Home / Critical Brief / No. 054

Generated Until the Rightsholder Said No

The Consent-and-Provenance Gap Behind OpenAI Sora 2

Pillar 01 · Verifiable Origin Data Provenance Training Data ProvenanceAttribute Proof Bypass
Incident date
2025-10-15
Published
2026-06-13
Authors
Lemma Critical Team
Related Pack
Pack AIncident Response

TL;DR

Rather than securing the rightsholder’s permission first, the policy said: if you don’t like it, opt out afterward. That inversion of order decided what happened. In October 2025, OpenAI released the video generator “Sora 2” with a policy under which copyrighted characters could be generated unless the rightsholder explicitly opted out. Right after launch, a flood of videos including One Piece, Demon Slayer, Pokémon, and Mario circulated on social media, and criticism erupted. Within about three days OpenAI reversed to an opt-in (prior-permission) model and also halted generation of specific individuals. Japan’s IP coalition CODA (Studio Ghibli, Bandai Namco, Toei Animation, and others) and the Japanese government then formally requested prior permission (details below). The structural problem: before generation, the rights, consent, and provenance of the material used were not independently verified, and confirmation of permission was left to after-the-fact objection. We analyze this through Pillar 01 (Verifiable Origin) as a structure in which provenance and permission are not fixed at generation, framed as a division of labor with detection and after-the-fact response. It connects to Brief 008 (public ≠ training consent), 036 (training-data provenance/consent unverified at collection), 011 (the provenance marker on AI output can be stripped), and 053 (likeness provenance not fixed at generation).

Incident overview

  • Subject: OpenAI’s video generator “Sora 2” and its rights-management policy (opt-out at launch)
  • Policy at launch: At the October 2025 release, Sora 2 could generate videos including copyrighted characters unless the rightsholder explicitly opted out. Right after launch, well-known works — Pikachu, SpongeBob, full-episode-style South Park, etc. — were easily generated
  • The reversal (about three days): As copyrighted-character videos spread right after launch, broad criticism erupted, including from the U.S. Motion Picture Association (MPA) and artists. Within about three days OpenAI announced a move to an opt-in (prior-permission) model. Generating copyrighted characters would require permission in advance; Sam Altman also mentioned finer control for rightsholders and revenue sharing with those who opt in. Characters such as Family Guy and South Park became content violations thereafter, and generation of specific individuals — Martin Luther King Jr. and others — was halted following objections from estates
  • Requests from Japanese IP / government: CODA (the Content Overseas Distribution Association, including Studio Ghibli, Bandai Namco, Toei Animation, and others) then treated reproduction during training as potentially infringing and flagged outputs closely resembling One Piece, Demon Slayer, Pokémon, Mario, and the like. It noted that opt-out inverts the burden of consent and runs counter to Japan’s copyright principle (prior permission). The Japanese government also formally requested that OpenAI refrain from potentially infringing acts and seek rightsholders’ permission in advance
  • The crux: Before adjudicating infringement output-by-output after the fact, there was no layer to independently verify, before generation, the rights, consent, and provenance of the material used. The reversal from opt-out to opt-in is an attempt to place that layer before generation

Timeline

  • Late 2025-09 to early 2025-10: OpenAI releases Sora 2 with an opt-out policy. Right after launch, videos including copyrighted characters spread on social media, and criticism erupts from the MPA, artists, and others
  • 2025-10 (about three days after launch): OpenAI announces a move to an opt-in (prior-permission) model for copyrighted characters; mentions revenue sharing. Generation of specific individuals (MLK Jr., etc.) is also halted following objections from estates
  • Around 2025-10-15: CODA demands a stop to unauthorized use for training (Studio Ghibli, Bandai Namco, and others)
  • 2025-10-16 to -23: The Japanese government formally requests that OpenAI seek rightsholders’ permission in advance

Note: The “opt-out to opt-in reversal” and “halting generation of specific individuals” are based on OpenAI’s statements and international reporting. The specific composition of the training data and individual permission status are limited in public information, and we do not assert them here. Interpretation of Japanese copyright law and the final judgment of infringement are left to rightsholders, authorities, and the courts.

