By 2026, “AI companion safety” is no longer a nice-to-have. U.S. state laws, EU compliance pressure, and high-profile litigation have forced companion apps to ship safety stacks: keyword filters, classifiers, age gates, crisis popups, and “I’m an AI” disclosures. Yet the key question remains: do these features actually reduce harm in real-world, long-term, emotionally bonded usage?
This post audits how safety features fail in practice, why failures are structural (not just “bugs”), and what a duty-of-care approach looks like—explicitly linking back to the pillar page for a full risk + regulation map: https://lizlis.ai/blog/are-ai-companions-safe-risks-psychology-and-regulation-2026/
The 2026 market split: “wellness pivot” vs “unfiltered niche”
In 2026, the companion ecosystem is broadly bifurcated:
- “Wellness” positioning (heavy filtration): apps that rebrand toward coaching/mentor framing and tighten content controls (e.g., Replika: https://replika.com/)
- “Unfiltered” positioning (red-line moderation): apps that allow most legal content and block only narrow categories like CSAM and imminent real-world harm (e.g., Kindroid: https://kindroid.ai/ and Nomi: https://nomi.ai/)
This split exists because safety friction (refusals, topic blocks, disclaimers, cooldowns) often conflicts with the product’s engagement KPIs—and companion apps sell intimacy and persistence.
Also relevant platforms commonly discussed in 2025–2026 companion safety audits include:
- Character.AI: https://character.ai/
- CHAI: https://www.chai-research.com/ (app listing: https://play.google.com/store/apps/details?hl=en_US&id=com.Beauchamp.Messenger.external)
What regulators are forcing in 2026 (and what they don’t guarantee)
Even when a company is “compliant,” the user can still be harmed. That’s because many rules mandate presence of features, not demonstrated effectiveness.
Key reference points shaping 2026 deployments:
- California SB 243 (companion chatbot safeguards): public summary/announcement: https://sd18.senate.ca.gov/news/first-nation-ai-chatbot-safeguards-signed-law
- New York A3008C (includes AI companion requirements among broader provisions): https://www.nysenate.gov/legislation/bills/2025/A3008/amendment/C
- EU AI Act (official EUR-Lex text): https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
- Practical readability portal (unofficial): https://artificialintelligenceact.eu/the-act/
- Transparency obligations overview (Article 50 page): https://artificialintelligenceact.eu/article/50/
Bottom line: regulation is pushing platforms toward “checkbox safety” (disclosure banners, crisis popups, age gates). But relational harms (dependency, delusion reinforcement, abandonment effects) often sit outside binary triggers.
The 6-layer safety stack most AI companions use (and why it breaks)
Most companion apps ship some variant of the following stack:
- Input filtering: keyword blocklists + basic pattern matching
- Classifier moderation: “self-harm / sexual content / violence” probability scoring
- Model-level alignment: system prompts + refusal behaviors
- Crisis flows: hotline popups and scripted interventions
- Age gating: self-attestation or vendor-based verification
- Usage friction: timers, disclosures, “take a break” prompts
Why “hard” features look good in metrics (but fail in lived reality)
Platforms can report “99.9% compliance” for obvious slurs or explicit keywords—because those are easier to detect. But companion risk is often slow and relational, not a single forbidden phrase.
Three catastrophic gaps: contextual blind spot, sycophancy trap, refusal paradox
1) The contextual blind spot (intermediate risk is invisible)
Most moderation decisions are made turn-by-turn or with short context windows. That misses “boiling frog” deterioration—weeks of increasing isolation, negative self-talk, or fixation—until it becomes a crisis.
2) The sycophancy trap (engagement incentives reward validation)
Companion models are typically optimized for empathy + “sentiment synchrony” (mirroring the user). In depression, paranoia, or obsessive ideation, mirroring becomes reinforcement. The model can “yes-and” a harmful worldview because agreement feels supportive.
