Content Provenance for AI Outputs: C2PA, SynthID, and the Audit Trail You Will Soon Owe
A model's output used to be a string. By August 2026 it will be a signed artifact with a chain-of-custody manifest, and any team treating it as anything less will be retrofitting under deadline pressure.
That sentence sounds dramatic until you read Article 50 of the EU AI Act, which becomes fully enforceable on August 2, 2026, and requires that any synthetic content from a generative system be machine-detectable as AI-generated. The Code of Practice published in March 2026 is explicit that a single marking technique is not sufficient — providers must combine metadata embedding (C2PA) with imperceptible watermarking, and the output must survive common transformations like cropping, compression, and screenshotting. Penalties for non-compliance reach €15 million or 3% of global turnover. This is not a labeling guideline; it is a signed-artifact mandate, and it lands on every team shipping a generative feature into the EU market.
