EU AI Act Article 50: Transparency Obligations for AI Systems Interacting with People

Article 50 of the EU AI Act applies to AI systems that interact with natural persons, AI systems that generate synthetic image, audio, video, or text content, emotion recognition systems, biometric categorization systems, and providers of GPAI systems. The obligation is to inform the person they are dealing with an AI or that the content was generated or manipulated by AI. The information has to be clear, distinguishable, in time, and accessible to persons with disabilities. The disclosure rules take effect on August 2, 2026 alongside the rest of the high-risk obligations.

The architectural requirement runs from the application UI down to the AI request boundary and to the audit trail.

I want to walk through what Article 50 actually requires in each of the named cases, where most deployments fall short, and how the disclosure obligation lands in the evidence trail the regulator expects.

Mandate

Article 50 has four operative obligations across the different categories of system.

Direct interaction with a person

Providers of AI systems intended to interact directly with natural persons must design and develop the systems so that the person is informed they are interacting with an AI system, unless that fact is obvious from the circumstances and context of use. The exemption applies only when the AI nature is genuinely obvious. A customer-service chat that uses the language and conventions of a human agent does not qualify for the exemption.

Synthetic content generation

Providers of AI systems that generate synthetic audio, image, video, or text content must ensure that the outputs are marked in a machine-readable format and detectable as artificially generated or manipulated. The marking has to use techniques that are technically feasible and effective, taking into account the prevailing techniques and the relevant industry standards. The provider, the deployer, or both, depending on the use case, have to make sure the marking happens.

Emotion recognition and biometric categorization

Deployers of emotion recognition or biometric categorization systems have to inform the natural persons exposed to the system about its operation. The information has to be given prior to the processing. The exemptions for criminal investigation under EU law apply only in narrow circumstances.

Deep fakes and AI-generated text published in the public interest

Deployers who produce or manipulate image, audio, or video content constituting a deep fake must disclose that the content has been artificially generated or manipulated. Deployers who use AI to produce text that is published with the purpose of informing the public on matters of public interest must disclose that the text has been artificially generated, unless an editorial human review has taken place and the publisher carries the editorial responsibility.

Compliance gap

Article 50 disclosures land in the user experience layer of an application. Most deployments treat the disclosure as a UX choice and stop there. The compliance gap is the absence of evidence that the disclosure was given.

The disclosure is rendered, not recorded

A bot UI that displays "I am an AI assistant" at the top of the screen has satisfied the UX side of Article 50 for a person who reads English and is looking at the right part of the screen. The disclosure is not recorded as an event that the system can produce later as evidence. When the regulator asks for proof that disclosure was given to a specific user at a specific moment, the application has no record.

Synthetic content is not marked at the generation layer

The machine-readable marking of synthetic outputs has to happen at the layer that produces the output. For LLM-generated text, that is the AI request layer. For image and audio generation, it is the same. Most production deployments generate content in one component, label it for display in another component, and do not carry the marking through the data lifecycle. A piece of AI-generated text that gets copied, forwarded, or republished loses the marking. The Article 50 obligation is on the provider to use a marking technique that is technically feasible. The current set of available techniques for text includes provenance markers in JSON metadata, structured headers, and watermarking schemes, and the marking is supposed to survive the path from generation to publication.

Deployer disclosure is missing for deep fakes

The deep fake disclosure obligation is on the deployer. A platform that hosts user-generated content where a user uploads a deep fake without disclosure has a problem the deployer's product team is supposed to solve. The architectural solution is detection at the upload boundary, the disclosure surface, and an evidence trail. Most platforms have parts of this stack and not the whole stack.

Public-interest text disclosure is missing

The text disclosure obligation hits any deployer who publishes AI-generated text on a matter of public interest. Newsrooms, marketing teams writing about regulation, advocacy groups, and government communications offices all sit in scope. The carve-out for human editorial review is narrow, and the deployer carries the burden of demonstrating that the carve-out applies.

Mandate vs Compliance

Article 50's text reads like UX requirements. The architecture that satisfies the article operates at the request boundary and produces evidence the regulator can verify.

The regulator will look for evidence

A market surveillance inspection under Article 50 will ask the deployer to produce the disclosures the system gave to a specific user on a specific date. The disclosures have to be reproducible. A UI that renders "I am an AI" dynamically based on a feature flag is not reproducible from the application's records, because the application does not record what the user saw. The marking applied to a synthetic image has to be present on the file the deployer can hand over. The pre-processing notice given to a person before an emotion recognition system runs has to be tied to the same person and event the system processed.

What surviving the inspection actually requires

A deployment that survives Article 50 inspection records the disclosure as part of the AI request lifecycle. The disclosure event is logged with the same identity context, timestamp, and decision linkage that the AI request itself produces. The synthetic content marking is applied at the request boundary, where the AI output crosses into the application's data lifecycle, and the marking is stored alongside the content. The deployer can produce, for any specific user and any specific moment, the disclosure that was given, the AI system that produced the content, and the policy under which the disclosure was triggered.

The architecture that produces this evidence also satisfies the Article 12 logging obligation for the same events. Article 50 disclosures are events. They belong in the same audit trail as the AI requests they accompany.

Vendor-supplied AI and embedded use

Article 50 applies regardless of whether the AI is built in-house or supplied by a vendor. A deployer who uses a vendor LLM to power a customer-service chat inherits the disclosure obligation. The vendor's chat widget might handle the disclosure, but the deployer is responsible for confirming that the disclosure is given, is in time, and is recorded as evidence. The disclosure produced by the vendor's widget has to land in the deployer's evidence trail for the deployer to satisfy Article 50 in front of the regulator.

DeepInspect

This is the gap DeepInspect closes between the AI request boundary and the evidence trail for Article 50 disclosures. DeepInspect sits as a stateless proxy between authenticated users or agents and the LLM endpoints. Every request and response passes through the enforcement layer. For deployments subject to Article 50, the enforcement layer records the disclosure event alongside the request that triggered it, so the deployer has a per-decision audit record showing that the AI was disclosed and what the disclosure said.

For synthetic content generation, the proxy applies the marking at the boundary where the AI output crosses into the application and records the marking action as part of the audit trail. For emotion recognition or biometric categorization use cases, the proxy enforces the pre-processing notice as a policy and records the notice event as evidence.

If you are deploying AI that falls under Article 50 and your disclosure posture is a rendered UI element with no evidence trail, the August 2 deadline turns the missing evidence into a regulator-facing exposure. Book a demo today.

Beyond Article 50

The disclosure pattern Article 50 mandates appears in adjacent regimes under different names. The California AI Transparency Act requires AI systems with more than one million monthly users to disclose AI use and provide manifest and latent disclosures on generated content. The Texas Responsible AI Governance Act requires disclosure when a person interacts with an AI system in certain contexts. The Fannie Mae LL-2026-04 framework requires lenders to disclose use of AI in mortgage processes on demand.

The architecture that satisfies Article 50 produces the evidence each of these regimes expects, in their own vocabulary. The provenance markers, the disclosure events, and the linkage from AI request to user interaction become the per-decision evidence trail the regulator can verify.