MarkProof — disclosure ledger for EU content agencies

1. One-liner

Detects, marks, and logs every AI-generated asset an agency publishes so it survives an EU AI Act Article 50 audit.

2. Trend signal — why now?

On 2 August 2026 the transparency obligations of the EU AI Act (Article 50) become enforceable. Any image, video, audio, or text that was generated or manipulated by AI and made publicly available in the EU must carry a clear visible disclosure and a machine-readable mark, at the latest at first exposure. The legally responsible party is the deployer — the advertiser, brand, or agency that publishes the content — not the AI tool vendor. Penalties: up to €15M or 3% of worldwide turnover, plus personal liability exposure for executives in cases of gross negligence.

Two things changed in the last 90 days that make a focused tool buildable now:

1. The European Commission published draft Article 50 implementation guidelines on 8 May 2026, turning a vague principle into concrete operational requirements (inventory, machine-readable marking, audit-ready documentation).
2. The provenance plumbing went off-the-shelf: OpenAI shipped C2PA + SynthID + a public “Verify” detection tool on 19 May 2026; Adobe’s Content Authenticity API (Oct 2025) and Microsoft’s M365 C2PA tagging (Feb 2026) are live. Reading and writing provenance signals is now an API call, not an R&D project.

Every EU-facing agency law-firm advisory I read says the same thing: the advertiser/agency is on the hook, must keep an inventory of AI creative with tool provenance, and must produce proof of compliance on inquiry. Nobody is shipping a cheap tool that does this for a 12-person shop.

Provenance:

• Signal 1 (Demand): Legal/marketing advisories warn agencies are “deployers,” personally liable, and must keep AI-creative inventories + proof of disclosure — https://www.auditsocials.com/blog/eu-ai-act-article-50-advertising-compliance-2026-synthetic-content-labeling-marketer-obligations-enforcement — 2026-06
• Signal 2 (Feasibility): OpenAI shipped C2PA + SynthID + public “Verify” detection (19 May 2026); Adobe Content Authenticity API + Microsoft M365 C2PA tagging live — https://openai.com/index/advancing-content-provenance/ — 2026-05-19
• Signal 3 (Economic): Article 50 enforceable 2 Aug 2026; fines up to €15M/3% turnover; Commission draft guidelines 8 May 2026 force compliance spend — https://artificialintelligenceact.eu/article/50/ — 2026-05-08 Category: Regulatory arbitrage

3. The opportunity

The compliance burden lands on a population that has no tooling for it. The AI-governance vendors that exist today — Straiker, WitnessAI, Splunk, Centraleyes — are enterprise model-governance platforms: they inventory your models, govern your agents, map you to ISO 42001 and NIST AI RMF. They are sold to CISOs and cost five-to-six figures. None of them care about a Hamburg performance-marketing shop that pushes 400 AI-touched creatives a month across Meta, Google, TikTok, a CMS, and six client newsletters and now has to prove each one was disclosed.

That agency’s current workaround is a spreadsheet and a prayer. The pain is concrete: not “do AI governance,” but “when our biggest client’s legal team or a Datenschutzbehörde asks, can we show that every AI asset we ran for them carried the right disclosure and a machine-readable mark, with a timestamp?”

The wedge is the gap between generation and publication. Providers (Firefly, DALL·E) sign content at generation. But the disclosure obligation attaches at publication, across channels the provider never sees — a cropped export, a re-encoded reel, an email image, a CMS upload that strips metadata. Someone has to watch the published surface and keep the ledger. That’s not a model-governance problem; it’s a workflow-and-records problem an AI-first team can own.

4. Target market

• Primary customer: EU-serving digital, performance, and content marketing agencies, 5–50 staff, running paid social / display / content for multiple clients. Secondary: in-house content/brand teams at EU SMBs and mid-market companies (the legally liable “deployer”).
• Why they buy: “We’re the deployer, so we’re legally responsible for our clients’ AI disclosures, and our client contracts now push that liability onto us. If we can’t produce proof on demand, that’s a €15M-ceiling fine and a lost client — and our MD is personally exposed for gross negligence.” Compliance is no longer optional or future-tense; it has a date.
• Rough TAM reasoning: The EU has well over 100,000 marketing/communications agencies; even narrowing to ~20,000 that publish AI creative at meaningful volume for EU audiences, capturing 1–2% at €100–150/mo is a €25–45M ARR ceiling. More than enough for a 1–3 person bootstrap targeting a sub-$5M slice.
• Why now for them: The 2 Aug 2026 deadline. Agencies are running the Commission’s prescribed four-phase prep (inventory → technology → governance → operations) right now, April–July 2026, and discovering they have no tool for the inventory and proof phases.

