Documentation Index
Fetch the complete documentation index at: https://agenticadvertisingorg-changeset-release-main.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
Content Standards Protocol
The Content Standards Protocol enables privacy-preserving brand suitability for ephemeral and sensitive content that cannot leave a publisher’s infrastructure.
The Problem
Traditional brand suitability relies on third-party verification: send your content to IAS or DoubleVerify, they evaluate it, return a verdict. This works for static web pages. It fundamentally cannot work for:
- AI-generated content - ChatGPT responses, DALL-E images that exist only in a user session
- Private conversations - Content in messaging apps, private social feeds
- Ephemeral content - Stories, live streams, real-time feeds that disappear
- Privacy-regulated content - GDPR-protected data that cannot be exported
- CTV and linear TV - Ad decisioning in live linear has a sub-second latency budget; there is no room to make a blocking call to a third-party verification service before insertion
For these platforms, there is no traditional verification option. The content simply cannot leave — or cannot wait. OpenAI cannot send user conversations to an external service. A messaging app cannot export private chats. A live broadcaster cannot block insertion on an external API response.
Yet these are exactly the environments where advertising is growing fastest - and where brands most need suitability guarantees. Without a privacy-preserving approach, brands either avoid these channels entirely or accept unknown risk.
The Solution: Calibration-Based Alignment
Content Standards solves this by using agents to protect privacy. It’s a three-phase model where no sensitive content ever leaves the publisher’s infrastructure:
| Phase | Where It Runs | What Happens |
|---|
| 1. Calibration | External (safe data only) | Publisher and verification agent align on policy interpretation using synthetic examples or public samples - no PII, no sensitive content |
| 2. Local Execution | Inside publisher’s walls | Publisher runs evaluation on every impression using a local model trained during calibration - content never leaves |
| 3. Validation | Statistical sampling | Verification agent audits a sample to detect drift - both parties can verify the system is working without exposing PII |
What It Covers
- Brand safety - Is this content safe for any brand? (universal thresholds like hate speech, illegal content)
- Brand suitability - Is this content appropriate for my brand? (brand-specific preferences and tone)
Key Concepts
Content standards evaluation involves four key questions that buyers and sellers negotiate:
- What content? - What artifacts to evaluate (the ad-adjacent content)
- How much adjacency? - How many artifacts around the ad slot to consider
- What sampling rate? - What percentage of traffic to evaluate
- How to calibrate? - How to align on policy interpretation before runtime
These parameters are negotiated between buyer and seller during product discovery and media buy creation.
Workflow
Calibration is required before production use. Content standards created via create_content_standards define what to evaluate, but calibration via calibrate_content aligns the seller’s local model with the verification agent’s interpretation. Without calibration, the seller’s local model produces uncalibrated evaluations — policy violations may go undetected or safe content may be incorrectly blocked. Always calibrate before activating a media buy with content standards. Adjacency
How much content around the ad slot should be evaluated?
| Context | Adjacency Examples |
|---|
| News article | The article where the ad appears |
| Social feed | 1-2 posts above and below the ad slot |
| Podcast | The segment before and after the ad break |
| CTV | 1-2 scenes before and after the ad pod |
| Infinite scroll | Posts within the visible viewport |
get_products). The buyer can filter products based on adjacency guarantees:
{
"product_id": "reddit_feed_standard",
"content_standards_adjacency_definition": {
"before": 2,
"after": 2,
"unit": "posts"
}
}
Adjacency Units
| Unit | Use Case |
|---|
posts | Social feeds, forums, comment threads |
scenes | CTV, streaming video content |
segments | Podcasts, audio content |
seconds | Time-based adjacency in video/audio |
viewports | Infinite scroll contexts |
articles | News sites, content aggregators |
Sampling Rate
What percentage of traffic should be evaluated by the verification agent?
| Rate | Use Case |
|---|
| 100% | Premium brand suitability - every impression validated |
| 10-25% | Standard monitoring - statistical confidence |
| 1-5% | Spot checking - drift detection only |
{
"governance": {
"content_standards": {
"agent_url": "https://safety.ias.com/adcp",
"standards_id": "nike_brand_safety",
"sampling_rate": 0.25
}
}
}
artifact_webhook (push) — both deliver artifacts sampled per the buy agreement.
Validation Thresholds
When a seller calibrates their local model against a verification agent, there’s an expected drift - the local model won’t match the verification agent 100% of the time. Validation thresholds define acceptable drift between local execution and validation samples.
