AI-Generated Content Labelling Is Not a Disclaimer. It Is a Trust Control.

AI-generated content labelling is no longer a cosmetic disclaimer. It is becoming a trust control. This article explains why content provenance, transparency, and accountability must become part of AI governance and the CISO’s security architecture.
Why the EU Code of Practice on AI-generated content marks the shift from abstract AI governance to operational digital trust


By Eckhart Mehler for CISOsCISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.


For a long time, the debate about AI transparency sounded deceptively simple.

We asked whether users should be informed when they interact with artificial intelligence. We discussed whether AI-generated images should be labelled. We debated deepfakes, synthetic media, chatbot disclosures, and watermarking.

All important topics.

But beneath the surface, a much larger governance question was emerging:

How do organizations protect trust in information when content can be generated, modified, translated, summarized, personalized, and distributed by AI at industrial scale?

The European Commission’s final voluntary Code of Practice on marking and labelling AI-generated content should be read in exactly this context. It is not merely another regulatory document. It is a signal that AI governance is becoming operational.

The Code is intended to help providers and deployers prepare for the transparency obligations of the EU AI Act, particularly around marking AI-generated or AI-manipulated content and labelling deepfakes, chatbot interactions, and AI-generated text on matters of public interest. The Commission describes it as a practical path for providers and deployers to label AI-generated content and deepfakes in line with the AI Act’s transparency requirements. (European Commission)

For CISOs, this matters deeply.

Because once AI-generated content becomes part of business communication, public messaging, decision support, reporting, customer interaction, training, knowledge management, and internal governance, labelling is no longer a cosmetic disclaimer.

It becomes part of the organization’s trust architecture.

The Real Question Is Not Whether AI Was Used

Many organizations still approach AI transparency with the wrong question.

They ask:

“Do we have to disclose that AI was used?”

That question is too narrow.

The better question is:

“What must a recipient, user, decision-maker, auditor, citizen, customer, employee, or partner know in order to correctly assess the origin, reliability, manipulation risk, and accountability of this content?”

This is where the discussion changes.

A short AI-assisted email may not create material risk.

A synthetic video used in a public communication campaign might.

An AI-generated policy draft may be acceptable if reviewed and approved.

An AI-generated crisis statement published without provenance, review, or accountability may be dangerous.

A chatbot that gives general information may be harmless.

A chatbot that users mistake for a human expert in a sensitive process may become a governance risk.

The issue is not simply whether AI was involved.

The issue is whether the involvement of AI changes the trust assumptions around the content.

That is why AI-generated content labelling belongs on the CISO agenda.

From Confidentiality to Integrity of Meaning

Cybersecurity has traditionally focused heavily on confidentiality, availability, and technical integrity.

  • We protect systems from unauthorized access.
  • We protect data from leakage.
  • We protect services from disruption.
  • We protect files from unauthorized modification.

But AI changes the integrity question.

In an AI-enabled organization, content may remain technically unchanged while its meaning, context, origin, or perceived authority becomes ambiguous.

  • A document may be authentic but AI-generated.
  • A presentation may be formally approved but partly synthesized.
  • A chatbot answer may sound authoritative but lack institutional endorsement.
  • A deepfake may be technically convincing but entirely fabricated.
  • A report may contain AI-generated analysis without clear evidence of human validation.

This creates a new class of integrity risk: not only the integrity of data, but the integrity of meaning.

For CISOs, this is uncomfortable but unavoidable.

If people cannot determine whether information was created by a human, generated by a system, manipulated by AI, or merely assisted by automation, then the trust model of the organization becomes weaker.

And when trust becomes weaker, security becomes weaker.

The Code of Practice as a Governance Signal

The EU Code of Practice is voluntary. It does not create a separate legal obligation by itself.

But voluntary does not mean irrelevant.

In regulatory practice, voluntary codes often indicate where expectations are moving. They translate broad principles into operational patterns. They show what regulators, policymakers, and expert communities consider reasonable, practical, and auditable.

The Commission’s materials frame the Code as supporting compliance with AI Act transparency obligations related to marking and labelling AI-generated content. Earlier drafting materials also clarified the two central layers: marking and detection mechanisms for providers, and labelling duties for deployers in relevant use cases. (Digitale Strategie Europas)

That distinction is important.

Providers need to support technical marking, detection, and machine-readable mechanisms.

Deployers need to ensure that users receive clear, understandable information when AI-generated or AI-manipulated content is used in relevant contexts.

