The Invisible Stamp

There is a quiet war being fought inside every AI-generated image you’ve ever seen. It’s a war between provenance and plausible deniability, between the impulse to mark something as synthetic and the ease of stripping that mark away. The weapons are metadata and watermarks. The stakes are whether we can maintain any verifiable relationship between images and their origins.

Two approaches dominate, and understanding their differences is essential to understanding why this problem is so hard.

The Coalition for Content Provenance and Authenticity—C2PA—is a Linux Foundation project with over three hundred participating organizations, including Adobe, Microsoft, the BBC, and a growing roster of news agencies and tech companies. Its approach is metadata-based: attach a cryptographically signed manifest to an image that records how it was created, what tools were used, and what edits were applied. Think of it as a passport for images—a verifiable chain of custody.

C2PA 2.1, released in 2025, strengthened these “Content Credentials” with digital watermarks that create a durable link between assets and their provenance. Versions 2.2 and 2.3 followed. The specification is being considered for adoption as an ISO international standard and is under examination by the W3C for browser-level implementation. If that happens—if your browser natively displays content provenance—the infrastructure for trust becomes invisible and universal.

The strength of C2PA is its comprehensiveness. It doesn’t just mark AI-generated images. It can track any image through its entire lifecycle: capture, edit, publish, share. A photojournalist’s image carries credentials proving it was taken at a specific time and place by a specific camera. An AI-generated marketing image carries credentials proving it was generated by a specific model with a specific prompt. Both carry their history. Both are verifiable.

The weakness of C2PA is fragility. Take a screenshot and the metadata is gone. Upload to a social media platform that strips EXIF data and the credentials vanish. Save as a new file and the chain breaks. C2PA solves the provenance problem for images that remain within systems that respect the standard. It does nothing for images that leave those systems—which is to say, most images on the internet.

This is where Google’s SynthID enters. Developed by DeepMind, SynthID takes a fundamentally different approach: instead of attaching metadata to an image, it embeds a watermark directly into the pixels themselves. The watermark is imperceptible to the human eye but detectable by purpose-built classifiers. It’s designed to survive cropping, filtering, compression, and screenshot—the operations that destroy metadata.

SynthID is now integrated into Gemini for text, Imagen for images, Lyria for audio, and Veo for video. The unified SynthID detector released in May 2025 can identify the watermark across modalities. Over ten billion pieces of content have been watermarked to date. When Google launched Gemini 3 Pro Image in November 2025, SynthID was baked in from day one.

The strength of SynthID is durability. The watermark persists through the transformations that kill metadata. It travels with the image regardless of platform, format, or context. In theory, you can always determine whether an image was generated by a Google model, no matter how many times it’s been screenshotted and re-uploaded.

The weakness of SynthID is specificity. It only works for images generated by Google’s models. An image from Midjourney, FLUX, or Stable Diffusion carries no SynthID watermark. And because the detector is proprietary, there’s no open standard for other companies to adopt. Google has watermarked ten billion pieces of content. The industry as a whole generates three billion images per month. The math doesn’t work unless everyone participates.

The regulatory pressure to make everyone participate is building. The EU AI Act, Article 50, becomes enforceable on August 2, 2026. It requires mandatory disclosure for AI-created content, with penalties of up to thirty-five million euros or seven percent of global revenue. The first draft of the Code of Practice, published December 17, 2025, provides frameworks for compliance including guidance on labeling, watermarking, and technical measures.

In the United States, the approach is characteristically fragmented. No federal standard exists. Twenty-six states have enacted various laws regulating political deepfakes. The TAKE IT DOWN Act, effective May 2026, requires platforms to remove nonconsensual intimate imagery within forty-eight hours of a victim’s request—a measure triggered in part by the Grok crisis. The NSA—yes, that NSA—published guidance in January 2025 endorsing Content Credentials and urging their adoption across government and military communications.

When the NSA tells you to watermark your images, the threat model has moved beyond academic concern.

The Norwegian news agency NTB embedded C2PA into its editorial photography workflow in 2025. Adobe and Digimarc partnered on durable, interoperable credentials. Google’s “About this image” feature displays C2PA metadata showing whether images were created or edited with AI tools. The infrastructure is being built, piece by piece, standard by standard.

But here’s the honest assessment from the detection side. Watermarking is necessary and insufficient. It works when generators cooperate. It fails when they don’t. It persists through casual sharing. It can be defeated by adversarial actors who know how to target the specific watermarking algorithm. Open-source models—Stable Diffusion, FLUX Dev—can be run locally with watermarking disabled entirely.

The future, if it works, looks like a layered defense: C2PA for images within cooperating ecosystems. SynthID-style watermarks for durability across platforms. And forensic detection—what we do—for everything else. For the images with stripped metadata, removed watermarks, and no provenance chain. For the images that exist in the wild, untethered from their origins, carrying nothing but their pixels and whatever artifacts our models can find.

The invisible stamp is a beautiful idea: that every AI-generated image carries within itself the proof of its origin, visible only to those who know how to look. The reality is messier. Some images will carry stamps. Some won’t. Some stamps will survive. Some won’t. And in the gap between the ideal and the real, detection systems like ours will remain the last line of verification.

That’s not a comfortable position. But it’s an honest one.