Red-team research • Decision document
Governed generative image production for NBA brand and event communications
A research-backed operating model for rights, brand fidelity, transparency, safety, approval, publication, and post-release accountability.
Proceed — but change the product definition.
Generate atmosphere. Compose identity. Verify rights and facts. Disclose synthetic origin. Certify the release. Monitor the published asset.
Executive synthesis
The model is not the control plane
The capability should be funded and governed as a rights, policy, evidence, assurance, and controlled-publication platform. Image generation is one replaceable component inside that system.
Generation may create
Bounded atmosphere, abstract environments, lighting, basketball motifs, textures, and authorized environmental edits.
Generation may not decide
Rights, player-likeness permission, exact identity, current facts, sponsor compatibility, legal disclosure, or publication authority.
Release is certified by
Authoritative evidence, deterministic rendering, independent assurance, risk-tiered approval, and a signed certificate bound to the exact output.
Accepted trade-off. The system will be slower and more expensive than prompt-to-publish generation. That cost buys controlled rights usage, reproducibility, explainable decisions, revocation, and public trust.
Red-team verdict
Six corrections materially change the architecture
Each finding is presented as a claim and consequence. This avoids hiding critical governance failures inside technical detail or aesthetic discussion.
A brand website is not an authority system
Claim. A website is a retrieval source, not proof of authority, license, recency, or completeness.
Implication. Compile proposed rules from allowlisted sources, then require designated brand and legal owners to attest immutable policy versions.
Provenance is evidence, not truth
Claim. Signed history can show what was asserted and changed. It cannot establish that rights, facts, identity, or approval were valid.
Implication. Maintain separate rights, factual, approval, provenance, and publication evidence.
Assurance must be independent
Claim. A model cannot reliably certify its own output, especially when generation and review share assumptions or model families.
Implication. Use deterministic checks, separately configured validators, role-separated humans, and exact-output release certificates.
Public release requires a lifecycle
Claim. Pre-publication approval does not cover rights expiry, factual corrections, sponsor changes, downstream crops, cache retention, or takedowns.
Implication. Track every destination and derivative. Revalidate at publish time and operate revocation as a first-class service.
Transparency readiness is time-sensitive
Claim. EU Article 50 transparency obligations apply beginning August 2, 2026, subject to legal classification and implementation details.
Implication. Complete market-by-market applicability analysis and implement machine-readable plus visible disclosure profiles.
Visual communication must expose evidence
Claim. A pass badge or composite score hides the rule, evidence, uncertainty, consequence, and required action.
Implication. Present claim, source, comparison, implication, qualification, provenance, and next action in one review surface.
Threat model
The most dangerous failures are unauthorized assertions
The risk is not primarily an unattractive image. It is a public asset that falsely implies a right, fact, endorsement, identity, event state, or approval.
| ID | Risk | Trigger | Failure | Required control |
|---|---|---|---|---|
T01 | Critical | Indirect prompt injection in guideline page | Policy extraction follows embedded instructions | Sanitize and isolate sources; retrieved content never executes instructions; require attestation |
T02 | Critical | Stale event or sponsor profile | Expired lockup or conflicting sponsor appears | Effective dates, conflict engine, publish-time recheck |
T03 | Critical | Unauthorized player likeness | Synthetic or edited likeness exceeds permission | Likeness taxonomy, entitlement record, mandatory rights gate |
T04 | Critical | Wrong score or roster | Creative becomes false between drafting and release | Authoritative feed, freshness threshold, release-time revalidation |
T05 | High | Mark mutation after transcoding | Platform crop or compression violates identity | Channel-specific render and post-upload verification |
T06 | High | Metadata stripped | Embedded provenance or disclosure is removed | Visible fallback, sidecar verifier, channel checks |
T07 | High | Reviewer override abuse | Exceptions become routine under deadline pressure | Role separation, reason codes, threshold alerts, sampling |
T08 | High | Cross-event policy leakage | Prior event rules or assets contaminate a new request | Scoped event profiles, immutable versions, negative tests |
T09 | Medium | Validator regression | Model or rule update changes outcomes silently | Pinned versions, golden set, canary release, rollback |
T10 | Medium | Draft exfiltration | Unapproved creative enters public channels | Private storage, watermarking, signed release path only |
Control allocation
Use each mechanism only for what it can prove
Legal, deterministic, model-assisted, human, and operational controls have different authority. No layer should silently expand the authority of another.
