Reference implementer · H2A standard

Was this allowed?

Bridle governs the use of AI-generated likeness and voice. Consent becomes a live permission — checked at the moment of use, revocable at will, and provable after.

Point-of-use · never cached Fail-closed · verify or refuse Signed tamper-evident records
DECISION RECORD grant 3f9a·c21b PERMITTED_CONFORMANT chain_intact: true signed status list

The right question

Every synthetic-media tool answers "is this fake?" — after the fact. The question a performer, a union, and a general counsel actually need answered is "was this allowed — right now?"

Consent is not a checkbox at sign-up. It is a live permission, checked at the moment of use — and its withdrawal is provable. That is what Bridle enforces, and what it records: for every act of use, a signed, tamper-evident decision of whether it was conformant.

The moment

Withdraw permission. Watch it stop.

A render is running under a live grant. When the rights-holder withdraws consent, the next check refuses — and Bridle produces the signed receipt that proves it. Try it.

● Live render PERMITTED_CONFORMANT

Northbank — shot 14 · likeness ADG-001 (face, voice)

1,487

Issued by the rights-holder, at her own service. Bridle cannot revoke — it only reads the signed list.

Independent verification

Signed, tamper-evident — anyone can check it.

  • Issuer signature on the status list VALID
  • Revocation bit SET · list re-signed by the fiduciary
  • Revocation → halt latency 21 ms
  • Partial output DESTROYED · COMMITTED
  • Record chain INTACT — 0 MISSING

How it works

One check, in order — and it fails closed.

Every use is re-evaluated live against the issuer's signed status list. Nothing is cached; anything Bridle can't verify is refused.

01

Grant

  • Scoped: purpose, territory, lease, cap
  • Two signatures: consent + issuance
  • Points at a signed status list
02

Point-of-use check

  • Verify signatures
  • Validity window
  • Fetch + verify signed status list
  • Scope · lease
Unreachable / unsigned / stale → refuse
03

Decision

PERMITTED REFUSED_*
  • Generation only on a fresh permit
04

Record

  • Attestation binds output to the check
  • Decision record — the evidence
  • Hash-chained · chain_intact
01
Authority

Grant

Bounded, revocable authority to use a subject.

02
Receipt

Attestation

Signed receipt of one act of use.

03
Evidence

Decision Record

The signed conformant / non-conformant decision.

04
Revocation

Status List

Static, signed artefact — the issuer's, not Bridle's.

Why it's neutral

Bridle holds no power to revoke.

Revocation authority is custody of the status-list signing key — and that key stays with the rights-holder's fiduciary, never with the operator or the vendor. Bridle holds only the public key: it fetches the signed list, verifies it, and fails closed. That separation is the whole point — and it's falsifiable.

TRUST DOMAIN · FIDUCIARY Issuer / Fiduciary Rights-holder · union · CMO Holds the signing key CAN REVOKE IMPLEMENTER Bridle Holds only the public key Fetches the signed list · verifies it · fails closed ✕ CANNOT REVOKE · NO KEY check · attest · record TRUST DOMAIN · OPERATOR Operator Studio · platform · agency Holds the grant · governs, never generates signed list → ← check

"We have no revoke capability. Here is the code."

The claim a general counsel can falsify — not trust. The check is free and open; the guarantee around it is what Bridle sells. See the standard →

Who it's for

Built for the people who carry the risk.

Studios & platforms

Deploy synthetic actors and voices with proof each use was licensed — governance above whoever renders the pixels.

Unions & CMOs

Give performers withdrawal that actually takes effect — and a signed record when it does. GDPR Art. 7(3) as a running system.

Legal, compliance & underwriting

The artefact your procurement team — and an underwriter — actually relies on: admissible, tamper-evident evidence.


Where we are, honestly

Bridle is a working reference implementation in early access. Today it produces signed, tamper-evident decision records, the issuer's status-list signature is real ES256, and the system is designed to be insurable. Full grant-signature verification and external anchoring are on the roadmap — we say what is proven and what is not. The open standard →

See it live

Prove the use. In ten minutes.

A short walkthrough of the governed actor — issue, check, the live revoke, and the receipt an underwriter relies on.