Labelling, watermarking, and machine-readable provenance for AI-generated audio / video / text. Distinct from `deepfakes` (which centres on misuse harms) — this is the upstream infrastructure layer. EU AIA Art. 50, China GenAI Measures Art. 13 (mandatory tagging), NIST AI 600-1, G7 Hiroshima Code commitment 6, C2PA standard adoption.
Abstract
Synthetic-content-provenance governance — how AI-generated media is watermarked, labelled, or declared so audiences can tell it apart — is addressed directly by several catalogued instruments, including the EU AI Act (Article 50) and China's labelling rules, with others reaching it only implicitly. Policy Window records the empirical consensus as contested: the open question is where the duty should sit — with the model provider watermarking at generation, the platform labelling at distribution, or the recipient able to ask — and jurisdictions are selecting different points. This article maps each instrument's provenance obligations with primary-source citations.
Definition & scope
The cross-jurisdiction picture below shows how each of 45 tracked instruments treats this topic. The patterns vary substantially — and 28 regimes are silent, leaving gaps that future policy work could address.
Regulatory approaches
The binding instruments converge on the same goal — make AI-origin detectable — but split on WHO must act and by what modality. The EU AI Act sets a two-sided architecture: Article 50(2) places a machine-readable marking duty on PROVIDERS of generative systems (outputs must be "marked in a machine-readable format and detectable as artificially generated or manipulated", using solutions that are "effective, interoperable, robust and reliable as far as this is technically feasible"), while Article 50(4) places a human-facing DISCLOSURE duty on DEPLOYERS of systems that produce deepfakes or public-interest AI text (EU AI Act Art. 50(2), 50(4); applicable 2 August 2026). China's Measures for Labeling AI-Generated Synthetic Content instead impose a dual-track duty on service providers themselves: an EXPLICIT label visible to users PLUS an IMPLICIT label embedded in file metadata, across text, image, audio, video and virtual scenes (CAC et al., effective 1 September 2025) — situated by analysts within China's layered 2022 deep-synthesis and 2023 generative-AI regime that treats labelling and watermarking as a provenance-governance model 1. Voluntary regimes specify mechanism without mandate: the G7 Hiroshima Process Code of Conduct asks developers to deploy "reliable content authentication and provenance mechanisms... such as watermarking" carrying a model/service identifier (G7 Hiroshima Code of Conduct, 30 Oct 2023, commitment 6); some scholars go further, arguing legislation should require developers to demonstrate a reliable detection mechanism as a precondition of public release 2. The C2PA standard supplies the cryptographic substrate these rules lean on — signed provenance manifests (Coalition for Content Provenance and Authenticity). The structural divide is provider-side technical marking (EU 50(2), China implicit) versus deployer/user-facing disclosure (EU 50(4), China explicit).
Key fault lines
Three governance-design disputes run beneath the convergent rhetoric. FIRST, locus of the duty: the EU splits provider marking from deployer disclosure (EU AI Act Art. 50(2) vs 50(4)), whereas China loads both the visible and embedded signal onto the generating service (China Labeling Measures, eff. 2025-09-01) — a divergence over whether platforms that REDISTRIBUTE content also owe detection duties, which California is now testing by requiring large online platforms to detect embedded provenance from 1 January 2027 (California AB 853, signed 13 Oct 2025). SECOND, durability of the signal: the dominant standard concedes that cryptographic manifests are "attached to" rather than embedded in assets and "can easily be stripped", with platforms re-encoding on upload (C2PA, durable Content Credentials rationale) — and the deeper computer-science result is that robust marking has hard limits: a formal systematization sets out the robustness/security goals and bounds for AI watermarking 3, recursive paraphrasing can drive text-detection rates down while barely degrading quality 4, and under natural assumptions strong watermarking is proven impossible 5, meaning the marking the law presumes is itself contestable. THIRD, scope of exemptions: Article 50 carves out assistive editing that does not "substantially alter" inputs, law-enforcement use, and "evidently artistic, creative, satirical, fictional" works, plus human-reviewed text under editorial responsibility (EU AI Act Art. 50(2), 50(4)) — boundaries that determine how much real-world content the regime actually reaches.
