New York is now requiring AI-generated people in ads to be labeled, while privacy professionals are warning that legacy governance models do not fit autonomous agents. Together, the stories point to the same problem: disclosure and control rules are being rewritten around systems that can generate or act without a human in the loop.
Ads in New York must now label AI-generated 'synthetic performers'
New York has implemented a law requiring advertisements featuring AI-generated people to clearly label them as “synthetic performers.” The rule is designed to make AI use visible to audiences instead of leaving it buried inside creative production choices, and it puts disclosure directly into the ad workflow rather than treating it as an optional brand decision. For marketers, agencies, and production vendors, this shifts synthetic media from a novelty tool into a regulated asset class that now carries review and signoff requirements.
- Ad operations teams need a documented review step for synthetic media disclosures before campaigns go live, especially when creative is reused across channels or state lines.
- Brands selling into New York should treat AI-generated likenesses as a compliance issue, not just a creative one, because labeling obligations can attach even when the synthetic person is central to the campaign concept.
- If the approach proves enforceable, other states could borrow the model, which means teams building synthetic content pipelines should plan for jurisdiction-specific disclosure rules now rather than retrofit later.
- Clear labeling also affects trust and brand risk: once regulators define disclosure as the baseline, failure to identify AI-generated people can look deceptive even when the campaign is otherwise lawful.
Privacy governance was not built for agents: Rethinking data protection for autonomous systems
The IAPP argues that traditional privacy governance frameworks were designed for relatively static systems and are not adequate for autonomous AI agents. As agents become more capable of acting on behalf of users or organizations, privacy controls have to account for less predictable data flows, shifting decision paths, and accountability gaps that do not map neatly to standard application governance. The practical issue for enterprises is that an agent can collect, infer, retain, or share information across multiple tools and contexts, which makes existing consent, purpose limitation, and oversight models harder to apply.
- Privacy and data governance teams may need to map agent behavior separately from conventional software workflows, because an agent's actions can change based on prompts, tools, and live context.
- Core compliance concepts such as consent, purpose limitation, and retention become more difficult to operationalize when systems can independently decide what data to access or how to act on it.
- Organizations deploying agents should define accountability in advance, including who owns monitoring, incident response, and policy enforcement when an agent mishandles personal data.
- Teams that wait for formal regulation may lose time, because governance updates, audit trails, and technical guardrails are easier to build before agents are deeply embedded in business processes.