Operation AI Comply: What the FTC's AI Sweep Targets

In September 2025, the FTC announced Operation AI Comply, a sweep of enforcement actions against companies the agency concluded had used AI-related claims deceptively. Five actions were announced simultaneously. In the months since, additional cases have followed. The pattern of what the agency targeted — and, as importantly, what it did not — tells you something useful about the FTC’s enforcement theory and the cases it believes it can win.

The five original Operation AI Comply actions

The five September 2025 cases involved:

1. DoNotPay. The FTC’s case against DoNotPay, the subscription legal-services chatbot that marketed itself as “the world’s first robot lawyer,” settled for $193,000. The complaint alleged the company’s claims that its AI could perform at lawyer-level were not substantiated — the company had not tested the AI’s legal performance in a systematic way, and consumer outcomes from relying on the chatbot’s legal advice were not tracked. The settlement required DoNotPay to provide notices to past subscribers and prohibited AI-capability claims the company could not substantiate.

2. Evolv Technology Holdings. Evolv sold AI-powered weapons detection systems to schools and venues, marketing them with claims about their detection accuracy. The FTC’s complaint alleged the accuracy claims were not supported by independent testing under real-world conditions, and that Evolv had received internal reports of detection failures that were not reflected in its marketing materials. The settlement required disclosure of limitations, banned specific quantitative accuracy claims without qualifying data, and included a $2.5 million civil penalty.

3. A business-opportunity scheme using AI as credential. One of the five cases involved a company that marketed business-opportunity products using AI as the central selling claim — the pitch was that the purchaser would operate an AI-powered business that would generate passive income. The FTC alleged the business-opportunity framing was a cover for a scheme, and that the AI component was not the sophisticated autonomous system marketed but a basic automation layer. The settlement included a ban on business-opportunity and investment-scheme marketing.

4–5. Two additional cases against AI-powered lead generation and automated income-promise services followed a similar pattern: capability claims not substantiated, AI-branding used to lend technical credibility to what were functionally standard deceptive-marketing schemes.

The enforcement theory

The unifying theory across the Operation AI Comply actions is not “AI is uniquely dangerous” — it is “AI claims are unfair or deceptive practices when unsubstantiated.” The FTC is applying Section 5 of the FTC Act the same way it applies the Act to any capability claim: if you say your product can do X, you need a reasonable basis to believe it can do X before you make the claim.

The AI context makes this consequential because AI capability claims are unusually difficult for consumers to verify. A vacuum cleaner’s suction claim can be tested. An AI system’s claims about accuracy, autonomy, or reasoning capability require technical expertise to evaluate — which is precisely why the FTC treats unsubstantiated AI claims as a priority. The asymmetry of verifiability is the harm theory.

What the FTC has not yet brought are cases targeting AI companies for the underlying model failures — hallucination-caused harm, discrimination in model outputs, or privacy violations from training data collection. Those would require the FTC to establish a theory of harm that goes beyond “the advertising was false” to “the technology itself caused demonstrable injury.” The agency has the tools to make that argument under its unfairness authority, but has not yet done so in an AI-specific enforcement action.

What the DoNotPay case specifically established

The DoNotPay settlement is the most instructive because it involved an AI claim that was not outright fabricated — the product did use an AI chatbot — but was marketed with a capability claim (lawyer-equivalent performance) that was not tested. The complaint’s theory does not require proving that DoNotPay’s AI was useless. It requires proving only that the company made a performance claim it lacked a reasonable basis to make.

The FTC’s substantiation standard for AI capability claims, as applied in DoNotPay, requires:

• Testing relevant to the claimed use case. You cannot run benchmark tests on a general language model and then claim the model performs at human-expert level in a specific professional domain without domain-specific testing.
• Testing under conditions similar to consumer use. Laboratory or cherry-picked testing conditions that do not reflect typical user interactions are not adequate substantiation for general-consumer marketing claims.
• Known failure modes must be disclosed. If internal testing or consumer feedback reveals failure rates or accuracy limitations, continuing to market with unqualified accuracy claims is deceptive regardless of average performance.

The last point — known failures must be disclosed — is the one most organizations building on foundation models should be watching. If your internal red-team or evaluation documentation identifies specific failure modes in your AI product, and your marketing does not reflect those limitations, you have a DoNotPay problem regardless of whether anyone has complained about the failures yet.

What the Evolv case adds for enterprise AI

Evolv is the more significant precedent for enterprise AI vendors because the product was sold to institutional buyers (schools, public venues) rather than consumers. The FTC’s jurisdiction over B2B deceptive practices is more constrained than its consumer protection authority, but the case proceeded because the ultimate harm was to the public-venue attendees and students whose safety was supposedly protected by the technology.

The case also involved internal suppression of adverse data — specifically, that Evolv had internal reports indicating its detection rates in real deployments were materially lower than in controlled demos, and did not update its marketing claims accordingly. This element makes Evolv closer to a fraud theory than a simple substantiation-gap theory. The combination of a quantitative capability claim, real-world data showing the claim was not accurate, and failure to update marketing creates a strong FTC Section 5 case.

Enterprise AI vendors should treat Evolv as establishing that:

• Accuracy or performance claims made to institutional buyers are subject to FTC substantiation requirements even when individual consumers are not the direct purchaser
• Real-world monitoring data that diverges from marketing claims must be reflected in future marketing — continuing to cite pre-deployment test data after receiving divergent real-world data creates liability
• The remedy can include civil penalties (Evolv paid $2.5M) on top of the injunctive relief typical of consent orders

The cases the FTC is not yet bringing

The gap in Operation AI Comply is hiring and benefits decisions. AI systems used in employment screening — resume filtering, interview scoring, background-check aggregation, automated adverse-action notices — have been the subject of EEOC guidance and state-level legislation but have not yet generated FTC enforcement actions on discrimination or deception theories, despite the FTC’s public statements that such cases are being investigated.

The state-level action is further along on this: Illinois, Maryland, and New York City have statutes specifically addressing automated employment decision tools, with New York City’s Local Law 144 requiring annual bias audits and public disclosure of results. The FTC’s hesitation on employment AI enforcement appears to reflect a preference for letting the EEOC lead on discrimination theory while the FTC focuses on the advertising-claim cases where its legal path is clearest.

Watch for cases against AI recruitment vendors with quantitative screening-accuracy claims they cannot substantiate — that would fit the existing Operation AI Comply theory exactly, in a sector where the stakes for harm are clear.

Sources

• FTC: Operation AI Comply enforcement announcement (September 2025) ↗ — primary FTC press release with links to individual case documents.
• FTC v. DoNotPay complaint and stipulated order ↗ — the complaint is the primary source for the substantiation theory; the stipulated order’s prohibition language defines what the FTC considers adequate substantiation.
• FTC v. Evolv Technology Holdings settlement ↗ — the settlement documents establish the enterprise AI precedent and include the civil penalty.
• FTC Business Guidance: Keeping your AI claims in check (February 2023) ↗ — the FTC’s pre-enforcement guidance on substantiation for AI claims; still the clearest statement of the agency’s general theory.
• FTC Policy Statement on AI and Deceptive Advertising ↗ — the formal policy statement establishing the agency’s enforcement principles for AI-related deception.