The Mark That Was Promised

The same week NIST proved the guardrail does not close, the EU shipped an icon for AI-generated content. The mark assumes an origin the deployment pattern has stopped producing.

On June 10, 2026, the European Commission and the EU AI Office published the final Code of Practice on Transparency of AI-Generated Content. The Code operationalizes Article 50 of the AI Act. It runs two sections, one for providers of generative AI systems and one for deployers. It ships an official EU icon set in four variants. It sets a signature deadline of 22 July 2026 and an applicability date of 2 August 2026, with a transitional period to 2 December 2026 for systems already on the EU market.

The publication arrived one day after the National Institute of Standards and Technology released a peer-reviewed mathematical proof that no finite guardrail set is universally robust against adversarial prompts. The two artifacts share a calendar week. They do not share a frame.

NIST's proof says the guardrail cannot close. The EU's Code names the artifact (an icon, a marking, a label) that the deployer must apply to communicate to a recipient that the content was produced by an AI system or modified by one. The icon assumes the deployer can answer a binary question. Was this content produced by a human or by an AI. If the answer is AI, the icon is applied. If the answer is human, the icon is not. The two-state model is the unstated foundation of the entire transparency regime.

The deployment pattern is no longer two-state.

What the Code names, and what it does not

The Code is well constructed within its assumptions. Section 1 binds providers of generative AI systems to mark AI-generated audio, image, video, and text content in a machine-readable format compatible with automated detection. Section 2 binds deployers of generative AI systems to apply the EU icon set, or an equivalent label, to deepfake content and to AI-generated text published to inform the public on matters of public interest. The icon set distinguishes between content that is fully AI-generated and content that is partially AI-modified. The Code reserves carve-outs for evidently artistic, satirical, fictional, or creative works, for law enforcement use, and for AI-generated text that has undergone human review or editorial control.

The Code does not address one question. What is the deployer supposed to do when an AI agent acting on the deployer's authorization produces a draft, the human signs off without meaningful review, and the published artifact is then asked, in good faith, whether it was AI-generated.

The two-state model says the artifact is either AI-generated or it is not. The audit model the Code rests on says the deployer knows which. The deployment pattern that NIST's proof formalizes, and that every Frontier red team report in 2026 is documenting, is that the deployer increasingly does not know. The agent decomposed the task. The agent drafted the content. The agent passed the draft through an internal compliance check the deployer's organization configured but no human in the loop reviewed. The human authorized the session. The agent did the work. The human pressed publish.

The Code's icon set has no slot for that case. The deepfake icon does not apply because no person was impersonated. The fully-AI-generated icon does not apply because the human authorized the content. The partially-AI-modified icon does not apply because the modification was not the editorial gesture the icon was designed to communicate. The category the icon set is missing is the category of content whose origin cannot be reliably attested, by the deployer, after the fact.

The high-stakes case the icon set cannot mark

Consider a concrete pattern. A financial advisory firm in Berlin authorizes its internal agent platform to draft client communications. The platform is configured to draft, check, and send. A human compliance officer reviews a statistical sample of outbound messages each quarter. The agent platform draws on the firm's policy library, the client's portfolio history, and the relevant regulatory disclosures. The agent produces a recommendation. The recommendation is sent.

A client in Munich receives a recommendation to rebalance her retirement portfolio into a specific structured product. She reads the communication. She acts on it. The product underperforms. Six months later, in the course of a regulatory review by BaFin under MiFID II suitability rules, an inspector asks the firm to produce the basis for the recommendation. The firm produces the agent's output and the policy library the agent referenced.

The inspector asks the next question. Who at the firm reviewed this recommendation before it was sent. The firm produces the compliance officer's quarterly sample. The Munich client's message was not in the sample.

The inspector asks the third question. Was this communication marked under the AI Act's Article 50 transparency obligations as AI-generated.

The firm cannot answer.

It cannot answer not because it does not want to, but because the firm's own internal record does not separate the agent's draft from the agent's send. The agent acted under the human's authorization. The human did not see the artifact. The artifact was published, in the regulatory sense, to a person whose interests Article 50 was designed to protect. The icon set has no representation of the case the firm is now standing inside. The Code's two carve-outs do not apply. The text was not artistic. It was not subjected to human review of the editorial kind the carve-out contemplates.

A reasonable inspector may decide the firm should have marked the content. A reasonable inspector may decide the firm should not have deployed an agent that publishes financial advice without per-message human attestation. A reasonable inspector may decide that the firm's deployment pattern is itself the failure, and that the marking question is downstream. None of these outcomes is good for the firm. All of them turn on a fact pattern the Code's icon set was not designed to capture.

The structural point is not that the firm did something wrong. The structural point is that the Code's transparency obligation rests on a model of authorship the firm's deployment pattern has stopped producing, and the firm cannot retroactively reconstruct the origin signal the Code presumes it has. The mark assumes the deployer can attest to origin. In the deployment pattern that is now economically dominant, the deployer often cannot.

Why the gap matters before the dates close

The Code's three calendar dates compress the available time to close this gap. Signature window closes 22 July 2026. Article 50 applicability begins 2 August 2026. Transitional period ends 2 December 2026. Inside that window, every deployer of a generative AI system that produces public-facing content has to decide what its origin-attestation posture is. The Code provides the marking schema. It does not provide the attestation infrastructure.

The attestation infrastructure is what determines whether a deployer can answer the inspector's third question. Attestation, in the technical sense, is a signed claim, made at the moment the artifact is produced, recording which actor produced it, under whose authority, against which policy, with what evidence. The Code presumes the deployer has this. The deployment pattern is producing artifacts at a tempo and through a delegation structure that does not, by default, generate this. Building it after the fact is not a marking exercise. It is a substrate exercise.

The gap is visible most clearly in the cases that have the highest impact when they fail. Financial advice. Medical guidance. Legal communication. Public-interest journalism. Election-period political content. In each of these categories, the Code's icon would be the visible artifact a reader sees. The attestation that the icon is supposed to summarize is the artifact a regulator, a court, a board, or a counterparty will eventually demand. The summary cannot be retrieved if the underlying record was never produced.

The institutional record has now placed three signals next to each other in the same week. NIST has proved the guardrail does not close on its own. The EU has named the marking obligation that ships an icon set. The deployment pattern has moved past the two-state model the marking obligation presumes. The deployer is, on paper, ready to comply. The deployer is, on the artifact's substrate, often not.

What remains on the table:

• If the icon set has no slot for content whose origin cannot be attested by the deployer, what category does the deployer apply, and who decides whether that application was adequate when the inspector asks the third question?
• If attestation is a substrate problem and the Code is a marking obligation, which actor in the EU regulatory architecture is responsible for closing the gap between the two, and on what calendar?
• If the deployment pattern that is now economically dominant produces artifacts at a tempo and through a delegation structure that the Code's authorship assumption cannot capture, what intermediate disclosure mechanism does the buyer of an AI-deployer's service have available to verify the deployer's posture before relying on it?
• If three calendar dates close inside six months and the gap between marking and attestation is real, which industries are most exposed to a regulatory finding that the marking was applied to content the deployer cannot actually account for?

The policy instruments and the deployment tempo are not aligned. The mark has been promised. The attestation the mark presumes has not yet been built into the substrate that produces the artifacts the mark is supposed to identify.