In plain language:

Technology must help identify the content.

Organizations must help people understand it.

Both are necessary.

Neither is sufficient alone.

A Label Without Governance Is Just Decoration

Many organizations will be tempted to solve AI transparency with a disclaimer.

  • “Created with AI.”
  • “AI-generated content.”
  • “This chatbot is powered by artificial intelligence.”

These labels may be necessary.

But they are not sufficient.

A label without governance is just decoration.

The real control question is whether the label is supported by a reliable process.

  • Who decides that the label is required?
  • Who verifies that the content is actually in scope?
  • Who ensures that labels survive editing, publication, platform transfer, translation, compression, or reuse?
  • Who reviews high-impact AI-generated content before release?
  • Who checks whether employees understand when labelling is mandatory?
  • Who documents exceptions?
  • Who monitors failures?
  • Who owns the risk?

These questions cannot be answered by a banner, watermark, or footnote alone.

They require governance.

Why CISOs Should Care

Some may argue that AI-generated content labelling is primarily a legal, communications, or ethics topic.

That is partly true.

But it is also a security topic.

CISOs should care for at least five reasons.

  1. Synthetic content is increasingly used in fraud, impersonation, phishing, social engineering, disinformation, and influence operations.
  2. Unmanaged AI-generated content can undermine internal decision-making if employees cannot distinguish reviewed organizational information from unvalidated generated output.
  3. Deepfakes and AI-manipulated media can damage reputation, trust, and crisis response capability.
  4. AI-generated content may include sensitive, incorrect, biased, or non-compliant statements that create legal, operational, or reputational exposure.
  5. The ability to trace how content was generated, reviewed, approved, and published is becoming part of auditability.

This is not about making the CISO responsible for every AI use case.

It is about recognizing that information integrity, provenance, and trust are security-relevant.

The New Control Surface: Content Provenance

In classical cybersecurity, we think about attack surfaces.

  • Endpoints.
  • Identities.
  • Cloud workloads.
  • APIs.
  • Networks.
  • Applications.
  • Suppliers.

AI expands this list.

Content itself becomes a control surface.

A video can be an attack vector.

A synthetic voice message can bypass human trust.

A screenshot can carry hidden instructions.

A document can contain manipulated context.

An AI-generated answer can influence decisions.

A chatbot interaction can create a false sense of authority.

A public-facing AI response can become an organizational statement, even if nobody intended it that way.

That means organizations need to treat content provenance as a security control.

Where did this content come from?

Was AI involved?

Was it generated, modified, summarized, translated, or merely formatted?

Was it reviewed?

Was it approved?

Was it labelled?

Can this be verified?

Can this be audited?

These are not theoretical questions. They are practical control questions.

The False Comfort of Watermarking Alone

Technical marking and watermarking are important, but organizations should avoid false comfort.

Watermarks can be fragile.

Metadata can be stripped.

Content can be copied, screenshotted, compressed, edited, translated, or transformed.

Outputs can move across platforms that do not preserve the same signals.

Research and policy discussions continue to highlight structural challenges around robustness, interoperability, detectability, and the practical limitations of marking mechanisms across heterogeneous AI systems and workflows. (arXiv)

This does not mean technical marking is useless.

It means it must be part of a layered control model.

Machine-readable marking should be combined with human-facing labelling, process controls, content approval, logging, platform governance, user education, and risk-based review.

The security lesson is familiar:

One control is never enough.

Integrating AI Labelling Into the ISMS

For organizations operating an ISO/IEC 27001:2022-based ISMS, AI-generated content labelling should not be handled as an isolated compliance project.

It should be integrated into existing management system processes.

That is where it becomes sustainable.

A mature ISMS can absorb this topic through several existing mechanisms.

Scope and Context

The organization should clarify where AI-generated or AI-manipulated content is created, processed, published, or relied upon.

This includes communication departments, HR, learning platforms, customer interaction, knowledge management, software development, public affairs, procurement, policy teams, legal teams, and executive reporting.

The key question is:

Where could AI-generated content influence trust, decisions, rights, obligations, reputation, or public perception?

Risk Assessment

AI-generated content risks should be part of the formal risk assessment.

This includes deepfakes, impersonation, misinformation, incorrect AI-generated advice, unlabelled synthetic content, manipulation of public-interest communication, chatbot misrepresentation, loss of provenance, and lack of evidence for review and approval.

The risk is not only that AI produces something wrong.

The risk is that people trust it for the wrong reason.

