The AI document authenticity crisis
In 2026, the question 'did a human or an AI write this?' has been joined by an equally critical question: 'is this the original version, or has it been modified?' Generative AI tools can produce convincing contracts, reports, certificates, and invoices in seconds — and can modify existing documents with surgical precision, leaving no visible trace. Forensic tools designed to detect AI-generated content focus on stylistic patterns, but they are locked in an arms race with the models they try to detect. The fundamental problem is that content-based detection cannot prove integrity: it can suggest a document might be AI-generated, but it cannot prove that a specific document is the authentic, unmodified version received by a given party at a given time.
How a qualified timestamp creates an integrity anchor
A qualified electronic timestamp does not care whether a document was written by a human or an AI. It solves a different — and more legally useful — question: did this exact version of this document exist at this specific time? The timestamping process hashes the entire document, producing a fixed-length fingerprint unique to that exact byte sequence. The hash is sent to a Qualified Trust Service Provider's Time Stamping Authority, which binds it to an independently certified UTC time. If even one character of the document is changed after timestamping, the hash changes and the original timestamp becomes invalid. This makes the timestamp an immutable integrity anchor — not of who created the document, but of what it contained and when.
Provenance workflows: timestamp before you share
The simplest and most effective way to protect document integrity in an AI-rich environment is to timestamp immediately before transmission. A document management system or email gateway configured to automatically apply a qualified timestamp to every outgoing attachment creates a before-sharing proof for every document sent. Recipients can independently verify the timestamp — without contacting the sender — to confirm they received exactly what was sent. This pattern is particularly valuable for financial reports, legal submissions, technical specifications, and regulatory filings, where the authentic version must be demonstrably different from any subsequent modified version.
The EU AI Act and document authenticity obligations
The EU AI Act (Regulation 2024/1689), in force from August 2026, requires providers of certain AI systems to ensure that AI-generated content can be detected as such. Article 50 imposes obligations on providers of general-purpose AI systems to mark synthetic content with machine-readable signals. However, these signals can themselves be stripped or forged. Qualified timestamps complement — and in many cases exceed — AI Act marking requirements by providing court-admissible, QTSP-certified proof of a document's state at a given moment, regardless of who or what produced it. Organisations subject to AI Act compliance should consider qualified timestamping as part of their AI content governance framework.
Building tamper-evident document pipelines
Implementing qualified timestamps across a document pipeline is a practical, low-cost investment. Modern QTSPs offer REST APIs that accept a document hash and return a signed RFC 3161 timestamp token in under 500 milliseconds, at costs of €0.01–€0.05 per timestamp. Integration points include: email servers (timestamp all outbound attachments at send time), document management systems (timestamp on upload and on each approved revision), e-signature platforms (timestamp immediately after signing), and archiving systems (timestamp at ingestion). The resulting audit trail provides a continuous, verifiable history of every document's state at every point in its lifecycle — a defence that no AI-powered forgery can breach.