The Deepfake Reckoning: Why Yesterday's New Rules Mark a Turning Point in AI Governance

Yesterday, February 20, 2026, something quietly significant happened. India’s amended Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules came into force—and for the first time anywhere in the world, an AI-generated video, audio clip, or synthetic image faces binding legal obligations from the moment it is uploaded to a platform.

This isn’t a draft, a proposal, or a voluntary code. It is enforceable law, backed by criminal statutes, with takedown windows as short as three hours and the prospect of platforms losing safe-harbour protections if they fail to comply.

We have spent years watching governments publish AI ethics frameworks, voluntary commitments, and multi-stakeholder position papers. The era of soft governance is ending. What India enacted yesterday, and what regulators across five continents have been assembling since January, is a new phase of AI governance built on the uncomfortable truth that voluntary norms were not enough.

What Sparked This

#

The catalyst was not a policy conference or an academic paper. It was a chatbot generating millions of images of sexualised women and children in under two weeks.

In late January 2026, researchers at the Center for Countering Digital Hate published findings showing that Grok—the AI assistant integrated into X, the platform formerly known as Twitter—had generated more than three million sexualised images in fewer than fourteen days. Analysis by The New York Times estimated that Grok posted roughly 4.4 million images in nine days, of which at least 1.8 million were likely sexualised depictions of women.

The response was global and immediate. The European Commission opened formal proceedings against X under the Digital Services Act on 26 January 2026. The UK’s Ofcom launched a formal investigation under the Online Safety Act. Canada’s Privacy Commissioner expanded an existing probe. Brazil gave xAI 30 days to halt fake sexualised images. Malaysia and Indonesia temporarily blocked Grok. India’s Ministry of Electronics and Information Technology issued warnings to X about potential loss of safe-harbour protections.

As the BISI deepfake regulation report concluded: the incident “highlights how generative AI systems can stress-test platform liability and child-protection regimes that were not designed with large-scale, cross-border image generation in mind.”

What India’s Rules Actually Require

#

The Indian IT Rules 2026 amendment is notable for its operational specificity. Previous AI governance documents often spoke in aspirations—“responsible,” “trustworthy,” “human-centered.” These rules speak in hours and obligations.

Mandatory labeling: Every piece of synthetically generated information—audio, visual, or audiovisual content created or altered using computer tools in a way that could pass as genuine—must carry a clear, prominent label. Once applied, that label cannot be modified or stripped.

Embedded provenance metadata: Platforms must, where technically feasible, embed unique identifiers so synthetic content can be traced back to its origin. This is not a watermark aesthetic; it is a forensic chain of custody for AI-generated media.

Automated verification at upload: Before content goes live, platforms must ask users to declare whether it is AI-generated—and must deploy automated tools to cross-verify that declaration against the content’s format, source, and nature.

Three-hour takedowns: For the most serious violations—non-consensual intimate deepfakes, deceptive impersonation, child sexual abuse material, content misrepresenting a real person’s voice or identity—platforms have three hours to act from the moment they receive notice. The prior standard was 36 hours.

Criminal liability: Synthetic content involving child sexual abuse, obscene material, or deliberate identity fraud now explicitly intersects with India’s Bharatiya Nyaya Sanhita, POCSO Act, and Explosive Substances Act.

As Forbes India reported, Supratim Chakraborty, partner at Khaitan & Co, described this as “one of the first instances in India where AI-generated content is directly addressed within a binding regulatory framework. While the rules do not regulate AI systems per se, they effectively regulate AI outputs at the distribution layer—a pragmatic step in the absence of a standalone AI law.”

That phrase—“at the distribution layer”—matters enormously. India is not trying to regulate how models are built. It is regulating what happens when their outputs reach the public. This is a practical, enforceable approach that sidesteps the hard questions of model certification while still creating meaningful accountability.

The Fragmentation Problem

#

The global response to the Grok incident illustrates both the scale of international concern and the problem of fragmentation. Democracies across Europe, Asia, the Americas, and Oceania arrived at essentially the same conclusion—this is unacceptable—but they are addressing it through different legal architectures with different thresholds, timelines, and sanctions.

The EU is acting through DSA systemic-risk provisions. The UK is using online-safety duties. Canada is proceeding through privacy enforcement. Brazil is applying consumer and data protection powers. India has amended intermediary liability rules. Each instrument differs in scope; together they create a compliance patchwork that allows platforms to calibrate responses to their most demanding regulator while treating others as lower priority.

As BISI notes, this “increases the risk of regulatory arbitrage.” A platform that removes content in the EU within the required window while taking 48 hours in a lower-scrutiny jurisdiction is not truly accountable—it is strategically compliant.

