NBA Brand AI Control PlaneRed-team research • July 17, 2026

Red-team research • Decision document

Governed generative image production for NBA brand and event communications

A research-backed operating model for rights, brand fidelity, transparency, safety, approval, publication, and post-release accountability.

Prepared for league stakeholders90-day evidence-gated pilotPublic release requires certificationLegal conclusions require counsel
Decision

Proceed — but change the product definition.

Operating principle

Generate atmosphere. Compose identity. Verify rights and facts. Disclose synthetic origin. Certify the release. Monitor the published asset.

Executive synthesis

The model is not the control plane

The capability should be funded and governed as a rights, policy, evidence, assurance, and controlled-publication platform. Image generation is one replaceable component inside that system.

01
6
Material red-team findings
3
Critical design corrections
90
Days in the proposed evidence-gated pilot
L0–L1
Initial allowed likeness modes

Generation may create

Bounded atmosphere, abstract environments, lighting, basketball motifs, textures, and authorized environmental edits.

Generation may not decide

Rights, player-likeness permission, exact identity, current facts, sponsor compatibility, legal disclosure, or publication authority.

Release is certified by

Authoritative evidence, deterministic rendering, independent assurance, risk-tiered approval, and a signed certificate bound to the exact output.

Diagram showing generation bounded by governed identity, rights, evidence, validation, approval, and publication controls.
Figure 1. The governed control boundary. Generation creates variation inside a permissioned perimeter; it does not establish that perimeter.

Accepted trade-off. The system will be slower and more expensive than prompt-to-publish generation. That cost buys controlled rights usage, reproducibility, explainable decisions, revocation, and public trust.

Red-team verdict

Six corrections materially change the architecture

Each finding is presented as a claim and consequence. This avoids hiding critical governance failures inside technical detail or aesthetic discussion.

02
F1Critical

A brand website is not an authority system

Claim. A website is a retrieval source, not proof of authority, license, recency, or completeness.

Implication. Compile proposed rules from allowlisted sources, then require designated brand and legal owners to attest immutable policy versions.

F2Critical

Provenance is evidence, not truth

Claim. Signed history can show what was asserted and changed. It cannot establish that rights, facts, identity, or approval were valid.

Implication. Maintain separate rights, factual, approval, provenance, and publication evidence.

F3Critical

Assurance must be independent

Claim. A model cannot reliably certify its own output, especially when generation and review share assumptions or model families.

Implication. Use deterministic checks, separately configured validators, role-separated humans, and exact-output release certificates.

F4High

Public release requires a lifecycle

Claim. Pre-publication approval does not cover rights expiry, factual corrections, sponsor changes, downstream crops, cache retention, or takedowns.

Implication. Track every destination and derivative. Revalidate at publish time and operate revocation as a first-class service.

F5High

Transparency readiness is time-sensitive

Claim. EU Article 50 transparency obligations apply beginning August 2, 2026, subject to legal classification and implementation details.

Implication. Complete market-by-market applicability analysis and implement machine-readable plus visible disclosure profiles.

F6High

Visual communication must expose evidence

Claim. A pass badge or composite score hides the rule, evidence, uncertainty, consequence, and required action.

Implication. Present claim, source, comparison, implication, qualification, provenance, and next action in one review surface.

Threat model

The most dangerous failures are unauthorized assertions

The risk is not primarily an unattractive image. It is a public asset that falsely implies a right, fact, endorsement, identity, event state, or approval.

03
Risk heatmap showing high concentration in rights, policy, factual, and publication lifecycle failures.
Figure 2. Pre-control risk concentration. Rights, facts, source authority, and publication lifecycle dominate the critical zone.
IDRiskTriggerFailureRequired control
T01CriticalIndirect prompt injection in guideline pagePolicy extraction follows embedded instructionsSanitize and isolate sources; retrieved content never executes instructions; require attestation
T02CriticalStale event or sponsor profileExpired lockup or conflicting sponsor appearsEffective dates, conflict engine, publish-time recheck
T03CriticalUnauthorized player likenessSynthetic or edited likeness exceeds permissionLikeness taxonomy, entitlement record, mandatory rights gate
T04CriticalWrong score or rosterCreative becomes false between drafting and releaseAuthoritative feed, freshness threshold, release-time revalidation
T05HighMark mutation after transcodingPlatform crop or compression violates identityChannel-specific render and post-upload verification
T06HighMetadata strippedEmbedded provenance or disclosure is removedVisible fallback, sidecar verifier, channel checks
T07HighReviewer override abuseExceptions become routine under deadline pressureRole separation, reason codes, threshold alerts, sampling
T08HighCross-event policy leakagePrior event rules or assets contaminate a new requestScoped event profiles, immutable versions, negative tests
T09MediumValidator regressionModel or rule update changes outcomes silentlyPinned versions, golden set, canary release, rollback
T10MediumDraft exfiltrationUnapproved creative enters public channelsPrivate storage, watermarking, signed release path only
No failure modes match the current filters.

