The Ad Machine: What Enterprise Marketing Teams Haven't Governed When AI Is Generating Brand Creative at Scale
Adobe Firefly has generated 9 billion+ images since launch; the Firefly Services API is in production at enterprise marketing teams including Marriott, IBM, and Gatorade. Meta Advantage+ AI now autonomously generates creative variations, image backgrounds, and text overlays within live campaigns for 4M+ advertisers. Google Performance Max gives AI control over bidding, audience targeting, and creative combinations simultaneously — removing the human-controlled ad group structure most enterprise media teams built their campaign governance around. Persado uses AI to generate emotion-optimized copy; Goldman Sachs, JPMorgan Chase, Humana, and Bayer have deployed it in production marketing at scale. The governance gaps most enterprise CMOs have not closed: AI-generated creative may lack copyright protection under current USPTO guidance, platform agreements may allow vendors to train on your brand creative, EU AI Act Article 5 prohibitions on manipulative AI techniques apply to advertising tools that optimize for psychological triggers, and FTC enforcement on AI-generated advertising claims is an active posture. Most enterprise marketing teams have no governance framework that covers all four dimensions — and most have been generating AI creative for 12–18 months already.
Key Numbers
images generated by Adobe Firefly since its March 2023 launch — making it one of the fastest-adopted generative AI platforms in enterprise creative history. The Firefly Services API, launched in 2024, extends Firefly into automated enterprise workflows: Marriott uses it to generate localized hotel creative at scale, IBM uses it for enterprise marketing content, and Gatorade has deployed it for athlete-specific campaign personalization. Enterprise marketing teams using Firefly Services have moved beyond individual prompts to automated creative pipelines that generate thousands of asset variations with minimal human review. The IP governance question — which of those assets carries copyright protection, and under what conditions — has not kept pace with the deployment speed.
advertisers using Meta Advantage+ AI campaigns, which give Meta's AI autonomous control over creative generation, audience targeting, placement, and bid optimization simultaneously. Advantage+ Shopping Campaigns, Advantage+ App Campaigns, and Advantage+ Audience now allow Meta to generate image backgrounds, text overlays, and creative variations without advertiser approval of each variation. Enterprise advertisers with established brand guidelines have discovered that Advantage+ generates variations that technically comply with asset uploads but violate brand standards in ways that human creative review would catch. The performance lift is real — Meta reports 22% lower cost per acquisition for Advantage+ campaigns — but it comes with a governance trade-off most enterprise marketing teams have not formally documented.
copyright protections automatically attached to AI-generated creative under current US law. The USPTO's February 2023 guidance and subsequent Copyright Office decisions have established a consistent standard: works created by AI without meaningful human authorship at the point of creation are not eligible for copyright protection. A creative asset generated through a text-to-image prompt, an AI copy generator, or an automated creative variation tool may be freely reproduced by competitors. Enterprise marketing teams running AI-generated campaigns have not uniformly assessed which of their active advertising assets have defensible copyright protection — and many assume platform agreements provide legal cover that the underlying copyright law does not actually deliver.
year EU AI Act Article 5 prohibited practices took effect (August 2, 2024), including the prohibition on AI systems that use subliminal techniques or exploit psychological vulnerabilities in commercial contexts. Persado-style emotion optimization tools — which analyze psychological trigger patterns and generate copy designed to activate specific emotional responses — require legal review for EU campaigns under Article 5. Most enterprise marketing legal teams have not conducted a tool-by-tool EU AI Act compliance review of their AI creative stack. For enterprises running EU campaigns with AI-optimized copy, the compliance exposure has been active for over a year.
Background
Enterprise AI creative tools did not arrive with a governance requirement. They arrived with a performance pitch: lower cost per acquisition, faster time-to-market, more variations tested at lower cost. Adobe Firefly launched in March 2023 and reached 1 billion images generated in four months. Meta Advantage+ Shopping Campaigns moved from beta to default recommendation in 2023 and now covers 4 million+ advertisers. Google Performance Max replaced Smart Shopping and Local campaigns — removing the option of the prior campaign structure entirely, not just offering AI as an upgrade. The enterprise adoption decision was made, in many cases, before the legal and governance questions were even formulated.