Non-overridable rules
- No model output grants or infers rights.
- No passed model review overrides a failed deterministic rule.
- No human approval overrides an expired entitlement without a signed authorized exception.
- No public publication occurs without a certificate bound to the exact output and channel.
- No auto-publish is enabled without continuous evaluation, rollback, and a kill switch.
Authority by control class
Legal / contractual: rights, likeness, sponsor, territory, and transformation permission.
Deterministic: exact assets, dimensions, copy, dates, precedence, and certificate validation.
Model-assisted: bounded generation, anomaly detection, extraction proposals, and draft descriptions.
Human judgment: context, taste, reputational impact, ambiguity, and authorized exceptions.
Operational: deployment, monitoring, incident response, rollback, and revocation.
Likeness and transformation modes
No people
Abstract environments, typography, city or basketball motifs. Pilot default.
Licensed photo, protected person
Crop, layout, and approved color treatment. Person pixels remain materially unchanged.
Bounded environmental edit
Background extension or removal with the person protected. High review.
Material player alteration
Face, pose, body, uniform, action, expression, or number changes. Prohibited initially.
Synthetic identifiable player
Generated digital replica or confusing likeness. Prohibited in the initial program.
Revised target architecture
A four-plane control system, not a prompt pipeline
The design separates authority, creation, assurance, and release. This limits correlated failure and makes evidence inspectable.
Policy precedence
Law and contractual restriction → league → season → event → team → sponsor → channel → territory and locale → approved exception.
A lower layer may narrow permission. It may not silently broaden a higher-level restriction.
Security boundary
Retrieved content is treated as untrusted data. It cannot issue tool calls, alter system instructions, change policy precedence, or grant rights.
Draft generation, approval, signing, and public publication use separated identities and permissions.
Effective visual communication
The reviewer must see the decision, evidence, consequence, and action
The interface should reduce ambiguity without manufacturing false certainty or encouraging approval by habit.
A single “92% compliant” score is not decision-grade. It can hide a fatal rights failure behind harmless passed checks and implies precision the system does not possess.
Visual hierarchy rules
Lead with the decision and largest unresolved risk. Use severity plus text and iconography. Reserve red for blockers and avoid a wall of green pass badges. Show policy versions, source timestamps, channel crop, disclosure, and overlays.
Accessibility contract
Publish a structured text equivalent. Do not depend on generated lettering inside pixels. Encode meaning beyond color. Validate contrast and non-text contrast. Localize copy through approved typography and reviewed translation.
Legal, transparency, and provenance
Public display does not establish permission
These findings guide system design but do not replace counsel, collective-bargaining review, trademark clearance, player-publicity authorization, or contract interpretation.
IP and rights
Authority must come from internal rights systems and contracts. Public brand pages provide context, not commercial permission.
Player likeness
Explicitly classify likeness and transformation modes. Store the consent or entitlement basis, permitted transformations, and required review.
EU transparency
Complete applicability analysis before August 2, 2026. Support machine-readable marking and channel-specific visible disclosure where required.
Copyright and authorship
Record human selection, arrangement, editing, composition, source assets, and contract terms. Do not assume all generated expression is protectable.
Advertising and endorsements
Encode sponsor categories, material connections, prominence, territory, purpose, and campaign disclosure profiles.
Accessibility
Provide accessible companion content and channel-specific tests. Pixels alone are not a complete public communication channel.
Provenance stack
Cryptographically bound history and assertions when the format and channel preserve it. The claims may still be incorrect.
Human-readable label or icon where law, policy, or audience expectation requires it. It must survive crop and remain clear in context.
A public or partner-accessible record keyed to creative ID or hash, designed with privacy, availability, and anti-enumeration controls.
Restricted rights, facts, policy, validation, approvals, exceptions, model configuration, and evidence.
Every destination, derivative, scheduler, cache, correction, and revocation action.
Potential path forward
Earn expansion through evidence
Time alone does not authorize broader use. Each phase produces evidence for the next decision and retains explicit no-go boundaries.
