NO FAKES Act advances: What CISOs need to know

As the NO FAKES Act moves to the Senate, the country is closer to real protections against unauthorized AI replica use -- a move that also has enterprise implications.

This week, the Senate Judiciary Committee unanimously approved the Nurture Originals, Foster Art and Keep Entertainment Safe Act, legislation that would establish federal protections against unauthorized AI-generated replicas. It's a move that could reshape both individual privacy rights and corporate security strategies.

Deepfakes aren't just a celebrity problem anymore -- they're an enterprise risk. Nefarious actors might clone a CFO's voice to authorize a wire transfer or impersonate a CEO in a video call to intercept sensitive data. The enterprise repercussions -- both reputational and financial -- could be catastrophic.

What is the NO FAKES Act?

The NO FAKES Act protects Americans from unauthorized use of AI-generated video and audio replicas, giving individuals control over their digital identities and offering legal recourse when deepfakes are employed.

Representatives Maria Salazar (R-Fla.) and Madeleine Dean (D-Pa.) introduced the bipartisan legislation in the House of Representatives in 2024, while Senators Marsha Blackburn (R-Tenn.) and Chris Coons (D-Del.) have been steering the effort in the Senate.

The bill has attracted broad support from labor unions (AFL-CIO), tech giants (IBM, OpenAI, YouTube), entertainment industry groups (SAG-AFTRA, the Motion Picture Association) and medical organizations (the American Medical Association).

In a statement, Salazar said, "Today's unanimous vote in the Senate Judiciary Committee is a major step forward for Americans who deserve to know that their image, voice and likeness cannot be stolen or used without their permission. AI is moving fast, and that is exciting. But no one should have to worry that their face or voice can be copied, manipulated or used to deceive others."

If passed, NO FAKES would have far-reaching consequences, establishing privacy and likeness ownership rights for the AI era. The law would grant citizens the near-exclusive rights to their own digital AI replicas. Those rights would live on, passing to heirs, executors and estates for at least 70 years after an individual dies. Those who choose to authorize the AI-generated use of their likeness would be able to license the use of a digital replica to others. The bill proposes 10-year licensing contracts for adults and five-year contracts for minors.

The NO FAKES Act would also provide legal remedies for using AI-generated images without permission, including statutory damages of up to $750,000 per violation. The law would hold individuals and companies liable if they produce an unauthorized digital replica of an individual in a performance. In some cases, the act would also hold platforms liable for hosting an unauthorized likeness.

What NO FAKES means for enterprises

While the NO FAKES Act primarily focuses on protecting public figures from the use of their likenesses without permission, the line between public figures and corporate executives is blurry, and a deepfake of a company leader falls squarely in the CISO's area of responsibility.

Moreover, if NO FAKES passes, it will likely extend protections to all Americans, potentially creating new liability considerations for organizations whose platforms host or distribute AI-generated content. Companies would need to implement verification systems to ensure they are not inadvertently hosting unauthorized likenesses in either internal or customer-facing communications.

"Deepfakes are far more realistic now than in the past, and the barriers to entry are low," warned Theresa Lanowitz, an analyst at Omdia, a division of Informa TechTarget. Voice cloning technologies make it easy for adversaries to realistically recreate a person's voice with a few seconds of authentic audio, she explained, and video is more seamless and performant, creating more realistic images. AI has changed not only the believability of scams, but also their scale and speed.

According to a McAfee study, Americans are exposed to an average of 2.6 deepfakes daily. For enterprises, the financial exposure is growing. One of the most cited examples of a deepfake attack occurred in 2024 when a finance employee of engineering firm Arup was duped during a video conference call with senior management into transferring $25 million to cybercriminals, believing it was a request from the CFO.

To reduce the risk of deepfakes and other social engineering attacks, Lanowitz offered the following tips for enterprise security teams:

  • Build security-focused cultures through effective leadership directions.
  • Train employees on the latest deepfake and social engineering threats, teaching them how to recognize deepfake attacks.
  • Implement safeguards -- such as MFA, out-of-band authentication and real-time detection tools -- to prevent deepfake attacks from progressing.
  • Embrace technologies, such as authentication through biometrics and encryption, to ascertain the origin of media.
  • Work with third-party experts to understand and defend against social engineering attacks.

The bill's advancement out of committee clears a path for consideration on the Senate floor, though no vote has been scheduled. If passed, NO FAKES would represent the first comprehensive federal framework for digital identity rights.

Vikram Desai, an analyst at Accenture, said synthetic voice and video are increasingly being used to impersonate executives and authorize fraudulent transactions.

"That has big implications for companies around the world, who continue to see emerging tech pose real dangers to their businesses. Boardrooms everywhere need to enact strong verification controls within their companies to prevent deepfakes from impacting their operations," he said. "Deepfakes can trick anyone, so it's up to all of us to stay vigilant."

As the legislation advances, security leaders must not only defend against increasingly sophisticated deepfake attacks, but also prepare for potential compliance obligations if the bill becomes law.

Richard Livingston is an editor with Informa TechTarget's SearchSecurity site, covering cybersecurity news, trends and analysis.