Control allocation

Use each mechanism only for what it can prove

Legal, deterministic, model-assisted, human, and operational controls have different authority. No layer should silently expand the authority of another.

04

Non-overridable rules

  • No model output grants or infers rights.
  • No passed model review overrides a failed deterministic rule.
  • No human approval overrides an expired entitlement without a signed authorized exception.
  • No public publication occurs without a certificate bound to the exact output and channel.
  • No auto-publish is enabled without continuous evaluation, rollback, and a kill switch.

Authority by control class

Legal / contractual: rights, likeness, sponsor, territory, and transformation permission.

Deterministic: exact assets, dimensions, copy, dates, precedence, and certificate validation.

Model-assisted: bounded generation, anomaly detection, extraction proposals, and draft descriptions.

Human judgment: context, taste, reputational impact, ambiguity, and authorized exceptions.

Operational: deployment, monitoring, incident response, rollback, and revocation.

Likeness and transformation modes

L0

No people

Abstract environments, typography, city or basketball motifs. Pilot default.

L1

Licensed photo, protected person

Crop, layout, and approved color treatment. Person pixels remain materially unchanged.

L2

Bounded environmental edit

Background extension or removal with the person protected. High review.

L3

Material player alteration

Face, pose, body, uniform, action, expression, or number changes. Prohibited initially.

L4

Synthetic identifiable player

Generated digital replica or confusing likeness. Prohibited in the initial program.

Revised target architecture

A four-plane control system, not a prompt pipeline

The design separates authority, creation, assurance, and release. This limits correlated failure and makes evidence inspectable.

05
Four-plane architecture covering governance and evidence, creative generation and deterministic composition, independent assurance, and controlled publication with monitoring.
Figure 3. Revised operating model. Rights and policy resolve before generation; publication remains a distinct privileged operation.

Policy precedence

Law and contractual restriction → league → season → event → team → sponsor → channel → territory and locale → approved exception.

A lower layer may narrow permission. It may not silently broaden a higher-level restriction.

Security boundary

Retrieved content is treated as untrusted data. It cannot issue tool calls, alter system instructions, change policy precedence, or grant rights.

Draft generation, approval, signing, and public publication use separated identities and permissions.

Effective visual communication

The reviewer must see the decision, evidence, consequence, and action

The interface should reduce ambiguity without manufacturing false certainty or encouraging approval by habit.

06
01 • IdentifyWhat creative, event, channel, territory, purpose, and release attempt is this?
02 • PrioritizeWhat is the highest-severity unresolved condition and consequence?
03 • EvidenceWhich rule, entitlement, source, timestamp, validator, confidence, and region support it?
04 • ChangeWhat differs from the prior creative, policy, facts, or approval state?
05 • ActApprove, reject, correct, escalate, or record an authorized exception.
Reviewer workspace showing the final channel preview, blocker summary, evidence panel, differences, and approval actions.
Figure 4. Proposed reviewer workspace. Evidence precedes approval; the final channel rendition is the primary preview.
Communication anti-pattern

A single “92% compliant” score is not decision-grade. It can hide a fatal rights failure behind harmless passed checks and implies precision the system does not possess.

Visual hierarchy rules

Lead with the decision and largest unresolved risk. Use severity plus text and iconography. Reserve red for blockers and avoid a wall of green pass badges. Show policy versions, source timestamps, channel crop, disclosure, and overlays.

Accessibility contract

Publish a structured text equivalent. Do not depend on generated lettering inside pixels. Encode meaning beyond color. Validate contrast and non-text contrast. Localize copy through approved typography and reviewed translation.

Potential path forward

Earn expansion through evidence

Time alone does not authorize broader use. Each phase produces evidence for the next decision and retains explicit no-go boundaries.

