Published by Narrative Industries | Updated May 2026
This post is intended to be read in the context of our post about The Fundraising Regulator’s guidance on AI. The guidance includes a an easily overlooked but significant warning: bad actors may use AI to misappropriate your fundraising content for criminal, immoral or unethical purposes.
It then mentions “Where proportionate to the risk and feasible for you, consider using appropriate methods of content credentialling (authenticating) your fundraising intellectual property to show your ownership.”
Most people have never heard of content credentials. Why would they? So this post is intended as a not-too-technical explanation of what they are, why they matter and, critically, where their limits are.
What content credentials are
Content credentials are a form of verifiable metadata embedded into a digital file. They record: who created the file, when, with what tool, and whether it has been altered since. That record is cryptographically signed, meaning it cannot be quietly changed without breaking the signature.
The underlying technical standard is called C2PA – The Coalition for Content Provenance and Authenticity. Adobe, Microsoft, Google, the BBC, Sony and others established it. It is increasingly built into mainstream creative tools and publishing platforms.
Think of it like a digital certificate of origin attached to the original file. Anyone with access to that file can verify it came from you, when, and in what state.
The problem they are intended to solve
AI tools can now generate convincing video of a person from a still photograph, clone a voice from a short audio clip, and produce imagery (practically) indistinguishable from a real photograph. The cost is low. The barrier to entry is effectively zero.
For charities, the specific risk is impersonation: a fake appeal using your CEO’s face, your brand, your donor’s trust. Fraudulent fundraising using AI-generated content is not hypothetical – For charities, the specific risk is impersonation: a fake appeal using your CEO’s face, your brand, your donor’s trust. Fraudulent fundraising, marketing, and other scams using AI-generated content is not hypothetical – It is already happening, and it will get easier.
The question is how member of the public, a donor, a journalist, a regulator, or a platform can tell the difference between content your charity actually produced and content someone made to look like it came from you.
Content credentials are part of the answer to that question. But only part.
How it works in practice
When you export an image, video, or document from a C2PA-compatible tool, credentials are embedded automatically or on request. Those credentials travel with the file.
Anyone can verify them using the Content Credentials Verify tool at contentcredentials.org. No account needed. Upload the file, and it returns the provenance record.
The main tools currently supporting C2PA credentials:
Adobe Creative Cloud (Photoshop, Lightroom, Premiere, Express): credentials can be attached on export. This is the most accessible route for charities already using Adobe tools.
Microsoft: Bing Image Creator and Designer attach credentials automatically. Azure media services support C2PA for enterprise use.
Truepic: a dedicated content authentication service used by news organisations and NGOs for field photography and video.
Leica, Nikon, Sony: select camera models now embed C2PA credentials at capture, before any editing.
The big limitation you need to be aware of
A shortcoming with C2PA that you need to know about is every major social platform – Facebook, Instagram, TikTok, X, YouTube, etc – strips metadata from files on upload, and that removes the content credentials. This is not done for malicious reasons; it is how their infrastructure works, and is done to reduce file sizes and speed downloads. But the upshot means content credentials offer no protection for content shared on social media, which is where a lot of charity fundraising content lives.
That’s not ideal. But Content credentials are still effective for:
Direct distribution: content downloaded from your own website, shared as an original file, or distributed via email. The credentials travel with the file when the file itself is what’s being shared.
Original asset verification: if someone claims a piece of content is yours, or disputes whether a circulating fake is real, you can produce the credentialled original and prove it. The presence of credentials on your master file establishes provenance; the absence of credentials on a claimed copy is itself a signal worth noting.
Internal governance: a credentialled asset library gives you a documented record of what your charity actually produced and when.
Ultimately, Content credentials are not a real-time trust signal for donors scrolling through their feed. They are a provenance record for your original assets and it may not be “proportionate to the risk and feasible” for many charities.
What the Fundraising Regulator actually expects
The guidance describes content credentials as a measure to consider “where proportionate to the risk and feasible for you.” That wording is well chosen & deliberate. The Regulator is not mandating this for every charity. They are flagging it as a tool worth knowing about & considering when relevant.
Proportionate means asking: which of our assets, if convincingly faked, would cause the most damage?
For most charities that might be: video appeals featuring named individuals, celebrities, photography used in major campaigns, and official communications asking for money. These are the master assets worth credentialing, but not every social media post, or email graphic.
What to do next
Assess your exposure. Video featuring your CEO, patron, or beneficiaries is your highest-risk asset. Major campaign imagery is next. Start there.
Check your existing tools. If your team uses Adobe Creative Cloud, content credentials are already available as an export setting. Check whether it is enabled. As of date of publishing this post, Canva has not publicly announced support for C2PA (although it does, ironically, add C2PA to its AI generated imagery).
Protect originals, not copies. The value of credentials is in your master files. Establish a practice of credentialling assets at export, before they enter any distribution channel.
Add it to your AI policy *if* proportionate to the risk and feasible. The Fundraising Regulator requires charities to have an AI policy before using AI tools for fundraising. That policy should address how your charity protects its content from AI-enabled misuse, including whether and where you apply content credentials to original assets.
Don’t oversell it to donors. Given that social platforms strip credentials on upload, avoid implying that donors can routinely verify your content in the wild. A more honest position would be: you credential your originals, and anyone who receives or downloads a file directly from you can verify it, but that does not extend to content on social media.
A note on donor data
Content credentials protect published assets – the things you put into the world. They are not a tool for protecting donor data held in your CRM or exported for analysis. Those are data security and governance questions, governed by UK GDPR and your data handling policies.
If you are using AI for donor data analysis, the questions to ask are different: which tools are approved, at what tier, with what data processing agreements in place. That is a separate conversation but an equally important one.
Where Narrative can help
We help charities develop AI policies, AI strategies, and digital governance frameworks that hold up in practice. If you want to understand what proportionate protection looks like for your organisation, including content credentials, approved tool lists, and data handling policies, get in touch.
Sources: Fundraising Regulator, Guidance for using artificial intelligence in fundraising (December 2025); C2PA specification, Coalition for Content Provenance and Authenticity; contentcredentials.org.