Sellers advertise their content safety capabilities in their product catalog:
{
"product_id": "reddit_feed_premium",
"content_standards": {
"validation_threshold": 0.95,
"validation_threshold_description": "Local model matches verification agent 95% of the time"
}
}
| Threshold | Meaning |
|---|
| 0.99 | Premium - local model is 99% aligned with verification agent |
| 0.95 | Standard - local model is 95% aligned |
| 0.90 | Budget - local model is 90% aligned |
Policies
Content Standards uses addressable policies — an array of policy entries, each with a policy_id, enforcement, and natural-language policy text. Same shape as registry-published policies, so bespoke buyer rules and shared registry policies are interchangeable. Validation findings reference policy_id to identify which policy triggered:
{
"policies": [
{ "policy_id": "no_violence", "policy_categories": ["brand_safety"], "enforcement": "must", "policy": "Avoid content depicting violence, weapons, or physical aggression." },
{ "policy_id": "no_controversial_politics", "policy_categories": ["brand_suitability"], "enforcement": "must", "policy": "Avoid controversial political content." },
{ "policy_id": "no_adult_themes", "policy_categories": ["brand_safety"], "enforcement": "must", "policy": "Avoid adult, sexual, or mature themes." },
{ "policy_id": "no_hate_speech", "policy_categories": ["brand_safety"], "enforcement": "must", "policy": "Block hate speech and illegal activities." },
{ "policy_id": "no_sedentary_glorification", "policy_categories": ["brand_suitability"], "enforcement": "should", "policy": "Avoid content that portrays sedentary lifestyle positively." }
],
"calibration_exemplars": {
"pass": [
{
"property_id": {"type": "domain", "value": "espn.com"},
"artifact_id": "nba_championship_recap_2024",
"assets": [{"type": "text", "role": "title", "content": "Championship Game Recap"}]
}
],
"fail": [
{
"property_id": {"type": "domain", "value": "tabloid.example.com"},
"artifact_id": "scandal_story_123",
"assets": [{"type": "text", "role": "title", "content": "Celebrity Scandal Exposed"}]
}
]
}
}
Versioning and mid-flight amendments
Content standards carry a version field and MAY be amended while campaigns are running. update_content_standards creates a new version for audit purposes rather than mutating the previous one.
AdCP 3.0 default: pinned at buy time. Unless otherwise declared, a media buy references the version of the standards that was in effect when its create_media_buy was approved, and subsequent amendments do not retroactively apply to in-flight delivery on that buy. This is the conservative default because it prevents a mid-campaign amendment from silently re-characterizing already-approved delivery.
Governance agents MAY mark an individual policy as continuously re-evaluated by declaring evaluation_mode: continuous on the policy entry (default is pinned). Use continuous for policies that must track regulatory changes without re-approval — emerging regulatory disclosures, new legal prohibitions, accessibility requirements. Use the default pinned for brand-voice, taxonomy, and commercial preferences where stability across a flight is the desired behavior.
When a policy is continuous, a finding generated against a newer version MUST carry both the evaluation-time version and the pinned-at-buy version on the finding, so downstream audit can reconstruct which version applied. The governance agent MUST emit the finding to the buying agent via the media buy’s push_notification_config when one is configured, and the finding MUST be retrievable through the buy’s standard status surface regardless. Delivery-adjustment decisions remain with the buyer. When a policy is pinned, the pinned version applies for the life of the buy; the governance agent MAY still surface advisory findings based on later versions but MUST NOT mark them as enforcement failures against the pinned buy.
AdCP 3.0 does not define a mid-flight re-pin mechanism. A buyer that wants to adopt a newer standards version across all pinned policies replaces the buy — cancel the existing buy via update_media_buy and issue a new create_media_buy whose governance block references the current version. This is a heavyweight path: a new approval is required, pacing history resets, and in-flight delivery may have makegood implications. It is deliberately the only 3.0 mechanism; standards_version on update_media_buy and partial re-pin are out of scope for 3.0.
Scoped Standards
Buyers typically maintain multiple standards configurations for different contexts - UK TV campaigns have different regulations than US display, and children’s brands need stricter safety than adult beverages.
{
"standards_id": "uk_tv_zero_calorie",
"name": "UK TV - zero-calorie brands",
"countries_all": ["GB"],
"channels_any": ["ctv", "linear_tv"],
"languages_any": ["en"]
}
Code Format ConventionsCountry and language codes are case-insensitive - implementations must normalize before comparison. Recommended formats follow ISO standards:
- Countries: Uppercase ISO 3166-1 alpha-2 (e.g.,
GB, US, DE)
- Languages: Lowercase ISO 639-1 or BCP 47 (e.g.,
en, de, fr)
standards_id when creating a media buy. The seller receives a reference to the resolved standards - they don’t need to do scope matching themselves.