Trajectory — what's changing
Provenance obligations are entering force on a compressed 2025-2026 timeline, even as evidence questions whether the mechanisms work. China moved first: the Labeling Measures and the accompanying mandatory national standard took effect 1 September 2025, making the dual explicit/implicit label legally operative for generation and synthesis services (CAC et al., effective 2025-09-01; TC260 content-labeling standard) (Loeb & Loeb 2025). The EU's Article 50 transparency obligations become legally effective 2 August 2026; to operationalise the otherwise abstract "state of the art" standard, the Commission ran a public consultation from September 2025, published draft transparency guidelines in May 2026, and finalised a voluntary Code of Practice on marking and labelling of AI-generated content on 10 June 2026 — voluntary to sign but evidencing compliance with the binding Article 50 duties (European Commission, Code of Practice; EU AI Act Art. 50). Yet an empirical audit finds only 38% of AI image generators implement adequate watermarking and 18% deepfake labelling, exposing a live compliance gap against Article 50 6; user studies likewise complicate the premise, finding provenance information often lowered trust in deceptive media but could also reduce trust in truthful media 7. The United States is converging through state law rather than federal mandate: California's AI Transparency Act (SB 942) was delayed by AB 853 from 1 January 2026 to 2 August 2026 to align with the EU date, and AB 853 layers in staged duties — large-platform provenance DETECTION from 1 January 2027 and capture-device latent-disclosure options from 1 January 2028 (California SB 942; AB 853, signed 13 Oct 2025). On the technical layer, C2PA's shift to durable Content Credentials (soft-binding watermarks, C2PA 2.x, 2025) signals the underlying standard is still maturing as the legal deadlines arrive. The federal layer is not wholly absent of soft law: the White House Voluntary AI Commitments ask signatories to "develop and deploy mechanisms that enable users to understand if audio or visual content is AI-generated, including robust provenance, watermarking, or both" (Voluntary commitment #5). The NIST AI RMF Generative AI Profile reinforces this federal posture by naming Information Integrity, covering synthetic-content labelling and provenance, as one of twelve GenAI risk categories (NIST AI 600-1).
Coverage across jurisdictions
Historical primacy & cross-jurisdiction tension
First addressed by Provisions on the Administration of Deep Synthesis of Internet Information Services on (governs). Subsequent regimes have either codified, diverged from, or remained silent on this baseline.
- Forum-shoppingEU AI Act↔Executive Order 14179 — Removing Barriers to American Leadership in AI
- Forum-shoppingExecutive Order 14110 on Safe, Secure, Trustworthy AI↔UK Pro-Innovation Approach to AI Regulation (White Paper)
- Forum-shoppingInterim Measures for Generative AI Service Management↔OECD AI Principles (Recommendation)
Compare jurisdictions: EU vs US · EU vs UK · EU vs CN
Enforcement & impact
Silent regimes — gap signal
Instruments that do not address Synthetic Content Provenance — candidates for future policy work.
