Three-moment lifecycle
AI provenance flows through three distinct moments, each handled by existing AdCP tasks.
Each moment is independent. A buyer can declare provenance without any verification having occurred. A seller can verify without requiring a declaration. Enforcement can happen with or without both.
What buyers can declare
Provenance carries three families of evidence. Each survives a different set of supply-chain operations.embedded_provenance carries a structured provenance record (the chain of custody). watermarks encode an identifier (who generated it, who owns it). A single asset may carry both; pick the right field for what you actually attached.
The verifier contract: seller publishes, buyer represents, seller confirms
Earlier drafts of this work imagined buyers nominating verification endpoints unilaterally. That pattern shipped SSRF risk, vendor sprawl, and a fundamentally wrong trust model: the seller is the verifier-of-record because the seller bears the regulatory liability for what it publishes. The protocol now reflects that. The contract is three steps, each with a clear actor:- Seller publishes the governance agents it accepts on
creative_policy.accepted_verifiers[](returned byget_products). Each entry carriesagent_url, optionalfeature_id(which feature the seller will request against the agent), and optionalproviders[](whichproviderlabels the agent covers). The seller has already vetted these endpoints; calls to them are inside the seller’s allowlist. - Buyer represents which of those agents was used by attaching a
verify_agent: { agent_url, feature_id? }pointer on eachembedded_provenance[]orwatermarks[]entry. The buyer’sagent_urlMUST match (canonicalized) one of the seller’s publishedaccepted_verifiers[].agent_url. This is buyer-supplied evidence, not buyer-driven routing. - Seller confirms by cross-checking the buyer’s
verify_agent.agent_urlagainst the published list (rejecting off-list URLs withPROVENANCE_VERIFIER_NOT_ACCEPTEDbefore any outbound call), then invokingget_creative_featuresagainst the matching on-list agent and reconciling the result against the buyer’s claim. The seller MAY use a different on-list agent than the buyer nominated; the seller is the verifier-of-record. When it does substitute,error.detailscarries both the agent it called andsubstituted_forso the buyer can audit.
accepted_verifiers — that closes the buyer-controlled-URL trust gap. Buyers that omit verify_agent (e.g., on a self-verifiable C2PA text manifest with a public key the seller already trusts) leave the agent selection entirely to the seller’s discovery.
What sellers can require
Sellers express what they need oncreative_policy, returned by get_products so buyers see requirements before submitting:
Sellers that publish a requirement MUST enforce it on
sync_creatives — that’s the structural-rejection contract. The truth-of-claim contract (does the buyer’s digital_source_type actually match the content?) lives in get_creative_features and surfaces as PROVENANCE_CLAIM_CONTRADICTED.
Rejection error codes
Whensync_creatives rejects a creative for provenance reasons, the per-creative result carries a structured error with one of:
Buyers receiving these codes can self-correct without negotiating with the seller — the failure is machine-readable. Auto-retry without correction will not pass.
Audit observations, not rejections
Some provenance claims deserve audit routing even when the verifier has not refuted them. The canonical case isprovenance.human_oversight set to edited or directed while provenance.disclosure.required is false. That combination may be legitimate when the declaring party invokes an editorial-responsibility carve-out, but the verifier cannot adjudicate the legal prerequisites from schema fields alone.
Governance agents SHOULD surface that claim combination on successful get_creative_features responses as OVERSIGHT_DISCLOSURE_CARVEOUT_CLAIMED. The observation is claim-driven: verifier observations such as observed_value and confidence are useful audit context when available, but they are not required for the observation to fire. field anchors the risky claim side of the multi-field combination, so the canonical path is creative_manifest.provenance.disclosure.required.
PROVENANCE_CLAIM_CONTRADICTED, and it is not grounds for rejection on its own. Sellers MAY accept the creative while retaining the observation for audit, routing it to a human reviewer, or asking the declaring party for corroborating evidence out of band. As with contradiction errors, audit_observations[].details is limited to the audit-safe allowlist { agent_url, feature_id, claimed_value, observed_value, confidence, substituted_for }; for OVERSIGHT_DISCLOSURE_CARVEOUT_CLAIMED, claimed_value is { human_oversight, disclosure_required }, with disclosure_required as the flattened alias for creative_manifest.provenance.disclosure.required. Sellers MUST NOT copy arbitrary verifier extension fields, detail_url, or cross-tenant report data into their own buyer-facing responses.
AI detection via get_creative_features
AI detection is a creative governance feature, evaluated by specialist agents throughget_creative_features — the same task used for security scanning, creative quality, and content categorization. AI detection does not require a separate protocol or workflow.
