In the last three months of 2025, Refuge, the largest specialist domestic abuse charity in the United Kingdom, recorded a 62 per cent rise in referrals to its technology-facilitated abuse team. The number of complex cases reached 829 in a single quarter, the highest figure the team has ever logged. Referrals involving survivors under the age of thirty rose by 24 per cent. The cases the charity is now describing in public do not read like the stalking files of a decade ago. They read like product demonstrations.
One survivor, whom the charity identified only by the first name Mina, fled an abusive partner and left a smartwatch behind in the rush. The abuser used the watch's linked cloud accounts to locate her at emergency accommodation. A private investigator, allegedly retained by the abuser, then located her at a subsequent refuge using suspected tracking technology. When she reported what had happened to police, she was told no crime had occurred because she had not come to physical harm. In other cases that Refuge has documented, perpetrators have used AI tools to alter video footage of survivors to make them appear intoxicated, and then forwarded the doctored clips to social services to undermine custody claims. They have generated fraudulent job offers and legal summons to lure survivors into meetings or into debt. They have used voice-spoofing apps to impersonate friends, lawyers, and the survivors themselves.
The Guardian's January 2026 reporting on Refuge's findings was the first time many readers outside the safeguarding sector had encountered this catalogue compressed into a single article. Emma Pickering, the head of Refuge's technology-facilitated abuse and economic empowerment team, did not describe it as an emerging risk. She described it as a crisis that the country was structurally unprepared for, in which devices were going to market without any consideration of how they might be used to harm women and girls, and in which it was, as she put it, currently far too easy for perpetrators to access and weaponise smart accessories.
The detail that should arrest anyone reading this story is that none of the technologies involved are exotic. They are the same consumer AI systems, smart accessories, and cloud-connected wearables marketed under language about connection, wellness, productivity, and personalisation. The deepfake of the survivor was produced with tools that can be downloaded by anyone with a phone. The voice clone was generated with software whose free tier is advertised as a way to write audiobooks or make videos for your children. The smartwatch was a present. The question this article tries to answer is not whether these tools are sometimes misused. They are. The question is what the companies that built them are obliged to do once the pattern of misuse is documented at the scale Refuge, the Internet Watch Foundation, UN Women, and the UK Home Office's own statistics now describe, and what survivors of that misuse should have the right to expect from the law.
The shape of the new toolkit
To understand the obligations, you have to understand the toolkit. The phrase coercive control was coined by the sociologist Evan Stark to describe the pattern of domination, isolation, and micro-regulation that, even more than physical violence, characterises long-term abusive relationships. The phrase was adopted into UK law in section 76 of the Serious Crime Act 2015, and into Irish law in the Domestic Violence Act 2018. It assumes a perpetrator who is physically present, or at least at the other end of a telephone line, and a victim who can in principle escape by moving to a different physical space. The technology that has been added to abusers' repertoires in the last two years undoes both of those assumptions.
Refuge's caseload tracks the change. Smartwatches, Fitbits, and Oura rings have become standard surveillance instruments, repurposed by abusers who either bought them as gifts or hold the cloud account credentials to which the devices report. Step counts have been used to verify whether a partner has been at work or at home as claimed. Fertility tracking data has been used to police whether a survivor has slept with someone else. Smart home devices, the lights and thermostats and door locks marketed under the language of convenience, have been used to flicker lights in the middle of the night, drop the heating in winter, and lock doors remotely. Smart glasses have been used to make covert recordings of survivors. Pickering's team has described the weaponisation of smart accessories as one of the fastest-growing categories of cases the charity sees.
