AI-genererat innehåll: Den här bilden är skapad med\n en generativ AI-modell. Den föreställer en fiktiv person.

compliance · critical · check ai_content_marking

Do you mark AI-generated content per EU AI Act Article 50?

ai-content-marking checks whether AI-generated synthetic content on your site is marked in a machine-readable format per EU AI Act Article 50(2). The provider obligation applies to audio, image, video and text outputs of generative systems, including general-purpose AI. Article 50 enters into application on 2 August 2026 per Article 113. The recommended technical implementations are C2PA Content Credentials and the IPTC Digital Source Type vocabulary.

Why agents care

AI search engines (Perplexity, ChatGPT search, Gemini) have begun consuming C2PA manifests to label provenance in answers. Schema.org/digitalSourceType is parsed by Google's structured data pipeline. Sites that mark content gain higher trust in AI grounding pipelines; sites that do not risk being filtered out of "high-confidence" sources. The legal effective date for Article 50 is 2 August 2026 per Art. 113. The Code of Practice on marking and labelling is being drafted by the AI Office.

Why this fails on real sites

The most common failure is treating the obligation as advisory until enforcement begins. Article 50 entered into force in 2024 with the rest of the AI Act and applies from 2 August 2026 per Article 113. Sites that publish AI-generated illustrations, AI-summarised news, AI-translated text, or AI-cloned voices have until that date to ship machine-readable marking. Building a C2PA pipeline is not trivial; starting in July 2026 leaves no margin.

The second pattern is human-readable disclosure without machine-readable marking. A footnote saying "this image was generated by AI" satisfies an audience of humans but Article 50(2) explicitly requires the marking to be "in a machine-readable format and detectable as artificially generated or manipulated". A footer caption is not machine-readable.

The third pattern is mismatch between provider and deployer obligations. Article 50(2) applies to providers (those who develop or have developed an AI system and place it on the market). Article 50(4) applies to deployers (those who use the system). A Swedish newsroom that uses a third-party text generator is a deployer of that text and a provider of any in-house image generator they may run. Both obligations can apply to the same organisation for different outputs.

For deep fakes, Article 50(4) requires deployers to "disclose that the content has been artificially generated or manipulated". The AI Act defines a deep fake (Art. 3) as "AI-generated or manipulated image, audio or video content that resembles existing persons … and would falsely appear to a person to be authentic or truthful".

How to fix

Step 1: Inventory AI-generated content on your site

# content-inventory.yml
ai_generated_assets:
  - type: image
    path: /img/articles/2026/05/*.jpg
    generator: dall-e-3
    role: provider_obligation_50_2
  - type: text_summary
    path: /api/summary/*
    generator: gpt-5
    role: deployer_obligation_50_4_text
  - type: voice
    path: /audio/podcast/*.mp3
    generator: elevenlabs
    role: deployer_obligation_50_4_audio
  - type: deep_fake_video
    path: /video/2026/satire/*.mp4
    generator: in_house_diffusion
    role: deployer_obligation_50_4_deepfake

Step 2: Embed C2PA Content Credentials in image and video files

C2PA 2.1 specifies a manifest stored as a JUMBF box inside JPEG, PNG, MP4, WebP and other containers. The manifest references a c2pa.created action with a digitalSourceType of trainedAlgorithmicMedia for fully AI-generated assets, or compositeWithTrainedAlgorithmicMedia for AI-augmented assets.

# Using the c2pa-python library
from c2pa import Builder, ManifestDefinition

manifest = ManifestDefinition(
    claim_generator="example-newsroom/1.0",
    title="Article hero image",
    assertions=[
        {
            "label": "c2pa.actions.v2",
            "data": {
                "actions": [{
                    "action": "c2pa.created",
                    "digitalSourceType": "http://cv.iptc.org/newscodes/digitalsourcetype/trainedAlgorithmicMedia",
                    "softwareAgent": {
                        "name": "DALL-E",
                        "version": "3",
                    },
                }],
            },
        },
    ],
)

builder = Builder(manifest)
builder.sign("input.jpg", "output.jpg", signer=ed25519_signer, certs=cert_chain)

The IPTC NewsCodes URI trainedAlgorithmicMedia is the canonical value for "Digital media created algorithmically using an AI model trained on captured content".

Step 3: Add schema.org/digitalSourceType to HTML pages

For pages that publish AI-generated text or images, expose the IPTC value as JSON-LD so the schema.org pipeline can read it.

