IPTC 2025.1 and C2PA: The Technical Standards Behind AI Content Provenance

Every major AI content regulation of 2026—EU AI Act Article 50, California SB 942, and the emerging IAB disclosure standards—shares a common requirement: AI-generated content must carry machine-readable disclosure metadata. What none of these regulations specifies is the exact technical mechanism. That gap is where two standards bodies stepped in.

The IPTC Photo Metadata Standard 2025.1, ratified in November 2025, introduced four new XMP fields specifically for AI-generated and AI-assisted content. The C2PA specification, now at version 2.0, provides the cryptographic layer that makes those declarations tamper-evident and verifiable. Together, they form the technical foundation of AI content provenance.

This article is a technical explainer. It covers exactly what each standard does, how the two relate, when to use which, and what practical implementation looks like for creative teams in 2026.

IPTC 2025.1 — The Four AI Fields

The International Press Telecommunications Council (IPTC) is the standards body that gave the world EXIF's companion specification and the XMP metadata framework embedded in every professional image file. Since the 1990s, their photo metadata standard has been the infrastructure photographers, photo agencies, and publishers rely on for rights management, attribution, and archival.

In November 2025, IPTC published version 2025.1 of the Photo Metadata Standard. The headline addition: four new XMP fields designed explicitly for AI-generated and AI-assisted imagery. These fields live in the Iptc4xmpExt namespace and are supported by any XMP-compliant metadata reader.

The Four Fields, Explained

AISystemUsed — A text field containing the name of the AI system used to create or substantially modify the image. The value is a human-readable string: for example, "Midjourney v6.1", "Adobe Firefly Image 3", or "Stable Diffusion XL". This field maps most directly to the EU AI Act Article 50 requirement to disclose that content was AI-generated, and to SB 942's mandate that AI content carry a latent disclosure identifying the generating system.

AISystemVersionUsed — A companion text field for the version identifier of the AI system. While AISystemUsed captures the product name, AISystemVersionUsed captures the model revision: "v6.1", "2024-11-21", "SDXL 1.0". This field matters for audit trails, because model versions have materially different training datasets, capability profiles, and known limitations. An insurer or regulator asking whether a specific model version was used in a disputed output needs this field to be present and accurate.

AIPromptInformation — A text field containing the prompt or description provided to the AI system. This is the most sensitive of the four fields from a proprietary information standpoint: prompts often encode creative direction, brand voice, or competitive strategy. For this reason, the IPTC standard treats AIPromptInformation as optional and privacy-aware export pipelines may strip it from client-facing assets while retaining it in internal archives.

AIPromptWriterName — A text field identifying the person or role responsible for writing the prompt. This establishes the human-in-the-loop attribution that increasingly matters for both copyright analysis and contractual deliverable documentation. When a client asks “who created this?” the answer is not the AI model. It is the prompt author, and this field is where that answer lives in the file itself.

Where These Fields Are Stored

All four fields are stored as XMP metadata, embedded directly in the image file. XMP uses an XML-based format that is compatible with JPEG, PNG, TIFF, PDF, and most other common image formats. For JPEG files, XMP is stored in an APP1 segment. For PNG files, it is stored in an iTXt chunk. Both locations survive most standard image processing operations, though aggressive compression tools and some social media upload APIs will strip all metadata including XMP.

Reading IPTC 2025.1 fields requires a metadata tool that understands the Iptc4xmpExt namespace. ExifTool (version 12.70 or later), Adobe Bridge, and any XMP SDK-based reader will surface these fields. Most image editing applications do not yet display them in their standard metadata panels, but they do not strip them either.

Adoption Status

As of early 2026, automated injection of IPTC 2025.1 AI fields is available in a small number of platforms. Adobe Firefly embeds partial AI attribution using the related C2PA mechanism rather than raw IPTC fields. Numonic's DAM platform captures generation context at ingestion and writes all four IPTC AI fields during export. Most other tools—Midjourney, DALL-E, Stable Diffusion interfaces—produce images with no IPTC AI metadata at all, requiring post-production injection in a compliant DAM.

C2PA Content Credentials

The Coalition for Content Provenance and Authenticity (C2PA) is a joint development foundation operating under the Linux Foundation. Its founding members include Adobe, Microsoft, Google, BBC, and Intel. The C2PA specification defines a technical standard for cryptographically signed provenance records attached to digital content.

Where IPTC provides descriptive fields—declarative statements about what AI tool was used—C2PA provides cryptographic proof. A C2PA manifest is a tamper-evident record that cannot be forged or retroactively modified without invalidating the cryptographic signature. If an asset's C2PA manifest verifies as valid, you know the manifest has not been altered since it was signed.

How C2PA Manifests Work

A C2PA manifest is a structured JSON-LD document that is cryptographically signed using a certificate from a trusted authority. The manifest is bound to the asset file using a content hash: any modification to the image pixel data invalidates the signature, making tampering detectable.