Agent declares AI detection capabilities
An AI detection agent advertises its features viaget_adcp_capabilities:
Seller evaluates a creative
The seller sends the creative manifest to the AI detection agent:Agent returns detection results
Seller applies enforcement logic
The seller compares the detection result against the buyer’s provenance claim:Multi-agent evaluation
AI detection fits naturally into the multi-agent creative governance pattern. A seller evaluating a creative can call multiple specialist agents in parallel:
The orchestrator calls all agents via
get_creative_features, aggregates results, and applies its requirements across all of them. AI detection is one column in the evaluation matrix, not a separate workflow.
Content standards integration
For publisher content (artifacts), provenance verification uses the content standards infrastructure:calibrate_content for alignment and validate_content_delivery for auditing.
Artifact provenance
Publishers declare provenance on artifacts the same way buyers declare it on creatives:Calibration for AI provenance
Duringcalibrate_content, the verification agent can evaluate whether artifact provenance claims are accurate. This uses the same calibration dialogue as brand suitability — the verification agent returns verdicts with explanations:
Post-delivery validation
Buyers can audit AI provenance in delivered content throughvalidate_content_delivery, the same task used for brand suitability auditing:
Compliance profiles
Different regulatory environments require different levels of provenance enforcement. Here are example configurations.These profiles are illustrative configurations, not schema-defined objects. Each seller implements enforcement logic suited to their regulatory requirements. The AdCP schemas provide the data model; the enforcement rules are implementation decisions.
For regulators
AdCP provides a machine-readable, protocol-level mechanism for AI disclosure in programmatic advertising. Every creative and content artifact in the supply chain can carry structured provenance metadata that declares the digital source type, the AI tools used, the level of human oversight, and the applicable disclosure requirements by jurisdiction — including specific regulation identifiers such aseu_ai_act_article_50, ca_sb_942, and cn_deep_synthesis.
This metadata uses the IPTC digital source type vocabulary, the same classification system adopted by C2PA Content Credentials, Meta, and Google for AI content labeling. AdCP does not invent a new taxonomy. It carries an existing, widely adopted one through the advertising supply chain where it has not previously been available in structured form.
Verification is independent, not self-reported
Provenance in AdCP is explicitly a claim, not a certification. The declaring party — typically the advertiser or their agency — attaches provenance when submitting a creative. The enforcing party — typically the publisher or their supply-side platform — verifies that claim independently using AI detection services, C2PA manifest validation, or both. This verification happens through existing AdCP governance mechanisms (get_creative_features for creatives, calibrate_content for publisher content) and does not require new infrastructure.
This architecture addresses a structural problem in advertising compliance: the party submitting the creative has an incentive to understate AI involvement (to avoid placement restrictions or disclosure requirements), while the party publishing the creative bears the regulatory liability for non-disclosure. By treating provenance as a verifiable claim rather than a trusted assertion, the protocol ensures that compliance does not depend on the good faith of any single participant.
Mapping to regulatory requirements
EU AI Act Article 50: Imposes obligations on the providers of generative AI systems (Art 50(2)) and on the deployers who put AI-generated content into circulation (Art 50(4)), with a user-facing disclosure obligation at first exposure (Art 50(5)). The deployer in an advertising flow is typically the advertiser or agency, not the publisher. AdCP carries the machine-readable signals that make Article 50 evidence operable —digital_source_type classifies AI involvement at the asset level, disclosure.jurisdictions carries jurisdiction-specific label text and render guidance, and human_oversight records the level of human involvement relevant to the Art 50(4) editorial-responsibility carve-out. Enforcement points can filter or flag creatives based on digital_source_type values that indicate AI generation (trained_algorithmic_media, composite_with_trained_algorithmic_media). The protocol does not perform the regulatory analysis or determine which party is the deployer.
California SB 942: Imposes disclosure obligations on covered platforms (defined by MAU threshold) when content is generated or substantially modified by AI. The digital_source_type and human_oversight fields carry the factual signals the covered party uses to make its disclosure determination, and disclosure.required carries the declaring party’s resulting claim. The flag is a declared signal in the supply chain — useful as a routing and audit input — not a substitute for the covered party’s own analysis. A seller relying on disclosure.required: false without verification is relying on the buyer’s claim, not a determination the protocol made.
Platform mandates (Meta, Google, TikTok): Major platforms already require AI content labeling using IPTC-aligned metadata. AdCP’s provenance structure is directly compatible with these requirements because it uses the same underlying vocabulary.
AdCP does not determine which regulations apply to a given creative. It provides the structured metadata that allows each enforcement point to apply its own jurisdictional rules. The protocol carries the data; the enforcing party makes the compliance decision.
Verification flow
Implementation checklist
Buyers (brands and agencies)
Sellers (publishers and platforms)
Creative agents
Governance agents (AI detection)
Related
- AI provenance and disclosure — The provenance schema reference, digital source type enum, and inheritance model
- Creative Governance — Feature-based creative evaluation via
get_creative_features get_creative_features— Task reference for creative feature evaluation- Content Standards — Privacy-preserving brand suitability for publisher content
calibrate_content— Calibration task for content standards alignmentvalidate_content_delivery— Post-delivery content validation