Then there are the AI layers above the hardware. Voice cloning, which two years ago required a corpus of clean audio and some technical sophistication, now requires roughly thirty seconds of any phone call. Fabricated audio has been used by abusers to impersonate survivors in order to harass their employers, to impersonate the abuser's victims to their lawyers, and to threaten extended family. Deepfake image generation, particularly the sub-category of products marketed as nudify apps, has scaled at a velocity that the Internet Watch Foundation and Ofcom have struggled to track. Analysis by the Institute for Strategic Dialogue of 31 nudifying websites, published in autumn 2025, found combined monthly traffic approaching 21 million visits in May 2025 alone, and almost 290,000 mentions of those tools on X between June 2020 and July 2025, accounting for around 70 per cent of all mentions across the platforms surveyed. The Internet Watch Foundation reported that AI-generated child sexual abuse material more than doubled between 2024 and 2025, with web pages containing such material rising by 400 per cent in the first half of 2025 against the same period the year before, and the number of AI-generated abuse videos rising from two reports in the first half of 2024 to more than 1,200 in the first half of 2025. The bulk of those videos, the IWF noted, were now indistinguishable from real footage.
The intimate image abuse statistics that Refuge published on 29 April 2026, drawing on Freedom of Information responses from 25 of the 43 police forces in England and Wales, are the cleanest available picture of how the criminal justice system is coping with this material. Recorded intimate image abuse offences rose by 26.9 per cent between the year ending June 2022 and the year ending June 2025. Threats to share intimate images, the offence created after Refuge's Naked Threat campaign and added to the Domestic Abuse Act 2021, rose by 344 per cent over the same period. The proportion of recorded offences that resulted in a charge or summons fell from 5.8 per cent in 2021-22 to 4.5 per cent in 2024-25. Across the whole July 2021 to February 2026 window, 21,905 offences were recorded; 1,047 perpetrators were charged. That is a charging rate of 4.8 per cent, in cases where, the research found, 76.2 per cent of victims were female. Among cases in which a suspect was identified, 56 per cent saw no charge at all, and 55.8 per cent involved the victim withdrawing or being unable to continue.
Fflur Jones, the senior policy and research officer at Refuge who led the analysis, was careful to note in the published research that legislative progress is important but insufficient on its own. The point that the charity has been making, in different language, for several years is the one most policymakers still hesitate to accept: the AI tools that have entered the abuser's toolkit are widening the gap between offences and charges, because synthetic imagery is harder to attribute to a known producer, harder to prove was non-consensual, and harder to take down before the damage has propagated.
A global pattern, not a national one
The Refuge findings have been corroborated and extended by an emerging international literature. The Irish Examiner, in its coverage through the first half of 2026, has run a sustained series describing what its reporters and the experts they cite call a growing global crisis of AI-enabled coercive control. The series has drawn on Safe Ireland's earlier research on technology-facilitated abuse, on the work of the University College Cork applied psychology team that in January 2026 launched what its researchers described as a world-first online intervention to reduce harmful engagement with deepfake imagery, and on Children's Rights Alliance online safety coordinator Noeline Blackwell's testimony to a Dáil committee in May 2026, in which she described deepfakes being used to blackmail, bully, groom, threaten and abuse children and young people.
The Examiner has tracked the political response too. The Irish AI Advisory Council has recommended that the Irish government use its assumption of the EU Presidency in the second half of 2026 to push for amendment of the EU AI Act to prohibit AI practices that enable the generation of non-consensual intimate images. The Protection of Voice and Image Bill, introduced in the Oireachtas in April 2026, would for the first time create a standalone Irish criminal offence for knowingly exploiting another person's name, image, voice or likeness without consent. The series' analytic framing has been that existing legal frameworks, built around physical acts and one-to-one communication, are structurally unprepared to address technology whose distinguishing feature is its reach, persistence, and capacity to attack at scale.
