Contents
No. A missing watermark or Content Credential is not evidence that a human made an image. Provenance marks are applied only by cooperating providers, they are routinely stripped by ordinary file handling, and they can even be forged onto genuine files. Absence of a mark means one thing: no cooperating mark is present. It is not a clean bill of authenticity.
Only opted-in tools mark anything
The universe of marked content is small and voluntary. SynthID is applied by Google across Imagen, Gemini, and Lyria, and by OpenAI, which says “images generated with ChatGPT, Codex, and our API include both C2PA metadata and SynthID watermarks” (OpenAI 2026); what that mark does carry is covered in SynthID check: what it can and can’t tell you. C2PA credentials come from conforming cameras, editors, and generators, and reading one is set out in how to read C2PA Content Credentials. An open-weight model run locally can be configured to emit nothing at all, and even the marking duty in Article 50 of the EU AI Act binds providers of AI systems, not the private model a user runs with marking switched off (European Union 2024). A human photographer’s camera usually emits no AI marking, because there is no AI to mark. So a blank result is the default for most images in the world, real and synthetic alike. Reading “no watermark” as “human made” mistakes an opt-in signal for a universal one.
Ordinary handling strips the mark
Even when a mark was applied, everyday handling removes it. OpenAI is explicit that a clean scan does not clear a file: if no signal is found, the image “could still have been generated by OpenAI” because “the watermark was degraded,” “metadata was stripped,” or the file “came from an unsupported source.” A screenshot, a re-save, or a re-upload through a platform that does not preserve credentials is enough. Watermarks are more durable than metadata but not permanent: the SynthID-Image authors state their aim is to make attacks computationally infeasible at scale while conceding that a determined “white-box adversary” is out of scope, and they name re-generation, using another model to reconstruct an image, as a recognized way to wash a mark out (Gowal, Bunel, Stimberg et al., DeepMind 2025).
A present mark can be forged, too
The failure runs the other way as well: a mark can be placed on content that does not deserve it. The SynthID-Image designers treat this as a real threat, building defenses against “watermark exchange attacks” with “specific loss functions designed to minimize the chance that a watermark extracted from one piece of content can be successfully applied to another” (Gowal, Bunel, Stimberg et al., DeepMind 2025). That they engineered against transplant forgery is an admission that it is a live risk, not a hypothetical. For the text-side sibling of these schemes, documented by Dathathri, See, Ghaisas et al. (Nature 2024), the economics are already stark: Jovanović, Staab and Vechev (ICML 2024) showed an attacker can both scrub and spoof state-of-the-art watermarks “for under $50” with an “average success rate of over 80%.” Spoofing is forgery, making an innocent file read as machine generated, so a watermark’s presence is not conclusive on its own either.
What absence and presence actually tell you
The reading is asymmetric. A confirmed watermark or a valid credential is useful positive evidence that a cooperating tool was involved. Absence is close to no evidence at all, because the mark is optional, removable, and unevenly deployed.
| Signal on a file | Better reading | What it cannot establish |
|---|---|---|
| No watermark or credential | No cooperating mark was found | That a human made it |
| Watermark or credential present | A cooperating tool likely touched it | That it is unedited or truthful |
Collapsing the top row into “real” is the core mistake. A null result should push you toward other evidence, the source, the file’s history, a detector that reads the pixels, rather than toward relief.
Provenance is a signal, not a verdict
So “no watermark” does not mean “real,” and “has a watermark” does not mean “trustworthy.” Golaszewski, Krawetz and Sherman (2026) reach the same conclusion for the credential side: these systems provide “provenance signals, not proof of authenticity,” and C2PA “should not yet be relied upon for high-stakes uses such as financial disclosures, journalism, or legal evidence.” A watermark or credential check is worth running, but it cannot be the last word, and a clean result is the weakest of its possible outcomes. When it comes back empty, the evidence moves to the pixels, and how far that reading can be trusted is are AI image detectors reliable.
Sources
- OpenAI (2026). C2PA and SynthID in OpenAI-Generated Images. OpenAI Help Center.
- Gowal, Bunel, Stimberg et al. (2025). SynthID-Image: Image Watermarking at Internet Scale. Google DeepMind.
- Jovanović, Staab, Vechev (2024). Watermark Stealing in Large Language Models. ICML 2024.
- Golaszewski, Krawetz, Sherman (2026). Verifying Provenance of Digital Media: Why the C2PA Specifications Fall Short.
- Dathathri, See, Ghaisas et al. (2024). Scalable Watermarking for Identifying Large Language Model Outputs. Nature.
- European Union (2024). Regulation (EU) 2024/1689 (Artificial Intelligence Act), Article 50.