Policies and Rules

Acceptable use rules should define when AI-generated content may be used, when it must be labelled, when human review is mandatory, and when use is prohibited.

This must include professional use of generative AI, publication workflows, public-interest communication, chatbot deployment, and use of AI-generated images, audio, and video.

Supplier and Provider Management

Organizations should require AI providers and relevant platforms to support technical marking, detection, provenance, logging, and transparency capabilities.

This should become part of procurement, vendor assessment, contractual requirements, and third-party risk management.

Asset and Process Ownership

Every AI-enabled content process needs an owner.

Not just a system owner.

A content accountability owner.

This person or function must understand what the system produces, where outputs go, who relies on them, and which labelling or review rules apply.

Logging and Evidence

Where feasible, organizations should retain evidence of content generation, review, approval, publication, and labelling decisions.

This becomes especially important for public-interest communication, regulated processes, executive reporting, customer-facing content, and sensitive internal guidance.

Incident Response

Incident response playbooks should include scenarios involving AI-generated or AI-manipulated content.

What happens if an unlabelled deepfake is discovered?

What happens if an AI-generated public statement is published incorrectly?

What happens if a chatbot gives misleading guidance?

What happens if synthetic content is used for impersonation?

What happens if labels are missing, wrong, or removed?

These scenarios require coordination between Information Security, Communications, Legal, Data Protection, HR, and business owners.

Internal Audit and Management Review

AI transparency controls should be tested.

Not only documented.

Internal audit should check whether labelling rules are understood, applied, evidenced, and effective.

Management review should consider whether AI content risks are increasing, whether incidents occurred, whether controls remain adequate, and whether technology changes require updated governance.

This is how AI labelling becomes part of the management system rather than a side policy.

The Organizational Challenge: Mixed Human-AI Workflows

One of the hardest problems will be mixed authorship.

Few business documents will be purely human or purely AI-generated.

  • A human may draft a text.
  • AI may summarize it.
  • A colleague may rewrite it.
  • AI may translate it.
  • Another team may adapt it.
  • A chatbot may turn it into FAQs.
  • A communication team may publish it.
  • A platform may format it.

At what point does the content require labelling?

  • What if AI only improved grammar?
  • What if AI generated the first draft, but a human heavily revised it?
  • What if AI created an image based on human instructions?
  • What if AI summarized a human-approved policy?
  • What if AI generated public-interest analysis from internal data?

This is where simplistic rules fail.

Organizations need risk-based criteria.

Not every use of AI requires the same level of disclosure. But high-impact content, public communication, deepfakes, user interaction with chatbots, and content affecting rights, expectations, or trust relationships require stricter treatment.

The governance principle should be simple:

The more AI involvement changes the trust assumptions of the recipient, the stronger the transparency requirement should be.

Why “Public Interest” Is a Security Issue

The Code and the AI Act discussion place particular emphasis on deepfakes and AI-generated or AI-manipulated content of public interest.

For public sector bodies, international organizations, development agencies, NGOs, critical infrastructure providers, financial institutions, healthcare organizations, and large corporations, this is highly relevant.

Public-interest content carries institutional authority.

When such content is AI-generated or AI-manipulated, transparency is essential.

  • A public statement about a crisis.
  • A report on humanitarian conditions.
  • A video message from leadership.
  • A policy position.
  • A security advisory.
  • A sustainability report.
  • A financial communication.
  • A public consultation document.

If AI materially contributes to such content, labelling is not a bureaucratic detail. It is part of maintaining public trust.

The CISO perspective adds another layer:

Public-interest content is also a target.

Adversaries may manipulate, imitate, fabricate, or distort it.

Therefore, organizations must not only label their own AI-generated content. They also need the capability to detect and respond to manipulated content that impersonates them.

AI Transparency and Digital Trust

Digital trust is often used as a broad phrase.

But in practice, it depends on specific capabilities.

  • Can users trust the identity of a system?
  • Can they trust the origin of information?
  • Can they trust the integrity of content?
  • Can they understand whether they interact with a human or AI?
  • Can they challenge or verify important outputs?
  • Can the organization demonstrate accountability?

AI-generated content labelling contributes directly to these questions.

It is not the whole answer.

But it is a visible part of the trust chain.

Without transparency, users are forced to guess.

And when users must guess, trust becomes fragile.

Practical Minimum Requirements for Organizations

A pragmatic organization does not need to start with a 100-page AI transparency framework.

It can begin with a focused set of minimum requirements.