- Executive Order 14179 — Removing Barriers to American Leadership in AIUS
- UK Pro-Innovation Approach to AI Regulation (White Paper)UK
- OECD AI Principles (Recommendation)OECD
- Council of Europe Framework Convention on AIcouncil_of_europe
- Bletchley Declaration on AI Safetyglobal
- Seoul Declaration on Safe, Innovative and Inclusive AIglobal
- California SB-1047: Safe and Secure Innovation for Frontier AI Models ActUS
- India Digital Personal Data Protection Act + AI Advisory (MEITY)IN
- ASEAN Guide on AI Governance and EthicsASEAN
- African Union Continental AI StrategyAfrican_Union
- OpenAI Preparedness FrameworkUS
- Google DeepMind Frontier Safety FrameworkUS
- Meta Frontier AI FrameworkUS
- UK-US AI Safety Institute Memorandum of Understandingglobal
- General Data Protection Regulation (GDPR)EU
- OMB Memorandum M-24-10 (Advancing Governance, Innovation, and Risk Management for Agency Use of AI)US
- GSA Generative AI and Specialized Computing Infrastructure Acquisition Resource GuideUS
- DoD Responsible AI Strategy and Implementation PathwayUS
- FedRAMP AI Cloud Procurement GuidanceUS
- DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)US
- California SB-53: Transparency in Frontier Artificial Intelligence Act (TFAIA)US
- California SB 243: Companion ChatbotsUS
- Revised Product Liability Directive (Directive (EU) 2024/2853)EU
- UNESCO Recommendation on the Ethics of Artificial IntelligenceUNESCO
- Directive (EU) 2024/2831 on improving working conditions in platform workEU
- New York RAISE Act: Responsible AI Safety and Education ActUS
- TAKE IT DOWN Act (Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act)US
- Japan AI Promotion Act (Act on the Promotion of Research, Development and Utilization of AI-Related Technologies)JP
See also
Further reading
10 academic & grey-literature sources bearing on this topic — catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- Missing the Mark: Adoption of Watermarking for Generative AI Systems in Practice and Implications Under the New EU AI Act Peer-reviewed✦ AIEmpirical audit finds only 38% of AI image generators implement adequate watermarking and 18% deepfake labelling, exposing a compliance gap under EU AI Act Article 50.
- Navigating China's regulatory approach to generative artificial intelligence and large language models Peer-reviewed✦ AIAnalyses China's 2022 deep-synthesis and 2023 generative-AI rules, including mandatory labelling/watermarking of synthetic content as a provenance-governance model.
- 'Sora is incredible and scary': public perceptions and governance challenges of text-to-video generative AI models Peer-reviewed✦ AIQualitative analysis of public commentary on Sora finds blurred real/fake boundaries drive demand for law-enforced AI-content labelling and provenance.
- SoK: Watermarking for AI-Generated Content Peer-reviewed✦ AISystematizes watermarking for AI content, formalizing robustness/security goals and limits that directly ground regulatory provenance and labeling mandates.
- From Principles to Practices: Lessons Learned from Applying Partnership on AI's (PAI) Synthetic Media Framework to 11 Use Cases Preprint✦ AIApplies PAI's Synthetic Media Framework to 11 real cases, finding disclosure/provenance recommendations could have mitigated harm in several 2024-election deepfake incidents.
- Examining the Impact of Provenance-Enabled Media on Trust and Accuracy Perceptions Peer-reviewed✦ AIOnline experiment (n=595) found 'provenance information often lowered trust and caused users to doubt deceptive media,' though it could similarly reduce trust in truthful media.
- Watermarks in the Sand: Impossibility of Strong Watermarking for Generative Models Preprint✦ AIProves 'under well-specified and natural assumptions, strong watermarking is impossible to achieve,' bounding what watermark mandates for generative-AI content can guarantee.
- Can AI-Generated Text be Reliably Detected? Preprint✦ AIShows AI-text detectors including watermarking are attackable: a 'recursive paraphrasing method can significantly reduce detection rates' while only slightly degrading text quality.
- Generative AI models should include detection mechanisms as a condition for public release Peer-reviewed✦ AIArgues legislation should require foundation-model developers to 'demonstrate a reliable detection mechanism for the content it generates, as a condition of its public release.'
- The Epistemic Threat of Deepfakes Peer-reviewed✦ AIArgues deepfakes pose an epistemic threat because they "reduce the amount of information that videos carry to viewers", undermining knowledge acquired from video evidence.
References
Sources cited inline in the analysis (linked from the superscript markers), then the primary instrument sources behind the classifications.
