Strategy
AI agent provenance: four guardrails after the Pentagon story
The Pentagon ran an AI propaganda mill aimed at Latin America. If your business sends AI-written email, your inbox just got harder. Here is what to change.

The invoice chase agent at a Rotterdam logistics company sent its 312th email this week. Three replies came back. Two said "please remove me from your list." One was from a journalist who wanted to know, on the record, who wrote the message. Provenance, in other words, and on a deadline.
The agent did. A small fine-tuned model behind a templating layer, polite, accurate, on brand. The operator who set it up was on holiday in Skåne. The journalist did not get a reply for a day and a half because nobody on the team could answer the provenance question quickly enough to risk a quote.
That is a normal week for a Dutch SME running outbound automation in 2026. It is also exactly the week the Pentagon got caught running an AI propaganda mill aimed at Latin America. The two facts do not look related until you read the next paragraph in the trade press: platforms will tighten, regulators will ask questions, and the burden of proving provenance lands on every operator with a queue of outbound messages.
Why a Pentagon story lands on your inbox
The short version of the disclosure: a US military programme used AI to manufacture social and email content at scale, with no labelling and no audit trail. It is the kind of story that does not change the law overnight but changes everyone's default posture toward automated outbound. Email providers ratchet down on signals they were already watching. The EU AI Act transparency obligations, already on the books for synthetic content, get a fresh political wind. Recipients start clicking "report" instead of "delete," and the provenance question lands on you.
If your business runs an email agent that chases invoices, an SDR that books meetings, a chat agent on your homepage, or a voice agent that calls leads back, you now share an operational category with the thing on the front page. Not morally. Mechanically. The plumbing is the same.
The four guardrails below are what we now wire in by default on every outbound agent we ship. They cost a few hours of engineering. They will save you a week of explaining yourself.
Content credentials on every outbound artifact
The C2PA standard (Content Credentials) is the closest thing we have to a provenance passport for generated content. Every image, PDF, and increasingly every message can carry a signed manifest that says: this was produced by model X, under operator Y, at time Z, with these inputs. The signature is cryptographic. You can verify it without trusting the publisher.
For an outbound agent that drafts proposals or sends quoted invoices, sign the artifact at generation time. For email itself you cannot yet sign the rendered HTML in a way Outlook respects, so attach a small JSON-LD block to the message and a signed PDF for any document you ship. The cost is one library and one signing key. The benefit is that when a recipient (or their lawyer) asks "did a machine write this?", the answer is a verifiable yes with a receipt, not a defensive paragraph.
{
"@context": "https://c2pa.org/ns/credential/v1",
"type": "ContentCredential",
"issuer": "did:web:abn.company",
"assertions": {
"c2pa.actions": [
{ "action": "c2pa.created", "softwareAgent": "outbound-agent v1.3.2" },
{ "action": "c2pa.translated", "languages": ["nl", "en"] }
],
"c2pa.ai_generative_use": "training-mining-prohibited",
"operator": "ops@example.com",
"campaign_id": "invoice-chase-2026-W23",
"generated_at": "2026-06-06T09:14:22Z"
},
"signature": "ed25519:5jK..."
}
An audit log you would actually show a regulator
The Pentagon story was not damaging because the content was bad. It was damaging because the provenance was missing: there was no audit trail anyone could examine. The same will be true for a Dutch B2B that ends up in a complaint to the Autoriteit Persoonsgegevens. You want the answer to "what did you send to this person, when, why, and on whose authority?" to be a one-line query.
What we log per outbound message: the inbound trigger (CRM event, replied thread, manual approval), the model and version, the system prompt hash, the rendered output, the recipient ID, the operator who authorised the campaign, and the human review state. We store it in append-only Postgres with daily off-site snapshots. We retain for 18 months. None of this is exotic. It is the same evidence chain you keep for a procurement decision, applied to messages.
One detail people miss: if your agent retries a failed send, log the retry as a distinct event with its own timestamp. The most common audit failure we see is one row in the database for what was actually three deliveries to the same recipient.
Honest disclosure inside the message
European recipients are about ten months ahead of the law on this one. They already know. The polite four-sentence English email at 07:42 with no typos reads as automated whether you label it or not. Labelling it costs you nothing and earns you the only thing that actually matters in outbound, which is replies that are not hostile.
Our default footer for an automated outbound message looks like this:
<p class="automation-disclosure">
Sent by an automated assistant on behalf of
<a href="mailto:ops@example.com">Anna van Dijk, Operations</a>.
Reply directly and a person will read it.
<a href="https://example.com/automation">How this works</a>.
</p>
The link points to a one-page explainer that names the model the agent uses, the data it has access to, the opt-out path, and the way to reach a human. We have measured this on three outbound programmes since November. Disclosed agents get a slightly lower reply rate (about 6 percent relative) and a much higher quality of reply. Hostile complaints fall to roughly a quarter of the previous baseline.
A human signature on intent, not just on send
The most expensive mistake we have watched founders make in 2026 is conflating "the agent sent it" with "the agent decided to send it." A regulator will not. A judge will not. Your customers do not.
So we separate the two. Every outbound campaign has an intent signature: a named human, with a timestamp, approving the goal of the campaign, the audience selection, and the message template. The agent then runs against that signature, which becomes the top of its provenance chain. If the campaign drifts (new audience, new template, new model), the signature is void and the agent stops. This is one row in a campaigns table with a foreign key on every message. It costs nothing. It is the difference between "automation our team set up" and "an unsupervised system," and that distinction is doing a lot of legal work over the next eighteen months.
For high-risk segments (regulated industries, journalists, civil servants) we add a second gate: the agent drafts but does not send. The drafts queue in a Slack channel for the operator to release. Yes, it is slower. Yes, it stops you ending up on the front page.
What separates a legitimate outbound agent from a propaganda mill is not the model. It is the audit trail, the disclosure, and the named human on the campaign. Build those three and the model is just plumbing.
What to ship this week
Read EU AI Act article 50 on transparency obligations for synthetic content. It is two pages. Then walk over to whatever drafts your outbound and answer four provenance questions on paper. Where is the signed artifact. Where is the audit log. What does the disclosure say. Who signed the intent.
When we built the invoice-chase agent for a Dutch logistics client (peak inbox: about 1,400 chase emails a month), the thing we ran into was that their CRM had no concept of campaign intent, so every message looked like a one-off with no provenance to point at; we solved it by adding the signature as a lightweight table next to their existing pipeline and threading the foreign key through the agent. If you want help wiring the same pattern into your own stack, that is the work we do on AI agents.
The smallest thing you could do today: pick one outbound agent and write its disclosure footer. Not the legal version. The one a customer would actually read. Put it live tomorrow.
Key takeaway
What separates a legitimate outbound agent from a propaganda mill is not the model. It is the audit trail, the disclosure, and the named human on the campaign.
FAQ
Does C2PA work for email body content yet?
Not reliably. Sign attached PDFs and add a JSON-LD block in the email body. Native email signing is moving but no mainstream client renders it as a trust signal yet.
How long should I retain the outbound audit log?
We default to 18 months. Long enough for most regulatory windows and complaint cycles, short enough to keep GDPR conversations simple. Adjust to your sector.
Will an automation disclosure footer hurt my reply rate?
A little. In three outbound programmes we measured, total replies fell about 6 percent relative, while hostile replies and complaints dropped to roughly a quarter. Net quality improves.