Govern-Output Swarm · Claims-Substantiation Agent · Claims- Allowlist + Substantiation-File Skill · Build pillar · Published September 12, 2026

How to build a claims-allowlist + substantiation file for AI-generated marketing

A 4-skill bundle (Catalog + Match + Block + Substantiate) layered above the existing OpenAI + Anthropic + Google + Mistral + Cohere + Meta + AWS Bedrock + Azure OpenAI + Vertex AI LLM-provider ecosystem + the Pinecone + Weaviate + Qdrant + Chroma + Milvus + pgvector + Vespa + LanceDB RAG vector substrate + the LangSmith + Weights & Biases + Arize + WhyLabs + Helicone + Langfuse observability substrate + the Lakera Guard + Robust Intelligence + HiddenLayer + CalypsoAI + Protect AI + Garak AI-safety substrate + the OPA Rego + AWS Cedar + Casbin + Cerbos + Oso + Styra DAS + Permit.io policy-as-code substrate + the iManage + NetDocuments + Worldox + OpenText + DocuWare + M-Files + Box + SharePoint document-management substrate + the AWS S3 Object Lock + GCS retention + Azure Blob immutable WORM substrate. Anchored on FTC Section 5 + FTC substantiation doctrine (Pfizer 1972 + Reasonable-Basis) + FTC Endorsement Guides 16 CFR Part 255 + FTC Fake Review Rule 16 CFR Part 465 (October 2024) + FTC Made-in-USA Labeling Rule 16 CFR Part 323 + Lanham Act 15 USC 1125(a) + per-state UDAP + per-industry regulators (FDA + FAA + DOT + USDA + EPA + FCC + FERC + FINRA 2210 + CFPB UDAAP + SEC + DOL + state insurance) + EU Unfair Commercial Practices Directive 2005/29/EC + EU DSA + EU AI Act + NIST AI RMF + ISO 42001 + CCPA + CPRA + state- comprehensive-privacy + GDPR.

Start with the AI Readiness Assessment Engage the Fractional CMO with AI Swarm Take the 3-question scope quiz

The 4-skill bundle on the claims-substantiation agent

Claims-allowlist + substantiation file is one skill on the claims-substantiation agent. The skill decomposes into four operationally distinct sub-skills, each with its own success criteria and its own handoff to the next.

1. Catalog

Operator-defined allowlist of claim categories in versioned registry. Per entry: claim category (performance + effectiveness + comparison + Made-in- USA + health + financial-services + endorsement + warranty + price + availability + geographic-scope); claim text patterns (template strings + regular expressions + semantic embeddings + per-jurisdiction variations); substantiation evidence (test report + clinical trial + survey methodology + accounting evidence + supplier audit + license + endorser disclosure agreement); substantiation date + expiration; per-jurisdiction scope; document- management pointer (iManage + NetDocuments + Worldox + OpenText + DocuWare + M-Files + Box + SharePoint + Google Workspace); operator-counsel sign-off (specific counsel identity + sign-off date + comments).

2. Match

Process every AI-generated output before publish. Per-claim detection via claim-pattern + semantic- embedding similarity against Catalog patterns. Per- claim classification: allowlist entry or outside. Per-claim jurisdiction-tag for per-banner + per- location + per-channel. Per-claim substantiation- pointer extraction. LLM-assisted Match under NIST AI RMF + ISO 42001 + EU AI Act + per-vendor zero- retention augments pattern + embedding for nuanced cases but is NEVER sole gating mechanism — pattern + embedding + LLM ensemble votes feed Block decision. False-negative routes to operator review rather than auto-pass.

3. Block

Non-matching outputs routed to operator review + prevented from auto-publish. Content with detected claim that does not match Catalog allowlist held in queue with specific claim text + failure reason + recommended resolution. Operator counsel decides: substantiate the new claim (add to Catalog) or rewrite content to remove the claim. AUTO-PUBLISH NEVER HAPPENS for content with unmatched claims.

4. Substantiate

Emit per-published-output substantiation record at publish time: output text + detected claim list + per-claim Catalog-entry pointer + per-claim substantiation-file SHA-256 fingerprint + publish destination + timestamp. Record retains per operator -counsel-documented retention window (FTC general 7-year + per-industry-regulator window + per-state UDAP statute of limitations 3-6 years) via handoff to versioned-history-regulatory-defense skill. When inquiry lands years later, operator answers from substantiation file rather than reconstructed inference.