Calibration
Before running campaigns, sellers calibrate their local models against the verification agent. This is a dialogue-based process that may involve human review on either side:
- Seller sends sample artifacts to the verification agent
- Verification agent returns verdicts with detailed explanations
- Seller asks follow-up questions about edge cases
- Process repeats until alignment is achieved
When a seller surfaces an edge case the verification agent does not handle well, that’s signal to the buyer to improve their standards — refining the policy language or adding calibration exemplars. The calibration dialogue is also how publishers communicate what they actually see in their inventory, which is often more nuanced than the policy anticipated. Buyers who revisit calibration periodically get ongoing signal from publishers about real-world inventory nuance.
Human-in-the-loop: Calibration often involves humans on both sides. A brand suitability specialist at the buyer might review edge cases flagged by the verification agent. A content operations team at the seller might curate calibration samples and validate the local model’s learning. The protocol supports async workflows where either party can pause for human review before responding.
// Seller: "Does this pass?"
{
"artifact": {
"property_id": {"type": "domain", "value": "reddit.com"},
"artifact_id": "r_news_politics_123",
"assets": [{"type": "text", "role": "title", "content": "Political News Article"}]
}
}
// Verification agent: "No, because..."
{
"verdict": "fail",
"explanation": "Political content is excluded by brand policy, even when balanced.",
"features": [
{
"feature_id": "brand_safety",
"status": "passed",
"explanation": "No hate speech, illegal content, or explicit material."
},
{
"feature_id": "brand_suitability",
"status": "failed",
"explanation": "Political content is excluded by brand policy, even when balanced."
}
]
}
explanation and per-feature features[].explanation fields tell the seller exactly which policy clause was triggered and why — not just a number. This means a publisher can understand decisions, dispute edge cases, and adjust how they classify content. Buyers can audit a sample of verdicts to verify their standards are being interpreted correctly.
See calibrate_content for the full task specification.
Tasks
Discovery
| Task | Description |
|---|
| list_content_standards | List available standards configurations |
| get_content_standards | Retrieve a specific standards configuration |
Management
| Task | Description |
|---|
| create_content_standards | Create a new standards configuration |
| update_content_standards | Update an existing standards configuration |
Calibration & Validation
| Task | Description |
|---|
| calibrate_content | Collaborative dialogue to align on policy interpretation |
| get_media_buy_artifacts | Retrieve content artifacts from a media buy |
| validate_content_delivery | Batch validation of content artifacts |
Future: Secure Enclaves
The current model trusts the publisher to faithfully implement the calibrated standards. A future evolution uses secure enclaves (Trusted Execution Environments / TEEs) to provide cryptographic guarantees:
Content never crosses the pinhole - only models flow in, only aggregates flow out.
The Pinhole Interface
The enclave maintains a narrow, well-defined interface to the verification service:
Inbound (verification service → enclave):
- Updated brand suitability models
- Policy changes and calibration exemplars
- Configuration updates
Outbound (enclave → verification service):
- Aggregated validation results (pass rates, drift metrics)
- Statistical summaries
- Attestation proofs
Never crosses the boundary:
- Raw content artifacts
- User data or PII
- Individual impression-level data
This pinhole is the interface that needs standardization - it defines exactly what flows in and out while keeping sensitive content locked inside the publisher’s walls.
Why This Matters
- Publisher hosts a secure enclave inside their infrastructure
- Governance agent (from IAS, DoubleVerify, etc.) runs as a container within the enclave
- Content flows into the enclave for evaluation but never leaves the publisher’s walls
- Both parties can verify the governance code is running unmodified via attestation
- Models stay current - the enclave can receive updates without exposing content
This provides the same privacy guarantees as local execution, but with cryptographic proof that the correct algorithm is running. The brand knows their standards are being enforced faithfully. The publisher proves compliance without exposing content.
This architecture aligns with the IAB Tech Lab ARTF (Agentic RTB Framework), which defines how service providers can package offerings as containers deployed into host infrastructure. ARTF enables hosts to “provide greater access to data and more interaction opportunities to service agents without concerns about leakage, misappropriation or latency” - exactly the model Content Standards requires for privacy-preserving brand suitability.
- Artifacts - What artifacts are and how to structure them
- Brand identity - Brand identity that can link to standards agents
