Policy & Regulation

What "AI Watermarking" Actually Means — and Why It's Harder Than It Sounds

Uncutly Editorial · July 15, 2026 · 8 min read

Official C2PA graphic showing a photo with a Content Credentials badge and the panel of provenance data it carries
Official social-share graphic — c2pa.org

When the EU AI Act says providers have to mark generated content in a “machine-readable format… detectable as artificially generated,” it deliberately doesn’t say how. The law names a requirement, not a technology. In practice, that requirement gets satisfied by a small number of real technical systems that have been years in development, each with genuine capability and a specific, well-documented way of falling apart. Two approaches dominate: cryptographically signed metadata standards like C2PA’s Content Credentials, and invisible signals baked directly into pixels or text, like Google DeepMind’s SynthID. Knowing how each actually works — and, more usefully, how each fails — is the difference between assuming a “watermarked” label means something durable and understanding exactly what it can and can’t promise.

Two different things get called “watermarking”

The word gets used loosely, but the two dominant approaches solve the problem in almost opposite ways. C2PA’s Content Credentials attach a signed record — who made the content, what tool, what edits happened since — as a separate data package riding alongside the file. Statistical watermarks like SynthID don’t attach anything separate at all; they perturb the actual pixel values or the token-selection probabilities at the moment of generation, so the “mark” is inseparable from the content itself. One is closer to a notarized certificate stapled to a document. The other is closer to a signature woven into the paper fibers. Both get called watermarking. They have almost nothing else in common, including how they break.

How a Content Credential actually gets attached

C2PA — the Coalition for Content Provenance and Authenticity, backed by more than 6,000 member organizations including Adobe, Google, Microsoft, Amazon, Meta, Sony, the BBC, OpenAI, and Truepic — defines a three-stage workflow. A “claim generator” (software or hardware) assembles a set of assertions about the content: capture device, editing tools used, prior manifests it descended from. Those assertions become a “claim,” which gets signed with the creator’s private key in COSE format, backed by an X.509 certificate from a trusted certificate authority. The signed bundle — the manifest — is packaged into a JUMBF container and embedded in the file, becoming what the consumer-facing brand calls a Content Credential: the small “cr” icon you may have seen in the corner of an image, which opens a panel showing when it was made, what was edited, and who signed it. Crucially, the chain is designed to survive legitimate editing — if a compliant tool opens a credentialed image, edits it, and re-signs it, the new manifest can reference the prior one, building an auditable history rather than erasing it.

Content Credentials panel showing provenance data — date, edits and activity, and signer — attached to a photo across edits

The problem: a manifest lives in the file, not the picture

C2PA offers two ways to bind a manifest to an asset, and the stronger one is also the more fragile. A “hard binding” is a cryptographic hash of the exact bytes of the file; change a single byte — recompress it, resize it, resave it in a different format — and the hash no longer matches, so validation fails. That’s by design: it’s meant to flag tampering. But it also means routine, entirely innocent handling of a file (a platform re-encoding an upload for bandwidth, an app resaving at lower quality) can break the binding just as effectively as malicious editing would. A “soft binding,” derived from a perceptual fingerprint of the content rather than its raw bytes, is more durable and can support rediscovering a manifest through a lookup service even after the embedded copy is stripped — but it’s a weaker guarantee, and it depends on that lookup infrastructure existing and being queried. And then there’s the failure mode that needs no editing tool at all: a screenshot. Screenshotting doesn’t copy a file’s bytes or its embedded JUMBF container — it re-renders pixels through the operating system’s graphics stack and captures a brand-new image with no memory of the original file’s metadata whatsoever. Add to that the well-known practice of major platforms stripping EXIF and XMP metadata from uploads by default, for privacy and bandwidth reasons that predate any of this, and a container-based credential has several completely ordinary ways to vanish before anyone tries to hide anything.