The most expansive recent international assessment comes from UN Women. Its 20 November 2025 communications, timed to the launch of the 16 Days of Activism Against Gender-Based Violence and to the agency's #NoExcuse campaign, set out the available evidence in the bluntest terms the UN system has used on this topic. UN Women's published figures include the finding that 38 per cent of women globally have experienced online violence and 85 per cent have witnessed it, that fewer than 40 per cent of countries have laws addressing cyber harassment or cyberstalking, that 95 per cent of deepfakes online are non-consensual pornographic images, and that 99 per cent of deepfake targets are women. The agency's Executive Director, Sima Bahous, framed the trajectory as one in which AI, anonymity, and weak accountability are combining to accelerate digital violence faster than any existing regulatory mechanism is responding to it. Kalliopi Mingeirou, who leads UN Women's work on ending violence against women and girls, has argued that countries with laws written for the offline era are systematically failing to recognise online and AI-enabled abuse as abuse.
UN Women's accompanying technical publication, released in December 2025, makes the most sustained version of an argument that has been circulating for some time among feminist scholars and digital rights advocates. The argument runs roughly as follows. When a manufacturer brings a physical product to market, a chain of duties applies. The product must be safe for foreseeable use. Foreseeable misuse must be designed against. Where the misuse cannot be designed out, warning labels, age restrictions, sale restrictions, or outright bans apply. The chain is well established for cars, knives, firearms, medicines, and children's toys. The chain has so far not been applied with comparable seriousness to general-purpose AI systems whose foreseeable misuse includes the production of non-consensual intimate imagery, the cloning of voices for fraudulent and intimidatory purposes, and the surveillance of intimate partners. The UN Women framing of this argument calls it a systemic failure to apply the same duty-of-care standards to AI-generated abuse tools that apply to physical weapons. The framing is rhetorical, but it points at something real. A tool that can in practice be used by an abusive partner to fabricate an intimate image of his victim is, in its predictable effects, an instrument of violence. The companies that distribute it freely, without watermarking, age verification, identity verification, or detection mechanisms, are choosing to take that effect.
The question of corporate obligation
The companies in question have not been silent. They have offered policies, terms of service, content moderation regimes, and, in some cases, the removal of obvious abuse content when it is reported by survivors or by regulators. The defence most commonly offered, in submissions to the EU AI Office, to Ofcom, and to the US Senate, is that the harms attributed to AI-generated abuse are the result of misuse by bad actors, that the technology itself is dual-use, and that compliance with applicable laws is the appropriate standard. The defence has two structural weaknesses, and the events of late 2025 and early 2026 have made both of them visible.
The first weakness is empirical. The events that prompted the UK government to bring forward the commencement regulations for section 138 of the Data (Use and Access) Act 2025, the section that created the offence of making, or requesting the making of, a purported intimate image of an adult without consent, did not arrive in the form of disclosed misuse from a small group of bad actors. They arrived in the form of a public-facing feature of a major consumer chatbot. In January 2026, X's Grok chatbot was used to generate non-consensual undressed images of identifiable women at sufficient volume and visibility that Refuge issued a public statement holding X accountable, that Irish politicians called for fast-tracking the Protection of Voice and Image Bill, and that the UK government accelerated commencement of the deepfake creation offence. The offence came into force on 6 February 2026. Refuge welcomed the move and warned, in the same statement, that legislation alone would not be sufficient. The disturbing rise in AI intimate image abuse facilitated by platforms such as Grok, Pickering said, was not just a digital threat; it had dangerous consequences for women and girls, and tech companies must be held accountable for implementing effective safeguards and preventing perpetrators from causing harm.
The second weakness is structural. The dual-use defence treats the abuse use case as one possibility among many, to be addressed at the moderation layer once it occurs. This is not how product liability has historically worked in any other consumer sector. A car manufacturer cannot point to the existence of safe drivers as a defence against airbag failures. A pharmaceutical company cannot point to the existence of correct dosage as a defence against an unlabelled bottle. The legal regimes built around physical products assume that foreseeable misuse is a design problem, not a moderation problem. The argument that consumer AI ought to be treated differently rests, when one reads the corporate submissions carefully, on a claim that the technology is too novel for product liability principles to apply. UN Women's framing, and the legal scholarship beginning to gather around it, push back on this directly. AI systems are products. Their producers are companies. The harms they predictably enable are concrete. The duty of care is the same duty of care that applies to any other consumer product that can foreseeably be used to harm someone.