Governance foundation
- Name accountable owners.
- Inventory authoritative sources.
- Define rights and likeness taxonomy.
- Complete threat model and EU decision.
Internal concept pilot
- L0 backgrounds by default.
- No public output.
- Full evidence and review logging.
- Golden and adversarial evaluation.
Controlled public pilot
- One event.
- No more than two organic channels.
- Deterministic composition.
- 100% human approval.
Conditional expansion
- Licensed photos and sponsors.
- Additional events and channels.
- Selective fixed-template automation.
- Paid media only after separate gates.
Executive release gates
Fund owners, source inventory, rights taxonomy, threat model, and EU transparency analysis.
One event, two organic channels, current evidence, deterministic composition, full approval, certificate, and rollback.
No synthetic named players, unattended paid media, merchandise, or unrestricted prompt-to-publish workflows.
Evaluation and assurance
Measure control effectiveness, not aesthetic preference
The corpus must include visually attractive outputs that are nevertheless legally, factually, or operationally invalid.
| Metric | Definition | Decision use |
|---|---|---|
| Critical escape rate | Critical defects published / total published | Target zero; any event triggers incident review |
| Rights decision completeness | Releases with complete current entitlement evidence | 100% |
| Fact freshness | Time between authoritative read and publication | Threshold by content type; stale data blocks |
| False block rate | Valid creatives incorrectly blocked | Minimize without weakening hard controls |
| Human–automation disagreement | Material differences in decision or severity | Calibration signal, not employee performance metric |
| Override concentration | Overrides by rule, approver, event, and deadline proximity | Alert on trends and clusters |
| Revocation SLO | Time from authorized takedown to verified removal | Defined per channel and severity |
| Channel mutation rate | Outputs changed by crop, compression, or metadata stripping | Drive channel-specific controls |
| Review burden | Time and actions required per risk tier | Optimize evidence presentation |
| Policy drift | Outputs changed by model, validator, or policy update | Release gate and regression signal |
Every build
Schema, precedence, effective dates, entitlement logic, renderer transforms, exact copy, signing, and verification.
Every model or validator change
Golden-set visual tests, adversarial tests, human calibration, canary release, and rollback readiness.
Every public release
Final uploaded crop, compression, metadata, visible disclosure, links, accessibility fields, destination ledger, and publish-time facts.
Appendix A
Minimum control matrix for a public pilot
Search the proposed control set by ID, requirement, domain, or effect.
| Control | Requirement | Domain | Effect |
|---|---|---|---|
GOV-01 | Named accountable owner and RACI | Governance | Block |
SRC-01 | Allowlisted authoritative sources with classification and owner | Source | Block |
SRC-02 | Source change diff and human attestation | Source | Block |
SEC-01 | Retrieved content never executes instructions; prompt-injection controls | Security | Block |
POL-01 | Immutable policy version with precedence and effective dates | Policy | Block |
RGT-01 | Entitlement by asset, likeness, channel, territory, purpose, transform, and time | Rights | Block |
EVT-01 | Event profile resolves conflicts and approved exceptions | Policy | Block |
DAT-01 | Authoritative facts with source timestamp and freshness threshold | Data | Block |
GEN-01 | Constrained brief and structured creative specification | Generation | Review |
GEN-02 | Pinned model/configuration and release evaluation | Generation | Block |
CMP-01 | Canonical assets and deterministic composition | Composition | Block |
VIS-01 | Dimensions, safe area, contrast, clearspace, OCR, and mark checks | Visual QA | Block |
MOD-01 | Text and image safety moderation | Safety | Block |
REV-01 | Risk-tiered, role-separated human approval | Review | Block |
PRV-01 | Content Credential, visible disclosure, and sidecar policy | Provenance | Block |
PUB-01 | Certificate bound to exact output hash and destination | Publication | Block |
PUB-02 | Post-upload crop, compression, metadata, and disclosure verification | Publication | Block |
OPS-01 | Destination ledger, revocation, correction, and cache purge | Operations | Block |
EVAL-01 | Golden, adversarial, human-calibration, and post-market evaluation | Assurance | Block |
INC-01 | Incident response, kill switch, and signing-key compromise procedure | Operations | Block |
Appendix B
Adversarial test catalog
Representative scenarios that should exist before any public release. Each test should have an expected policy decision and inspectable evidence.