The real ecosystem this skill sits above

LLM + RAG + observability substrate

OpenAI, Anthropic, Google, Mistral, Cohere, Meta, AWS Bedrock, Azure OpenAI, Vertex AI LLM providers. Pinecone, Weaviate, Qdrant, Chroma, Milvus, pgvector, Vespa, LanceDB RAG vector stores for embedding- similarity match. LangSmith, Weights & Biases, Arize, WhyLabs, Helicone, Langfuse observability.

AI safety + policy-as-code substrate

Lakera Guard, Robust Intelligence, HiddenLayer, CalypsoAI, Protect AI, Garak AI safety for prompt- injection + hallucination defense layered alongside claims-allowlist Match. OPA Rego, AWS Cedar, Casbin, Cerbos, Oso, Styra DAS, Permit.io policy-as-code for Block gating.

Document management + WORM substrate

iManage, NetDocuments, Worldox, OpenText, DocuWare, M-Files, Box, SharePoint, Google Workspace for substantiation-file storage. AWS S3 Object Lock (Compliance mode), GCS retention, Azure Blob immutable, Wasabi immutable WORM for retention.

5-anchor compliance overlay

Anchor 1 — FTC Section 5 + FTC substantiation doctrine + Endorsement Guides + Fake Review Rule + Made-in-USA + health-claims enforcement (operationally distinctive)

Anchor 2 — Lanham Act + per-state UDAP + state-AG enforcement

Lanham Act 15 USC 1125(a) provides civil cause for false advertising — competitors + private litigants can sue. Per-state Unfair and Deceptive Acts and Practices statutes layer state enforcement; state attorneys general are increasingly active in pursuing false-advertising claims under per-state UDAP and deceptive-trade-practice statutes.

Anchor 3 — Per-industry regulators

Per-industry regulators layer industry-specific claim restrictions: FDA for food + drug + device + cosmetic claims (Federal Food, Drug, and Cosmetic Act); FAA + DOT + USDA + EPA + FCC + FERC for industry-specific claims; FINRA Rule 2210 for investment-grade communications with the public; CFPB UDAAP for consumer-finance decisioning; SEC + DOL for investment advisers; state insurance commissioners for insurance claims.

Anchor 4 — EU UCPD + EU DSA + EU AI Act

EU Unfair Commercial Practices Directive 2005/29/EC regulates B2C misleading + aggressive commercial practices in EU member states. EU Digital Services Act regulates online platforms + intermediaries including marketing surfaces. EU AI Act layers AI- specific obligations for high-risk and limited-risk AI systems including marketing.

Anchor 5 — NIST AI RMF + ISO 42001 + EU AI Act + per- vendor LLM zero-retention + CCPA + CPRA + state- comprehensive-privacy + GDPR

When LLM-assisted Match is used, NIST AI Risk Management Framework + ISO 42001 + applicable EU AI Act articles + per-vendor LLM zero-retention posture apply. LLM is NEVER sole gating mechanism — pattern + embedding + LLM ensemble votes feed Block decision. Operator + customer data handling per CCPA + CPRA + 18 state-comprehensive-privacy statutes + GDPR.

6-workstream pre-engagement-baseline reporting cycle

Catalog coverage and Block enforcement rate are what the data shows after the workflow is built, not numbers Completions promises in advance.

Catalog coverage. Per-claim-category enumeration completeness, per-category substantiation- file presence, per-category expiration tracking, per- category operator-counsel sign-off completeness, per- jurisdiction scope coverage, Catalog registry version pointer freshness.
Match quality. Per-AI-output claim- detection completeness, per-claim classification accuracy, per-claim jurisdiction-tag correctness, per- claim Catalog-pointer extraction, false-negative + false-positive route-to-review rate.
Block quality. Per-output unmatched- claim hold, per-hold operator-review routing, per-hold resolution time, per-hold counsel-decision capture, auto-publish-prevention completeness.
Substantiate quality. Per-published- output substantiation-record completeness, per-record substantiation-file SHA-256 verification, per-record retention-window adherence, per-record handoff to versioned-history-regulatory-defense skill.
5-anchor compliance posture freshness. FTC Section 5 + FTC substantiation doctrine + FTC Endorsement Guides + FTC Fake Review Rule + FTC Made- in-USA + Lanham Act + per-state UDAP + per-industry regulators (FDA + FAA + DOT + USDA + EPA + FCC + FERC + FINRA 2210 + CFPB UDAAP + SEC + DOL + state insurance) + EU UCPD + EU DSA + EU AI Act + NIST AI RMF + ISO 42001 + CCPA + CPRA + state-comprehensive- privacy + GDPR + per-vendor LLM zero-retention posture.
Audit-trail completeness. Per-Catalog entry record, per-Match decision record, per-Block decision record, per-Substantiate record.

