Online Safety Act 2023 · AI governance · Public accountability
The Online Safety Act 2023 has changed the legal position for regulated online services, but it was not designed as a complete AI governance code. As generative and multimodal systems become ordinary infrastructure for text, image, audio, search, recommender systems and synthetic media, the practical question is no longer whether online safety law matters. It is whether the present framework can see, test and regulate the AI systems that now shape online harm.
Publication snapshot
The Act places legal responsibility on in-scope services to assess and manage online risks, with Ofcom supervising compliance. That remains significant. The difficulty is that online risk is now increasingly mediated by AI systems that generate content, rank attention, automate moderation, personalise feeds and produce synthetic media. A statute built around service duties can still be effective, but only if its implementation is capable of interrogating the AI layer beneath the user interface.
Reader note: this article is public-interest commentary and practical legal education. References to regulatory gaps, platform design, AI-generated material and online-safety enforcement are criticism and analysis. They should not be read as findings of unlawful conduct, misconduct, dishonesty or professional wrongdoing by any named person, firm, regulator, platform or public body unless established by a competent court, regulator, ombudsman, inquiry, audit report or official decision.
Why the reform question matters
The Online Safety Act 2023 was enacted to move online safety away from voluntary platform promises and towards legal responsibility. That shift matters. It recognises that large digital services are not passive noticeboards. They are designed environments. Their systems decide what is recommended, what is removed, what is amplified, what is ignored and how users are funnelled through information.
The original policy problem was often described through familiar categories: illegal content, child sexual exploitation and abuse, cyberbullying, pornography, hate speech, disinformation, suicide and self-harm content, and risks to children. Those categories have not disappeared. What has changed is the machinery through which content is created, distributed and made persuasive.
Generative AI does not merely add another content type. It changes production costs, scale, realism and speed. Synthetic text can be generated in volume. Images can be fabricated or altered. Voice and video can be simulated. Chatbots can hold long, persuasive conversations. Recommendation and ranking systems can learn how to keep users engaged even where the engagement pathway is harmful. Moderation systems can also rely on AI, meaning the same family of technologies is used both to create risk and to control it.
That is why the central reform question should be framed carefully. The issue is not that the Act is useless because AI exists. Nor is it that every AI risk requires a new criminal offence or a separate regulator. The better question is whether the Act, Ofcom’s codes and the wider UK AI framework give enough practical control over the AI systems that now sit behind online safety outcomes.
What the Act already does
The Act creates a regulated framework for user-to-user services, search services and certain services involving pornographic content. Providers within scope must assess risks, maintain records, operate safety measures, protect children where the children’s duties apply, and respond to illegal content duties. Ofcom’s public compliance guidance summarises this as a set of practical steps: check whether the Act applies, carry out an illegal content risk assessment, complete a children’s access assessment, and, where required, carry out a children’s risk assessment and adopt appropriate safety measures.
This is a systems-based model. It does not require the regulator to prove every individual harmful post before the service has any responsibility. It asks whether the service has understood the risks created by its own design, scale, features and user base. That is the right starting point for online safety, because harm online is often cumulative and architectural rather than isolated and accidental.
The enforcement structure is also material. Ofcom guidance states that serious non-compliance may lead to fines of up to 10% of qualifying worldwide revenue or £18 million, whichever is greater. That gives the regime commercial force. Where the law applies, safety duties are not a public-relations choice.
Scope
Is the service within the user-to-user, search or pornography provisions, and does it have UK users?
Assessment
Has the service assessed illegal content risk, child access and children’s risk where those duties apply?
Controls
Are the service’s design, moderation, reporting, age-assurance and governance measures effective in practice?
The strength of that model is that it can, in principle, adapt to new technology. A service that uses AI to recommend content, moderate content or interact with children cannot treat the AI layer as legally irrelevant simply because the Act does not list every model architecture by name. The weakness is that a systems-based regime only works if the risk assessment is technically literate, independently testable and capable of looking inside the relevant systems.
The AI layer the Act must confront
GPT-4o is a useful marker, not because it is the latest model in 2026, but because it made the regulatory point visible. OpenAI described it in 2024 as a model able to reason across audio, vision and text in real time, accepting combinations of text, audio, image and video and generating text, audio and image outputs. That is not merely a faster chatbot. It is a signpost towards multimodal systems that can interpret, generate and respond across formats that online-safety law has traditionally treated separately.
