AI Art Compliance Checklist: What the EU AI Act and SB 942 Require from Creators

If you sell, license, or publicly share AI-generated images, two laws now apply to you. California’s SB 942 took effect in January 2026. The EU AI Act Article 50 kicks in August 2026. Both require the same thing: machine-readable metadata embedded in AI-generated content that discloses it was made with artificial intelligence.

This is not a hypothetical future risk. SB 942 is already enforceable. If you sell AI art to a California buyer, upload to a US marketplace, or license images to an American client, the law expects disclosure metadata in the file.

Most AI artists we talk to fall into one of three camps: they have never heard of these laws, they have heard of them but assume they only apply to big companies, or they know the requirements but have no idea how to comply. This article is for all three groups.

The Compliance Timeline

What the Laws Actually Require

Both laws converge on the same principle: if content was generated or substantially modified by AI, the file itself must carry metadata disclosing that fact. Not a watermark you can screenshot away. Not a text disclaimer on your website. Machine-readable fields embedded in the image file that survive copying, sharing, and re-uploading.

SB 942: The California Standard

SB 942 requires three things:

1. Latent disclosures embedded directly in the content (not external labels)
2. Disclosures must be “extraordinarily difficult” to remove (metadata stripping tools should not easily defeat them)
3. Disclosures must be detectable by the provider’s AI detection tool

The penalty structure is steep: $5,000 per violation, per day. That means every non-compliant image sold to a California customer is a separate daily violation.

EU AI Act Article 50: The European Standard

Article 50 focuses on two areas relevant to creators:

1. Providers of AI systems that generate synthetic content must ensure outputs are marked in a machine-readable format
2. Content that constitutes a deep fake must be disclosed as artificially generated or manipulated

The word “provider” is doing a lot of work here. Midjourney, Stable Diffusion distributors, and DALL-E are clearly providers. But if you fine-tune a model or run a ComfyUI pipeline that generates images for commercial clients, regulators may consider you a provider too. The safest approach is to treat yourself as one.

IPTC 2025.1: The Technical Answer to “How Do I Comply?”

Both laws require machine-readable disclosure but neither specifies exact fields or encoding. That is where IPTC 2025.1 comes in. The International Press Telecommunications Council published an updated standard in early 2025 that defines specific metadata fields for AI-generated content. This standard is rapidly becoming the de facto compliance mechanism.

The four key IPTC 2025.1 AI disclosure fields are:

A critical point: the AI Prompt Information field does not expose your actual prompt. It is a generic indicator that AI prompting was involved in creation. Your proprietary workflows, negative prompts, LoRA combinations, and seed values stay private. The standard is designed to satisfy regulatory disclosure without compromising trade secrets.

C2PA Content Credentials: The Cryptographic Layer

IPTC metadata can be stripped by anyone who knows how to use ExifTool. That is a problem for SB 942’s requirement that disclosures be “extraordinarily difficult” to remove. This is where C2PA (Coalition for Content Provenance and Authenticity) comes in.

C2PA adds a cryptographic manifest to the file. Think of it as a tamper-evident seal: if someone strips the IPTC fields, the C2PA signature breaks, and any verification tool can detect the tampering. Adobe, Google, Microsoft, and the BBC are all backing C2PA as the provenance standard.

For solo creators, C2PA adoption is still early. Few tools currently sign images with C2PA manifests. But the infrastructure is being built. Adobe Firefly and Photoshop already embed C2PA credentials. DAM tools are adding C2PA detection and re-signing capabilities. Within a year, C2PA support will likely be a baseline expectation for professional AI art tools.

What this means for you now: Start with IPTC metadata (it is available today) and plan for C2PA as tooling matures. Do not wait for the perfect solution—regulatory enforcement will not wait either.

Does This Apply to Me?

If you are generating AI art purely for personal use and never sharing or selling it, compliance is not a concern. But the moment you do any of the following, these laws likely apply:

How to Comply: Four Practical Approaches

There is no single correct way to add compliance metadata to your AI art. The right approach depends on your volume, technical comfort, and budget. Here are four options, from manual to fully automated.

1. Manual: ExifTool on the Command Line

ExifTool is free, open-source, and supports IPTC 2025.1 fields. You can write AI disclosure metadata to individual files:

exiftool -XMP-iptcExt:AISystemUsed="Midjourney v6.1" \
  -XMP-iptcExt:DigitalSourceType="trainedAlgorithmicMedia" \
  -XMP-iptcExt:AIPromptInformation="AI-prompted" \
  my_image.png

Pros: Free, full control, works on any file format.
Cons: Tedious at scale, easy to forget, no audit trail, no C2PA support.

