Thought Leadership | Part 2 of 2

AI Transparency Requirements: What Agencies Actually Need to Comply

Jesse Blum | 10 min read

In part 1, we examined the regulatory exposure facing agencies with undocumented AI assets. Now we need to understand what “transparency” actually means at the technical level—and why most agency tools cannot produce what regulations require.

The gap between agency workflows and regulatory requirements is not a matter of better processes. It is a matter of infrastructure. Screenshots of prompts, folder naming conventions, and Slack threads do not constitute compliance. Regulators expect machine-readable metadata embedded in the files themselves.

What “AI Transparency” Actually Means

When the EU AI Act and California's SB 942 reference transparency requirements, they are not asking for disclosure statements on agency websites. They are requiring three specific technical capabilities that most creative tools do not provide.

1. Embedded Metadata

Transparency requirements demand that AI-generated content carry metadata inside the file itself—not in a separate database, not in a folder structure, not in a project management tool. The metadata must travel with the asset.

The IPTC Photo Metadata Standard 2025.1 introduced specific fields for AI disclosure: whether AI was used in creation, what type of AI assistance was involved, and what training data constraints apply. These fields must be embedded in standard image metadata (EXIF, XMP, or IPTC-IIM) to be machine-readable by platforms, regulators, and downstream systems.

When you save an image from most AI generators, the IPTC 2025.1 AI disclosure fields are often not included. The generation tools focus on creation speed, not compliance metadata.

2. Cryptographic Provenance

California's SB 942 specifies that latent disclosures must be “permanent or extraordinarily difficult to remove.” The emerging standard for meeting this requirement is C2PA (Coalition for Content Provenance and Authenticity)—a technical specification developed by Adobe, Microsoft, the BBC, and others.

C2PA creates cryptographically signed manifests that establish a verifiable chain of custody. When an asset is modified, edited, or re-exported, the manifest records each transformation. This is not optional metadata that can be stripped—it is a tamper-evident record of how content was created and modified.

The practical implication: agencies need systems that can generate C2PA manifests for AI-created content. Most generation tools do not produce C2PA-compliant outputs. Most DAM systems do not preserve C2PA credentials through their workflows. Most export processes strip provenance metadata entirely.

3. Persistent Watermarks

SB 942 requires “manifest” disclosures—visible watermarks or labels that identify content as AI-generated. These are not the invisible watermarks used for copyright protection. They are visible indicators designed to inform viewers.

The challenge is not adding watermarks—any image editor can do that. The challenge is maintaining watermarks through complex creative workflows where assets are cropped, resized, color-graded, composited, and re-exported multiple times before reaching their final destination.

Why Current Agency Tools Fail

Understanding the technical requirements makes the infrastructure gap clearer. Current agency workflows fail at multiple points.

Generation Tools Do Not Create Compliant Outputs

ChatGPT, Midjourney, and most AI generation tools optimize for speed and quality, not compliance. The images they produce rarely include IPTC 2025.1 fields, C2PA manifests, or persistent watermarks. Some tools embed basic metadata (like Midjourney's prompt information in PNG chunks), but this is not the same as regulatory-grade provenance.

Even when generation tools do include metadata, it often gets stripped during the agency workflow. Download from Discord, upload to cloud storage, download to local machine, open in Photoshop, export for client review—each step risks losing the original provenance data.

Traditional DAMs Were Not Built for This

Digital Asset Management systems were designed for a different era. They organize files, manage versions, and control access. They were not designed to capture generation parameters, track prompt evolution, or maintain cryptographic provenance chains.

Retrofitting traditional DAMs for AI compliance is expensive and incomplete. The fundamental data model—files with tags—does not capture the relationship between a prompt, the model that interpreted it, the parameters that shaped the output, and the iterative variations that led to the final asset.

Manual Processes Do Not Scale

Some agencies attempt to bridge the gap with process: require creatives to log prompts in spreadsheets, screenshot generation interfaces, save metadata to project folders. These approaches fail for predictable reasons.

Before AI tools, a designer might produce 10-20 final assets per project. With AI assistance, the same designer might generate hundreds of variations to find the right direction. Manual logging at that scale is unsustainable. Compliance deteriorates under deadline pressure. Documentation becomes inconsistent across team members.

More fundamentally, manual processes produce the wrong kind of documentation. A screenshot is not embedded metadata. A spreadsheet is not a cryptographic manifest. Process discipline cannot produce technical compliance.

What Infrastructure Would Actually Solve This

Closing the compliance gap requires infrastructure specifically designed for AI-generated content. Not retrofitted file storage—purpose-built systems that treat provenance as a first-class concern.

Automatic Metadata Capture at Creation

The only reliable way to capture generation metadata is automatically, at the moment of creation. This means integrating with generation tools—not asking users to copy and paste prompts, but extracting the complete generation context: prompts, negative prompts, seeds, model versions, LoRA configurations, sampling parameters, everything that would be needed to reproduce or document the output.

For tools like ComfyUI, this means parsing the workflow graph embedded in output files. For Midjourney, it means extracting prompt data from exports. For any generation tool, it means capturing what happened without requiring workflow changes from creative teams.
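
The capture step described above, sketched as an added example (not code from the original article or from ComfyUI): it reads PNG tEXt chunks with CRC checks and summarizes the embedded node graph, assuming ComfyUI's usual layout of a `prompt` chunk holding JSON keyed by node id. The sample file, its graph and the helper names are constructed for illustration.

```python
import json
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed ComfyUI node types and the input field worth recording from each.
FIELDS = {"CLIPTextEncode": "text", "KSampler": "seed", "CheckpointLoaderSimple": "ckpt_name"}

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC-32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def read_text_chunks(png: bytes) -> dict:
    """Return {keyword: text} for every tEXt chunk; raise on a corrupt file."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    out, pos = {}, len(PNG_SIG)
    while pos + 12 <= len(png):
        length = int.from_bytes(png[pos:pos + 4], "big")
        body = png[pos + 4:pos + 8 + length]            # chunk type + data
        crc = png[pos + 8 + length:pos + 12 + length]
        if len(crc) != 4 or zlib.crc32(body) != int.from_bytes(crc, "big"):
            raise ValueError("truncated or corrupt chunk")
        if body[:4] == b"tEXt":
            key, _, text = body[4:].partition(b"\x00")
            out[key.decode("latin-1")] = text.decode("latin-1")
        pos += 12 + length
    return out

def generation_context(png: bytes):
    """Summarize the graph in the 'prompt' chunk; None if the chunk is absent."""
    raw = read_text_chunks(png).get("prompt")
    if raw is None:
        return None
    ctx = {name: [] for name in FIELDS.values()}
    for node in json.loads(raw).values():
        field = FIELDS.get(node.get("class_type"))
        if field:
            ctx[field].append(node.get("inputs", {}).get(field))
    return ctx

# Constructed sample: a 1x1 grayscale PNG carrying a made-up three-node graph.
GRAPH = {"4": {"class_type": "CheckpointLoaderSimple", "inputs": {"ckpt_name": "example.safetensors"}},
         "6": {"class_type": "CLIPTextEncode", "inputs": {"text": "studio product shot"}},
         "3": {"class_type": "KSampler", "inputs": {"seed": 1234, "steps": 20}}}
IHDR = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = chunk(b"IDAT", zlib.compress(b"\x00\x00"))
SAMPLE = PNG_SIG + IHDR + chunk(b"tEXt", b"prompt\x00" + json.dumps(GRAPH).encode()) + IDAT + chunk(b"IEND", b"")
STRIPPED = PNG_SIG + IHDR + IDAT + chunk(b"IEND", b"")  # same image after a metadata-stripping export
```

Running `generation_context` on a file before and after each hand-off in the workflow shows at which step the embedded context disappears.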

Centralized Provenance Records

Once metadata is captured, it needs to persist in a system designed for provenance tracking. This is not traditional file metadata that can be stripped during editing—it is a persistent record that links assets to their complete creation history.

The system should track lineage: which asset was the parent of which variation, how prompts evolved across iterations, which model versions produced which outputs. When a regulator asks “where did this come from,” the answer should be comprehensive and verifiable.

Privacy-Aware Export

Complete transparency is not always appropriate. Agencies have legitimate reasons to share work without exposing proprietary techniques—client NDAs, competitive considerations, or simply portfolio presentation where prompt details are irrelevant.

The infrastructure should support configurable export presets—different levels of metadata disclosure for different contexts. Share to social media with minimal metadata. Deliver to clients with attribution but without prompts. Archive with complete provenance for compliance. Export with IPTC 2025.1 AI disclosure fields and C2PA credentials for regulatory requirements.

Audit Trail Generation

When compliance questions arise, agencies need to generate audit trails on demand. Not reconstruct them from scattered documentation—generate them from comprehensive records that were captured automatically during creation.

The audit trail should answer: When was this asset created? What tools and models were used? What prompts and parameters shaped the output? Who reviewed and approved it? How has it been modified since creation? Where has it been published or distributed?
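
One way to keep the lineage and audit records described in the sections above tamper-evident, as an added example rather than code from the article or any product: a hash-chained, append-only log keyed by each asset's SHA-256. It is a plain hash chain, not a C2PA manifest; the class, field names and sample events are hypothetical.

```python
import hashlib
import json

def digest(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the entry."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

class ProvenanceLog:
    """Append-only log; each entry commits to the previous entry's hash."""
    def __init__(self):
        self.entries = []

    def record(self, asset: bytes, event: str, actor: str, when: str, parent: str = None, **details) -> str:
        asset_id = hashlib.sha256(asset).hexdigest()
        entry = {"asset": asset_id, "event": event, "actor": actor, "when": when, "parent": parent,
                 "details": details, "prev": self.entries[-1]["hash"] if self.entries else None}
        entry["hash"] = digest(entry)
        self.entries.append(entry)
        return asset_id

    def verify(self) -> bool:
        """False if any entry was altered, dropped from the middle or reordered."""
        prev = None
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def audit_trail(self, asset_id: str) -> list:
        """Events for an asset, preceded by its ancestors' events (oldest first)."""
        trail, seen = [], set()
        while asset_id is not None and asset_id not in seen:   # guard against parent cycles
            seen.add(asset_id)
            own = [e for e in self.entries if e["asset"] == asset_id]
            trail = own + trail
            asset_id = own[0]["parent"] if own else None
        return trail

# Constructed sample events; asset bytes, actors and timestamps are made up.
def demo():
    log = ProvenanceLog()
    base = log.record(b"constructed-bytes-v1", "generated", "designer-a", "2026-01-10T09:00Z", model="example-model", seed=1234)
    log.record(b"constructed-bytes-v1", "approved", "reviewer-b", "2026-01-10T11:00Z")
    final = log.record(b"constructed-bytes-v2", "cropped", "designer-a", "2026-01-11T08:30Z", parent=base)
    return log, final
```

An unkeyed chain only detects edits if the latest hash is also stored or signed somewhere the log's editors cannot reach.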

The Infrastructure Investment Decision

Agencies face a choice. Continue with current workflows and accept accumulating compliance exposure. Attempt manual processes that do not scale and produce the wrong kind of documentation. Or invest in infrastructure purpose-built for AI content management.

The build-versus-buy calculation favors specialized tools. Building metadata extraction for ComfyUI workflows, Midjourney exports, and other generation tools requires deep technical expertise. Implementing C2PA credential generation requires cryptographic infrastructure. Maintaining compliance with evolving standards (IPTC 2025.1 today, whatever follows tomorrow) requires ongoing development investment.

The alternative is infrastructure designed specifically for this problem—systems that capture metadata automatically, track lineage comprehensively, export with appropriate privacy controls, and generate audit trails on demand.

What Comes Next

The regulatory timeline is fixed. EU AI Act transparency requirements are active now. California SB 942 full enforcement begins August 2026. The documentation gap cannot be closed retroactively—assets created without provenance tracking will remain undocumented.

The question is not whether to address AI transparency compliance—it is when. Every month of delay adds to the archive of undocumented assets, increases the complexity of eventual remediation, and extends the period of regulatory exposure.

Agencies that invest in compliance infrastructure now will be ready when regulators ask questions. Those that wait will be explaining why they cannot document their AI usage—and hoping the answer does not cost €35 million.

Key Takeaways

  1. AI transparency requires three technical capabilities—embedded metadata (IPTC 2025.1), cryptographic provenance (C2PA), and persistent watermarks
  2. Generation tools do not create compliant outputs—ChatGPT and Midjourney optimize for speed, not regulatory metadata
  3. Traditional DAMs were not built for AI provenance—retrofitting file storage systems is expensive and incomplete
  4. Manual processes cannot produce technical compliance—screenshots and spreadsheets are not embedded metadata or cryptographic manifests
  5. Purpose-built infrastructure is the solution—automatic capture, centralized provenance, privacy-aware export, and audit trail generation

Ready for AI Transparency Compliance?

Numonic captures metadata automatically, tracks complete lineage, and exports with IPTC 2025.1 and C2PA compliance—no workflow changes required.