Once systems can generate persuasive text, synthetic images, voice responses, summaries, recommendations and code-like outputs, the boundary between content, interface and conduct becomes less stable. A harmful outcome may arise from a generated message, a personalised recommendation path, a synthetic image, a chatbot conversation, a model hallucination, a moderation failure or a service design that rewards escalation.
That matters because the Act’s operational focus is still largely service-facing. It asks providers to manage risks on the service. It does not, by itself, provide a full AI model governance regime for training data, model evaluation, synthetic media labelling, provenance standards, red-team reporting, foundation-model accountability or the downstream use of general-purpose models by regulated services.
The UK’s wider AI policy has, to date, preferred a principles-based and regulator-led approach. The government’s pro-innovation framework identified safety, security and robustness; transparency and explainability; fairness; accountability and governance; and contestability and redress as cross-cutting principles. Those principles are relevant to online safety. The question is whether they are being operationalised with enough force where AI systems are now central to the risk profile of regulated services.
Where the pressure points sit
The first pressure point is AI-generated content. The Act can regulate services that host or disseminate harmful material, but the most difficult future disputes may concern whether a service did enough to detect, label, reduce, remove or contextualise synthetic media. That includes deepfakes, impersonation, fabricated evidence, AI-generated sexual imagery, synthetic political messaging, fraudulent support accounts and coordinated disinformation campaigns.
The second pressure point is AI-assisted moderation. Content moderation is no longer just a human review queue supported by keywords. Many services rely on automated classification, risk scoring, ranking and triage. Those systems may be necessary at scale, but they can also fail. They may under-detect harmful material, over-remove lawful material, treat minority speech patterns unfairly, or hide the reasons for a decision from users. If an online-safety regime depends on moderation working, it must be able to test how automated moderation works.
The third pressure point is recommender design. For many users, the main risk does not come from searching for harmful material. It comes from being guided towards it. Ranking systems, autoplay, engagement optimisation, suggested accounts, infinite scroll, behavioural profiling and A/B tested interface design can all shape exposure. A modern online-safety framework has to ask how recommendation systems are audited, how child-risk pathways are identified, and whether platform incentives are aligned with safety obligations.
The fourth pressure point is accountability across the supply chain. A regulated platform may use an external model provider, an age-assurance supplier, a moderation vendor, an advertising technology stack, a search-ranking tool or a recommender system that depends on third-party infrastructure. Legal duties placed on the service provider are important, but accountability weakens if the provider cannot explain, audit or control the systems on which it relies.
Generation
Can the service identify synthetic text, image, audio or video where that matters for safety, trust or user choice?
Amplification
Does the platform know when recommendation systems are increasing exposure to harmful pathways?
Moderation
Are automated decisions explainable enough for appeal, audit, redress and regulatory scrutiny?
Risk and opportunity
A balanced reform argument should not present AI only as a threat. AI can assist online safety. It can detect known child sexual abuse material, identify repeated grooming patterns, triage reports, support human moderation, translate safety notices, improve accessibility, summarise long complaint histories and highlight coordinated abuse. Properly governed, it can make online safety interventions faster and more consistent.
The risk is that the same capabilities can be misused or poorly controlled. Synthetic media can be used to impersonate real people. Large-scale text generation can flood reporting systems, review sites or social platforms. Voice-enabled systems can create new forms of manipulation. Automated recommender systems can intensify exposure. AI-enabled nudification tools, fraud tools and malicious automation can reduce the cost of abuse. Even where there is no deliberate wrongdoing, poorly evaluated models can produce unsafe outputs or discriminatory outcomes.
The public-interest point is therefore not anti-technology. It is evidence-led governance. A serious AI safety duty would ask whether a service can explain what AI systems it uses, what risks those systems create, how those risks are tested, how failures are recorded, and how users obtain meaningful redress where automated systems affect them.
A practical reform test
Reform does not need to begin with a sweeping replacement of the Act. It can begin with a practical test: can the existing regime identify and control AI-mediated risk with the same seriousness as it identifies and controls conventional content risk?
