Why the ICO is Investigating xAI Over Image Generation

As AI systems become increasingly sophisticated, questions about data protection and safety measures have moved to the forefront of regulatory concerns, with Elon Musk's chatbot Grok now facing multiple investigations.
The UK's Information Commissioner's Office (ICO) has launched an official investigation into Elon Musk's social media platform X and its AI offshoot xAI. The probe centres on whether adequate technological safeguards were implemented to prevent xAI's chatbot Grok from being exploited to generate non-consensual sexual imagery of individuals, including children.
Ofcom, the UK's regulatory and competition authority for broadcasting and the internet, has also revealed the next steps of its investigation into X and xAI, which was launched in January 2025.
The development highlights growing tensions between rapid AI innovation and the regulatory frameworks designed to protect users from emerging technological risks.
The technology architecture currently enables Grok users to generate sexually explicit content of individuals, including under-18s, raising fundamental questions about how AI systems should be designed and deployed.
The ICO's investigation could examine whether preventative safeguards were built into the platform's underlying technology from the outset. The watchdog is set to scrutinise how personal data is stored by content users and the platform itself, assessing the potential for technological systems to cause harm.
UK law currently prohibits sharing deepfakes of adults, and the government is set to criminalise generating and requesting non-consensual, sexually intimate images using AI.

Data protection concerns in AI deployment

William Malcolm, Executive Director of Regulatory Risk & Innovation at the ICO, says: "The reports about Grok raise deeply troubling questions about how people's personal data has been used to generate intimate or sexualised images without their knowledge or consent, and whether the necessary safeguards were put in place to prevent this."
"Losing control of personal data in this way can cause immediate and significant harm. This is particularly the case where children are involved."
The ICO's role, according to Malcolm, is to address the data protection concerns at the centre of this issue while recognising that other organisations also have important responsibilities.
The regulator is working closely with Ofcom and international regulators to ensure roles are aligned and that people's safety and privacy are protected.
Malcolm adds: "Our investigation will assess whether X Internet Unlimited Company (XIUC) and xAI have complied with data protection law in the development and deployment of the Grok services, including the safeguards in place to protect people's data rights.
"Where we find obligations have not been met, we will take action to protect the public."

Platform's technological response measures

In response to the scrutiny, X said it had implemented global measures to prevent Grok from "allowing the editing of images of real people in revealing clothing such as bikinis" – impacting all users, including paid subscribers.
The company also emphasised its "zero tolerance" for "any forms of child sexual exploitation, non-consensual nudity, and unwanted sexual content", but did not specify whether preventative technology is being deployed for this form of content.
X added: "Image creation and the ability to edit images via the Grok account on X are now only available to paid subscribers globally. This adds an extra layer of protection by helping to ensure that individuals who attempt to abuse the Grok account to violate the law or our policies can be held accountable."
The platform is also implementing geoblocking measures for the Grok app in jurisdictions where such content is illegal.

Regulatory coordination and enforcement powers

According to Ofcom, the media regulator has been in close contact with the Information Commissioner's Office and provided an update this week on its own ongoing formal investigation.
Ofcom stated that it continues to work closely with the ICO and other regulators to "ensure tech firms keep users safe and protect their privacy". The regulator said it is no longer investigating xAI but is continuing to investigate whether X has broken the law.
X is required by Ofcom to respond to legally-binding information requests in an "accurate, complete and timely way" – or face significant fines.
The watchdog will "provide updates and will be as open as possible", adding that it typically takes months for such investigations to conclude. The case could set important precedents for how AI platforms must integrate safety technologies and data protection measures during the development phase rather than as reactive additions following public concern.

