Skip to main content
When a creative arrives with a provenance claim, the receiving party needs to decide whether to trust it. This page describes how AdCP handles that decision: provenance claims travel with the creative from buyer to seller, and each enforcement point — the publisher, the SSP, the verification vendor — runs its own independent check. No single party’s attestation is taken at face value. This separation between declaration and verification is what makes the system work when the parties involved have competing incentives.

Three-moment lifecycle

AI provenance flows through three distinct moments, each handled by existing AdCP tasks. Each moment is independent. A buyer can declare provenance without any verification having occurred. A seller can verify without requiring a declaration. Enforcement can happen with or without both.

What buyers can declare

Provenance carries three families of evidence. Each survives a different set of supply-chain operations. embedded_provenance carries a structured provenance record (the chain of custody). watermarks encode an identifier (who generated it, who owns it). A single asset may carry both; pick the right field for what you actually attached.

The verifier contract: seller publishes, buyer represents, seller confirms

Earlier drafts of this work imagined buyers nominating verification endpoints unilaterally. That pattern shipped SSRF risk, vendor sprawl, and a fundamentally wrong trust model: the seller is the verifier-of-record because the seller bears the regulatory liability for what it publishes. The protocol now reflects that. The contract is three steps, each with a clear actor:
  1. Seller publishes the governance agents it accepts on creative_policy.accepted_verifiers[] (returned by get_products). Each entry carries agent_url, optional feature_id (which feature the seller will request against the agent), and optional providers[] (which provider labels the agent covers). The seller has already vetted these endpoints; calls to them are inside the seller’s allowlist.
  2. Buyer represents which of those agents was used by attaching a verify_agent: { agent_url, feature_id? } pointer on each embedded_provenance[] or watermarks[] entry. The buyer’s agent_url MUST match (canonicalized) one of the seller’s published accepted_verifiers[].agent_url. This is buyer-supplied evidence, not buyer-driven routing.
  3. Seller confirms by cross-checking the buyer’s verify_agent.agent_url against the published list (rejecting off-list URLs with PROVENANCE_VERIFIER_NOT_ACCEPTED before any outbound call), then invoking get_creative_features against the matching on-list agent and reconciling the result against the buyer’s claim. The seller MAY use a different on-list agent than the buyer nominated; the seller is the verifier-of-record. When it does substitute, error.details carries both the agent it called and substituted_for so the buyer can audit.
Sellers MUST NOT call URLs that are not in accepted_verifiers — that closes the buyer-controlled-URL trust gap. Buyers that omit verify_agent (e.g., on a self-verifiable C2PA text manifest with a public key the seller already trusts) leave the agent selection entirely to the seller’s discovery.

What sellers can require

Sellers express what they need on creative_policy, returned by get_products so buyers see requirements before submitting: Sellers that publish a requirement MUST enforce it on sync_creatives — that’s the structural-rejection contract. The truth-of-claim contract (does the buyer’s digital_source_type actually match the content?) lives in get_creative_features and surfaces as PROVENANCE_CLAIM_CONTRADICTED.

Rejection error codes

When sync_creatives rejects a creative for provenance reasons, the per-creative result carries a structured error with one of: Buyers receiving these codes can self-correct without negotiating with the seller — the failure is machine-readable. Auto-retry without correction will not pass.

Audit observations, not rejections

Some provenance claims deserve audit routing even when the verifier has not refuted them. The canonical case is provenance.human_oversight set to edited or directed while provenance.disclosure.required is false. That combination may be legitimate when the declaring party invokes an editorial-responsibility carve-out, but the verifier cannot adjudicate the legal prerequisites from schema fields alone. Governance agents SHOULD surface that claim combination on successful get_creative_features responses as OVERSIGHT_DISCLOSURE_CARVEOUT_CLAIMED. The observation is claim-driven: verifier observations such as observed_value and confidence are useful audit context when available, but they are not required for the observation to fire. field anchors the risky claim side of the multi-field combination, so the canonical path is creative_manifest.provenance.disclosure.required.
This observation is not PROVENANCE_CLAIM_CONTRADICTED, and it is not grounds for rejection on its own. Sellers MAY accept the creative while retaining the observation for audit, routing it to a human reviewer, or asking the declaring party for corroborating evidence out of band. As with contradiction errors, audit_observations[].details is limited to the audit-safe allowlist { agent_url, feature_id, claimed_value, observed_value, confidence, substituted_for }; for OVERSIGHT_DISCLOSURE_CARVEOUT_CLAIMED, claimed_value is { human_oversight, disclosure_required }, with disclosure_required as the flattened alias for creative_manifest.provenance.disclosure.required. Sellers MUST NOT copy arbitrary verifier extension fields, detail_url, or cross-tenant report data into their own buyer-facing responses.

AI detection via get_creative_features

AI detection is a creative governance feature, evaluated by specialist agents through get_creative_features — the same task used for security scanning, creative quality, and content categorization. AI detection does not require a separate protocol or workflow.

