AI Image Generation: 4 Compliance Risks Most Teams Miss

AI image generation creates four governance risks most teams miss: the output often can't be copyrighted, it can carry someone else's trademark or copyright into your brand assets, it can trigger false-advertising rules, and from August 2026 it must be labelled under EU law. None of that shows up when a marketer types a prompt and gets a usable image in seconds. It shows up later, in a takedown notice, a regulator's letter, or a buyer's due diligence. This is a guide to governing the risk before it lands.
The tools are genuinely useful. The problem isn't the technology. It's that image generation slips into a marketing or design workflow without passing the legal and brand checks that every other asset goes through. A stock photo gets a licence check. An AI image often gets nothing.
Who owns an AI-generated image?
Often, nobody.
The US Copyright Office's January 2025 guidance is blunt on this point: a person who simply enters a prompt into a generative AI tool can't claim authorship over the result. Detailed prompts don't change that. The Office said that even where prompts are "the product of some human effort," prompting alone "does not itself yield a copyrightable work," because the user doesn't control the expressive elements the model produces (US Copyright Office, Copyright and Artificial Intelligence Part 2).
What that means for a brand: a logo, an illustration, or a campaign visual generated purely from a prompt may sit in the public domain. You can't stop a competitor reusing it. You can't enforce it. If your brand identity rests on assets nobody owns, that's a commercial exposure, not just a legal footnote.
There's a route to protection. The Office accepts copyright where a human creatively selects, arranges, or modifies AI material enough that the work as a whole shows original human authorship, judged case by case. So the governance question isn't "did we use AI?" It's "can we show the human creative contribution, and did we record it?"
| Scenario | Copyright status (US) |
|---|---|
| Image from a prompt, used as-is | Likely uncopyrightable; the AI portion gets no protection |
| AI image with substantial human edits | The human contribution can qualify, case by case |
| Human arrangement of multiple AI elements | The creative arrangement can qualify |
| Prompt-only, however detailed | No copyright from the prompt alone |
Can an AI image infringe someone else's rights?
Yes, and this is the risk that reaches your balance sheet.
The model was trained on images it didn't licence. When you ask for something "in the style of" a known brand, illustrator, or franchise, the output can reproduce protected elements: a trademark, a character, a distinctive design. You commissioned it, you published it, you carry the liability.
The Getty Images v Stability AI judgment (England and Wales High Court, 4 November 2025) shows where the line currently sits in the UK. Getty lost most of its copyright case, partly because training happened outside the UK. But the Court did find limited trademark infringement: Stable Diffusion had generated images carrying watermarks identical or confusingly similar to Getty's registered marks (Latham & Watkins analysis; full judgment, judiciary.uk).
The lesson for buyers of these tools: a generated image can carry a third party's trademark straight into your marketing. The model doesn't know it's doing it. Your review process has to.
Does AI imagery break advertising rules?
It can, fast, and the US already has a rule pointed straight at it.
The FTC's final rule on fake reviews and testimonials, in force since October 2024, bans AI-generated consumer or celebrity testimonials that misrepresent the reviewer's identity, experience, or existence (FTC press release). Synthetic "happy customer" imagery falls in scope when it implies a real person endorsed you.
Separately, ordinary false-advertising law still applies to every synthetic product shot. An AI render that shows a feature the product doesn't have, or a result it can't deliver, is a misrepresentation regardless of how it was made. The tool doesn't give you a defence. (Note: the FTC's enforcement posture has shifted under the December 2025 administration, which set aside its earlier Rytr order, so treat the agency's appetite as moving and the underlying rule as still live.)
Regulated sectors carry more. Financial promotions, health claims, and food labelling each have their own accuracy and disclosure regimes that a generated image doesn't satisfy on its own. If you sell in those markets, generated visuals need the same sign-off as any other regulated claim.
What does the EU AI Act require for AI images?
Two duties land in August 2026, and they split between the tool vendor and you.
Under Article 50(2), providers of generative AI systems must mark outputs in a machine-readable format so they're detectable as artificially generated. Under Article 50(4), deployers who use AI to generate or manipulate images, audio, or video that count as deepfakes must disclose that the content is artificially generated or manipulated (EU AI Act, Article 50).
"Deployer" includes a company using these tools for its own marketing. The disclosure has to reach the viewer when they first see the content, not in a buried terms page (Greenberg Traurig analysis). There's a narrower carve-out for clearly artistic or satirical work. Penalties for breaching the transparency duties reach up to EUR 15 million or 3% of worldwide annual turnover (Bratby Law).