Frequently asked questions

What does a claims-allowlist + substantiation file workflow for AI-generated marketing actually solve?

AI-generated marketing content can fabricate claims the operator cannot substantiate: a performance claim that exceeds the documented test result; an effectiveness claim the operator never made; a comparison claim with no underlying benchmark; a Made-in-USA claim where partial offshoring is the truth; a health claim outside the cleared label; a financial-services claim outside the operator licensing; a third-party endorsement that was never given. When that fabricated content reaches a customer, the operator owns the FTC + state-AG + Lanham Act + per-industry-regulator exposure regardless of which LLM generated the text. The skill prevents the fabrication at the source: every claim category the operator is willing to make is catalogued with its substantiation file at the moment of cataloging; every AI-generated output is matched against the allowlist before publish; non-matching claims are blocked with the failure routed to operator review; matched claims are emitted to publish together with the substantiation pointer so the FTC + state-AG + Lanham Act + per-industry-regulator inquiry years later can be answered from the file.

Why is FTC substantiation doctrine + Endorsement Guides + Fake Review Rule + Made-in-USA + Lanham Act + per-industry regulators the operationally distinctive frame for this skill?

FTC Section 5 prohibits unfair or deceptive acts or practices. The FTC substantiation doctrine (Pfizer 1972 + Reasonable-Basis Doctrine) requires advertisers to possess a reasonable basis for objective product claims at the time the claim is made. Subsequent FTC enforcement (Pom Wonderful 2013 + Bayer Aspirin 2015) clarified that health claims require competent and reliable scientific evidence, often two well-controlled human clinical trials. FTC Endorsement Guides (16 CFR Part 255, updated 2023) govern how testimonials + endorsements + influencer disclosures + AI-generated endorsements may be presented. The FTC Fake Review Rule (16 CFR Part 465, effective October 2024) prohibits buying + suppressing + generating fake reviews. The FTC Made-in-USA Labeling Rule (16 CFR Part 323, effective 2021) governs claims of US origin. Lanham Act 15 USC 1125(a) provides civil cause for false advertising. Per-state Unfair and Deceptive Acts and Practices statutes layer state enforcement; state attorneys general are increasingly active. Per-industry regulators (FDA for food + drug + device + cosmetic claims; FAA + DOT + USDA + EPA + FCC + FERC; FINRA Rule 2210 for investment-grade communications; CFPB UDAAP for consumer-finance; SEC + DOL for investment advisers; state insurance commissioners) layer industry-specific claim restrictions. EU Unfair Commercial Practices Directive 2005/29/EC + EU Digital Services Act + EU AI Act add EU-jurisdiction layers. Operationally distinctive — every claim category in the allowlist has a documented substantiation file because every claim is a regulatory exposure if substantiation is absent.

How does the Catalog skill enumerate the operator-defined allowlist?

The Catalog sub-skill builds the operator-defined allowlist of claim categories with per-category substantiation file in a versioned registry. Each entry includes: claim category (performance claim + effectiveness claim + comparison claim + Made-in-USA claim + health claim + financial-services claim + endorsement claim + warranty claim + price claim + availability claim + geographic-scope claim); claim text patterns (template strings + regular expressions + semantic embeddings + per-jurisdiction variations); substantiation evidence (test report + clinical trial + survey methodology + accounting evidence + supplier audit + license + endorser disclosure agreement); substantiation date + expiration; per-jurisdiction scope (FTC + per-state UDAP + per-industry regulator + EU UCPD + EU DSA + EU AI Act); document-management pointer (iManage + NetDocuments + Worldox + OpenText + DocuWare + M-Files + Box + SharePoint storage location); operator-counsel sign-off (specific counsel identity + sign-off date + counsel comments). When a substantiation file expires (clinical trial methodology aged out of relevance, supplier audit window closed), the claim category is auto-flagged as not-currently-substantiable and the Block sub-skill rejects matching outputs until counsel re-substantiates.