Baking the signal into the content itself

The second approach exists specifically to survive what defeats the first. SynthID and comparable systems embed an imperceptible statistical signal directly into pixel values during image or video generation, or into token-selection probabilities during text generation — not attached alongside the content, but distributed through it. Because the signal rides in the actual visual or textual information rather than a sidecar container, it’s engineered to persist through cropping, resizing, recompression, format conversion, and — unlike a metadata manifest — screenshots, since the pixels being captured still carry the perturbation. The scale of deployment by mid-2026 is real: Google says SynthID has watermarked more than 10 billion pieces of content, it now ships by default across Gemini, Imagen, Veo, and Lyria, and as of May 2026 OpenAI partnered with Google to embed SynthID into images from ChatGPT, DALL·E, Codex, and the OpenAI API, with Kakao and ElevenLabs also signed on and rollout extending into Search and Chrome.

Robust is not the same as unbreakable

The trade-off is that verifying a statistical watermark isn’t a yes/no cryptographic check anyone can redo independently — it requires running the content through a detector, typically a proprietary one controlled by the vendor, which reports a confidence level rather than a certainty: present, absent, or uncertain. That dependence on a black-box detector is one weakness. A second is that the signal itself can be attacked directly. Text watermarks like SynthID-Text have been shown to be defeatable through paraphrasing, with sophisticated attacks reported to push detection accuracy down toward chance. For images, a “diffusion regeneration” attack — encoding the image into latent space, injecting noise, and reconstructing it through a reverse-diffusion pass — produces an output that looks visually identical to a person but no longer carries the original statistical signal, and this isn’t a theoretical exercise: maintained open-source tools built specifically to strip SynthID, C2PA credentials, and EXIF/XMP “made with AI” labels from images already exist publicly. There’s also an unavoidable engineering trade-off underneath all of it: pushing a watermark to be more robust against attack tends to visibly degrade output quality, and no current scheme has fully resolved that tension — so vendors calibrate for reasonable resilience against ordinary handling, not maximal resistance against a determined adversary.

The gap neither approach can close

Both systems share one limitation that has nothing to do with cropping or paraphrasing: watermarking is opt-in at the software level, and it only marks output from a system that chose to implement it. A locally run, open-weight generation tool can simply not include the watermarking code, and nothing about the file format, the law, or the physics of the situation can make a mark appear in content that a generator never wrote one into in the first place. That cuts both ways for anyone trying to use these marks as a trust signal: the absence of a credential or a detectable watermark is not proof that content wasn’t AI-generated, and the presence of a valid one is not proof that the content is accurate, authorized, or shown in its original context — a real photograph, genuinely edited and properly signed at every step, can still mislead. A credential proves a chain of custody, not honesty. The EU’s own AI Office Code of Practice implicitly concedes this by prescribing a multi-layer approach — metadata, invisible watermarking, and logging together — rather than endorsing any single mechanism, because regulators drafting the technical guidance know that no one layer covers every failure mode on its own.

So is the labeling requirement actually enforceable?

This is where the technical picture connects back to the legal one. The EU AI Act’s Article 50(2) machine-readable marking obligation is genuinely checkable at the source: a regulator or auditor can inspect whether a generation system attaches a manifest, an invisible signal, or both at the moment content is produced, and providers either meet that bar or they don’t — that part of the law has real technical teeth. What the law cannot do is guarantee the mark is still legible on whatever copy of that content eventually reaches a viewer, three reposts, two screenshots, and one recompression later. Nothing in the regulation reaches that far because nothing in the underlying technology reaches that far, and that isn’t a drafting oversight — it’s an honest reflection of what these systems can and can’t do. That doesn’t make the requirement pointless: a world where most AI content carries a detectable signal the moment it’s published, even an imperfect one, is a meaningfully better starting point for platforms and researchers building detection pipelines than the near-total absence of marking that existed a few years ago. But it does mean the sensible reading of a “watermarked” or “labeled” claim isn’t “this is guaranteed traceable” — it’s “this was marked when it was made, and whether that survived to reach you is a separate question the technology was never built to answer with certainty.”

Regulatory and technical details above reflect publicly available information as of mid-July 2026 — verify current specifications and requirements before making decisions that depend on them. This article is general information, not legal or technical compliance advice.