The Persado deployment pattern is the clearest example of how governance lagged the technology at the enterprise level. Persado's AI generates copy at the sentence level, trained on behavioral response data across hundreds of millions of consumer interactions to identify which emotional triggers, word choices, and message framings produce the highest response rates for specific audience segments and contexts. Goldman Sachs deployed Persado in 2019 and reported a 450% increase in click-through rates for one tested campaign. JPMorgan Chase, Humana, Bayer, and Prudential followed. The tool is effective — and the governance questions it raises (EU AI Act Article 5, FTC deceptive practices standards, brand voice consistency, data rights over the behavioral training corpus) were not raised alongside the ROI case. The legal team saw the contract. It is unlikely they reviewed it specifically against Article 5 of a regulation that did not exist until 2024.
Adobe Firefly's enterprise positioning has been deliberate: Firefly is trained on licensed and public domain content, not scraped from the open web, which Adobe presents as the commercially safe generative AI creative option. This is a meaningful differentiator for IP risk in certain dimensions — the risk of a copyright infringement claim based on training data similarity is genuinely lower with Firefly than with tools trained on uncleared content. But the "commercially safe" positioning addresses the wrong legal question for most enterprise marketing teams. The relevant question is not whether Adobe was licensed to train on source material. The relevant question is whether the creative your team generates with Firefly has copyright protection you can enforce — and the answer, under current USPTO guidance, depends on how much human authorship is present in the creation. A prompt that generates an image is probably not enough. A prompt plus significant human curation, selection, and arrangement may be. Most enterprise marketers have not had this conversation with their IP counsel, and most are not documenting the human authorship elements in their AI creative workflows.
Google Performance Max has restructured the enterprise media team's relationship with creative governance at the campaign level. Traditional search and display campaign management gave enterprise media buyers control over ad groups, keyword bids, audience segments, and creative approval workflows. Performance Max collapses this structure: the AI controls bidding, audience targeting, placement across Search, Display, YouTube, Discover, Gmail, and Maps, and the combination of creative assets the advertiser uploads. The advertiser provides headlines, descriptions, images, and video assets; Performance Max generates the combinations. Enterprises that have migrated to Performance Max have found that the AI surfaces creative combinations that perform well on conversion metrics but conflict with brand standards, competitive positioning commitments, or legal approval requirements. The creative review process most enterprise marketing teams operate was designed for human-assembled ads — not for AI-assembled combinations of approved assets that the creative review never saw as a unit.
WPP's Open platform, launched in 2023 with a $250M+ investment, represents the agency side of the same shift. Publicis.ai, Omnicom's OMNI, and IPG's AI capabilities are each building toward the same model: AI handles creative generation, personalization, and performance optimization; the agency team handles strategy, brand governance, and client relationship. For enterprise marketers whose creative production runs through agency relationships, the practical implication is that AI is generating your brand creative through your agency partner's proprietary platform — and the data rights, IP terms, and EU compliance obligations in your agency agreement were almost certainly not written with AI creative generation in their scope.
The FTC enforcement posture on AI-generated advertising content is active but not yet characterized by specific AI creative enforcement actions at the enterprise level. The FTC's 2023 policy statement on AI impersonation and its rulemaking on deceptive endorsements both have direct implications: AI-generated testimonials, endorsements, and reviews that appear genuine require disclosure if they are not. AI-generated comparative advertising claims carry the same substantiation requirements as human-written ones. The FTC has also issued guidance on deceptive design patterns (dark patterns) in digital advertising that overlaps with AI-optimized persuasion techniques. Enterprise marketing teams have legal review processes for advertising claims — but those processes were built for human-written copy, and AI-generated copy is moving through most of them without specific AI disclosure review.
Decision Required
Your enterprise marketing team is using AI to generate ad copy, visual creative, and customer messaging at scale. The IP status of that creative is legally unsettled. Platform agreements may allow vendors to train on your brand assets. EU AI Act Article 5 prohibitions on manipulative AI techniques apply to advertising tools that optimize for psychological triggers — and those prohibitions have been in effect since August 2024. FTC enforcement on AI-generated advertising content is an active posture. What governance framework does your CMO put in place — and does it address all four dimensions, or just the one the legal team happened to flag first?