  1. Define content categories.

Separate internal drafts, internal guidance, external communication, public-interest content, customer-facing content, chatbot interactions, synthetic images, synthetic audio, synthetic video, and AI-manipulated content.

  2. Define labelling triggers.

Clarify when AI involvement must be disclosed, when human review is mandatory, and when machine-readable marking is required or expected.

  3. Define ownership.

Assign responsibility to content owners, system owners, platform owners, communications leads, AI governance, legal, data protection, and information security.

  4. Define technical requirements.

Require platforms to support provenance, metadata, watermarking where appropriate, logging, access control, retention, and detection capabilities.

  5. Define review and approval.

Create stronger review requirements for public-interest content, leadership communication, regulatory communication, customer-facing content, and high-impact internal guidance.

  6. Define evidence.

Keep records of AI use, review, labelling decisions, exceptions, and approvals where risk justifies it.

  7. Define incident handling.

Prepare for unlabelled content, mislabelled content, manipulated content, deepfake impersonation, and chatbot transparency failures.

  8. Train users.

Not with generic AI awareness, but with role-specific guidance for those who create, approve, publish, or operate AI-generated content.

This is not overengineering.

It is basic governance for a world in which content can no longer be trusted by appearance alone.

The Board-Level Message

Boards and executive committees should not see AI labelling as a niche compliance issue.

They should see it as part of organizational trust.

A useful board-level message could be:

“We need to know where AI-generated content is used in our organization, when it must be labelled, who is accountable, how labels are technically supported, and how we respond if synthetic or manipulated content damages trust.”

That is concise.

But it is powerful.

It connects regulation, reputation, cybersecurity, communication, and operational governance.

The CISO’s Responsibility

The CISO should not try to own the entire AI transparency agenda.

That would be neither realistic nor organizationally healthy.

But the CISO should insist that AI-generated content labelling is treated as a control topic.

  • Not only as a legal interpretation.
  • Not only as a communication preference.
  • Not only as an ethical statement.

The CISO should bring five capabilities to the table:

  • risk-based thinking,
  • control design,
  • evidence and auditability,
  • incident response,
  • and integration into the ISMS.

This is the natural contribution of information security to AI governance.

The Strategic Risk of Doing Nothing

What happens if organizations ignore this topic?

At first, probably not much.

  • A few AI-generated texts will be published without labels.
  • A few chatbot interactions will remain ambiguous.
  • A few synthetic images will be used informally.
  • A few policies will mention transparency without implementation.

Then AI use scales.

  • More teams use more tools.
  • More content is generated faster.
  • More outputs reach more people.
  • More decisions rely on AI-assisted information.
  • More synthetic media appears.
  • More content moves across platforms.
  • More accountability questions arise.

At that point, the organization may realize that it no longer knows which content was human-created, AI-generated, AI-assisted, AI-manipulated, reviewed, approved, or merely copied from an AI tool.

That is when transparency debt becomes governance debt.

And governance debt eventually becomes security risk.

The Future: Transparency by Design

The direction is clear.

AI transparency will not remain a matter of voluntary good behavior.

It will become embedded in platforms, regulation, procurement, audit, public expectations, and trust frameworks.

Organizations that act early will gain maturity.

Organizations that wait may be forced into reactive compliance.

The right approach is not to label everything blindly.

The right approach is to build transparency by design.

That means AI-generated content processes should be designed from the beginning with provenance, labelling, accountability, review, and evidence in mind.

Not added afterwards.

Not improvised after an incident.

Not delegated to individual users without support.

Conclusion: The Label Is Only the Visible Part

The most important part of AI-generated content labelling is not the label.

The label is only the visible part.

Behind it stands the real question:

Can the organization demonstrate that AI-generated or AI-manipulated content is governed, traceable, understandable, and accountable?

That is the CISO-level issue.

Because in the age of generative AI, information security is no longer only about protecting data from unauthorized access.

It is also about protecting trust in the information that organizations create, process, and distribute.

The EU Code of Practice is voluntary.

But the direction is not.

AI governance is becoming operational. Transparency is becoming auditable. And content provenance is becoming part of digital trust.

For CISOs, this is the moment to act.

Not by turning AI labelling into bureaucracy.

But by turning it into a practical trust control.

Publication Note & Disclaimer
This article was originally published on LinkedIn on June 12, 2026 and may have been edited or updated for publication on this site.

It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.

For information regarding image credits, copyrights, trademarks and other intellectual property rights, please refer to the Imprint.