detectai.media

SynthID check: what it can and can't tell you

A SynthID check finds one invisible watermark from Google or OpenAI, not AI-ness. What a hit, a miss, and an OpenAI Verify result actually mean.

By The detectai.media team
5 min read
Contents

A SynthID check tells you one narrow thing: whether a specific invisible watermark, stamped at generation time by a provider that has adopted SynthID, is present in your file. It is not a general AI detector, and it says nothing about content from a model that never applied the mark. Read a hit as “a SynthID-adopting tool made this,” and read a miss as “no SynthID watermark was found,” never as proof that a human was involved.

What a SynthID check actually reads

SynthID embeds an invisible pattern into generated media. OpenAI describes it cleanly: “SynthID is an invisible watermarking technology that embeds a signal directly into generated media. Unlike metadata, the signal is part of the image itself and may persist through some edits or transformations.” The detector answers one yes-or-no question, is that pattern here, and nothing more. Gowal, Bunel, Stimberg et al. (DeepMind 2025) draw the line explicitly, noting that “establishing provenance is materially different from detecting AI-generated content.” A SynthID check is a probe for one watermark family, not a classifier that reads AI-ness out of the pixels. That distinction is the whole reason it is both strong and limited: strong inside its own trust boundary, blind everywhere else.

Which tools stamp SynthID, and which do not

Only content from providers that opted in carries the mark. Google DeepMind applies SynthID across its own generators, including Imagen and Gemini images and Lyria music, and since May 2026 OpenAI applies it too: “Images generated with ChatGPT, Codex, and our API include both C2PA metadata and SynthID watermarks.” Reading the C2PA metadata side is covered in how to read C2PA Content Credentials. A SynthID hit therefore means a SynthID-adopting provider made the file, not that Google specifically did. Everything outside that set, an open-weight Stable Diffusion checkpoint, a camera photograph, a Photoshop composite, returns “not detected.” The footprint is large but still cooperative: Gowal, Bunel, Stimberg et al. (DeepMind 2025) report SynthID-Image “has been used to watermark over ten billion images and video frames.”

ResultMost likely meaningDoes not mean
Watermark foundA SynthID-adopting tool made itThe file is unedited or truthful
Not detectedNo SynthID mark is presentA human made it, or it is not AI

Strong on detection, weaker on the fine print

On its home ground the detector is strong. In the published benchmark, an external variant reached a 99.72% true positive rate in the aggregated worst-case setting at a fixed 0.1% false positive rate (Gowal, Bunel, Stimberg et al., DeepMind 2025). But SynthID deliberately separates two questions: is this watermarked (detection), and which payload does it carry (attribution). Payload recovery is the softer number. In the same paper, recovered-payload accuracy falls to 71.86% in the worst transformation category, the combined case that stacks rotation, cropping, and JPEG. So the reading is not that SynthID is fragile, but that detection can stay strong while the finer attribution bits degrade under heavy handling.

Where you can actually check it

Access to a checker is fragmented, which is where most confusion starts. OpenAI Verify is public, but it is scoped: it “only confirms whether the image was generated by OpenAI,” and it “does not confirm that the image is accurate, unedited, legally owned, or presented in the correct context.” Google’s own SynthID Detector portal is not a universal public scanner either; it is limited to trusted testers. So one verifier may read OpenAI provenance but not Google’s, another may read C2PA but not SynthID, and a generic AI detector reads neither. The practical result is that “not detected” usually means “not detected by this tool, under this scope,” rather than “no watermark exists.”

The evidence base also differs by modality. For text, Dathathri, See, Ghaisas et al. (Nature 2024) documented SynthID-Text and assessed “nearly 20 million” Gemini responses in a live experiment. SynthID-Audio, applied to Lyria music and NotebookLM audio, has no equivalent public technical paper, so its robustness figures are vendor claims rather than independently benchmarked ones. An audio SynthID check is therefore even more provider-bound, and less publicly evidenced, than the image one.

A watermark is one signal, not a verdict

Because SynthID is cooperative, absent from most files, and, like any watermark, forgeable, a check is one input rather than a ruling. Golaszewski, Krawetz and Sherman (2026) make the general point for provenance systems: they provide “provenance signals, not proof of authenticity.” Marks can also be copied onto innocent files. For the text-side sibling of these schemes, Jovanović, Staab and Vechev (ICML 2024) showed an attacker can both scrub and spoof state-of-the-art watermarks “for under $50” with an “average success rate of over 80%,” a reminder that a present mark is not automatically trustworthy either. Treat a SynthID hit as one corroborating signal, weigh it against the file’s history and a detector that works differently, and read a miss as the absence of a cooperating mark. Why that clean result proves nothing on its own is the subject of does “no watermark” mean an image is real.

Sources

  • Gowal, Bunel, Stimberg et al. (2025). SynthID-Image: Image Watermarking at Internet Scale. Google DeepMind.
  • Dathathri, See, Ghaisas et al. (2024). Scalable Watermarking for Identifying Large Language Model Outputs. Nature.
  • OpenAI (2026). C2PA and SynthID in OpenAI-Generated Images. OpenAI Help Center.
  • Google DeepMind. SynthID Detector.
  • Golaszewski, Krawetz, Sherman (2026). Verifying Provenance of Digital Media: Why the C2PA Specifications Fall Short.
  • Jovanović, Staab, Vechev (2024). Watermark Stealing in Large Language Models. ICML 2024.
#image#audio#provenance
Last updated
15 June 2026
Category
Provenance