This works for a handful of images. It does not work for hundreds.

2. Batch Scripts: Automate ExifTool

Wrap ExifTool in a shell script that processes an entire folder. Add it to your generation pipeline so every output gets tagged automatically:

#!/bin/bash
# Tag all PNGs in output/ with IPTC AI disclosure
for f in output/*.png; do
  exiftool -overwrite_original \
    -XMP-iptcExt:AISystemUsed="ComfyUI + SDXL" \
    -XMP-iptcExt:DigitalSourceType="trainedAlgorithmicMedia" \
    -XMP-iptcExt:AIPromptInformation="AI-prompted" \
    "$f"
done

Pros: Scales to hundreds of files, reproducible, can be added to CI/CD.
Cons: Requires scripting knowledge, no per-image customisation, no audit trail, still no C2PA.

3. Export-Time Injection: DAM Tools with Compliance Presets

Some digital asset management tools inject IPTC metadata automatically when you export. Tools like Numonic, for example, write IPTC 2025.1 AI fields into PNG, JPEG, and WebP files at export time. You choose an export preset (share, portfolio, client, archive) and the compliance fields are injected without manual intervention.

This approach has a significant advantage: your proprietary workflow data (prompts, seeds, model names, LoRA configurations) can be stripped from the exported file while the compliance disclosure fields are added. You satisfy the regulation without revealing your creative process.

Pros: Automatic, privacy-aware, handles the strip-and-inject pattern, creates audit trail.
Cons: Requires a compatible DAM tool, limited to supported formats.

4. Full Provenance: C2PA Signing

The gold standard is a full C2PA provenance chain: cryptographic manifests that prove who created what, when, and with which tool. Adobe Photoshop and Firefly already do this. More tools are adding support.

For most solo creators, C2PA signing is not yet accessible outside of Adobe’s ecosystem. But it is worth understanding because marketplace requirements are moving in this direction.

Pros: Tamper-evident, satisfies the “extraordinarily difficult to remove” requirement, industry-backed.
Cons: Limited tooling for independent creators, requires certificate management, still maturing.

The Compliance Checklist

Print this out, pin it next to your monitor, and work through it. You do not need to do everything at once, but you should have a plan for each item before August 2026.

What Happens If You Don’t Comply

Let us be direct: enforcement against individual creators is unlikely to come first. Regulators will target large platforms and AI providers. But there are indirect consequences that will hit solo artists sooner:

• Marketplace rejection. Stock platforms and print-on-demand services are tightening AI content policies. Images without disclosure metadata may be rejected or delisted.
• Client requirements. Agencies and brands are adding AI disclosure clauses to contracts. If you cannot demonstrate compliance, you lose the gig.
• Reputation risk. The AI art community is self-policing. Artists who transparently disclose AI usage build trust. Those who hide it face backlash when it surfaces.
• Retroactive exposure. If you build a library of non-compliant work now, adding metadata later is expensive and error-prone. It is far easier to embed compliance from the start.

The Privacy Paradox: Disclosing Without Revealing

The biggest concern we hear from AI artists is: “If I embed metadata saying this was AI-generated, am I also revealing my prompts and workflow?”

No. And this distinction is critical.

Compliance metadata and creative metadata are two different things. The IPTC 2025.1 standard is designed so you can declare that an image was AI-generated without revealing how. The Digital Source Type field says “this was made with AI.” It does not say which LoRA you combined with which negative prompt at which CFG scale.

Smart export workflows strip the creative metadata (prompts, seeds, model hashes, ComfyUI workflow JSON) while injecting the compliance metadata (AI System Used, Digital Source Type). You satisfy the regulation and protect your trade secrets at the same time.

Common Misconceptions

What to Do This Week

You do not need to achieve full compliance in a single weekend. But you should take these three steps this week:

1. Check one image. Take your most recent AI-generated file and open it in ExifTool or an online metadata viewer. Does it contain any AI disclosure fields? If not, you have work to do.
2. Pick your method. Decide whether you will use manual ExifTool commands, a batch script, or a DAM tool with built-in compliance injection. For fewer than 50 images a month, a batch script works. Beyond that, automation pays for itself.
3. Tag your next export. Whatever you are about to share, sell, or deliver—add IPTC 2025.1 fields before it leaves your machine. Start the habit now and you will not be scrambling in August.