detectai.media

Why do image detectors fail in the real world?

Image detectors are trained on curated benchmarks and deployed on everything else. Off that ground, accuracy near ninety percent falls toward a coin toss on unseen generators and compressed files.

By The detectai.media team
5 min read
Contents

Image detectors fail in the real world because they are trained on curated benchmarks and deployed on everything else. Move off the training ground, an unseen generator, a platform re-encode, a downsized upload, an unusual camera or subject, and scores that read near-perfect in the lab fall toward a coin toss. The gap between the benchmark figure and the one you get on your file is not measurement noise. It is the actual reliability of the tool.

How big is the lab-to-wild gap?

Large enough to change the answer. Corvi, Cozzolino, Zingarini et al. (ICASSP 2023) measured a spectral detector whose average accuracy fell from 70.5 percent to 52.7 percent, and its AUC from 75.2 percent to 52.7 percent, once images went through social-media-style compression and resizing. On the hardest diffusion families, the same conditions pushed its AUC to between 44 and 49 percent on ADM, Latent Diffusion, and Stable Diffusion, which is chance. A tool that looks strong on a clean benchmark can land at a coin toss on the images people actually share.

Why do unseen generators break detection?

Because a detector learns the fingerprint of the generators in its training set, and a new architecture has a different fingerprint. Ojha, Li, Lee (CVPR 2023) measured the cliff directly: a detector scoring 100 mean average precision on the GAN family it trained on dropped to 61.32 on an autoregressive model it had not seen. Corvi and colleagues showed the same wall between technology generations, where detectors built for GAN images degrade sharply on diffusion images. Because new generators ship faster than detectors retrain, the picture you care about is often from a model no detector in reach was built to read.

Why does compression make it worse?

Because most detectors read a high-frequency trace, and compression is in the business of throwing high-frequency detail away. Frank, Eisenhofer, Schönherr et al. (ICML 2020) tied the artifacts detectors read to a generator’s upsampling steps, and those artifacts live in exactly the fine detail JPEG discards first. Almost every image you encounter has already been compressed at least once, so a detector is usually reading a degraded signal before the generalization gap is even counted. That is also why Bellingcat (2023) found a popular detector called 7 of 10 compressed Midjourney images “real”: the fingerprint was gone before the tool ever looked.

Can the detector be reading the dataset instead of the image?

Often, yes, and it inflates lab scores in a way that does not transfer. Grommelt, Weiss, Pfreundt et al. (2024) found that standard detection datasets carry “biases related to JPEG compression and image size,” and that detectors “indeed learn from these undesired factors.” When they removed those biases, cross-generator accuracy shifted by more than 11 percentage points, which means the earlier numbers were partly measuring compression and resolution rather than generation. A detector that learned the quirks of its training set will read a new image’s quirks, not its origin, and there is no reason those quirks match. This is the same fragility that produces false positives on genuine photos, covered in AI image detector false positives.

Why doesn’t a harder benchmark or a better model fix it?

Because the difficulty is structural, not a matter of trying harder. Every detector family reads a trace of the generator rather than a property of reality, so each is close to blind to a generator it never saw and to a file whose trace has been stripped. Yan, Li, Cai et al. (ICLR 2025) built a multi-expert detector combining semantic and low-level patch features, reported gains of 3.5 and 4.6 percent over prior methods, and still stated plainly that detecting AI-generated images “remains far from being solved.” Better front-ends narrow the gap; they do not close it, because the signal itself is fragile by nature.

What can be built in, and what cannot?

Robustness has to be trained in ahead of time, and even then it is partial. Frank and colleagues showed that a frequency classifier scoring about 61 percent on degraded inputs recovered to about 94 percent after training on deliberately perturbed images, and Grommelt’s work shows debiasing the data buys another double-digit jump. But those fixes belong to the tool builder, not the person running a check, and none of them undo an unseen generator. A detector that was not trained for compression will not acquire the ability at the moment you hand it a compressed file.

What does this mean for trusting a result?

It means a benchmark number is a ceiling, not a promise. The lab produces the reassuring figures and the wild produces the real ones. Treat a confident verdict on an unfamiliar generator, a compressed image, or an unusual subject as weak evidence, corroborate with provenance and a second tool that reads a different signal, and reserve “undetermined” for the degraded and unverifiable cases where an honest tool cannot know. For how far these tools can be trusted overall, see are AI image detectors reliable.

Sources

  • Corvi, Cozzolino, Zingarini et al. (2023). On the Detection of Synthetic Images Generated by Diffusion Models. ICASSP 2023.
  • Ojha, Li, Lee (2023). Towards Universal Fake Image Detectors that Generalize Across Generative Models. CVPR 2023.
  • Frank, Eisenhofer, Schönherr et al. (2020). Leveraging Frequency Analysis for Deep Fake Image Recognition. ICML 2020.
  • Grommelt, Weiss, Pfreundt et al. (2024). Fake or JPEG? Revealing Common Biases in Generated Image Detection Datasets.
  • Bellingcat (2023). Testing ‘AI or Not’: How Well Does an AI Image Detector Do Its Job?
  • Yan, Li, Cai et al. (2025). A Sanity Check for AI-Generated Image Detection. ICLR 2025.
#image#reliability#detection
Last updated
2 July 2026
Category
Reliability