How Synthesia is updating its responsible AI playbook

When Synthesia was founded in 2017, generative AI and synthetic media were still fringe concepts. The company’s four founders built the first AI video products with their eyes open about how this technology could be misused, and they anchored the business around a simple internal motto: consent, control, and collaboration, which they called the 3Cs framework. 

Looking back at our 3Cs framework for synthetic media

Over time, Synthesia grew into an enterprise platform used by organizations ranging from small businesses to the Fortune 100. For the first few years, the 3Cs scaled well because they were actionable. Consent could be operationalized through explicit permission from the actors participating in the creation of Stock Avatars. Control could be implemented through proactive moderation at the point of creation. Collaboration could be expressed through engagement with regulators and industry initiatives. In an era when there were no established governance templates for synthetic media, the 3Cs acted as a compass that pointed to our North Star for responsible AI, while the underlying models became more capable. 

A broader ecosystem milestone arrived in 2024 through the Partnership on AI’s Responsible Practices for Synthetic Media, which Synthesia helped launch as a partner. For us, the PAI framework was the moment our work started to look less like the principles of one company and more like shared operational practice at the industry level. We published a case study, alongside other PAI partners, that brought to life how the implementation of our 3Cs was relevant to procurement teams, policymakers, and the press, translating high-level commitments into concrete governance patterns. 

However, we always knew that AI governance had to evolve as technologies matured. For the past year, AI video has moved at incredible speed, and we’ve realized that a rigid approach in form will not scale in substance. 

We’ve therefore started to slowly shift from a framework that is primarily principle-led to one that is explicitly risk-based and audit-ready. As a result, we became the world’s first generative AI company to be certified for ISO 42001, ISO 27001 and ISO 27701, which provided structure around AI-specific risk management, and data security and privacy, treating them as lifecycle processes that undergo continuous improvement.   

In parallel, our platform evolved, too: six years ago, most of our AI technologies were developed in house and therefore we had end-to-end control of the stack from research to production. Today, that is no longer the case: alongside the models we train ourselves, the platform also integrates best-in-class third party video and image generation models to unlock deeper avatar and scene customization. That creates real upside for customers, but it also changes the governance challenge. Our platform still needs to deliver enterprise controls, yet some safety, security, and moderation properties now originate upstream in third-party systems, which means governance becomes as much about vendor assurance as it is about internal policies and systems. 

Introducing the new 3Rs framework based on ISO 42001 governance

This is the context for how we are evolving the 3Cs into a model that fits this new multi-model world, and is easier for legal, procurement, and security teams to evaluate. The 3Cs are not being retired. They are being translated into a governance framework calibrated to risk, verifiable through audit, and designed for continuous change.

We call this updated framework the 3Rs: Review, Report, and React.

Review is the starting point because not all AI capability is equal, and not all enterprise use is equal. A good enterprise platform should be able to distinguish between low-risk internal training content and higher risk scenarios such as impersonation attempts and content designed to manipulate or harm. This is the logic that sits behind our ISO-style management systems, and it is also the logic that procurement teams already use to evaluate AI-native software platforms. In practice, Review means we treat governance as something that begins before launching a product, continues through deployment, and is updated as threat models evolve.

Report is about traceability, something that matters increasingly for enterprise risk teams and for policymakers. As higher risk capabilities become available, we are building a chain of provenance into the platform so that we can reliably know who is making a piece of content and under what organizational context, including whether it is an individual user or a company account operating under enterprise governance. These practical controls strengthen accountability, improve investigations when something goes wrong, and support enforcement that is grounded in identity and authorization rather than guesswork. Over time, provenance also becomes part of a broader view of the next-generation information ecosystem, where trust is sustained through verifiable context around how content was created and by whom, not only by judging the content after it exists.

Report is also about assigning clear accountability across the value chain of an AI product. When capability comes from third party models, responsibility cannot be assigned to a single party, it needs to be shared between Synthesia, our customers, and the third party model developer. Internally, this means clear ownership for policy, engineering controls, and enforcement operations, plus the ability to document decisions and learn from incidents in a repeatable way. Externally, it means tighter collaboration with model providers so that safety signals, moderation boundaries, and abuse patterns can be integrated into the product in a way that supports enterprise obligations. The goal is not to outsource accountability to vendors, and it is not to pretend we can rebuild every protection from scratch. For our customers, we will be transparent about our technology choices and provide the information they need to make an informed decision about the third party AI services or models available on our platform. We’re aiming to build a layered system where upstream safeguards are complemented by platform-level controls that reflect real-world enterprise misuse patterns.

React is thinking about system-level design once that system is in the hands of thousands of organizations. Resilience is what turns governance into an operating capability rather than a launch checklist. It is the ability to detect and respond when things go wrong, to correct over-enforcement when it creates friction for legitimate business use, and to keep the platform usable without trading away safety. This is why Synthesia has long emphasized moderation at the point of creation, combining technological filters and human oversight, rather than relying on reactive clean-up after distribution. Our approach also reflects a truth known by enterprise-focused companies: in a fast-evolving world, trust is sustained through evidence. We cannot expect customers to stay on top of the latest advances in AI, so when new opportunities or risks arise, we will act in their best interests, while keeping societal implications in mind. Audits, incident readiness, and continuous improvement do more to accelerate safe adoption than any standalone statement of intent or abstract principles. 

Taken together, the 3Rs are how we are developing a modern application-layer AI platform that integrates third party capabilities, while remaining accountable for enterprise outcomes. It is a framework that fits into procurement conversations because it maps naturally to what organizations already ask: what are the risks, who owns them, what controls exist, what evidence is available, and how does the system improve over time? 

Reiterating our commitment to enterprise-grade security

The important point is that this evolution is not a retreat from the principles that made the 3Cs meaningful. This represents an evolution that reinforces our governance policies rather than removing previous commitments.

Consent remains important to how we protect people against impersonation and other forms of image abuse. 

Control remains central to product design and enforces responsible AI usage at every level to help organizations meet internal governance, security protocols, and compliance requirements. 

Collaboration remains essential, whether through industry frameworks, or through direct engagement with regulators and enterprise customers such as our work to prevent non-consensual deepfake image abuse in the UK or draft workable Codes of Practice for the EU AI Act.   

Our commitment to enterprise-grade security and trust and safety has not changed. What is changing is the governance machinery behind it, because the technology landscape has evolved. We are moving from a framework that worked a decade ago to one that can be demonstrated under audit, adapted as integrations expand, and trusted in the operational reality of enterprise deployments.