The practical governance questions most enterprise CMOs have not formally resolved: Which AI creative tools in your stack generate content that may lack copyright protection — and have you audited your active campaigns to identify assets with no defensible human authorship? What do your platform agreements with Adobe, Meta, and Google actually say about vendor rights to use your creative assets and performance data for model training? Have you had a EU-qualified legal review of your Persado, Jasper, or other emotion-optimization tools for Article 5 compliance on EU campaigns? Does your advertising claims review process have a checkpoint for AI-generated copy that reviews for FTC substantiation requirements specifically?
These are governance questions, not performance questions. The AI creative tools are often delivering on their performance claims. The governance gap is structural: the legal, IP, and compliance review frameworks that surround enterprise marketing were designed for human creative production, and AI-generated creative is running through them without the specific checkpoints that the AI context requires.
Options
Defensible only if you have completed a data rights audit of your AI creative platform agreements, a copyright assessment of your active campaign assets, a EU AI Act Article 5 review of your emotion-optimization tools, and an FTC compliance review of your AI-generated advertising claims process — and all four came back clean. For most enterprise marketing teams, the honest assessment is that none of these four reviews has been done, and the current posture is not a governance decision; it is an absence of one. The performance case for AI creative is strong. The governance case for proceeding without a framework is not.
The four-part framework addresses each governance dimension in sequence. IP audit: catalog active campaigns and AI creative pipelines, identify assets generated primarily by AI, assess human authorship documentation, and establish a going-forward workflow that creates and preserves the authorship evidence required for copyright protection. Data rights review: pull and review the current agreements for Adobe Firefly, Meta, Google, Persado, and any agency AI platforms; identify model training rights, data retention terms, and opt-out provisions; negotiate addenda where the current terms are unacceptable. EU AI Act assessment: review emotion-optimization and behavioral targeting tools against Article 5 for EU campaigns; obtain legal sign-off or cease EU deployment until compliance is confirmed. FTC checkpoint: add an AI disclosure review step to advertising claims approval workflow covering testimonials, endorsements, and comparative claims generated by AI.
Pausing autonomous AI creative generation — Performance Max's fully autonomous combinations, Advantage+ creative generation, fully automated Firefly pipelines — while keeping AI as a human-in-the-loop assist tool. This eliminates the copyright gap (human selection and arrangement creates authorship), the EU Article 5 risk (human review of emotion-optimized copy before deployment), and the FTC substantiation risk (human review of claims before publication). It accepts the performance cost: Advantage+ and Performance Max conversion lifts require autonomous AI control to function fully. Right for regulated industries (financial services, pharma, healthcare) where advertising compliance requirements make the risk profile of autonomous AI creative unacceptable regardless of governance framework quality.
An external audit — conducted by outside counsel with AI law expertise and/or a specialist marketing compliance firm — reviews your AI creative stack across all four governance dimensions and delivers a prioritized findings report and remediation plan. This is the appropriate posture when the internal legal team lacks AI law expertise, when the marketing team is uncertain which tools are active in agency workflows versus internal tools, or when the scale of AI creative deployment makes a self-assessment credibility risk. Expect 4–8 weeks for a thorough audit. Right for enterprises in financial services, healthcare, insurance, or any sector with elevated FTC scrutiny, and for any enterprise where the EU AI Act compliance question has not received qualified external review.
Recommendation
Start with the data rights audit — it is the fastest to complete and the results will scope the rest of the governance work. Pull the current agreements for every AI creative platform your marketing team uses: Adobe Firefly/Firefly Services, Meta Advantage+ campaign terms, Google Performance Max terms of service, Persado master service agreement, Jasper or Copy.ai enterprise terms, and any AI creative tools running inside your agency agreements. For each, identify: (1) whether the vendor has rights to use your creative inputs or outputs for model training, (2) what opt-out provisions exist and whether your account has exercised them, (3) data retention terms for your campaign assets and performance data, and (4) whether the current terms post-date your most recent campaign launch or were written before AI creative generation was a platform feature. Most enterprise marketing teams will find that at least one platform agreement grants model training rights they did not knowingly accept.
