OpenAI's Image Watermark Plan Puts Provenance on the Toolmaker, Not the Viewer

In 73 days, two laws take effect that will reshape how AI-generated content moves through the internet. Neither the companies building AI systems nor the platforms built to host human speech are ready for what that means.

The EU AI Act and California Assembly Bill 2013 both require machine-readable provenance signals on certain AI outputs. The EU version carries fines up to €35 million or 7% of global revenue for violations. California's CAITA law imposes $5,000 per violation per day. Both rules land August 2, 2026, as documented in an analysis by developer relations engineer Marco Milone.

OpenAI announced Monday that it will embed C2PA metadata and SynthID watermarking into images generated via ChatGPT, its API, and Codex. It is a genuine technical step: C2PA is an open standard backed by Adobe, Microsoft, and Google, and adding it to ChatGPT's image output means those files will carry a cryptographic trail showing they came from an OpenAI model.

But the announcement lands against a backdrop of systemic non-compliance that makes the new requirements look less like a turning point and more like a checklist item for one company while the underlying problem remains unsolved.

A compliance audit published May 10 by Numonic Group found that only 38% of the 50 largest AI image generation systems implement any machine-readable content marking. Midjourney, one of the most widely used, was among those scoring zero on both C2PA and IPTC metadata standards. Stability AI, whose Stable Diffusion model helped define the open-source end of the market, was flagged for inconsistent output marking across its commercial tiers.

Those numbers would be a problem even if the infrastructure to read provenance signals were working reliably. It is not.

An analysis published May 22 by Marco Milone tested how major platforms handle the two main provenance standards. Instagram's algorithm reads IPTC tags but ignores C2PA metadata. LinkedIn does the opposite: it validates C2PA signals but skips IPTC. TikTok and YouTube failed to detect either standard when embedded in AI-generated images by Meta's own systems, which have supported both standards since early 2025.

The result is a verification chain with a gap at every link. A creator can mark an image correctly. A platform can strip that marking during compression or thumbnail generation. A downstream platform can read a different standard than the one used upstream. None of this requires malice; it requires the ordinary entropy of a fragmented technical ecosystem.

"We have the plumbing," said one engineer at a major social platform who asked not to be named because they were not authorized to speak publicly. "What we don't have is agreement on which pipe to connect."

OpenAI's position in this mess is structurally complicated. The company built DALL-E, which helped create the provenance problem in the first place by making photorealistic AI imagery trivially easy to produce and hard to distinguish from real photos. The company also built SynthID, which is among the more technically robust watermarking schemes available, and has now extended it with C2PA conformance. That is progress. It is also a solution to a problem OpenAI helped make.

The regulatory clock is not sympathetic to structural ironies. Regulators in Brussels and Sacramento have written rules that assume provenance signals will be readable at scale across the open internet. The technical reality is that the three largest platforms by reach have incompatible reading strategies, the majority of AI image providers have no marking infrastructure at all, and the enforcement mechanisms that would create market pressure toward compliance do not yet exist.

What would actually work is platform-level adoption of at least one open standard with consistent reading behavior across major properties. That requires technical coordination between competitors who have every reason to let the other platform bear the cost of adoption. The EU AI Act's risk-based tiering creates a graduated pressure curve rather than a cliff, which gives large platforms room to delay. California's law is narrower in scope but applies to platforms with California users, which means essentially all of them.

OpenAI's announcement is real. SynthID is not theater. C2PA conformance in ChatGPT's image output will matter for the subset of users who need verifiable provenance for legal or commercial reasons.

It does not solve the interoperability problem, and the 73-day countdown has begun on a system where the people building the signals and the people reading them are not yet speaking the same language.