5. Product sketch (MVP)

• Connect your surfaces: link the channels an agency already publishes to — Meta Ads, Google Ads, a CMS (WordPress/Webflow), Mailchimp/Brevo, and an asset folder (Drive/Dropbox) — per client workspace.
• AI-asset detection: for each published or queued asset, read provenance signals (C2PA / SynthID via the providers’ detection APIs) and flag likely-AI assets that lack a mark, so nothing slips out undisclosed.
• Disclosure enforcement: apply or verify the required visible label (the platform-appropriate “AI-generated” disclosure) and confirm machine-readable C2PA metadata is intact after export/re-encode.
• Per-client compliance ledger: an immutable, timestamped log — asset, client, channel, AI tool used, disclosure status, who approved — exportable as an audit-ready PDF for a client legal team or a regulator inquiry.
• Pre-flight gate: a campaign-launch checklist that blocks “publish” until every AI asset in the batch is marked and logged.
• Policy tracker: alerts when the Article 50 guidance, a platform’s labeling UI, or a member-state transposition changes what “compliant disclosure” means.
• Client-facing report: a monthly “AI disclosure compliance” summary the agency can hand to each client as a value-add (and liability shield).

6. AI angle — what’s load-bearing

Two AI jobs, both load-bearing:

1. Detection/classification. Provenance metadata is routinely stripped by re-encoding, cropping, and CMS uploads. The product must infer “this published asset is probably AI-generated and is missing its mark” using a mix of provenance-signal reading and visual/text AI classification — then re-attach the disclosure. Without the AI classifier, you’d only catch assets that already carry intact metadata, which is exactly the easy case nobody needs help with.
2. Policy interpretation. Article 50, member-state transpositions, and each platform’s own labeling mechanics are a moving, jargon-heavy target. An LLM layer that maps “here’s the asset, here’s the channel, here’s the audience” to “here’s the specific disclosure you owe and whether you’ve met it” is the difference between a checklist and a product. Remove the AI and you’re left with a spreadsheet — which is the status quo this replaces.

7. Localization angle (if any)

This is an EU-native play, and that’s the moat-by-focus. Article 50 is an EU regulation; member states transpose and enforce it differently; disclosure wording must work in 24 official languages; the liable-party logic is specific to the EU “deployer” definition. A generic global “AI content checker” can’t price or position for “we keep your German DSB-ready audit binder in German.” Pricing in € at agency-SMB tiers (€49–199/mo) where enterprise governance suites (5-figure ACVs) can’t reach is itself the arbitrage.

8. Business model — path to $1M–$5M ARR

• Pricing: €99/mo Starter (1 agency, up to 5 client workspaces, core ledger + detection), €249/mo Pro (unlimited clients, pre-flight gate, white-label client reports), €499/mo Agency+ (multi-seat, API, priority policy alerts).
• ACV: ~€1,800 blended (mix skews to Starter/Pro early).
• Rough math to $1M ARR: ~560 agencies × €150/mo × 12 ≈ €1.0M. That’s ~0.5% of a conservatively-sized EU agency base — believable inside 18 months given a hard deadline pulling demand forward.
• Rough math to $5M ARR: 2,300 agencies at a higher Pro/Agency+ mix (€180 blended), plus a usage line for high-volume asset scanning. Requires becoming the default “Article 50 evidence” tool referenced in agency–client contract templates.
• Expansion path: per-client-workspace pricing grows with the agency’s roster; add adjacent obligations as they activate (chatbot/text disclosure, member-state e-label specifics); upsell a “regulator-ready binder” export and an embeddable disclosure-status badge clients can show.

9. Go-to-market wedge — first 100 customers

• Ride the deadline, not SEO. The 2 Aug 2026 date is the campaign. Scrape the member directories of national agency associations (BVDW in Germany, AACC in France, IAB Europe member lists) — these are public lists of exactly the liable population. Cold email a 90-second Loom: “Here’s the asset your last campaign published with no AI mark. Here’s the €15M reason that matters by August. Here’s your audit binder in one click.” Personalize with a real flagged asset pulled from the prospect’s public site/ad library — expect a high reply rate when the demo is their own exposure.
• Co-sell through the people already scaring them. EU marketing-law/GDPR consultancies and DPOs are publishing Article 50 explainers and have no tool to recommend. Offer them a referral/white-label cut to hand MarkProof to every agency client they’re advising.
• Own one channel’s community first. Launch in the German agency market (clearest enforcement culture, BVDW reach, highest fine anxiety), via a webinar with one well-known agency-law firm + a Product Hunt / LinkedIn launch aimed at agency owners, then expand FR/NL/Nordics.

10. Build complexity — justification

Medium. The provenance reading (C2PA/SynthID detection), channel connectors (Meta/Google Ads APIs, CMS, email, Drive), and the ledger/export are all standard integration + web-stack work; provenance and detection are now off-the-shelf APIs. The genuinely custom pieces are the AI classifier that catches de-marked assets and the policy-mapping layer that stays current with Article 50 + member-state nuance. A focused pair can ship a credible v1 (2–3 channels, detection, ledger, pre-flight) in ~10–14 weeks, in time to sell against the August deadline.