Each manifest contains one or more assertions: structured claims about the asset's provenance. The most relevant for AI content are:

• c2pa.ai.generative: Asserts that the asset was created by a generative AI system, with fields for the engine name, model version, and optional prompt reference.
• c2pa.created: Records the creation timestamp and the tool used to create the asset.
• c2pa.actions: A list of transformations applied to the asset, allowing verification of the entire editing history from creation through final delivery.
• c2pa.ingredient: Links to parent assets when the current asset was derived from or composed of other content, enabling full provenance chains across composited or edited works.

Manifests are stored in the asset file itself using a format-specific embedding mechanism. For JPEG and PNG, C2PA uses a designated metadata segment that survives most image operations. For video and audio, dedicated container segments are defined. A C2PA manifest can also be stored in a sidecar file or served from a remote manifest store, which enables provenance for formats that cannot embed metadata directly.

The Content Authenticity Initiative

The Content Authenticity Initiative (CAI) is the industry adoption body promoting C2PA implementation. While C2PA defines the technical specification, the CAI provides the tooling ecosystem: the open-source C2PA Rust library, the JavaScript SDK, the Verify tool at verify.contentauthenticity.org, and the broader adoption program for platforms and tools.

Adobe Photoshop, Adobe Lightroom, and Adobe Firefly all produce C2PA-signed assets by default when Content Credentials are enabled in the application preferences. Microsoft Designer, Bing Image Creator, and Google's SynthID-adjacent metadata systems are in various stages of C2PA adoption. The Leica M11-P was the first camera to ship with C2PA signing built into the hardware firmware, establishing that the standard is not limited to software-generated content.

IPTC vs C2PA — When to Use Each

A common misconception is that IPTC 2025.1 and C2PA are competing standards. They are not. They operate at different layers of the provenance stack and solve different problems. The question is not which to choose—it is how to use both correctly.

IPTC: Descriptive and Searchable

IPTC metadata is descriptive. It makes assertions about an asset in human-readable form. The AISystemUsed field says “this asset was created with Midjourney v6.1.” That statement is useful for search, cataloguing, rights management, and compliance reporting. But it is a declaration, not a proof. Any metadata editor can change the value of AISystemUsed after the fact.

IPTC's strength is ecosystem integration. Every professional DAM, photo agency platform, and metadata management tool understands XMP. The fields are indexed, searchable, filterable, and reportable through existing infrastructure without any new tooling investment. For workflow integration and bulk asset management, IPTC is the right layer.

C2PA: Cryptographic and Verifiable

C2PA is cryptographic. It does not just describe provenance—it proves it. A valid C2PA manifest means the asset was created by the claimed tool, has not been modified without a documented action entry, and the provenance record was signed by a party with a valid certificate at the stated time.

C2PA's strength is verification. Any party—a regulator, an insurer, a client—can independently verify a C2PA manifest without trusting the creator. The standard is designed specifically for adversarial contexts where the verifier cannot simply take the creator's word for it. For legal defense, insurance claims, and regulatory audits, C2PA is the right layer.

The Relationship Between the Two

C2PA assertions and IPTC fields are complementary. A C2PA manifest can reference IPTC fields, and an IPTC AISystemUsed field value can be drawn from the corresponding C2PA assertion during export processing. The recommended architecture is:

• Inject IPTC 2025.1 AI fields at ingestion for search, cataloguing, and reporting within your DAM.
• Create or preserve C2PA manifests for legal, insurance, and regulatory proof requirements.
• On export, apply privacy-aware stripping: remove AIPromptInformation from client-facing assets while preserving AISystemUsed, AISystemVersionUsed, and the C2PA manifest.
• Re-sign the C2PA manifest after any IPTC field injection that modifies the asset's metadata segment, to maintain cryptographic integrity.

Implementation for Creative Teams

Which AI Tools Already Embed IPTC or C2PA

The metadata embedding landscape varies significantly across tools:

• Adobe Firefly: Produces full C2PA-signed assets when Content Credentials are enabled. Does not currently auto-populate IPTC 2025.1 AI fields in XMP, though the C2PA assertion carries equivalent information.
• Midjourney: Produces images with no AI provenance metadata. No IPTC AI fields, no C2PA manifest. All provenance must be injected post-generation.
• DALL-E / ChatGPT: Generates images without IPTC AI fields. OpenAI has implemented C2PA in some API-generated content but it is not consistent across all generation interfaces.
• Stable Diffusion / ComfyUI: Embeds rich workflow data in PNG tEXt chunks but not in IPTC XMP format. The embedded data is not readable by standard compliance tools without translation. See our guide to ComfyUI PNG metadata chunks.
• Runway, Pika, Sora (video): No standardized AI provenance metadata. C2PA video support exists in the specification but is not yet implemented in consumer tools.

The practical implication: the majority of AI creative tools require post-generation metadata injection. The injection point must be automated and embedded in the ingestion workflow of your DAM. Relying on creators to manually add metadata after the fact produces near-zero compliance rates at scale.