This incident stems from a structure in which the rights, consent, and provenance of material are not independently verified before generation. The path by which the failure propagates into large-scale rights-infringement concern:

  1. Training and generation with unverified provenance: Copyrighted works may be in the training data, but their provenance and permission are not fixed in verifiable form. The generative AI does not show, from the provenance side, whose copyrighted work the output derives from and how much
  2. Inverting the burden of consent: Because the default is “generatable unless refused (opt-out),” a rightsholder must preemptively object to keep their work from being used. Confirmation of permission is left not to before generation but to the rightsholder’s after-the-fact objection
  3. Generation and spread: Videos including copyrighted characters are easily generated and spread at scale on social media. The judgment of infringement is made after generation and spread
  4. After-the-fact objection and correction: Rightsholders, governments, and industry object, the platform reverses the policy (to opt-in), and specific generation is halted. But this is an after-the-fact sequence operating only after mass generation and spread, and the output already spread cannot be fully recovered

Structural analysis

This incident belongs to the data-provenance category under Pillar 01 (Verifiable Origin). The central failure primitive is that in the training and generation of generative AI, the rights, consent, and provenance of the material used are not fixed in independently verifiable form before generation, and confirmation of permission is left to after-the-fact opt-out (objection). As secondary we note training-data-provenance (the provenance/consent of training data) and attribute-proof-bypass (rights/permission as an attribute presumed without provenance).

The crux is the order of “who bears the burden of consent.” Opt-out says “you may use it unless refused,” shifting confirmation of permission onto the rightsholder’s after-the-fact action. By contrast, Japan’s copyright principle requires prior permission (opt-in) and has no mechanism by which after-the-fact objection averts infringement. What CODA pointed out is exactly this inversion of order. Without a layer that confirms rights and provenance before generation, infringement can only be asked after generation and spread, and the response trails. OpenAI’s reversal from opt-out to opt-in is nothing other than a move to place the confirmation layer before generation.

It shares a root with Brief 008 (data from public channels redistributed as AI training data while public ≠ consent): “being public/obtainable” is not proof of “being usable for training/generation.” It is the generation-and-output-side cross-section of Brief 036 (personal data mixed into a top-tier public training dataset, with provenance/consent unverified at collection), and it connects to Brief 011 (the provenance marker on AI output can be stripped) and 053 (likeness provenance not fixed before generation), in that the output’s provenance is not fixed in verifiable form. What this case shows is the consequence of generative AI producing copyrighted works while lacking up-front verification of rights, consent, and provenance — and its reach is especially large for Japanese IP, where prior permission is the principle.

The gap between detection and proof

Output-by-output content-violation adjudication, rightsholder objections, the platform’s policy reversal (opt-out to opt-in), halting specific generation, and industry/government pressure are all indispensable for grasping, deterring, and correcting harm; this Brief does not deny that role. A flagging channel for rightsholders and stopping violating output are important operational responses.

At the same time, after-the-fact adjudication of output does not, at the moment of generation, independently establish “does this generation carry the rights, consent, and provenance of the material used.” The opt-out model permits generation unless the rightsholder preemptively refuses, pushing the judgment to after the fact. A content-violation filter scans for “does this output resemble a known protected work,” but that works after generation and spread. What was missing is the at-generation independent verification of “does this generation carry the rights, consent, and provenance of the material it uses,” which is a separate track from after-the-fact adjudication and objection. As long as confirmation of permission is placed after generation, the response can only trail the spread. Japan’s prior-permission principle can be seen as an institutional expression of this “confirm before generation” requirement.

Pre-execution attestation and provenance binding close this gap by inserting one step — verification of the material’s rights, consent, and provenance — into the output path of the generative AI. By fixing the provenance of training data and outputs via docHash, bound to their rightsholders and permissions, and making it possible to ask before generation “does this material carry permitted provenance for this use,” generation lacking permission can be distinguished before spread. Detecting the output (the detection-style “does this output resemble a protected work”) and the pre-execution attestation of the material’s rights and provenance (“does this generation carry permitted provenance”) are not substitutes but complements. For fixing provenance before generation see “Proof-as-Auth: Sign In Without Ever Sending Your Key” (Lemma, 2026-05); for the detection-and-proof thesis see “The Last Layer Left for Cyber Defense in the Age of AI” (Lemma, 2026-05).

