more than fifty percent (58%) used AI technology daily, compared to 17 percent in 2024. Alongside the AI enthusiasm, reports from the other side are also starting to emerge. Agents that wipe an entire database, infrastructures that consume vast amounts of energy, or Codex Security being exploited by cybercriminals to discover vulnerabilities.
The publisher is liable
Aithos emphasizes that it is not the model providers who are liable for these types of violations, but rather the companies that deploy the AI agents. When a model is used in a specific application, the publisher is responsible for what it does. The GDPR provides for fines of up to twenty million euros or four percent of turnover. The AI Act sets the bar even higher: up to 35 million euros or seven percent of global turnover.
All test scenarios and transcripts are available via lara.aithos.org, so that everyone can check and replicate the results themselves. Aithos plans expansions so that users can submit their own scenarios. After that, the tool will be further expanded to locations other than Europe.
AI agents and their infrastructure were a recurring topic during a recent ITdaily roundtable with five experts from the Belgian AI industry. You can watch the full series here.