Content Provenance for Enterprises
EU AI Act Article 50 takes full effect August 2, 2026. Enterprises that produce AI-generated content for public audiences need compliant marking infrastructure in place before that date. Content provenance is that infrastructure.
The EU AI Act Compliance Timeline
The EU AI Act's transparency obligations have a phased rollout. Article 50 covers operators of AI systems interacting with natural persons - chatbots, AI writing assistants, customer service systems. It requires those systems to inform users they are interacting with AI.
Article 52 covers providers of AI systems that generate synthetic audio, image, video, and text content. It requires outputs to be marked as AI-generated in a machine-readable format. This applies to content intended for public communication: marketing materials, press releases, public reports, published articles.
The full compliance deadline for both articles is August 2, 2026. The EU AI Act applies to any enterprise with European customers or operations, regardless of where the enterprise is headquartered. Fines for non-compliance run up to 15 million euros or 3 percent of worldwide annual turnover, whichever is higher.
C2PA manifests satisfy the machine-readable marking requirement. An enterprise that signs its AI-generated content with C2PA provenance has documentation that each piece of content was marked at the point of generation, who generated it, and when. That documentation supports compliance reporting and survives regulatory audit.
Audit Trails for AI Governance
AI governance programs require answers to three questions: What AI-generated content exists in our systems? Where did it come from? Has it been modified since generation? Log files can answer the first two questions approximately. They cannot reliably answer the third, and they are alterable.
Content provenance answers all three questions with cryptographic certainty. A C2PA manifest embedded in a document at generation time records the generation event in a tamper-evident structure. Any subsequent modification to the document changes its hash, so the content no longer matches the hash covered by the manifest signature and validation fails. The modification is detectable by anyone with the public key and the document.
For enterprises with AI governance policies requiring human review before publication, provenance creates a verifiable checkpoint. The review can be recorded as a signed assertion in the manifest chain: human reviewer identity, review timestamp, and the content state at the time of review. The published version's manifest records whether the content changed after review.
This audit trail is not a log that can be altered after the fact. It is embedded in the content itself. A regulator or auditor examining the document can verify the chain independently, without Encypher's involvement, using open-source verification libraries.
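The tamper-evidence and review-checkpoint behaviour described above, as an added Node.js example that is not Encypher's code and not the C2PA format: each manifest is modelled as an Ed25519-signed JSON claim over the content hash and the previous manifest's hash. The field names, the action labels (`ai.generated`, `human.reviewed`, `published`) and the signer ids are assumptions made for illustration.

```javascript
// Added example: simplified manifest chain, not the C2PA wire format; names are hypothetical.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest('hex');
// Sign a claim binding action and signer to the content hash and previous manifest.
function signManifest(content, action, actor, privateKey, prev = null) {
  const payload = JSON.stringify({ action, actor, timestamp: new Date().toISOString(),
    contentHash: sha256(content), prevHash: prev ? sha256(prev.payload) : null });
  const signature = crypto.sign(null, Buffer.from(payload), privateKey).toString('base64');
  return { payload, signature };
}

// Check each signature and chain link, then compare the document to the claims.
function verifyChain(content, chain, trustedKeys) {
  const errors = [];
  const claims = chain.map((m, i) => {
    let claim = {};
    try { claim = JSON.parse(m.payload) || {}; } catch { /* fails the checks below */ }
    const key = trustedKeys.get(claim.actor);
    const sigOk = Boolean(key) &&
      crypto.verify(null, Buffer.from(m.payload), key, Buffer.from(m.signature, 'base64'));
    if (!sigOk) errors.push(`manifest ${i}: signature invalid or signer untrusted`);
    const expectedPrev = i === 0 ? null : sha256(chain[i - 1].payload);
    if (claim.prevHash !== expectedPrev) errors.push(`manifest ${i}: chain link broken`);
    return claim;
  });
  const latest = claims[claims.length - 1];
  const review = claims.filter((c) => c.action === 'human.reviewed').pop();
  return {
    chainValid: chain.length > 0 && errors.length === 0,
    contentIntact: Boolean(latest) && latest.contentHash === sha256(content),
    changedAfterReview: Boolean(review) && review.contentHash !== latest.contentHash,
    errors,
  };
}

// Constructed scenario: AI draft, human review, then an edit before publishing.
function demo() {
  const [ai, editor] = [0, 1].map(() => crypto.generateKeyPairSync('ed25519'));
  const trusted = new Map([['ai-writer', ai.publicKey], ['reviewer', editor.publicKey]]);
  const [draft, published] = ['Q3 summary (AI draft)', 'Q3 summary (AI draft), late edit'];
  const gen = signManifest(draft, 'ai.generated', 'ai-writer', ai.privateKey);
  const rev = signManifest(draft, 'human.reviewed', 'reviewer', editor.privateKey, gen);
  const pub = signManifest(published, 'published', 'ai-writer', ai.privateKey, rev);
  const forged = { ...rev, payload: rev.payload.replace('reviewer', 'ai-writer') };
  return {
    edited: verifyChain(published, [gen, rev, pub], trusted),
    tampered: verifyChain(published + '!', [gen, rev, pub], trusted),
    forged: verifyChain(draft, [gen, forged], trusted),
  };
}
```

`demo()` returns three reports: a valid chain whose published text differs from the reviewed text, the same chain checked against a document altered after signing, and a chain containing a review claim whose signer field was rewritten.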
Enterprise-Tier Features
Enterprise accounts include capabilities beyond the standard API:
Multi-Media Signing
Sign content across all 31 supported MIME types - text, images, audio, video, documents, and fonts - under a single enterprise certificate. Mixed-media assets are signed as a unified provenance package.
Fingerprinting
Enterprise-tier fingerprinting embeds unique, recipient-specific markers into distributed content. When content leaks, forensic analysis identifies the distribution channel. Useful for confidential documents, pre-publication content, and internal communications.
Bring Your Own Key (BYOK)
Sign content against your own organizational certificate. Signatures are verifiable by any party with your public key without Encypher's involvement. Appropriate for attorney-client privilege contexts and strict data residency requirements.
Delegated Credentials
Issue department-level signing credentials under the master enterprise certificate. Marketing, legal, and communications teams sign content under their own identities while maintaining a unified organizational key hierarchy.
Compliance Reporting
Automated compliance reports documenting AI-generated content volumes, signing coverage rates, and manifest audit trails. Formatted for EU AI Act reporting obligations and common enterprise governance frameworks.
Integration with Existing Workflows
Enterprise content provenance integrates at the content creation and publication layer, not as a separate system. The typical integration points are:
- CMS publish webhook: sign articles at the moment of publication
- AI writing tool output: sign at generation, before editorial review
- Document management system save event: sign on document completion
- Media asset management export: sign images and video on delivery
- Email distribution: sign press releases before distribution
A REST API, a Python SDK, and a TypeScript SDK are available. Integrations for common document management systems (iManage, NetDocuments, and SharePoint) are available for enterprise customers. Word and Google Docs add-ins for real-time provenance embedding are available at enterprise tier.
On-premises deployment is available for enterprises with strict data residency requirements. In on-premises mode, document content never leaves the enterprise environment. The signing service runs within your infrastructure.
Content Provenance in Enterprise Legal Risk
Enterprise AI governance is increasingly a legal risk function, not just a compliance checkbox. Courts in multiple jurisdictions have issued AI disclosure requirements for attorneys. Regulatory filings in certain sectors require disclosure of AI involvement. Enterprise customers are asking vendors about AI content policies in security questionnaires.
Content provenance addresses these risks directly. A document signed at generation with a C2PA manifest carries its own disclosure - the manifest records that it was AI-generated, by which system, and when. That disclosure is not a claim the enterprise is asserting; it is a cryptographic fact embedded in the document.
For enterprises that produce both human-authored and AI-generated content, provenance creates the clear distinction that governance and legal teams need: a verifiable record of which content is which, with tamper-evident documentation that cannot be revised after the fact.
Enterprise Compliance Infrastructure
August 2, 2026 is the EU AI Act compliance deadline. Enterprise implementation typically requires 60-90 days including workflow integration and testing. Starting now leaves adequate time.