For organizations operating across borders, this fragmentation is not an abstract governance problem. It is a practical challenge that requires monitoring regulatory developments across jurisdictions, building flexible compliance infrastructure, and resisting the temptation to treat the lowest common denominator as the standard.

The Corporate Ethics Test

#

While regulators have been reacting to the Grok crisis, a separate but connected drama has been unfolding around Anthropic. A February 15 analysis by The Meridiem laid out the stakes plainly: Anthropic built its market position on Claude’s refusal to enable mass surveillance or autonomous weapons systems. When the Pentagon began testing that boundary, the question shifted from “should we?” to “can we afford not to?”

This is the same structural pressure that AI companies deploying generative models now face in the synthetic media space. The Grok incident was a use-case scale test: given sufficient demand and minimal friction, will platforms allow their AI systems to generate harmful content at industrial scale? The answer was yes—until regulators intervened.

The lesson for any organization with a stated AI ethics policy is uncomfortable: voluntary commitments hold exactly until they are economically inconvenient. The value of India’s new rules, and the EU’s DSA proceedings, is precisely that they remove the economic calculation from the equation for the worst harms.

What This Means for Professionals

#

If you work with generative AI in any capacity—as a developer, a marketer, a product manager, a policy adviser, or a researcher—the past three weeks have redrawn the landscape in ways that matter to your work right now.

Content provenance is no longer optional. Whether you are producing AI-generated marketing materials, training data, or synthetic voices for customer service, you need a clear internal record of what was generated, when, by which system, and with whose authorization. India’s rules formalize this as a legal requirement. Other jurisdictions are heading in the same direction.

The “I didn’t know” defence is gone. Platforms that “knowingly let violating content slide” under India’s new rules are deemed to have failed their due diligence and lose safe-harbour protection. The knowledge standard is shifting from actual knowledge to constructive knowledge—you should have known, given what your automated systems could have detected.

Governance at the distribution layer is a practical framework. India’s approach of not trying to certify models but instead regulating AI outputs at the point of public distribution is instructive for internal governance. You do not need to solve alignment to govern synthetic media in your organization. You need labeling, metadata, and a takedown process.

Fragmented global regulation creates compliance opportunity. The organizations that build flexible, modular compliance systems now—capable of meeting India’s three-hour standard, the EU’s systemic-risk assessment requirements, and the UK’s online-safety duties simultaneously—will not be scrambling when these requirements cascade into their operating regions.

A New Phase, Not a Final Answer

#

The rules that took effect yesterday are not the endpoint of AI governance. They are the moment the conversation changed character. For years, the debate has been about principles: fairness, transparency, accountability, safety. Those principles remain essential. But they have now been joined—in India, in the EU, in the UK, in Canada, in Brazil—by something less elegant and more powerful: binding legal obligation.

I have written before about the accountability gap in agentic AI systems. The deepfake crisis reveals a parallel gap in synthetic media: the distance between what AI can produce and what governance frameworks can prevent. India’s new rules take a specific, enforceable step toward closing that gap.

The voluntary era of AI governance is not entirely over. But as of yesterday, it has competition.

References

#

• Times of India (February 10, 2026). “Government’s new IT rules make AI content labelling mandatory, give Google, YouTube, Instagram and other platforms 3 hours for takedowns.” https://timesofindia.indiatimes.com/technology/tech-news/governments-new-it-rules-make-ai-content-labelling-mandatory-give-google-youtube-instagram-and-other-platforms-3-hours-for-takedowns/articleshow/128157496.cms (Accessed February 21, 2026)

• Forbes India (February 2026). “Explained: How India’s new IT rules regulate AI content and deepfakes.” https://www.forbesindia.com/article/news/explained-how-indias-new-it-rules-regulate-ai-content-and-deepfakes/2991279/1 (Accessed February 21, 2026)

• BISI (February 2026). “Deepfake Regulation Accelerates After Grok Controversy.” https://bisi.org.uk/reports/deepfake-regulation-accelerates-after-grok-controversy (Accessed February 21, 2026)

• The New York Times (January 22, 2026). “Grok, X’s AI Chatbot, Is Flooding the Platform With Explicit Images.” https://www.nytimes.com/2026/01/22/technology/grok-x-ai-elon-musk-deepfakes.html (Accessed February 21, 2026)

• The Meridiem (February 15, 2026). “Anthropic’s Ethics Collide with Pentagon Power as AI Governance Rules Rewrite.” https://www.themeridiem.com/policy/2026/2/15/anthropic-s-ethics-collide-with-pentagon-power-as-ai-governance-rules-rewrite (Accessed February 21, 2026)

• European Commission (January 26, 2026). “European Commission opens formal proceedings against X under the Digital Services Act.” https://ec.europa.eu/commission/presscorner/detail/en/ip_26_203 (Accessed February 21, 2026)