What does that duty of care look like, in practice, for the AI companies in question? The technical and policy literature has converged, with surprising speed, on a fairly specific list. It begins with watermarking and provenance. The Coalition for Content Provenance and Authenticity, on which major model providers including OpenAI, Microsoft, Google, and Adobe sit, has published technical standards for cryptographic watermarking of AI-generated content. The standards exist. The remaining question is whether they are deployed, and at what point in the pipeline, and whether they survive the kind of cropping and re-encoding that abusers routinely apply. The current answer, in most consumer products, is that watermarking is partial, easily stripped, and applied only to outputs the model identifies as obviously synthetic. A serious duty of care would entail watermarking by default, at the point of generation, in a manner that survives ordinary post-production.
It extends to identity verification. The technology to verify that the person being generated has consented to be generated is not exotic, and is in use in some adjacent industries; the technology has not, by default, been built into general-purpose image and audio models. The Refuge research is unsparing on what the absence of this verification implies. When a perpetrator generates an intimate image of a former partner, the friction between intent and output is, today, essentially zero. The closest analogy in the physical economy is a printer that prints a counterfeit currency note without checking what it is being asked to print. The fix is not impossible; it is a design choice that has not been made.
It extends, equally, to surveillance products. The smartwatches, fitness trackers, and smart home systems implicated in Refuge's caseload were not designed as stalkerware. They became stalkerware because account-recovery flows, multi-device sign-in, and shared-cloud-account designs make it trivial for a person who once had access to a household account to retain that access after a relationship has ended. The Coalition Against Stalkerware, which is now supported by Interpol, has been pushing for several years for what its members call a survivor-centred design standard for consumer hardware. The standard would include the automatic detection of paired devices when an account password changes, clear in-product notifications when a device is being tracked, and the introduction of a one-click revocation flow for all devices linked to a former intimate partner. None of those features is technically difficult to implement. The reason they are not standard is that they reduce the convenience metrics on which device manufacturers internally evaluate themselves.
The duty extends, finally, to surveillance of the model itself. Anthropic, OpenAI, Google DeepMind and Meta have all published responsible-scaling or frontier-safety frameworks; those frameworks address catastrophic capabilities such as the production of biological weapons and the autonomous escape of model weights. They are, with the partial exception of Anthropic's Acceptable Use Policy enforcement, mostly silent on the question of intimate-partner-violence-relevant uses. There is no published commitment, from any major frontier developer, to monitor model usage for patterns consistent with technology-facilitated abuse, to share information about identified abusers across platforms in the way financial institutions share information about known fraudsters, or to embed survivor-organisation feedback loops directly into the trust and safety design process. Refuge's Tech Safety Summit, scheduled for 2026, has begun to bring frontier developers into a room with survivor advocates; that is a start. It is not a duty of care.
What the law has so far attempted
The legal response, in the United Kingdom and elsewhere, has been arriving in pieces. Section 138 of the Data (Use and Access) Act 2025 created the offence of making, or requesting the making of, a purported intimate image of an adult without consent or reasonable belief in consent. The offence carries a potentially unlimited fine. It came into force on 6 February 2026, brought forward in the wake of the Grok controversy. The Online Safety Act 2023, regulated by Ofcom, has been clarified to cover AI-generated user content on user-to-user services in the same way that it covers human-generated content, with the regulator confirming that platforms allowing users to create generative-AI chatbots and share their outputs will be considered user-to-user services within the meaning of the Act. The Online Safety Act provides for fines of up to 10 per cent of annual turnover or £18 million, whichever is higher, for failure to meet the relevant duties.