That test points to six reforms. First, the statutory and regulatory language should be explicit enough to cover AI-generated and AI-altered content where synthetic media changes risk. Secondly, Ofcom’s codes and guidance should require service providers to address AI use in risk assessments, including recommender systems, automated moderation, chatbot functions, synthetic media controls and third-party model dependencies.
Thirdly, services should be expected to maintain usable records of AI safety testing. That does not mean publishing every trade secret. It means retaining enough evidence for regulatory scrutiny: risk assessments, red-team outcomes, incident logs, model-change records, safety thresholds, escalation pathways and user-redress data. Fourthly, synthetic media labelling and provenance should be treated as practical safety tools where user deception is a foreseeable risk.
Fifthly, the regime should require meaningful contestability where automated systems remove content, demote speech, recommend harmful pathways or affect user safety. The right to report a problem is not the same as the ability to understand and challenge an automated decision. Sixthly, the UK’s principles-based AI framework should be connected more visibly to online safety enforcement, so that transparency, fairness, accountability and redress are not left as abstract policy language.
Name the AI risk. Treat synthetic media, recommender systems and automated moderation as distinct safety issues.
Test the system. Require evidence of model evaluation, incident review and safety performance.
Preserve redress. Ensure users can challenge important automated decisions and harmful outcomes.
Audit the supply chain. Make platform responsibility meaningful even where third-party AI tools are used.
Comparative lessons
The European Union’s AI Act is not an online-safety statute, but it supplies a useful comparison. It uses a risk-based model, places obligations on providers and deployers, and includes transparency rules for certain AI-generated content. The European Commission states that providers of generative AI must ensure AI-generated content is identifiable and that certain AI-generated content, including deepfakes and text published to inform the public on matters of public interest, should be clearly and visibly labelled.
The UK has chosen a different route. Its AI framework has emphasised regulator expertise, flexibility and cross-sector principles rather than one comprehensive AI statute. That may be defensible for innovation, but it creates a coordination problem. If AI risks cut across online safety, data protection, equality, consumer protection, competition, financial services, education, policing and health, the public needs to know which regulator is responsible for which failure.
For online safety, the practical lesson is that the UK does not need to copy the EU model wholesale in order to learn from it. It can strengthen the Online Safety Act’s implementation by making AI risk assessment, transparency, labelling, auditability and contestability more concrete within Ofcom’s regime.
Source anchors
These sources support the legal and regulatory framework used in this article. They do not prove any contested allegation about any platform, developer, regulator or public body.
Ofcom compliance guide
Provider duties, risk assessments and enforcement exposure under the Online Safety Act.Ofcom children’s duties statement
Protection of children codes, risk-assessment expectations and implementation milestones.UK AI regulation framework
Cross-sector AI principles, including safety, transparency, fairness, accountability and redress.EU AI Act overview
Risk-based AI regulation and transparency rules for certain AI-generated content.GPT-4o technical marker
OpenAI’s description of multimodal input and output capabilities in GPT-4o.The Legal Lens point
The Online Safety Act is an important statutory framework, but its effectiveness will depend on whether it can keep pace with the systems that now shape online exposure and harm. In 2026, online safety is no longer just about removing individual posts after they appear. It is about understanding the technical architecture that generates, ranks, moderates and personalises what users see.
The reform task is therefore practical. The law must be able to ask disciplined questions: what AI system is being used, what risk does it create, how has that risk been tested, who is accountable for failure, and what remedy is available when users are harmed or wrongly restricted?
If those questions are treated as optional, the Act will regulate the visible surface while missing the machinery underneath. If they are built into implementation, the Act can remain a serious online-safety regime in an AI-mediated internet.
AI accountability route map
Get a free written assessment of the route
If an online-safety, AI governance or public-accountability issue needs structure, Legal Lens can help turn a broad concern into a written map of the legal route, evidence base and next practical questions.
Identify the platform, AI function, moderation process, recommender pathway or synthetic-media issue.
Separate screenshots, policies, complaints, responses, technical records and chronology from assumptions.
Consider whether the issue belongs with Ofcom, ICO, another regulator, correspondence, publication or legal advice.
Legal route, regulator route, publication route and practical constraints.
Documents, screenshots, decisions, policies, dates and missing records.
Independent Legal Lens consultancy. Legal Lens is not a regulated solicitors' firm. A preliminary assessment is not a substitute for regulated legal advice where that is needed.