How DAM Tools Handle Metadata

Not all DAM tools are equal in their metadata handling. The critical behaviours to audit:

• Preservation on ingestion: Does the DAM preserve existing XMP and C2PA metadata when ingesting assets? Some platforms transcode or reprocess images on upload, silently stripping metadata.
• Preservation on export: Does the export pipeline preserve or re-embed IPTC and C2PA fields? Standard export presets in many tools strip all metadata to reduce file size. For compliance-critical use cases, this is a regulatory violation as of August 2026.
• Injection capability: Can the DAM write IPTC 2025.1 fields into assets it manages? This capability is what enables post-generation compliance for tools like Midjourney that produce metadata-free outputs.
• C2PA re-signing: If the DAM modifies metadata (by injecting IPTC fields), does it re-sign the C2PA manifest? Without re-signing, the C2PA manifest will fail verification because the metadata modification invalidated the original signature.

Setting Up a Metadata-First Workflow

A metadata-first workflow treats provenance as a first-class concern from the moment of creation, not an afterthought added before delivery. The practical implementation has three components:

1. Capture at creation: Record generation context at the source. For API-integrated tools (Midjourney via API, DALL-E via OpenAI API), capture the full request and response including model version, seed, and parameters. For manual tools, capture whatever the tool's interface exposes.
2. Inject at ingestion: The DAM's ingestion pipeline translates captured generation context into IPTC 2025.1 AI fields and creates a C2PA manifest with a generative AI assertion. This step is automated and invisible to the creator.
3. Preserve at export: Privacy-aware export presets apply the correct stripping rules for each destination. Client delivery exports remove AIPromptInformation. Archive exports preserve all fields. Social media exports apply maximum stripping while retaining the minimum regulatory metadata required by law.

Verifying Content Credentials

The CAI operates a public verification tool at verify.contentauthenticity.org. Upload any C2PA-signed asset and the tool will display the complete manifest, all assertions, the signing certificate chain, and whether the cryptographic signature is valid. This tool is what regulators, auditors, and clients will use to verify your compliance claims.

Before delivering any C2PA-signed asset to a client or regulatory body, verify it yourself. Confirm that the AI assertion is present, that the signature validates, and that sensitive prompt information has been stripped according to the applicable export preset.

How This Satisfies Regulatory Requirements

The regulatory landscape for AI content disclosure is complex, but the technical implementation converges on the same two standards. Here is how IPTC 2025.1 and C2PA map to the primary regulatory requirements in force as of August 2026.

EU AI Act Article 50

Article 50 of the EU AI Act requires that AI-generated content be marked in a machine-readable format that allows detection and identification as AI-generated. For images, the regulation requires a latent, embedded disclosure—not merely a visible label or caption.

The IPTC AISystemUsed field satisfies the machine-readable identification requirement: any XMP-aware system can detect the field and confirm AI generation. The C2PA manifest satisfies the cryptographic integrity requirement: the disclosure cannot be retroactively altered or removed without detection. Used together, the two standards provide defense-in-depth for Article 50 compliance.

Article 50 applies to providers and deployers. For creative agencies, this means the obligation falls on the organization that deploys the AI tool to generate content delivered to end users. See our detailed analysis of EU AI Act Article 50 obligations for content creators.

California SB 942

California's SB 942, effective January 1, 2026, requires that AI-generated content include an embedded disclosure that survives the distribution lifecycle. The disclosure must be latent (machine-readable in the file), must identify the content as AI-generated, and must identify the generating system.

The IPTC AISystemUsed and AISystemVersionUsed fields directly satisfy the identification requirement. SB 942 does not require cryptographic proof, but the C2PA manifest provides the audit trail that makes regulatory defense possible if compliance is ever contested. See our complete guide to SB 942 compliance requirements.

IAB Content Taxonomy and Disclosure Thresholds

The Interactive Advertising Bureau's AI content disclosure guidance establishes a materiality threshold: incidental AI use (background removal, format conversion) does not require disclosure, while substantive generative use does. The IPTC AISystemUsed field is the correct mechanism for marking material AI use. For advertising content specifically, the IAB recommends C2PA manifests for supply-chain provenance verification in programmatic contexts.

The practical compliance checklist across all three frameworks is the same: embed AISystemUsed and AISystemVersionUsed via IPTC 2025.1, sign with a C2PA manifest, and use privacy-aware export presets that strip prompt data while preserving disclosure metadata.

Key Takeaways

• IPTC 2025.1 introduces four XMP fields for AI metadata: AISystemUsed, AISystemVersionUsed, AIPromptInformation, and AIPromptWriterName.
• C2PA Content Credentials provide cryptographic proof of provenance, making AI disclosures tamper-evident and independently verifiable.
• IPTC and C2PA are complementary: use IPTC for searchability and cataloguing, C2PA for legal proof and regulatory defense.
• Most AI tools (Midjourney, ComfyUI, Stable Diffusion) produce images with no regulatory-compliant metadata. Post-generation injection in a compliant DAM is required.
• Privacy-aware export presets must strip AIPromptInformation for client-facing assets while preserving disclosure fields and C2PA manifests.
• Re-signing C2PA manifests after IPTC field injection is a technical requirement for maintaining cryptographic integrity.