11. Gating checklist

Gate	Pass?	Note
Legal in target market	✅	The product enables compliance with EU law.
Ethical — no harm / dark patterns	✅	Pro-transparency; helps disclose AI honestly.
Market exists (evidence above)	✅	Hard deadline, named liable population, fines.
1–5 person team can build this	✅	Medium complexity; pair ships v1 in a quarter.
Launchable with <$50K / ₹40L	✅	API + web stack; main cost is dev time.

12. Feasibility score

Axis	Weight	Score	Notes
Problem intensity	20	15/20	Real, dated, money-and-liability-backed pain — but felt acutely only by higher-volume AI publishers; long tail can ignore it until enforcement bites.
Demand evidence	15	12/15	Multiple independent legal/marketing advisories + a hard fine; weaker on direct “agency begging for this tool” verbatim quotes.
Build feasibility	15	11/15	Provenance/detection off-the-shelf; classifier + multi-channel connectors + policy layer are the real work.
Distribution clarity	15	11/15	Named public lists (agency associations), deadline-driven cold outreach, DPO co-sell. Conversion math still unproven.
Revenue mechanics	15	11/15	Pricing fits agency wallets; €1M path needs <1% penetration. Churn risk once first audit panic passes.
Time to first revenue	10	8/10	Deadline pulls demand forward; a pre-deadline pilot can convert in weeks.
Defensibility	10	5/10	Workflow lock-in + per-client ledger history + EU policy fluency. But providers/platforms could absorb “disclosure done for you,” compressing the wedge.
Total	100	73/100

13. Qualitative modifiers

Founder-fit tags

technical-heavy · domain-expertise-required

Key assumptions to validate (3–5)

1. Assumption: EU agencies will pay €100–250/mo to prove disclosure, not just do it (i.e., the audit-trail/liability-shield is the real buy). How to test: 25 cold demos to German/French agency owners with their own flagged asset; measure how many ask “can it give me something to show a regulator/client?” unprompted and pre-order.
2. Assumption: Detecting de-marked AI assets reliably enough to be trusted is achievable with off-the-shelf provenance APIs + a classifier. How to test: build the detector on a labeled set of 500 real published creatives; target ≥90% precision on “AI, unmarked” before selling.
3. Assumption: The deployer-liability framing holds and agencies (not just brands) feel personally on the hook. How to test: interview 5 EU marketing-law/DPO advisors on who their agency clients believe is liable and whether contracts are shifting that risk onto agencies.
4. Assumption: Providers/platforms won’t fully auto-solve publication-time disclosure before launch, collapsing the wedge. How to test: monitor Meta/Google/TikTok labeling roadmaps and C2PA persistence through their pipelines for 30 days.

Risk flags

1. Platform-dependency risk: Reliant on provider detection APIs (OpenAI Verify, Adobe, SynthID) and on ad/CMS platform connectors. A pricing or access change upstream hits the core feature.
2. Provider-eats-feature risk: The biggest threat. If publishing platforms make persistent, automatic, compliant disclosure native, the “enforcement” half of the value erodes — leaving only the ledger/audit half. Lean into the per-client evidence binder, which platforms won’t build.
3. Regulatory-timing risk: EU has shown willingness to extend/soften AI Act deadlines. A slip past Aug 2026 cools the urgency that drives the cold-outreach conversion. Mitigate by selling the audit binder as useful regardless of date.
4. Demand-shallowness risk: Many small agencies may under-react until the first public enforcement action, lengthening the sales cycle for the long tail.

14. Structured verdict

Score:                  73/100
Verdict:                GO
Confidence:             Medium
Best-fit builder:       Technical founder fluent in EU compliance + ad/martech APIs, paired with an EU marketing-law advisor
Time to revenue:        8–12 weeks (deadline-pulled; pre-Aug-2026 pilots)
Capital to launch:      ₹4–8 lakh ($5–10K) — mostly dev time + API costs
Top 3 assumptions to validate first:
  1. Agencies pay for PROOF (audit binder), not just labeling — 25 cold demos with each prospect's own flagged asset
  2. ≥90% precision detecting AI, unmarked assets on 500 real creatives before selling
  3. Deployer liability genuinely lands on agencies (contracts shifting risk) — 5 DPO/martech-law interviews
Kill criteria:
  - Abandon if <10% of 50 cold-outreach demos pre-order or pilot before the August deadline
  - Abandon if major publishing platforms ship native, persistent, audit-grade disclosure that removes the enforcement need before v1
  - Abandon if EU defers Article 50 enforcement >12 months AND the standalone audit-binder pitch fails to land in pilots

15. Next step — 1-week validation sprint

• Day 1–2: Build a throwaway detector — feed 50 real EU agency ad creatives (pulled from public ad libraries) through provenance/detection APIs + a quick classifier; produce a one-page “here’s what’s AI and unmarked on your account” for 20 named agencies.
• Day 3–4: Cold-email those 20 agencies their own report with a Loom: “This is your Article 50 exposure. Want the audit binder?” Book demos.
• Day 5: Decide go / no-go on a falsifiable bar: ≥4 of 20 agencies book a paid pilot or pre-order after seeing their own flagged exposure. Below that, the proof-not-labeling thesis is wrong — revisit or kill.