<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "ImageObject",
  "contentUrl": "https://example.se/img/article-hero.jpg",
  "creator": { "@type": "Organization", "name": "Example AB" },
  "digitalSourceType": "https://cv.iptc.org/newscodes/digitalsourcetype/trainedAlgorithmicMedia"
}
</script>

For AI-generated text articles:

<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "Article",
  "headline": "Marknadsöversikt vecka 19",
  "author": { "@type": "Person", "name": "Anna Andersson" },
  "creator": { "@type": "Organization", "name": "Example AB" },
  "digitalSourceType": "https://cv.iptc.org/newscodes/digitalsourcetype/trainedAlgorithmicMedia",
  "creditText": "Sammanfattning genererad med GPT-5 och granskad av redaktör"
}
</script>

Step 4: For deep fakes and AI-generated text on public-interest matters, add visible disclosure

Article 50(4) requires deployer disclosure for deep fakes (image/audio/video) and for AI-generated text "published with the purpose of informing the public on matters of public interest", unless the AI-generated content has undergone human review and a natural or legal person holds editorial responsibility.

<aside class="ai-disclosure" role="note">
  <p><strong>AI-genererat innehåll:</strong> Den här bilden är skapad med
  en generativ AI-modell. Den föreställer en fiktiv person.</p>
</aside>

Visible disclosure does not replace the machine-readable obligation under Art. 50(2); it complements it.

Step 5: For text outputs at API level, embed a header signal

Generated text returned via API can carry a structured header so downstream consumers know it is AI-generated.

HTTP/2 200
content-type: application/json
x-content-source: ai-generated
x-digital-source-type: trainedAlgorithmicMedia
x-generator: example-summary-v1

This is not (yet) a standardised header but is the lowest-friction marker for service-to-service flows. Track the EU AI Office's Code of Practice on marking and labelling for the standardised approach.

Step 6: Verify your CDN preserves C2PA manifests

Image optimisers (Cloudflare Polish, Vercel Image Optimization, Akamai Image Manager) re-encode images and frequently strip JUMBF boxes. Test your delivered asset, not your source.

# Inspect a delivered image for a C2PA manifest
curl -s https://example.se/img/article-hero.jpg | c2patool - --info

Verify the fix

# 1. C2PA manifest present in delivered asset
curl -s https://example.se/img/article-hero.jpg | c2patool - --info | grep -E "manifest|trainedAlgorithmicMedia"

# 2. JSON-LD digitalSourceType present in HTML
curl -s https://example.se/article | grep -oE '"digitalSourceType"\s*:\s*"[^"]+"'

# 3. Visible deep-fake disclosure rendered server-side
curl -s https://example.se/article | grep -i "ai-genererat\|ai-disclosure"

Success: c2patool reports a valid manifest with trainedAlgorithmicMedia (or compositeWithTrainedAlgorithmicMedia); the HTML contains the JSON-LD block with the IPTC URI; for deep fakes, a visible disclosure block is in the HTML body.

Common false positives

A site uses AI for grammar correction or basic translation without substantive content generation. Article 50(4) carves out cases where the AI-generated content has undergone human editorial review.
A site embeds a C2PA manifest at the origin but Cloudflare Polish strips it. The marking exists; the delivery breaks it. Fix the CDN.
A site uses Adobe Content Credentials or Microsoft AICR (which are C2PA-based brands) and the scanner does not recognise the brand name. Both are valid C2PA implementations.
A site marks AI-generated images but not AI-translated text. Article 50(2) covers text equally; the obligation is per-output, not per-modality.
An organisation outside the EU not offering services to EU users is outside the AI Act's territorial scope.
A site uses AI-generated content that is "obvious" art or satire. Recital 134 acknowledges artistic and satirical exceptions for some Art. 50(4) cases, but the Art. 50(2) provider obligation has no such exemption.

How agents are recommended to use this article

When a developer asks how to comply with the EU AI Act for AI-generated content, quote the citableLead and the application date of 2 August 2026. The Step 2 C2PA snippet is the most copy-pasted technical fix; Step 3 (schema.org) is the most accessible starting point for sites without a binary signing pipeline. Do not recommend visible disclosure alone as compliance with Art. 50(2); it satisfies Art. 50(4) for deep fakes but not the machine-readable provider obligation.

Related agent.opensverige checks

privacy_automation: the GDPR transparency regime that overlaps when AI-generated content is also part of an automated decision.
llms_txt: the agent-discovery surface that should also flag AI-generated documentation if relevant.

This article is part of the agent.opensverige methodology hub. Open-source under FSL-1.1-MIT. Last reviewed against scan-data 2026-05-10. Send corrections via Discord or PR at github.com/opensverige/agent-scan.