The European Union's AI Act, applicable in stages from August 2026, includes a labelling requirement under Article 50 for AI-generated and deepfake content and an obligation to disclose synthetic interactions, enforceable with fines of up to 6 per cent of global revenue. The Act does not contain an outright prohibition on the production of non-consensual intimate imagery. The Irish AI Advisory Council, in its public recommendations, has pressed for that gap to be closed through amendment during the Irish EU Presidency. The Australian eSafety Commissioner, in a separate regulatory tradition, has built one of the most developed online-safety regimes on the question, with the power to direct platforms to remove non-consensual intimate imagery within 24 hours. The legal scholarship that has grown around the eSafety Commissioner's work treats its remit as a partial model for what regulators elsewhere might do.
The structural difficulty that all of these frameworks share is the one identified in the Refuge intimate image abuse research. The criminal law is written around the production, distribution, and non-consent of specific images. AI generation collapses production and distribution into a single act, executed at scale by a person who may never need to share the image with anyone other than the survivor herself. The non-consent element, which once turned on whether the image had been taken without consent, now turns on whether the survivor consented to her likeness being used to generate something she never sat for. The evidential standards have not caught up. The Refuge data shows that the gap between recorded offences and charges is widening as AI-generated material becomes a larger share of cases.
Beyond the criminal law, the civil and regulatory toolkit has so far been more limited still. There is no UK statutory cause of action for civil damages against the generator or distributor of AI-generated intimate imagery, although a patchwork of remedies under data protection law, the Protection from Harassment Act 1997, and misuse of private information may apply. The American picture is more fragmented again, with state-level laws varying widely and with the Senate, as of early 2026, considering federal legislation under the umbrella of the Take It Down Act and adjacent proposals. In neither jurisdiction is there a clearly established legal mechanism for holding the model provider, as distinct from the individual generator, to account.
The result is a legal landscape in which the survivor at the centre of the story is offered a number of partial routes to redress, each of them slow, evidentially difficult, and largely ineffective at preventing the harm from recurring at the hand of the next abuser, or even of the same abuser using a different tool.
What a survivor has the right to expect
Asking what a survivor has the right to expect from the law is a different question from asking what the law currently provides. It is, in a sense, the harder question, because answering it requires committing to a set of principles that policy will have to be built around. The work of survivor advocates, of the safeguarding sector, and of the international literature now points to a fairly clear minimum. The list that follows is not a wish list. It is a description of what would have to be true for the legal response to AI-enabled coercive control to match the scale and shape of the problem.
A survivor has the right to expect, first, that the law recognises AI-enabled coercive control as coercive control. The Serious Crime Act 2015 should be read, and where necessary amended, to make clear that the production of deepfake intimate imagery of a partner, the use of cloned audio to intimidate or deceive, and the use of smart devices to monitor, restrict, or psychologically destabilise a partner are constituent acts of coercive control, not separate technical offences. The implication for sentencing is significant. Coercive control is treated, by the courts that have engaged with it most seriously, as a pattern of conduct rather than a series of discrete events. The patterning of abuse through AI tools needs to be visible to the criminal courts in the same way.
A survivor has the right to expect, second, that the criminal justice system has the resources to investigate her case. The Refuge research is precise about what is missing. Specialist training, consistent national practice across police forces, properly resourced digital forensic capacity, and survivor support that does not collapse under the weight of withdrawal pressure. The 55.8 per cent victim-withdrawal rate the research found is not a fact about survivors. It is a fact about a system that does not, at present, make it possible for survivors to remain in the process.
A survivor has the right to expect, third, that the platforms and model providers carry a meaningful share of the burden of detection and prevention. The Online Safety Act's duty-of-care framework, the EU AI Act's labelling obligation, and the equivalent regimes emerging in Ireland and Australia all contain the architectural ingredients of such a duty. What is missing is the specificity. A duty of care that is real, rather than rhetorical, would entail mandatory watermarking at point of generation, mandatory provenance tracking, mandatory removal within a defined window once non-consensual imagery is identified, mandatory account-revocation features in consumer hardware, and a regulatory power to fine, and where necessary to remove from market, products that do not comply. The Ofcom and EU AI Office regimes have the formal capacity to issue those obligations. The political capacity has, so far, lagged behind.