Add a human authorship documentation step to your AI creative pipeline. Under current USPTO guidance and Copyright Office decisions, AI-generated creative requires meaningful human authorship at the point of creation to qualify for copyright protection. The documentation does not need to be elaborate — but it needs to exist. For campaigns where AI generated the initial creative, document the human selection, modification, and arrangement decisions that constitute authorship. For fully autonomous AI creative (Performance Max combinations, Advantage+ variations), accept that those assets may not have copyright protection and govern accordingly: do not rely on copyright enforcement for competitively sensitive creative, and ensure that the assets you consider most distinctive involve sufficient human authorship to be defensible.
For EU campaigns, get legal sign-off on your emotion-optimization tools before the next campaign launch. Persado, Phrasee (now Jacquard), and comparable AI copy tools that optimize for emotional triggers require review against EU AI Act Article 5. The question is not whether these tools are effective — they demonstrably are. The question is whether their specific optimization mechanisms constitute the "manipulation of persons through psychological techniques exploiting weaknesses" that Article 5 prohibits. That is a legal question, and the answer depends on how each tool's optimization functions and how it is applied. Get the analysis in writing before the next EU campaign deploys. The enforcement window has been open since August 2024.
Update your advertising claims review workflow to include an AI-specific checkpoint. The FTC's substantiation requirement — that advertising claims be backed by competent and reliable evidence at the time the claim is made — applies to AI-generated claims with the same force as human-written ones. AI copy generators produce comparative claims, performance claims, and benefit claims that can fail substantiation without a human reviewer who knows to check. Add a checkpoint to your approval workflow specifically for AI-generated copy that flags (1) comparative claims against named or unnamed competitors, (2) performance or efficacy claims, and (3) any content that could be characterized as a testimonial or endorsement — and require substantiation documentation for each category regardless of whether the copy was AI-generated or human-written.
Build AI governance into your next agency review. If significant AI creative production runs through your agency relationships, the governance obligations follow the creative — not just the in-house tools. Request that your agency partners disclose which AI platforms are active in your account, what the data rights terms are for your brand assets within their proprietary platforms, and what their EU AI Act compliance posture is for campaigns targeting EU audiences. Agencies that have thought carefully about AI creative governance will give specific answers. The ones that cannot name the platforms or describe the data terms are telling you something about the governance gap in their own stack.
Enjoying this brief? The next one ships Tuesday.
One enterprise AI deployment, dissected weekly. Free during beta · No credit card · Unsubscribe anytime
Risks
Creative assets generated primarily by AI without documented human authorship may not be eligible for copyright protection under current US law. An enterprise competitor can legally reproduce your AI-generated campaign imagery, copy, or creative concepts. The risk is highest for enterprises that have been running automated AI creative pipelines — Performance Max asset combinations, Advantage+ generated variations, fully automated Firefly workflows — without a human authorship documentation process. Most enterprises have not assessed which of their active campaigns rely on AI-only creative that cannot be defended as copyright-protected intellectual property.
AI creative platform agreements frequently include rights for vendors to use creative inputs, outputs, and performance data for model training and platform improvement. Adobe Firefly's enterprise terms include opt-out provisions that require active configuration — the default position in many account types grants Adobe usage rights. Meta and Google's advertising terms grant broad rights to use campaign creative and performance data for platform optimization. Persado retains aggregate performance data. Most enterprise marketing teams signed these agreements before AI creative generation was a feature of the platforms — and the data rights terms were not written with that use case in their scope. The risk: your brand creative and campaign performance data may be training vendor models that your competitors use.
The EU AI Act's Article 5 prohibited practices include AI systems that "deploy subliminal techniques beyond a person's consciousness or other manipulative techniques that exploit psychological vulnerabilities" to impair autonomous decision-making. Enforcement scope for advertising tools is being clarified through the European AI Office's guidance process, but the prohibitions are in force. Persado, Jacquard (formerly Phrasee), and comparable tools that optimize copy for psychological trigger patterns require review against this standard for EU deployment. Enterprise marketing teams that have not obtained qualified legal review of their emotion-optimization tools for EU campaigns are running a compliance posture that has been in violation risk since August 2024.