The enforcement date is the planning date. If you market into the EU, the label and disclosure process needs to exist before August 2026, not after the first complaint.
How do you prove what's real? Content provenance and C2PA
This is the part that turns a policy into something you can actually audit.
C2PA (the Coalition for Content Provenance and Authenticity) is the open standard that attaches tamper-evident, cryptographically signed metadata to a file, recording how it was made and edited. Adobe's Content Credentials are the best-known implementation. By early 2026 the coalition reported over 6,000 members, with OpenAI, Google, Meta, Sony, and camera makers shipping support, and Google rolling C2PA verification across Gemini, Search, and Chrome (Content Authenticity Initiative, State of Content Authenticity 2026).
Provenance does two jobs at once. It helps you meet the EU's machine-readable marking expectation, and it gives your own teams a way to tell, months later, whether an asset was synthetic. It isn't bulletproof. Metadata can be stripped. But a signed provenance trail beats the alternative, which is asking a designer to remember what they generated in March.
How should a team govern AI image generation?
The fix isn't a ban. It's putting generated images through the checks every other asset already passes. Five controls cover most of the exposure.
| Control | What it does | Who owns it |
|---|---|---|
| Logged human contribution | Records the editing and arrangement that can support a copyright claim | Design lead |
| IP and trademark check | Catches "in the style of" outputs carrying protected marks before publication | Legal / brand |
| Accuracy review for claims | Stops synthetic product or result imagery that misrepresents | Marketing / compliance |
| Disclosure and labelling | Applies EU Article 50 disclosure and provenance marking | Compliance |
| Provenance capture | Keeps a C2PA trail so the asset is auditable later | Ops / design |
The point is to put these inside the existing approval flow, not bolt on a separate process people will route around. An asset that skips legal review isn't faster. It's just a liability that hasn't been priced yet.
This sits alongside the wider problem of content authentication becoming harder as generated work floods every workflow, and the synthetic content disclosure rules organisations now have to meet. The same governance gaps showing up across AI tooling apply here too. Image generation just makes them visible in public, on your brand.
Frequently asked questions
Can we copyright an image made with AI?
Not if it comes from a prompt alone. Under the US Copyright Office's 2025 guidance, prompt-only output isn't protected because the user doesn't control the expressive result. Substantial human editing or creative arrangement can earn protection for the human contribution, decided case by case. Record what your team actually did to the image.
Do we have to label AI-generated images in marketing?
In the EU, yes, for content that counts as a deepfake. From August 2026, Article 50(4) of the AI Act requires deployers to disclose AI-generated or manipulated image, audio, and video content, with disclosure shown at first exposure. Other markets have lighter or sector-specific rules, but EU exposure means building the label process now.
Is "in the style of [brand]" safe to use?
Treat it as high risk. The output can reproduce a trademark or protected design, as the Getty v Stability AI watermark findings showed. You publish it, you carry the liability. Style-mimic prompts should trigger a mandatory legal check before anything goes live.
What's the fastest control to add first?
A trademark and IP check on any image headed for public use, plus a log of the human edits made. The first catches the infringement risk that hits your balance sheet. The second protects whatever ownership claim you can make.
The bottom line
The teams getting this wrong aren't reckless. They're treating a generated image like a free stock photo when it's legally closer to an unlicensed one. My view: the real risk here isn't a single bad image. It's the absence of any record. When a takedown notice or a buyer's due diligence arrives, the company that can show what was generated, what was edited, and what was disclosed walks away clean. The one that can't is negotiating from zero.
Governance doesn't slow good teams down. It's the difference between using these tools with confidence and using them with your fingers crossed. Put the five controls inside your existing approval flow, capture provenance, and the creative upside is yours to keep. Skip it, and you're holding risk you haven't priced.
This is the kind of work our AI compliance and risk review handles.

Sotiris Spyrou
Sotiris Spyrou is the founder of VerityAI, a Responsible AI advisory for boards and AI-deploying businesses. With 27 years across agencies, global in-house roles, and the C-suite, he advises leaders on AI governance and risk, and on answer-engine visibility engineered without the dark patterns the rest of the industry is getting penalised for. He is the author of TRANSFORM, AI Moats, and Ethical AI.
Founder at VerityAI