Content Provenance (C2PA)

The open standard for cryptographically tagging media with origin info. Adopted by Adobe, Microsoft, the major camera makers, and most frontier AI providers. The piece of AI governance that's actually working.

The Technical Definition

C2PA is an open technical standard, named for the Coalition for Content Provenance and Authenticity that publishes it, for attaching cryptographically signed metadata to media files. The coalition was founded in 2021 by Adobe, Microsoft, Arm, BBC, Intel, and Truepic, and has since added signatories including OpenAI, Google, Meta, and the major camera manufacturers.

A C2PA manifest records the chain of how a piece of content was produced and edited. A camera with C2PA support signs the original capture. An editor that opens the file and changes it adds a new signed entry recording who edited and what tool they used. An AI generation tool signs its output as machine-produced. The manifest travels with the file, and any verifier can check the signatures and read the history. If someone strips the manifest, a verifier sees that as well: the file arrives with no verifiable lineage.

The standard is not a watermark. It’s metadata. The two are complementary: watermarks survive when metadata is stripped, metadata records detail watermarks can’t.

What This Actually Means for Your Business

Of all the AI governance technologies on offer, C2PA is the one with real adoption and a credible trajectory. Sony, Nikon, Canon, and Leica ship cameras with C2PA support. Adobe Photoshop and Lightroom write C2PA manifests by default in current versions. OpenAI signs DALL-E and Sora outputs with C2PA. Microsoft signs AI-generated content across Copilot products. Google has committed to broader C2PA support across its image and video tools.

What this means for a CEO: within the next 24 months, you can expect platforms, regulators, and major customers to start asking for C2PA-signed media as a baseline trust signal. News organizations are already piloting C2PA-only sourcing for verified imagery. Government bodies in the EU and UK are referencing C2PA in their authenticity guidance. Insurance companies handling claims with photo evidence are evaluating it.

If your company produces visual content at any scale — marketing, product photography, claims documentation, medical imaging, real estate listings, anything where a customer or regulator might later ask “is this real?” — C2PA is going to be part of the answer. The companies getting ahead of this are the ones that make C2PA-signed capture and edit the default in their content pipelines now, not after a customer demands it.

Reality Check

What the vendor says: “Our platform is fully C2PA-compliant for end-to-end content authenticity.”

What that means in practice: The platform writes a C2PA manifest on outputs. It probably does not preserve the manifest perfectly through every editing step, every export format, and every social platform that re-encodes images. The standard works best when the entire pipeline supports it. A single tool in the chain that strips metadata breaks the chain. Audit your actual workflow, not the vendor’s marketing.

What Operators Actually Do

The companies treating this as an operational priority audit their content pipeline end to end. Where does the file enter? What tool created it, and does that tool sign C2PA? What’s the editing path? Does Photoshop preserve the manifest? Does the marketing automation tool that distributes the asset strip the metadata when it resizes for social? Does the CDN re-encode and lose the signature?
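An added example, not from the original page or any vendor's tooling: a presence check for the audit described above, limited to JPEG outputs. It assumes the JPEG embedding in which the manifest store travels as a JUMBF box inside APP11 segments; the stage names and sample bytes are constructed, and the check does not validate signatures.

```python
import struct

C2PA_UUID = bytes.fromhex("6332706100110010800000aa00389b71")  # JUMBF type of a C2PA manifest store

def jumbf_payloads(jpeg: bytes) -> dict:
    """Reassemble JUMBF superbox payloads carried in APP11 segments, keyed by box instance."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    parts, pos = {}, 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # SOS: header segments end here
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if seg_len < 2:
            raise ValueError(f"corrupt segment length at offset {pos}")
        body = jpeg[pos + 4:pos + 2 + seg_len]
        # APP11 body: 'JP', box instance (2), packet sequence (4), LBox (4), TBox (4), data
        if marker == 0xEB and body[:2] == b"JP" and body[12:16] == b"jumb":
            instance, seq = struct.unpack(">HI", body[2:8])
            parts.setdefault(instance, []).append((seq, body[16:]))
        pos += 2 + seg_len
    return {k: b"".join(d for _, d in sorted(v)) for k, v in parts.items()}

def has_c2pa_manifest(jpeg: bytes) -> bool:
    """Presence only: first child is a 'jumd' box with the C2PA type. XLBox is not handled."""
    return any(p[4:8] == b"jumd" and p[8:24] == C2PA_UUID
               for p in jumbf_payloads(jpeg).values())

def first_stripping_stage(stages):
    """stages: ordered (name, output_bytes). Name of the first stage whose output lost the manifest."""
    seen = False
    for name, data in stages:
        present = has_c2pa_manifest(data)
        if seen and not present:
            return name
        seen = seen or present
    return None

def seg(marker: int, body: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body

# Constructed samples (header segments only, not decodable images).
JUMD = struct.pack(">I", 30) + b"jumd" + C2PA_UUID + b"\x03" + b"c2pa\x00"
APP11 = seg(0xEB, b"JP" + struct.pack(">HII", 1, 1, 8 + len(JUMD)) + b"jumb" + JUMD)
TAIL = seg(0xDA, bytes(10)) + b"\xff\xd9"
SIGNED = b"\xff\xd8" + seg(0xE0, b"JFIF\x00" + bytes(9)) + APP11 + TAIL
STRIPPED = b"\xff\xd8" + seg(0xE0, b"JFIF\x00" + bytes(9)) + TAIL
```

A stage that passes this check has only kept the manifest bytes; run a full C2PA validator on its output to confirm the signatures and content hashes still verify.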

Most pipelines have at least one stage that breaks C2PA today. The fix is incremental: replace the worst offenders, configure the rest to preserve manifests where they can, document the gaps, and require vendors to commit to C2PA preservation in their next release as a procurement criterion.

For inbound content — vendor-supplied imagery, partner-submitted media, claims documentation — smart teams are starting to require C2PA on contracts where authenticity matters. The provision reads roughly: media submitted under this agreement must include a valid C2PA manifest from a recognized capture or generation tool, and any edits must preserve manifest history. That’s not a standard clause yet. It will be.

The mistake to avoid: treating C2PA as a compliance checkbox for AI-generated content only. The standard is more useful as a positive signal for human-captured content. A photo from a C2PA-signed camera, edited only in C2PA-aware tools, with an unbroken manifest, is verifiably more trustworthy than the same photo without a manifest. That’s the asymmetry to set up your operation around.

The Questions to Ask

  1. What in our content pipeline writes C2PA manifests today, and what strips them? Map it end to end. The first time you do this, expect to find at least three stages that silently destroy the chain of trust.

  2. Are our AI vendors signing outputs with C2PA, and is it on by default? If a vendor’s C2PA support is opt-in or behind a settings toggle, find out who at your company has the authority to flip it, and confirm it’s flipped.

  3. What’s our policy for verifying C2PA on inbound content in high-stakes paths? Wire instructions with attached photos, executive headshots used in press, claims documentation with image evidence — somewhere in your operation, photo authenticity already matters. C2PA is the verification you weren’t doing before.
