Explanatory document. This white paper provides conceptual orientation to DPIF — its rationale, scope, and governance architecture. Normative requirements are defined in the Control Model v1.1 and six supporting instruments. Where this document and a normative instrument address the same requirement, the normative instrument takes precedence.
About this document
The DPIF White Paper is the explanatory entry point to the Digital Presence Integrity Framework. It sets out the governance gap DPIF addresses, the threat model underlying its control architecture, and the structure of the normative instrument suite. It is written for legal, governance, and compliance teams within organisations deploying AI-mediated representations of real persons, and for regulators, standards bodies, and platform operators evaluating DPIF for reference or adoption.
The white paper does not define normative requirements. It does not modify, extend, or supersede any normative instrument. All compliance determinations are governed by the Control Model v1.1 and the six supporting instruments listed in the instrument suite section below.
The document is published under CC BY 4.0. It may be reproduced, cited, and adapted with attribution. The full PDF and all normative instruments are available at github.com/PresenceAuthority/DPIF.
The governance gap
AI systems capable of replicating human likeness, voice, and communicative presence are in active deployment across customer communication, public affairs, executive representation, and content generation. Organisations deploying these systems do not have a consistent governance structure to ensure that the represented individual’s identity, consent, and accountability rights are protected.
Existing AI governance frameworks do not close this gap. The EU AI Act regulates AI systems by risk category but does not establish deployment-level governance requirements specifically for AI-mediated representations of real persons. The NIST AI RMF addresses AI risk at a general level but does not cover the specific failure modes of identity, consent, and authority in representation contexts. ISO/IEC 42001 operates at the organisational management system level, not the deployment level.
The gap produces four classes of failure risk: identity distortion (DRRP representations drift from the principal’s actual identity through unreviewed system changes); authority escalation (DRRPs generate commitments or positions the principal never authorised, in the absence of formally documented authority limits); consent failure (deployments expand incrementally beyond the scope, duration, or audience the principal consented to); and accountability loss (outputs cannot be traced to an accountable individual when investigation or remediation is required).
DPIF addresses each failure mode through a structured control architecture applied at the deployment level — where risk is generated, at the point of interaction between a representation and its audience.
What DPIF governs
DPIF governs the deployment-level operation of AI-mediated digital representations of real, identifiable natural persons — referred to throughout the framework as Digital Representations of Real Persons (DRRPs). The scope boundary is deliberately narrow.
- Digital avatar systems replicating the visual likeness of a real person
- Voice synthesis systems replicating the vocal characteristics of a real person
- Language model deployments simulating the communicative presence of a real, identifiable person
- Composite systems combining any of the above
- Captured content — photographs, video, or audio not involving AI mediation
- AI systems representing fictional characters or non-identifiable individuals
- Organisational voice AI without direct association to a real, identifiable individual
- Academic or research deployments without audience-facing operation
DPIF does not evaluate AI model bias, fairness, or general safety; assess output quality or productivity; replace legal counsel or compliance teams; or enforce — it is a governance standard, not a regulatory instrument.
The deployment is the primary unit of DPIF governance. A single underlying DRRP tool may support multiple independent deployments, each with its own Scope of Use, Delegated Authority, and context risk classification, and each separately assessed. This formulation reflects the practical reality of multi-context DRRP operation and ensures governance is applied where risk is generated.
White paper contents
The white paper covers the full rationale, threat model, and governance architecture of DPIF across ten sections. The framework's control architecture, assessment logic, and instrument suite are documented in detail in the Framework page and normative instruments.
- 01Executive Summary
- 02Problem Statement — The Governance Gap
- 03Scope and Definitions — DRRPs and Deployments
- 04Threat Model — Identity Distortion, Consent Failure, Accountability Loss
- 05Governance Architecture — Seven Control Categories
- 06Control Structure — CPCs, SPCs, and Non-Compensatory Logic
- 07Risk Classification Framework
- 08Regulatory Alignment — EU AI Act, NIST, ISO 42001, C2PA
- 09Instrument Suite Overview
- 10Relationship to Normative Instruments
Download the suite
Seven normative instruments. All published under CC BY 4.0 at github.com/PresenceAuthority/DPIF. For instrument descriptions and context, see the Framework page.