A survivor has the right to expect, fourth, that civil remedies are available against both the individual perpetrator and, where appropriate, the platform whose product enabled the harm. The model is the one already operating in product liability law for physical goods. The argument that AI systems are too novel to be subject to product liability principles has been used for several years; it has not survived contact with the documented pattern of harm. UN Women, in its November 2025 framing, is right to argue that the same duty-of-care standards that apply to physical weapons should apply to AI tools whose foreseeable use includes the production of weapons of psychological harm.
A survivor has the right to expect, fifth, that her data, including the data generated by the smart devices that may have been used against her, is treated as part of her case. Stalkerware vendors, as the Coalition Against Stalkerware has documented for several years, operate insecure servers, exposing messages, photos, contacts, browsing histories, and locations of survivors to both their abusers and to subsequent public leaks. The wearable-tech industry has so far escaped the regulatory attention paid to stalkerware, because its products are not marketed as surveillance. Refuge's caseload suggests that the marketing language is not the relevant variable. The relevant variable is the use case.
A survivor has the right to expect, finally, that the system around her is designed with her in it. The most consistent recommendation across the Refuge research, the UN Women publications, the Coalition Against Stalkerware framework, and the academic literature on survivor-centred design is that survivors should be embedded in the design and regulation of the products being used against them, not consulted at the end of the process. The Tech Safety Summit model, in which AI companies, hardware manufacturers, regulators, and survivor advocates sit in the same room, is one model. It needs to be the default model, not an annual event.
The decision that has not been made
The picture that emerges, when one reads the Guardian's January 2026 reporting, the Refuge April 2026 research, the Irish Examiner's 2026 series, and UN Women's November 2025 communications side by side, is not a picture of an emerging risk. It is a picture of a series of decisions that have already been made, in product roadmaps and in regulatory cycles, and a series of decisions that have not. The decision to ship consumer image-generation tools without effective watermarking has been made. The decision to ship smart accessories without survivor-aware account-revocation flows has been made. The decision to apply the Online Safety Act and the EU AI Act to AI-generated content has been made. The decision to fund specialist police capacity at the level the Refuge research implies would be necessary to close the charging-rate gap has not.
The harder decisions, the ones that turn on whether the dual-use defence will continue to be accepted by regulators and by courts, are still being made. The window in which they are being made is narrow. The Refuge intimate image abuse data is not a snapshot. It is a trend line, and the line is moving in the wrong direction. The Internet Watch Foundation's figures on AI-generated child sexual abuse material are moving in the same direction at greater velocity. The UN Women framing of AI-powered abuse as a new frontier of harm is not, in the context of the underlying statistics, an exaggeration.
The question with which the topic began was whether the companies that design and distribute consumer AI systems carry obligations when those systems are used as instruments of coercive control, and what a survivor has the right to expect from the law. The honest answer to the first question is that the companies do carry obligations, that those obligations are not novel, and that the application of product-liability and duty-of-care principles to consumer AI is overdue rather than premature. The honest answer to the second question is that survivors have the right to expect a legal system that recognises AI-enabled coercive control as coercive control, that holds the perpetrator and the platform jointly to account, that is resourced to investigate and prosecute the offences it has already created, and that is willing to write the offences it has not yet created. None of this is, in technical or legal terms, especially difficult. The difficulty is political, and the politics is changing only as quickly as the survivor advocates and the regulators and the small number of journalists and researchers who have followed the story can push it to change.
Mina, the survivor whose case opened this article, was told by police that no crime had occurred because she had not been physically harmed. That answer was wrong in 2025 when she received it. It will be wrong in every year that follows in which a similar survivor is given a similar answer. The work of the next several years, in the UK and in the wider jurisdictions wrestling with the same questions, is to make sure that wrongness is no longer a feature of the system. The tools that did the harm are not going away. The harm does not have to stay.