- Mimi Zou and Lu Zhang (2025) Navigating China's regulatory approach to generative artificial intelligence and large language models, Cambridge Forum on AI: Law and Governance. 10.1017/cfl.2024.4 — Analyses China's 2022 deep-synthesis and 2023 generative-AI rules, including mandatory labelling/watermarking of synthetic content as a provenance-governance model. ↩
- Alistair Knott, Dino Pedreschi, Raja Chatila, et al. (incl. Stuart Russell, Yoshua Bengio) (2023) Generative AI models should include detection mechanisms as a condition for public release, Ethics and Information Technology. 10.1007/s10676-023-09728-4 — Argues legislation should require foundation-model developers to 'demonstrate a reliable detection mechanism for the content it generates, as a condition of its public release.' ↩
- arXiv:2411.18479 ↩
- Vinu Sankar Sadasivan, Aounon Kumar, Sriram Balasubramanian, Wenxiao Wang, Soheil Feizi (2023) Can AI-Generated Text be Reliably Detected?, Transactions on Machine Learning Research. arXiv:2303.11156 — Shows AI-text detectors including watermarking are attackable: a 'recursive paraphrasing method can significantly reduce detection rates' while only slightly degrading text quality. ↩
- Hanlin Zhang, Benjamin L. Edelman, Danilo Francati, Daniele Venturi, Giuseppe Ateniese, Boaz Barak (2023) Watermarks in the Sand: Impossibility of Strong Watermarking for Generative Models, arXiv (ICML 2024). arXiv:2311.04378 — Proves 'under well-specified and natural assumptions, strong watermarking is impossible to achieve,' bounding what watermark mandates for generative-AI content can guarantee. ↩
- Bram Rijsbosch, Gijs van Dijck, and Konrad Kollnig (2026) Missing the Mark: Adoption of Watermarking for Generative AI Systems in Practice and Implications Under the New EU AI Act, Policy & Internet. 10.1002/poi3.70041 — Empirical audit finds only 38% of AI image generators implement adequate watermarking and 18% deepfake labelling, exposing a compliance gap under EU AI Act Article 50. ↩
- K. J. Kevin Feng, Nick Ritchie, Pia Blumenthal, Andy Parsons, Amy X. Zhang (2023) Examining the Impact of Provenance-Enabled Media on Trust and Accuracy Perceptions, PACM HCI (CSCW). 10.1145/3610061 — Online experiment (n=595) found 'provenance information often lowered trust and caused users to doubt deceptive media,' though it could similarly reduce trust in truthful media. ↩
- EU-AIA-2024: Art. 50(2) — provider machine-readable marking obligation; Art. 50(4) — deployer disclosure for deep fakes (distinct from the `deepfakes` topic which focuses on misuse-harms)
- US-EO-14110: §4.5(a) — content authentication + watermarking standards via NIST + Commerce
- CN-GENAI-2023: Art. 12 — mandatory marking of generative-AI output; aligns with Deep Synthesis Rules (2022) tagging requirements
- G7-HIROSHIMA: Code §6 — 'develop and deploy reliable content authentication and provenance mechanisms'
- UN-RES-2024: General call for state action on safe AI; provenance not specifically addressed
- NIST-AI-RMF: General framework applies; provenance-specific guidance lives in the GenAI Profile
- NIST-AI-RMF-GENAI: NIST AI 600-1 — Information Integrity is one of 12 named GenAI risk categories; covers synthetic-content labelling + provenance
- BR-AIBILL-2024: PL 2338 general accuracy + transparency obligations would extend to provenance via interpretation
- ANTHROPIC-RSP-2024: Deployment-stage controls would include content provenance where capability tier requires
- WH-VOLUNTARY-2023: Voluntary commitment #5 — 'develop and deploy mechanisms that enable users to understand if audio or visual content is AI-generated, including robust provenance, watermarking, or both'
- SG-MODEL-AI-2024: Framework dimension 7 — Content Provenance (one of nine framework dimensions, paired with AI Verify Foundation's technical-testing toolkit)
- JP-METI-AI-2024: Principle 5 (Transparency) + Hiroshima-alignment imply provenance obligations via reference incorporation
- EU-GPAI-COP-2025: Chapter 1 transparency commitments brush against Art. 50(2) deployer marking + Art. 53(1)(a) provider documentation
- CA-SB-942: Cal. Bus. & Prof. Code § 22757.3(b) (added by SB 942) — a covered provider must embed a machine-readable 'latent' disclosure in AI-generated image/video/audio conveying provenance metadata: provider name, GenAI system name and version, creation/alteration time, and a unique identifier; reinforced by § 22757.3.1 (AB 853, operative 2027) barring large online platforms from knowingly stripping system provenance data
- CN-DEEPSYN-2022: Art. 16 & Art. 18
- IT-AILAW-2025: No standalone watermarking/provenance-marking duty in the law itself; provenance is reached only indirectly — Art. 612-quater criminalises deceptive AI-altered media (turning on whether content is apt to deceive as to genuineness) and the general transparency principle (Art. 4). Content-marking duties are left to the EU AI Act (Art. 1(2)).
