Below the abstraction layer, three months on
Three developments this quarter are usually tracked separately. Read together, they describe the same convergence the Cupel manifesto argued for back in May: provenance, credentialing, and human oversight are becoming one regulatory and market problem.
Regulation.The EU AI Act's high-risk obligations, including Article 14 human oversight and Article 50 content provenance disclosure, reach their enforcement deadline in August 2026. Organisations deploying agentic AI in healthcare, credit, employment, or critical infrastructure now have a legal — not just ethical — obligation to demonstrate a human who can meaningfully oversee the system, and to disclose when content was AI-generated.
Provenance infrastructure.C2PA's content credentials continue to gain adoption across major platforms, and the IPTC 2025.1 and C2PA standards are converging as the technical answer regulators are pointing to for machine-readable AI disclosure. The plumbing for "what was AI-generated" is maturing faster than the plumbing for "who is the accountable human."
Credential integrity.Gartner's forecast that one in four candidate profiles could be entirely AI-fabricated by 2028 is no longer a distant projection — it is the direction the data has been moving since 2025, alongside a U.S. credential count that grew from 334,000 in 2018 to 1.85 million by 2025 with falling HR confidence in what any of them mean.
The obligation to disclose what AI did (provenance) is arriving faster than the ability to verify who can be trusted to check it (credentialing), and both are arriving faster than most organisations' capacity to identify that person at all. That ordering is precisely the gap this framework is built to close, and precisely why it needs to be revisited every few months rather than argued once and left alone.