AI content provenance registers for UK marketing teams

AI Trust & Governance

8 May 2026 | By Ashley Marshall

Generative AI has made content production faster. It has also made the audit trail more important than the asset itself.

Why provenance has become a marketing governance problem

UK marketing teams are no longer experimenting with generative AI at the edge of the business. They are using it to brief campaigns, generate variants, adapt images, draft customer emails, produce sales enablement, localise video scripts and summarise customer research. That scale changes the risk. The question is not simply whether a final asset looks good. The question is whether the organisation can later explain how it was made, what source material was used, who approved it and why the audience was or was not told that AI was involved.

A content provenance register is the operational answer. It is a structured record, usually held in Airtable, Notion, a DAM, a CMS workflow, SharePoint, Monday.com, Bynder, Aprimo or a purpose-built governance tool, that tracks the origin and approval history of AI-assisted assets. It should connect a campaign asset to the prompt, model, source evidence, human reviewer, legal sign-off, disclosure decision, rights status, publication channel and retention date. It is not a theoretical ethics document. It is a production control.

The practical pressure is already visible in public sector content. The Department for Business and Trade described how an AI overview surfaced outdated government information about incorporation fees, creating a damaging user experience even though the current GOV.UK guidance was correct. DBT noted that in February 2024 there were 700,000 published pages on GOV.UK, and later identified 150 low-view, unowned, outdated pages for redirect or retirement as part of a misinformation prevention programme.

For marketing and communications, the same pattern applies. AI tools can revive old claims, repeat superseded pricing, remix expired testimonials, invent product capabilities or blur the difference between source evidence and creative interpretation. What this means in practice is simple: if a campaign team cannot trace the asset back to its inputs and approvals, it cannot reliably defend the asset when a customer, journalist, regulator, client procurement team or board director asks what happened.

What the UK advertising position actually says

The common misconception is that every AI-assisted advert in the UK must carry a large AI label. That is not the current position. The ASA and CAP have been clear that the CAP and BCAP Codes do not contain AI-specific rules, and that existing advertising rules apply regardless of how content is generated, edited or targeted. In its 2025 guidance on AI disclosure, CAP said there is no blanket legal requirement in the UK to disclose the use of AI in ads. That does not make disclosure irrelevant. It makes the decision contextual.

CAP recommends asking two useful questions. First, is the audience likely to be misled if the use of AI is not disclosed? Second, if there is a danger of the audience being misled, does the disclosure clarify the ad's message or contradict it? That is exactly why a provenance register matters. The disclosure decision should not sit in a Slack thread or in a producer's memory. It should be recorded against the asset with the reason, reviewer and context.

There is a difference between using Adobe Firefly or Photoshop Generative Fill to remove a background cable from a product image, and using a synthetic customer, synthetic influencer or AI-generated before and after image to imply real-world results. CAP warns that disclosure alone is unlikely to mitigate a fundamentally misleading message. A provenance register helps teams separate harmless production assistance from content that changes the likely consumer impression.

What this means in practice for a UK marketing team is that the register should contain a disclosure assessment, not just an AI yes or no field. Useful fields include AI role, materiality, depiction of real people, claims affected, audience vulnerability, platform requirements, reviewer, decision, final wording and evidence link. For agencies, the register should also identify whether the client approved the AI use and whether the contract permits it. For regulated sectors, it should map to sector review. The register becomes the audit trail behind the marketing judgement.

The register needs to track more than the final file

Most teams start in the wrong place. They ask whether they can watermark the final image or add a line saying AI assisted. Those may help, but they do not solve the governance problem. Provenance is broader than labelling. A useful register tracks the chain of custody: where the brief came from, what evidence was supplied, which AI system was used, what prompts or reference assets were used, how outputs were edited, who reviewed the work, what claims were approved and which version was published.

The Coalition for Content Provenance and Authenticity, known as C2PA, describes its work as technical standards for certifying the source and history of media content. C2PA manifests and Content Credentials can record provenance information inside or alongside media files. Adobe, Microsoft, the BBC and others have supported content authenticity initiatives, and tools such as Adobe Content Credentials are becoming more familiar to creative teams. Google has also promoted SynthID for watermarking AI-generated content. These technologies are useful, but they are not a complete register.

The reason is that marketing provenance includes business context that a file manifest may not know. A C2PA manifest might help show a file's technical origin and edit history. It will not necessarily explain that a product claim was checked against the April pricing sheet, that a synthetic voice was approved for a radio script, that a celebrity likeness was rejected, or that the social team changed the caption after legal review. The register should link technical provenance to commercial governance.

A practical register can be simple. Create one record per campaign asset, not one record per prompt. Capture the campaign, channel, asset owner, external supplier, model or tool, source materials, claim evidence, personal data status, copyright status, disclosure decision, approver and publication URL. Add an incident field for later complaints or takedowns. If the team already uses a DAM or CMS, build these fields into the workflow rather than adding another spreadsheet. The goal is traceability at the moment of use, not bureaucracy after the fact.

Copyright, data and supplier risk belong in the same record

AI provenance is not only a brand trust issue. It sits across copyright, data protection, supplier management and client accountability. A campaign asset may contain training-derived style risk, personal data in prompts, customer transcripts, staff likenesses, third-party photography, synthetic voices or generated code snippets. If those decisions are scattered across email, agency decks and tool histories, nobody has a reliable view of the exposure.