  • OpenAI: Reversed its launch opt-out policy to opt-in (prior permission) for copyrighted characters within about three days. Mentioned finer control for rightsholders and revenue sharing with those who opt in. Also halted generation of specific individuals
  • Japanese IP / government: CODA demanded a stop to unauthorized use for training and noted that opt-out runs counter to the prior-permission principle. The Japanese government formally requested correction from OpenAI. The U.S. MPA also criticized the opt-out policy
  • The provenance-and-permission question: A mechanism to fix, in verifiable form before generation and publication, the provenance/permission of training data and the rights attributes of outputs has surfaced as a complement to the limits of after-the-fact adjudication. Especially in jurisdictions where prior permission is the principle, the design question of “is opt-out enough” has come to the fore
  • Cross-industry point: There is growing discussion of shifting the center of gravity of generative-AI trust design away from depending on post-output filters and rightsholders’ after-the-fact objections, toward fixing the confirmation of rights, consent, and provenance in an independently verifiable form before generation (provenance / pre-execution attestation)

Lemma’s analysis

Against the gap this incident exposed (the rights, consent, and provenance in the training and generation of generative AI are left not to before generation but to after-the-fact objection), Lemma proposes a design that, before the act of generation, fixes the rights, consent, and provenance of the material as independently verifiable cryptographic proof.

  • Provenance binding: Bind training data and outputs to their rightsholders, permissions, and origins, and fix provenance via docHash. Make which material an output derives from, and under what permission, verifiable against after-the-fact stripping and forgery
  • Pre-execution attestation of permission (implementing opt-in): Before generation using a copyrighted work, require the rightsholder’s permission as verifiable proof. Make “it is permitted,” not “it has not been refused,” the condition for generation
  • Selective disclosure of rights attributes: Prove only the rights attribute “this material is permitted for this use” with minimal disclosure, without sending the rightsholder’s sensitive contract information outside the environment. Mechanisms like revenue sharing with opt-in rightsholders can also be made verifiable, bound to the permission evidence
  • Scoped generation: Bind the generative AI’s output to the scope of permission, so generation from material lacking permission cannot succeed without proof

Through this, proof of provenance and permission fixed at the moment of generation functions as an independently verifiable trail for “does this generation carry permitted provenance,” before spread. Detection and after-the-fact response (output filters, policy reversal, halting generation) serve to deter and correct harm, while pre-execution attestation of provenance and permission (fixing before generation) serves to distinguish generation lacking permission before the fact — each working complementarily. For the design and scope see Pillar 01 — Verifiable Origin and Pillar 04 — Regulatory Attribute Proof.

Sources

About Brief distribution

The Lemma Critical Brief is a threat-intelligence brief published by Lemma. This material is a structured analysis of public information and is not an audit, diagnosis, or recommendation for any specific organization. If you use it as a reference for decision-making, please consult your Lemma Critical contact directly.

Discovery Call → Whitepaper → ✉️ Newsletter →

(c) 2026 FRAME00, INC. — Built for decisions that matter.

Related Briefs
See all 15 in Data Provenance
No. 053 · 2026-06-12

200 Million Views of Fake Celebrities

The Likeness Provenance Gap Behind YouTube's Deepfake Detection

Data Provenance AI Decision IntegrityAttribute Proof Bypass
Brief →
No. 011 · 2026-05-31

SynthID Watermark Reverse-Engineering

How a Statistical Attack Strips the Provenance Mark from AI-Generated Content

Data Provenance AI Decision Integrity
Brief →
No. 048 · 2026-06-12

TrapDoor Plants Hidden Directives in AI Assistant Instruction Files Across npm, PyPI, and Crates.io

The configuration files that tell an AI coding tool "work this way on this project" (.cursorrules, CLAUDE.md) are now ev…

Code Provenance Agent InfrastructureAI Decision Integrity
Brief →
No. 045 · 2026-06-11

When One Laptop Meets the Multisig Threshold

Distributed Approval Collapses to a Single Custody Point (Humanity Protocol)

Bridge Config Trust Identity & Auth
Brief →
No. 038 · 2026-06-09

IronWorm

When Stolen Credentials Become Publishing Authority (npm Self-Propagating Implant)

Code Provenance Identity & Auth
Brief →
No. 036 · 2026-06-08

12.8 Billion Training Images Contained Passports, Résumés, and Faces

The Provenance and Consent of Training Data Were Never Verified at Collection

Training Data Provenance Data ProvenanceAttribute Proof Bypass
Brief →

Lemma Critical Monthly

The structural analysis of real-world risk incidents (Critical Brief) at its core, plus insight on the proof needed beyond detection, once a month.

Subscribe to the newsletter
Citation
Lemma Critical Team. (2026).
"Generated Until the Rightsholder Said No — The Consent-and-Provenance Gap Behind OpenAI Sora 2".
Lemma Critical Brief No.054. Lemma / FRAME00, Inc.
https://lemma.frame00.com/critical/briefs/054-sora2-ip-provenance-consent/