# AI IP Risk Checklist

**Creative Intellectual Property Charity**
**Version 1.0 — May 2026**
**Format: 24 control points**
**Time: Approximately one hour to apply across an AI content pipeline**

---

A twenty-four point checklist covering content ingestion, consent, NILP protections, provenance, disclosure, and contractual exposure. Designed so a single compliance lead can score their organisation in a working session and produce a remediation register from the result.

---

## How to use this checklist

For each control point, assess your organisation's current status:

- **Yes** — Control is fully implemented and documented
- **Partial** — Control is partially implemented or not yet documented
- **No** — Control is not implemented
- **N/A** — Control does not apply to your organisation

Record remediation actions for any control scored Partial or No.

---

## Section A: Content Ingestion (Control Points 1–6)

### 1. Training data inventory
Do you maintain a complete inventory of all training data sources used in your AI systems?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 2. Rights status mapping
For each training data source, have you mapped the rights status (copyright holder, licence type, territorial scope)?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 3. CDR coverage
Do your training data sources have corresponding Core Data Records in the CIP Rights Registry?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 4. Ingestion audit logging
Do you log every ingestion event with timestamp, asset identifier, CDR query result, licence class, and decision?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 5. TDM opt-out compliance
Do you check for and respect TDM opt-out declarations (cip.md, robots.txt, HTTP headers) before ingesting content?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 6. Pre-opt-out exposure assessment
Have you assessed your exposure from content ingested before TDM opt-out mechanisms were available?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

---

## Section B: Consent (Control Points 7–10)

### 7. Consent documentation
For each training data source, do you hold documented evidence of the rights holder's consent to AI training use?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 8. Consent scope verification
Does your documented consent specifically cover the type of AI use you are making (training, fine-tuning, inference, output generation)?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 9. Consent expiry tracking
Do you track expiry dates for time-limited consent and have a process for renewal or content removal?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 10. Consent withdrawal process
Do you have a documented process for handling consent withdrawal, including removal from active training sets?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

---

## Section C: NILP Protections (Control Points 11–15)

### 11. Voice rights identification
Have you identified all training data containing distinctive voice recordings and assessed NILP voice-clone rights?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 12. Likeness rights identification
Have you identified all training data containing identifiable likenesses and assessed NILP likeness-AI rights?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 13. Deepfake prevention controls
Do you have controls preventing the generation of non-consensual deepfake content from your AI systems?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 14. NILP commercial use controls
Are commercial uses of NILP-protected content gated behind explicit licence verification?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 15. Persona rights protection
Do you have measures preventing AI-generated content that impersonates or misrepresents the persona of rights holders?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

---

## Section D: Provenance (Control Points 16–19)

### 16. Output provenance tracking
Do all AI-generated outputs carry provenance information linking back to source materials?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 17. Provenance Certificate generation
Do you generate CIP Provenance Certificates for AI outputs, linking to source CDRs?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 18. C2PA Content Credentials
Do your AI outputs carry C2PA Content Credentials or equivalent machine-readable provenance metadata?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 19. Rights composition tracking
For outputs derived from multiple sources, do you apply most-restrictive rights composition and document the result?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

---

## Section E: Disclosure (Control Points 20–22)

### 20. AI-generated content labelling
Is all AI-generated content labelled with machine-readable and human-visible AI disclosure?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 21. EU AI Act Article 50 compliance
Does your disclosure meet EU AI Act Article 50 requirements for synthetic content?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 22. Training data transparency
Do you meet EU AI Act Article 53 requirements for training data transparency?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

---

## Section F: Contractual Exposure (Control Points 23–24)

### 23. AI contract clauses
Do your supplier, creator, and platform agreements include the seven CIP AI contract clauses (TDM opt-out, NILP scope, biometric data, GIPL insurance, revenue waterfall, agentic execution, AI disclosure)?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

### 24. GIPL insurance coverage
Do you maintain Generative IP Liability (GIPL) coverage sufficient to cover Training Data Dividend obligations and NILP Downstream Obligations?

| Status | Notes | Remediation |
|--------|-------|-------------|
| ☐ Yes ☐ Partial ☐ No ☐ N/A | | |

---

## Scoring

| Score | Band | Interpretation |
|-------|------|---------------|
| 20–24 Yes | Strong | Organisation has mature AI IP risk controls |
| 14–19 Yes | Developing | Key controls in place; gaps to address |
| 8–13 Yes | Early | Significant remediation needed |
| 0–7 Yes | Critical | Immediate action required across all areas |

**Total Yes:** ___ / 24 (excluding N/A)
**Total requiring remediation:** ___

---

*Creative Intellectual Property Charity — creativeip.org*
*This checklist is provided for educational purposes. Seek qualified legal and compliance advice for your specific circumstances.*