- UN-GDC-2024: GDC Objective 3, para 36(c) (A/RES/79/1, Annex I)
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/synthetic-content-provenance — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
17 instruments tracked.
Does governance work? — the social-science evidence
What the peer-reviewed social science shows: whether the harm this topic addresses is empirically real, and whether governance of it works. The badge is the epistemic status of the evidence(not the policy debate) — “thin” or “absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
The harm provenance targets is real but concentrated, and the technical premise that the mandated signal survives is itself empirically shaky. Synthetic-media harm is well documented in two domains: non-consensual intimate imagery (Ajder et al.'s 2019 Deeptrace audit found 96% of deepfake videos were pornographic and effectively 100% targeted women) and impersonation fraud (the Arup case, ~US$25.6M / HK$200M lost via a deepfake video call). The honest caveat is twofold: a feared broad political-misinformation harm is not yet demonstrated at scale, and CS work shows invisible watermarks are removable in practice (Jiang, Zhang & Gong 2023, WEvade, evade detection via adversarial perturbation; Zhao et al. 2024 prove pixel-level watermarks are provably removable via regeneration attacks), so the provenance signal a rule would mandate is itself contested.
Sources: Ajder, Patrini, Cavalli & Cullen 2019 (Deeptrace, 'The State of Deepfakes: Landscape, Threats, and Impact'); Jiang, Zhang & Gong 2023 ('Evading Watermark based Detection of AI-Generated Content', ACM CCS 2023); Zhao et al. 2024 (NeurIPS, 'Invisible Image Watermarks Are Provably Removable Using Generative AI'); Arup deepfake fraud (CNN Business, 2024-05-16, US$25.6M)
There is no impact evaluation showing that mandated provenance/labeling reduces synthetic-media harm; the major mandates (China's GenAI labeling Measures, effective 2025-09-01; EU AIA Art. 50, machine-readable marking) are too new and unevaluated, and the delivery layer is leaky: the C2PA spec's own Security Considerations document the strip-and-repost threat, and platform audits report C2PA/Content-Credentials metadata is stripped by essentially all major social platforms on upload (consistent with Imatag's 2018 finding that ~80% of uploaded images lose metadata, only ~15% retaining it). The closest analogue evaluation literature — Pennycook, Bear, Collins & Rand (2020), the 'implied truth effect' — gives reason for caution rather than confidence: labeling only some content can make unlabeled false content seem more credible, so a partial-coverage provenance regime could backfire.
Sources: Pennycook, Bear, Collins & Rand 2020 (Management Science 66(11):4944-4957, 'The Implied Truth Effect'); China Measures for Labeling AI-Generated Synthetic Content (eff. 2025-09-01); EU AI Act Art. 50; Imatag 2018 metadata-stripping study (~80%); C2PA Security Considerations (spec.c2pa.org) on manifest removal