Agent declares AI detection capabilities

An AI detection agent advertises its features via get_adcp_capabilities:

Seller evaluates a creative

The seller sends the creative manifest to the AI detection agent:

Agent returns detection results

Seller applies enforcement logic

The seller compares the detection result against the buyer’s provenance claim:

Multi-agent evaluation

AI detection fits naturally into the multi-agent creative governance pattern. A seller evaluating a creative can call multiple specialist agents in parallel: The orchestrator calls all agents via get_creative_features, aggregates results, and applies its requirements across all of them. AI detection is one column in the evaluation matrix, not a separate workflow.

Content standards integration

For publisher content (artifacts), provenance verification uses the content standards infrastructure: calibrate_content for alignment and validate_content_delivery for auditing.

Artifact provenance

Publishers declare provenance on artifacts the same way buyers declare it on creatives:

Calibration for AI provenance

During calibrate_content, the verification agent can evaluate whether artifact provenance claims are accurate. This uses the same calibration dialogue as brand suitability — the verification agent returns verdicts with explanations:

Post-delivery validation

Buyers can audit AI provenance in delivered content through validate_content_delivery, the same task used for brand suitability auditing:

Compliance profiles

Different regulatory environments require different levels of provenance enforcement. Here are example configurations.
These profiles are illustrative configurations, not schema-defined objects. Each seller implements enforcement logic suited to their regulatory requirements. The AdCP schemas provide the data model; the enforcement rules are implementation decisions.

For regulators

AdCP provides a machine-readable, protocol-level mechanism for AI disclosure in programmatic advertising. Every creative and content artifact in the supply chain can carry structured provenance metadata that declares the digital source type, the AI tools used, the level of human oversight, and the applicable disclosure requirements by jurisdiction — including specific regulation identifiers such as eu_ai_act_article_50, ca_sb_942, and cn_deep_synthesis. This metadata uses the IPTC digital source type vocabulary, the same classification system adopted by C2PA Content Credentials, Meta, and Google for AI content labeling. AdCP does not invent a new taxonomy. It carries an existing, widely adopted one through the advertising supply chain where it has not previously been available in structured form.

Verification is independent, not self-reported

Provenance in AdCP is explicitly a claim, not a certification. The declaring party — typically the advertiser or their agency — attaches provenance when submitting a creative. The enforcing party — typically the publisher or their supply-side platform — verifies that claim independently using AI detection services, C2PA manifest validation, or both. This verification happens through existing AdCP governance mechanisms (get_creative_features for creatives, calibrate_content for publisher content) and does not require new infrastructure. This architecture addresses a structural problem in advertising compliance: the party submitting the creative has an incentive to understate AI involvement (to avoid placement restrictions or disclosure requirements), while the party publishing the creative bears the regulatory liability for non-disclosure. By treating provenance as a verifiable claim rather than a trusted assertion, the protocol ensures that compliance does not depend on the good faith of any single participant.

Mapping to regulatory requirements

EU AI Act Article 50: Imposes obligations on the providers of generative AI systems (Art 50(2)) and on the deployers who put AI-generated content into circulation (Art 50(4)), with a user-facing disclosure obligation at first exposure (Art 50(5)). The deployer in an advertising flow is typically the advertiser or agency, not the publisher. AdCP carries the machine-readable signals that make Article 50 evidence operable — digital_source_type classifies AI involvement at the asset level, disclosure.jurisdictions carries jurisdiction-specific label text and render guidance, and human_oversight records the level of human involvement relevant to the Art 50(4) editorial-responsibility carve-out. Enforcement points can filter or flag creatives based on digital_source_type values that indicate AI generation (trained_algorithmic_media, composite_with_trained_algorithmic_media). The protocol does not perform the regulatory analysis or determine which party is the deployer. California SB 942: Imposes disclosure obligations on covered platforms (defined by MAU threshold) when content is generated or substantially modified by AI. The digital_source_type and human_oversight fields carry the factual signals the covered party uses to make its disclosure determination, and disclosure.required carries the declaring party’s resulting claim. The flag is a declared signal in the supply chain — useful as a routing and audit input — not a substitute for the covered party’s own analysis. A seller relying on disclosure.required: false without verification is relying on the buyer’s claim, not a determination the protocol made. Platform mandates (Meta, Google, TikTok): Major platforms already require AI content labeling using IPTC-aligned metadata. AdCP’s provenance structure is directly compatible with these requirements because it uses the same underlying vocabulary. AdCP does not determine which regulations apply to a given creative. It provides the structured metadata that allows each enforcement point to apply its own jurisdictional rules. The protocol carries the data; the enforcing party makes the compliance decision.

Verification flow

Implementation checklist

Buyers (brands and agencies)

Sellers (publishers and platforms)

Creative agents

Governance agents (AI detection)