The Advertising Association's 2026 Best Practice Guide for the Responsible Use of Generative AI in Advertising, developed under the Government and industry-led Online Advertising Taskforce, gives the sector a useful direction of travel. It sets out eight principles covering transparency, data use, fairness, human oversight, harm prevention, brand safety, environmental considerations and continuous monitoring. It also says the framework complements UK laws including UK GDPR and the Equality Act, and aligns with the ASA's co-regulatory and self-regulatory system.

Those principles are easier to evidence when each AI-assisted asset has a record. The data use field should say whether personal data, customer data or confidential client information was entered into an AI tool, and whether that tool was approved for that category of data. The rights field should say whether the output relies on licensed stock, owned photography, client-supplied assets, public domain material or model-generated imagery. The human oversight field should name the person who reviewed the output and what they checked.

For agencies, this is also a client relationship issue. Many master services agreements now include AI clauses, confidentiality obligations, IP warranties or restrictions on using client materials in public AI tools. A provenance register gives account teams a way to prove compliance without turning every campaign review into a forensic exercise. What this means in practice is that the register should be shared across creative, legal, data protection and account management. If it only lives with the AI enthusiast in the studio, it will fail at the first serious challenge.

The counterargument: will this slow creative teams down

The strongest objection is fair. Marketing teams are already overloaded. Adding a register can sound like another compliance spreadsheet that slows creative work, punishes experimentation and encourages people to hide AI use rather than declare it. If the register is designed like a legal form, that concern is justified. Bad governance creates shadow AI. Good governance makes safe work easier.

The answer is proportionality. A social image generated for an internal event does not need the same evidence pack as a national campaign using a synthetic patient, customer, child, financial claim or product demonstration. The register should use tiers. Low-risk uses can require a short record: tool, owner, publication channel and confirmation that no personal data, sensitive claims or likenesses were involved. Higher-risk uses should trigger mandatory review, rights checks, disclosure reasoning and senior approval.

Automation helps, but only if the process is designed first. Many teams can capture metadata from workflow tools. A form in Airtable, Notion, Microsoft Lists or a DAM can pre-fill campaign, owner and channel. Approved tools can be selected from a dropdown. Claim evidence can be linked to a source document. Prompt logs can be pasted or attached only where they matter. The point is to make the easiest route the approved route.

The deeper creative benefit is consistency. When a provenance register exists, teams spend less time arguing from scratch about whether AI use is acceptable. They can search previous decisions, reuse approved disclosure wording, spot recurring supplier issues and show clients a mature process. That is especially valuable for communications teams handling crisis statements, public affairs content or executive thought leadership, where trust damage is harder to repair than a missed production deadline. The register should feel like a seatbelt, not a toll booth.

How to build a register that survives real campaign pressure

Start with the smallest register that would answer a serious question six months later. If a regulator, journalist, client or board member asked how a campaign asset was made, the team should be able to retrieve the record in minutes. That means consistent fields, clear ownership and a retention policy. It does not mean capturing every casual brainstorm.

A strong first version has four layers. The first is identity: campaign, asset name, owner, agency or supplier, channel, publication date and URL. The second is AI use: tool, model where known, input materials, prompt summary, output type and level of human editing. The third is risk: claims affected, personal data, likeness, vulnerable audience, regulated product, copyright source, confidentiality status and platform rules. The fourth is governance: reviewer, approval date, disclosure decision, disclosure copy, evidence links, version history and incident notes.

Then connect it to the workflow. Add an intake question to creative briefs. Add a required register field before assets can move from draft to approved in the DAM or CMS. Add a monthly review for high-risk entries. Train agencies and freelancers to submit the same information. Make the register searchable by campaign, supplier, tool and risk type. Review a sample of published assets each quarter to test whether records are complete.

Do not treat the register as a substitute for judgement. It is a memory system for judgement. The ASA position, the Advertising Association guide, C2PA standards and government content lifecycle work all point in the same direction: trust depends on being able to explain how information was created, maintained and presented. UK marketing and communications teams that use generative AI at scale need that explanation ready before the difficult question arrives.

Frequently Asked Questions

What is an AI content provenance register?

It is a structured record showing how an AI-assisted asset was made, what source material was used, which tools were involved, who reviewed it, what rights or data risks were considered and what disclosure decision was made.

Do UK adverts have to disclose every use of AI?

No. CAP has said there is no blanket UK legal requirement to disclose AI use in ads, but marketers still need to consider whether the audience could be misled if AI use is not disclosed.

Is C2PA the same as a provenance register?

No. C2PA is a technical standard for certifying media source and history. A marketing register should also capture business decisions, claims evidence, rights checks, approvals and disclosure reasoning.

Who should own the register?

Ownership usually sits with marketing operations, content governance, brand governance or the campaign lead, with input from legal, data protection, procurement and agency partners.

Should prompts be stored for every asset?

Store prompts where they are material to risk, claims, rights or repeatability. For low-risk uses, a prompt summary and tool record may be enough. The register should be proportionate.

What tools can hold the register?

Airtable, Notion, Microsoft Lists, Monday.com, a DAM, a CMS workflow, SharePoint or specialist governance software can all work if the fields are consistent and searchable.

How does this help with agencies and freelancers?

It gives clients a consistent way to ask what AI tools were used, whether client material was entered, what rights checks were done and who approved publication.

What is the biggest mistake teams make?

They treat AI governance as a policy document rather than an operational workflow. The register only works if it is part of briefing, review, approval and publication.