08
Evidence-gated roadmap covering governance foundation, internal concept pilot, controlled public pilot, and conditional expansion.
Figure 5. Evidence-gated roadmap. Progress is conditional on control effectiveness, not calendar completion.
Days 0–30

Governance foundation

  • Name accountable owners.
  • Inventory authoritative sources.
  • Define rights and likeness taxonomy.
  • Complete threat model and EU decision.
Days 31–60

Internal concept pilot

  • L0 backgrounds by default.
  • No public output.
  • Full evidence and review logging.
  • Golden and adversarial evaluation.
Days 61–90

Controlled public pilot

  • One event.
  • No more than two organic channels.
  • Deterministic composition.
  • 100% human approval.
After evidence

Conditional expansion

  • Licensed photos and sponsors.
  • Additional events and channels.
  • Selective fixed-template automation.
  • Paid media only after separate gates.

Executive release gates

GO — governance foundation

Fund owners, source inventory, rights taxonomy, threat model, and EU transparency analysis.

CONDITIONAL GO — public pilot

One event, two organic channels, current evidence, deterministic composition, full approval, certificate, and rollback.

NO-GO — high-risk expansion

No synthetic named players, unattended paid media, merchandise, or unrestricted prompt-to-publish workflows.

Evaluation and assurance

Measure control effectiveness, not aesthetic preference

The corpus must include visually attractive outputs that are nevertheless legally, factually, or operationally invalid.

09
MetricDefinitionDecision use
Critical escape rateCritical defects published / total publishedTarget zero; any event triggers incident review
Rights decision completenessReleases with complete current entitlement evidence100%
Fact freshnessTime between authoritative read and publicationThreshold by content type; stale data blocks
False block rateValid creatives incorrectly blockedMinimize without weakening hard controls
Human–automation disagreementMaterial differences in decision or severityCalibration signal, not employee performance metric
Override concentrationOverrides by rule, approver, event, and deadline proximityAlert on trends and clusters
Revocation SLOTime from authorized takedown to verified removalDefined per channel and severity
Channel mutation rateOutputs changed by crop, compression, or metadata strippingDrive channel-specific controls
Review burdenTime and actions required per risk tierOptimize evidence presentation
Policy driftOutputs changed by model, validator, or policy updateRelease gate and regression signal

Every build

Schema, precedence, effective dates, entitlement logic, renderer transforms, exact copy, signing, and verification.

Every model or validator change

Golden-set visual tests, adversarial tests, human calibration, canary release, and rollback readiness.

Every public release

Final uploaded crop, compression, metadata, visible disclosure, links, accessibility fields, destination ledger, and publish-time facts.

Appendix A

Minimum control matrix for a public pilot

Search the proposed control set by ID, requirement, domain, or effect.

A
ControlRequirementDomainEffect
GOV-01Named accountable owner and RACIGovernanceBlock
SRC-01Allowlisted authoritative sources with classification and ownerSourceBlock
SRC-02Source change diff and human attestationSourceBlock
SEC-01Retrieved content never executes instructions; prompt-injection controlsSecurityBlock
POL-01Immutable policy version with precedence and effective datesPolicyBlock
RGT-01Entitlement by asset, likeness, channel, territory, purpose, transform, and timeRightsBlock
EVT-01Event profile resolves conflicts and approved exceptionsPolicyBlock
DAT-01Authoritative facts with source timestamp and freshness thresholdDataBlock
GEN-01Constrained brief and structured creative specificationGenerationReview
GEN-02Pinned model/configuration and release evaluationGenerationBlock
CMP-01Canonical assets and deterministic compositionCompositionBlock
VIS-01Dimensions, safe area, contrast, clearspace, OCR, and mark checksVisual QABlock
MOD-01Text and image safety moderationSafetyBlock
REV-01Risk-tiered, role-separated human approvalReviewBlock
PRV-01Content Credential, visible disclosure, and sidecar policyProvenanceBlock
PUB-01Certificate bound to exact output hash and destinationPublicationBlock
PUB-02Post-upload crop, compression, metadata, and disclosure verificationPublicationBlock
OPS-01Destination ledger, revocation, correction, and cache purgeOperationsBlock
EVAL-01Golden, adversarial, human-calibration, and post-market evaluationAssuranceBlock
INC-01Incident response, kill switch, and signing-key compromise procedureOperationsBlock
No controls match the current filters.