How does Match identify whether an AI-generated output makes an allowlist claim?

The Match sub-skill processes every AI-generated output before publish: per-claim detection runs claim-pattern + semantic-embedding similarity against the Catalog allowlist patterns; per-claim classification determines whether each detected claim corresponds to an allowlist entry or falls outside the allowlist; per-claim jurisdiction-tag identifies which jurisdictions the claim will surface in (per-banner + per-location + per-channel); per-claim substantiation-pointer extraction retrieves the matched-allowlist-entry substantiation file. AI-driven Match (LLM-assisted claim detection + classification under NIST AI RMF + ISO 42001 + EU AI Act + per-vendor LLM zero-retention) augments pattern + embedding match for nuanced cases, but is never the sole gating mechanism — pattern + embedding + LLM ensemble votes feed the Block decision. False-negative case (a substantiable claim the patterns missed) routes to operator review rather than auto-pass; false-positive case (a non-claim flagged as claim) is logged for Catalog refinement.

How do Block and Substantiate enforce the allowlist and produce the file for regulator inquiry?

Block routes non-matching outputs to operator review and prevents auto-publish — content with a detected claim that does not match the Catalog allowlist is held in queue with the specific claim text + failure reason + recommended resolution. Operator counsel decides whether to substantiate the new claim (adding to Catalog) or rewrite the content to remove the claim. Auto-publish never happens for content with unmatched claims. Substantiate emits the per-published-output substantiation record at publish time: the output text + the detected claim list + the per-claim Catalog-entry pointer + the per-claim substantiation-file SHA-256 fingerprint + the publish destination + the timestamp. The substantiation record retains per the operator-counsel-documented retention window (FTC general 7-year + per-industry-regulator window per applicable regime + per-state UDAP statute of limitations 3-6 years) via handoff to the versioned-history-regulatory-defense skill. When an FTC or state-AG or Lanham Act or per-industry-regulator inquiry lands years later, the operator answers from the substantiation file rather than reconstructed inference.

How does Completions report on this without fabricating KPI commitments?

Pre-engagement baseline is established in the first 30 days. Reporting cycles cover the six workstreams: Catalog coverage (per-claim-category enumeration completeness + per-category substantiation-file presence + per-category expiration tracking + per-category operator-counsel sign-off completeness + per-jurisdiction scope coverage + Catalog registry version pointer freshness), Match quality (per-AI-output claim-detection completeness + per-claim classification accuracy + per-claim jurisdiction-tag correctness + per-claim Catalog-pointer extraction + false-negative + false-positive route-to-review rate), Block quality (per-output unmatched-claim hold + per-hold operator-review routing + per-hold resolution time + per-hold counsel-decision capture + auto-publish-prevention completeness), Substantiate quality (per-published-output substantiation-record completeness + per-record substantiation-file SHA-256 verification + per-record retention-window adherence + per-record handoff to versioned-history-regulatory-defense), 5-anchor compliance posture freshness (FTC Section 5 + FTC substantiation doctrine + FTC Endorsement Guides + FTC Fake Review Rule + FTC Made-in-USA Labeling Rule + Lanham Act + per-state UDAP + per-industry regulators FDA + FAA + DOT + USDA + EPA + FCC + FERC + FINRA 2210 + CFPB UDAAP + SEC + DOL + state insurance + EU UCPD + EU DSA + EU AI Act + NIST AI RMF + ISO 42001 + CCPA + CPRA + state-comprehensive-privacy + GDPR posture), audit-trail completeness (per-Catalog entry record + per-Match decision record + per-Block decision record + per-Substantiate record).

Engage Completions

Operators publishing AI-generated marketing content to customers + prospects + franchisees need a claims- allowlist + substantiation file workflow so that every claim reaching a customer has a documented basis the operator can defend years later. Completions architects the workflow as a 4-skill bundle layered above the existing OpenAI + Anthropic + Bedrock + Vertex + Pinecone + Weaviate + OPA Rego + Cedar + iManage + NetDocuments + S3 Object Lock ecosystem. Start with the Tier 1 AI Readiness Assessment ($10k, 2-3 weeks), build with the Tier 2 Setup Sprint ($25-50k, 4-8 weeks), or engage Tier 3 Fractional CMO with AI Swarm ($15-25k per month, 6-month minimum).