Source poisoningInspect
Brand page contains hidden “ignore prior policy” text or redirects to an unapproved domain.
Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.
Policy conflictInspect
A team event rule permits a treatment prohibited by league policy; sponsor rules conflict by territory.
Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.
Rights expiryInspect
A player-photo entitlement expires between draft, approval, scheduled publication, and repost.
Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.
Asset substitutionInspect
A user uploads a near-copy logo or competitor mark under a misleading filename.
Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.
Likeness alterationInspect
A background edit changes a face, jersey, pose, body, number, or expression.
Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.
Facts raceInspect
Score, roster, venue, series status, uniform, or sponsor changes during approval.
Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.
Channel mutationInspect
A social crop removes disclosure or clearspace; recompression distorts a mark.
Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.
Metadata removalInspect
A distribution system strips Content Credentials or asset identifiers.
Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.
Reviewer fatigueInspect
A large queue of low-value passes causes a critical exception to be approved.
Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.
Override pressureInspect
A deadline-driven user repeatedly bypasses the same policy rule.
Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.
Model driftInspect
An alias update changes visual behavior or validator sensitivity without notice.
Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.
Cross-event leakageInspect
Assets or rules from an earlier event appear in a current campaign.
Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.
Revocation failureInspect
A removed asset persists in CDN, scheduler, social derivative, or partner cache.
Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.
Signing compromiseInspect
A release-certificate key is exposed or an unauthorized service signs an output.
Expected behavior: block, route, or flag the attempt with evidence sufficient for a reviewer to explain the decision.
Appendix C
Minimal release evidence schema
The certificate binds the exact output to the event profile, policy, rights, facts, assurance results, approvals, provenance, destination, and expiry.
{
"creative_id": "cr_20418",
"event_profile": {"id": "event_2027_finals", "version": "7.0.0"},
"policy": {"id": "nba_brand", "version": "12.4.0"},
"output": {"sha256": "…", "channel": "instagram-feed", "territory": "US"},
"rights": {
"assets": ["asset://event-lockup-v3"],
"likeness_mode": "L0",
"decision": "pass",
"evaluated_at": "2027-06-02T19:21:18Z"
},
"facts": {"sources": [], "freshness_seconds": 8, "decision": "pass"},
"assurance": {
"moderation": "pass",
"deterministic_visual": "pass",
"semantic_review": "reviewed"
},
"approvals": [{"role": "brand", "actor": "user-481", "decision": "approved"}],
"provenance": {"content_credentials": true, "visible_disclosure": "profile-eu-1"},
"publication": {"certificate_id": "cert-8841", "valid_until": "2027-07-15T00:00:00Z"}
}Research basis
Primary sources and bounded contribution
External authorities provide evidence, not certification. Internal research systems provide the communication and visual-structure method.
- OpenAI — Image generation
- OpenAI — Safety best practices
- OpenAI — omni-moderation-latest
- OpenAI — GPT Image 2
- OpenAI — Your data
- NIST — AI Risk Management Framework and GenAI Profile
- C2PA — Content Credentials Technical Specification 2.4
- C2PA — Implementation Guidance 2.4
- ISO/IEC 42001:2023 — AI management systems
- NBA.com — Terms of Use
- U.S. Copyright Office — AI and Copyrightability
- U.S. Copyright Office — Digital Replicas
- FTC — Advertisement Endorsements
- European Commission — Transparency of AI-generated content
- OWASP GenAI — LLM01 Prompt Injection
- W3C — WCAG 2.2 Non-text Content
- W3C — WCAG 2.2 Contrast Minimum
- W3C — WCAG 2.2 Non-text Contrast
- W3C — WCAG 2.2 Info and Relationships
Human owner
Jesse Graupmann commissioned, directed, authored, reviewed, and remains accountable for acceptance and publication decisions.
Software-agent contribution
OpenAI ChatGPT assisted with web research, synthesis, red-team analysis, drafting, structure, visualization design, document generation, and SPA transformation.
Publication condition. Before external circulation, validate legal applicability, confirm internal source authority, replace illustrative IDs and sponsors, complete accessibility review, and record the approving owners and version.