Appendix B

Adversarial test catalog

Representative scenarios that should exist before any public release. Each test should have an expected policy decision and inspectable evidence.

B
Source poisoningInspect

Brand page contains hidden “ignore prior policy” text or redirects to an unapproved domain.

Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.

Policy conflictInspect

A team event rule permits a treatment prohibited by league policy; sponsor rules conflict by territory.

Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.

Rights expiryInspect

A player-photo entitlement expires between draft, approval, scheduled publication, and repost.

Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.

Asset substitutionInspect

A user uploads a near-copy logo or competitor mark under a misleading filename.

Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.

Likeness alterationInspect

A background edit changes a face, jersey, pose, body, number, or expression.

Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.

Facts raceInspect

Score, roster, venue, series status, uniform, or sponsor changes during approval.

Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.

Channel mutationInspect

A social crop removes disclosure or clearspace; recompression distorts a mark.

Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.

Metadata removalInspect

A distribution system strips Content Credentials or asset identifiers.

Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.

Reviewer fatigueInspect

A large queue of low-value passes causes a critical exception to be approved.

Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.

Override pressureInspect

A deadline-driven user repeatedly bypasses the same policy rule.

Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.

Model driftInspect

An alias update changes visual behavior or validator sensitivity without notice.

Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.

Cross-event leakageInspect

Assets or rules from an earlier event appear in a current campaign.

Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.

Revocation failureInspect

A removed asset persists in CDN, scheduler, social derivative, or partner cache.

Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.

Signing compromiseInspect

A release-certificate key is exposed or an unauthorized service signs an output.

Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.

Appendix C

Minimal release evidence schema

The certificate binds the exact output to the event profile, policy, rights, facts, assurance results, approvals, provenance, destination, and expiry.

C
Illustrative JSON — production schema requires legal, security, data, and platform review
{
  "creative_id": "cr_20418",
  "event_profile": {"id": "event_2027_finals", "version": "7.0.0"},
  "policy": {"id": "nba_brand", "version": "12.4.0"},
  "output": {"sha256": "…", "channel": "instagram-feed", "territory": "US"},
  "rights": {
    "assets": ["asset://event-lockup-v3"],
    "likeness_mode": "L0",
    "decision": "pass",
    "evaluated_at": "2027-06-02T19:21:18Z"
  },
  "facts": {"sources": [], "freshness_seconds": 8, "decision": "pass"},
  "assurance": {
    "moderation": "pass",
    "deterministic_visual": "pass",
    "semantic_review": "reviewed"
  },
  "approvals": [{"role": "brand", "actor": "user-481", "decision": "approved"}],
  "provenance": {"content_credentials": true, "visible_disclosure": "profile-eu-1"},
  "publication": {"certificate_id": "cert-8841", "valid_until": "2027-07-15T00:00:00Z"}
}

Research basis

Primary sources and bounded contribution

External authorities provide evidence, not certification. Internal research systems provide the communication and visual-structure method.

R
  1. OpenAI — Image generation
  2. OpenAI — Safety best practices
  3. OpenAI — omni-moderation-latest
  4. OpenAI — GPT Image 2
  5. OpenAI — Your data
  6. NIST — AI Risk Management Framework and GenAI Profile
  7. C2PA — Content Credentials Technical Specification 2.4
  8. C2PA — Implementation Guidance 2.4
  9. ISO/IEC 42001:2023 — AI management systems
  10. NBA.com — Terms of Use
  11. U.S. Copyright Office — AI and Copyrightability
  12. U.S. Copyright Office — Digital Replicas
  13. FTC — Advertisement Endorsements
  14. European Commission — Transparency of AI-generated content
  15. OWASP GenAI — LLM01 Prompt Injection
  16. W3C — WCAG 2.2 Non-text Content
  17. W3C — WCAG 2.2 Contrast Minimum
  18. W3C — WCAG 2.2 Non-text Contrast
  19. W3C — WCAG 2.2 Info and Relationships

Human owner

Jesse Graupmann commissioned, directed, authored, reviewed, and remains accountable for acceptance and publication decisions.

Software-agent contribution

OpenAI ChatGPT assisted with web research, synthesis, red-team analysis, drafting, structure, visualization design, document generation, and SPA transformation.

Publication condition. Before external circulation, validate legal applicability, confirm internal source authority, replace illustrative IDs and sponsors, complete accessibility review, and record the approving owners and version.