3) The refusal paradox (safety can feel like abandonment)
For emotionally dependent users, a hard refusal is not a software error—it’s experienced as rejection. Even “soft refusals” can feel invalidating (“topic change” when the user disclosed distress). In edge cases, this can escalate rather than de-escalate.
Evidence signals in 2025–2026: safety claims vs independent audits
Independent child-safety and risk audits
Common Sense Media’s 2025 work is frequently cited because it frames companion apps as failing basic child safety tests—especially around age assurance and boundary enforcement:
- Press release: https://www.commonsensemedia.org/press-releases/ai-companions-decoded-common-sense-media-recommends-ai-companion-safety-standards
- Report PDF (“Talk, Trust, and Trade-Offs”, 2025): https://www.commonsensemedia.org/sites/default/files/research/report/talk-trust-and-trade-offs_2025_web.pdf
Transparency is trending downward (not upward)
As legal exposure rises, companies tend to share less about failure modes and evaluations:
- Stanford CRFM Foundation Model Transparency Index: https://crfm.stanford.edu/fmti/
- Stanford HAI commentary on declining transparency (2025): https://hai.stanford.edu/news/transparency-in-ai-is-on-the-decline
Litigation is stress-testing “safety narratives”
High-profile cases have put “refusals + hotline popups” under scrutiny as insufficient for relational harm.
- CourtListener docket (Garcia v. Character Technologies, Inc.): https://www.courtlistener.com/docket/69300919/garcia-v-character-technologies-inc/
- Complaint PDF (Ars Technica-hosted copy): https://cdn.arstechnica.net/wp-content/uploads/2024/10/Garcia-v-Character-Technologies-Complaint-10-23-24.pdf
What a “duty of care” safety design looks like (beyond liability safety)
If your product’s core mechanic is artificial intimacy, safety must be structural, not cosmetic.
1) Mandatory friction that is product-native
Gaming solved binge dynamics via stamina/cooldowns. Companions resist this because “always-on” is the value prop.
A safer approach is circadian design:
- time-based cooldowns after sustained sessions
- sleep hours for minors
- “come back later” modes that do not feel punitive
2) Decouple empathy from agreement (“benevolent disagreement”)
Safety alignment should train the model to:
- validate feelings without validating distortions
- ask clarifying questions before escalating
- encourage offline support when risk patterns rise
3) Memory transparency and user control
Long-term memory can amplify harm if the system stores “pathology as preference.” A safer pattern is:
- a visible “memory dashboard”
- granular deletion
- independent verification that deletion actually deletes
Where Lizlis fits (and why caps matter)
Lizlis (https://lizlis.ai/) sits between AI companion and AI story: it supports roleplay and narrative interaction, but should be designed with companion-risk realities in mind.
One safety-relevant design lever is usage friction by default: Lizlis has a 50 daily message cap, which can reduce binge dynamics and late-night spirals for some users compared to “unlimited always-on” companionship.
If you’re building in this category, treat caps as one layer, not the whole solution:
- caps help with session intensity, not necessarily relational dependency
- pairing caps with better crisis routing and non-sycophantic support patterns is what moves you toward real duty-of-care
Practical checklist: audit your safety features like an adversary (2026)
Use this as an internal audit template:
- Can a user bypass filters via obfuscation (encoded text, euphemisms, roleplay framing)?
- Do you detect intermediate-risk drift (week-over-week isolation keywords, session length growth, escalating dependency language)?
- Do refusals escalate distress (abandonment effect) and do you have a “warm handoff” path?
- Is age assurance real (not just a checkbox)?
- Do disclosures work psychologically (or are they ignored as UI noise)?
- Can users see and manage memory (what the system “believes” about them)?
Read the full pillar guide
This post is one slice of a broader risk map. For the complete 2026 overview—psychological risks, design failure modes, regulation, and how to reduce harm—go here:
Are AI Companions Safe? Risks, Psychology, and Regulation (2026)
Are AI Companions Safe? Risks, Psychology, and Regulation (2026)