Generate images — own what goes in and what comes out

Image generation looks like the whole capability and is actually the middle third of it. You send a prompt, a model you rent turns it into a picture, the picture comes back. That middle step is the one in every demo, and it's the one you should care least about owning — it's rented intelligence, the same kind as text generation, swappable the day a better or cheaper model appears. What's yours sits on either side of it: what you let into the model, and what you keep of what comes out. This note is about those two bookends, because they're where the ownership actually lives, and they're the easy thing to skip while you're admiring the part in the middle.

The way in: moderation is your decision, not the provider's

The moment you put a text box in front of the public and pipe it to an image model, you've taken on a job the provider won't fully do for you: deciding what's allowed to be generated, and what's allowed to be shown. Open generation invites the input you don't want rendered, and "the provider has a safety filter" is not the same thing as "you have handled it." Their filter exists to protect them — their liability, their terms. The decision about what your product produces, for your audience, under your name, is a separate judgment, and it stays with you whether you make it deliberately or inherit it by default.

It isn't a hard system to build: a check on the way in, a check on what comes back, and a way to handle and review the thing that slips through anyway. But it is unmistakably yours, because it encodes a policy nobody else can set for you — what your product is for and what it refuses to make. Hand that to a provider's defaults and you've quietly outsourced your product's character to a vendor whose incentives are about their exposure, not your brand. The filter is theirs. The line is yours.

The way out: the file and its record are yours

The image that comes back is bytes, and bytes need a home. The mistake is to treat the provider's URL as that home — many generation APIs hand you a link that expires, and a product whose only copy of what it made lives behind someone else's expiring link doesn't really have its own output. So the rule is the same one that governs every file capability: keep the bytes somewhere you control, and keep the record — who generated this, from what prompt, when, against whose quota, and what the moderation check decided — in your own database, beside the bytes but separate from them. Where files live versus where their index and access rules live is the fuller version of that split; image generation just adds the prompt and the moderation outcome to the record you're keeping anyway.

That record is the asset, more than any single image is. It's how you answer "why was I charged for this," how you re-show a customer the thing they made last month, how you build a gallery or a usage report or anything else on top of the history later. The provider's job ends the instant the bytes leave their API. Everything you'd want to know about an image after that moment is something you had to have chosen to keep.

The seam, and what breaks without it

So the seam sits in the obvious place once it's named: rent the generation, own the two ends. Send a prompt you've checked, get back bytes you immediately move into your own storage with a record you write yourself, and the provider becomes a part you can swap rather than the place your product actually lives.

What breaks when it's hacked in is the failure every capability in this set shares, in its image-shaped form: the provider becomes the only record. No moderation policy of your own, so your product makes whatever theirs happens to permit this quarter. No stored bytes, so your customers' work evaporates when a link expires or a plan lapses. No local record, so you can't answer a billing question or rebuild a gallery or explain why something was refused. The generation kept working the entire time — which is exactly what makes the gap easy to miss until the day it's expensive.

Where it shows up

It shows up in any product that makes images for people, the sharpest case being an image-generation product itself, where the pull to ship the rented call and skip the bookends is strongest precisely because the call is the part that demos. The foundation's lived half here is real but specific, and worth marking honestly: CompanyGraph runs an image service that holds its own bytes — well over a thousand files — with the metadata and access rules kept locally, which is exactly the owned "way out" this note describes. The generation step on top of that is the rented part, and the part you could swap without it touching anything else.

Rent the model. Own what you let into it, and own what you keep of what it returns. The picture is the part that impresses in the demo; the policy on the way in and the record on the way out are the parts that make it a piece of the foundation instead of a coat of paint on someone else's.