The FTC has established an active enforcement posture on AI in advertising through its 2023 policy statement on AI impersonation, its deceptive endorsement rulemaking, and its ongoing dark patterns enforcement. AI-generated testimonials, endorsements, and comparative claims carry the same substantiation requirements as human-written ones — and the FTC has signaled it will not accept "the AI wrote it" as a mitigating factor in substantiation failures. Enterprise marketing teams whose AI copy generation workflows do not include an explicit substantiation review step are producing advertising claims at a volume and speed that outpaces the compliance review process those claims require.
AI creative generation at enterprise scale produces brand voice inconsistencies, factually inaccurate product claims (hallucination in copy generators), and regulatory-noncompliant comparative advertising at a volume and velocity that human creative review processes were not designed to catch. Performance Max's autonomous asset combinations can produce ads that technically use approved assets but create messaging combinations that the legal team would have rejected. Advantage+ image generation can alter product images in ways that create inaccurate product representations. Copy generators can produce superlatives, performance claims, and regulatory-sensitive language that passes through a general approval workflow without triggering the specific review that the claim type requires. The brand safety risk is not hypothetical — it is a function of the volume differential between AI creative generation speed and human review capacity.
Questions Your Team Should Be Answering
These are the questions that distinguish organizations that get this right from those that do not. If your team cannot answer them, that is your first deliverable.
- 1.
Which AI creative platforms in your marketing stack include rights for vendors to use your brand creative or campaign performance data for model training — and have you exercised the opt-out provisions in each platform agreement where those provisions exist?
- 2.
Which of your active campaign assets were generated primarily by AI — and do you have documented human authorship evidence sufficient to support a copyright claim if a competitor reproduces those assets?
- 3.
Have your emotion-optimization tools (Persado, Jacquard, or comparable copy AI) been reviewed by EU-qualified legal counsel for EU AI Act Article 5 compliance — and if not, are those tools currently active in campaigns targeting EU audiences?
- 4.
Does your advertising claims review workflow include a checkpoint specifically for AI-generated copy that reviews for FTC substantiation requirements on comparative claims, performance claims, and any content that could be characterized as an endorsement or testimonial?
- 5.
If Google Performance Max or Meta Advantage+ has generated creative combinations using your approved assets, has your legal team reviewed whether those AI-assembled combinations have received the advertising approvals your compliance process requires — or do your approval records reflect only the individual assets, not the combinations?
- 6.
Do your agency agreements disclose which AI creative platforms are active in your account, what the data rights terms are for your brand assets within agency AI platforms, and what your agency partner's EU AI Act compliance posture is for campaigns targeting EU audiences?
If this memo belongs in your next executive meeting or board pack, send it along. One click opens a pre-drafted email — edit or send as-is.
The Black Box Audit: What Big Four AI Tools Are Doing Inside Your Audit — and What Your Audit Committee Hasn't Asked
KPMG Clara runs analytics across 100% of journal entries. EY Astra drafts audit memo language from flagged conditions. Deloitte Omnia surfaces anomalies before the engagement team reviews them. PwC Halo processes contracts and board minutes with GenAI. All four Big Four firms have announced Microsoft Azure partnerships. Your engagement letter may predate these tools.
Read memo →deckThe Freight Intelligence Bet: What Carrier AI Routing Means for Every Logistics Director Locked Into a Contract That Assumed Human Decisions
UPS ORION routes 21M+ packages per day. FedEx committed $2B+ to its DRIVE AI network redesign. Maersk AI manages dynamic ocean freight pricing across 380+ ports. Your enterprise shipper contract was almost certainly written before AI was making routing decisions. The governance gap is real.
Read memo →deckThe Copilot Code Gap: What Engineering Leaders Haven't Decided About AI-Written Code in Production
GitHub Copilot is active across 77,000+ organizations. Independent security research finds 36–40% of AI-completed code contains at least one security-relevant flaw. Most enterprises have no policy distinguishing AI-generated from human-written code in production.
Read memo →deck