An AI-generator watermark is a signal embedded in synthetic media at the moment of generation, by the generator itself. The defender's leverage is that the producer cooperates: instead of trying to detect a generator's output post hoc by its statistical fingerprints, the detector looks for an intentional signal the generator inserted. When the generator complies, detection becomes a near-reliable operation. When it does not, the watermark provides nothing.
This page covers the dominant generator-side schemes in production as of mid-2026, the technical principles they share, the EU AI Act marking obligation that is reshaping the regulatory landscape, and the open interoperability questions that limit what watermarks can collectively achieve. The general engineering of invisible watermarking is covered separately; this page is specifically about generator-embedded schemes and their public-policy context.
SynthID
SynthID is Google DeepMind's watermarking system, first announced in August 2023 for image generators and subsequently extended to text, audio, and video. The image variant is deployed in Google's Imagen line and in the consumer-facing Bard/Gemini image generation. The text variant is deployed in selected Gemini text outputs. The audio variant is used by Google's Lyria music model.
For images, SynthID embeds a learned watermark during the generation process. The published technical material describes the scheme as operating in a learned feature space that is robust against typical post-processing operations (re-encoding, resizing, contrast adjustment). The watermark survives many compounds of these operations but is not claimed to survive determined adversarial scrubbing. Google's detection service is available for partners and through Google's own tooling; third-party detection requires the published detector or one trained against SynthID outputs.
SynthID's design choices reflect the cooperative-detection threat model. The capacity is small — enough to indicate "generated by SynthID-marking model" with optional model identification — and the robustness target is moderate post-processing rather than adversarial scrubbing. This is appropriate for the use case it was designed for: marking commercially produced content to give downstream detectors a reliable signal in the common path.
Stable Signature
Stable Signature is Meta's watermarking approach for latent-diffusion-model outputs, published as a paper in 2023 (Fernandez et al., "The Stable Signature: Rooting Watermarks in Latent Diffusion Models"). The scheme works by fine-tuning the decoder of a latent diffusion model so that its outputs naturally carry an extractable watermark, with negligible quality cost. The watermark is not added as a post-processing step; it is baked into the model.
The advantage of the in-model approach is that the watermark cannot be removed without also degrading the model output, making it more robust against trivial post-processing. The disadvantage is that the watermark is bound to a specific decoder; a user who replaces the decoder defeats the scheme. For open-weights deployments, this is a serious limit: anyone running the model on their own hardware can swap the decoder. Stable Signature has been most useful in Meta's own deployments, where Meta controls the decoder.
OpenAI's approach
OpenAI's image generators (DALL·E 3, Sora) have used C2PA manifests as the primary provenance signal since 2024, with watermarking as a complementary layer. The watermark scheme used in OpenAI's images is documented to survive moderate post-processing and to be detectable by OpenAI's own tooling; the scheme details have not been publicly specified at the level of full reproducibility, which is a recurring complaint from the academic community that wants to audit these systems.
The OpenAI position, articulated in several 2024 and 2025 blog posts, is that watermarking is one layer among several and that the combination of C2PA marking, watermarking, and detection-classifier deployment is more effective than any single approach. The C2PA manifest carries a high-fidelity record of generation parameters; the watermark serves as the soft-binding fallback when the manifest is stripped. This is consistent with the C2PA durable credentials architecture.
Other commercial schemes
Adobe Firefly embeds C2PA manifests and also includes a watermark for soft-binding lookup. Microsoft's image generators in Copilot use a similar layered approach. Anthropic's image generation, on public release, included C2PA marking from the start; watermarking integration was added as a separate layer. The IFRC's Coalition for Content Identification proposed a generator-watermark standard in 2024 that has not yet achieved cross-vendor adoption but remains a reference point in discussions.
| Scheme | Producer | Used by | Open detector |
|---|---|---|---|
| SynthID | Google DeepMind | Imagen, Gemini, Lyria | Partial (partner-access detector) |
| Stable Signature | Meta AI | Meta internal deployments | Paper-published |
| OpenAI watermark | OpenAI | DALL·E 3, Sora | No |
| Firefly watermark | Adobe | Firefly | No |
| Tree-ring | Academic (Wen et al.) | Research | Open-source |
| Gaussian Shading | Academic | Research | Open-source |
The EU AI Act marking obligation
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. Its Article 50 imposes transparency obligations on providers of generative AI systems, including a requirement that outputs constituting synthetic content be marked in a machine-readable format detectable as artificially generated. These obligations apply from 2 August 2026.
The text of Article 50(2):
Providers of AI systems, including general-purpose AI systems, generating synthetic audio, image, video or text content, shall ensure that the outputs of the AI system are marked in a machine-readable format and detectable as artificially generated or manipulated.
The regulation does not specify the watermarking technology. The recitals note that watermarks, metadata identifications, cryptographic methods, logging, fingerprints, or other suitable techniques can satisfy the requirement, provided they are "as effective, interoperable, robust, and reliable as is technically feasible." This deliberately leaves room for the C2PA-plus-watermarking layered approach that the major commercial providers have already adopted. It also leaves enforcement uncertainty: whether a specific scheme is "robust and reliable enough" will be determined through guidance and case law over the next several years.
The obligation reaches providers placing systems on the EU market, including general-purpose AI providers. It does not reach individual users running open models on local hardware; the structural limit of producer-cooperation-based detection. The EU AI Act page covers the legal mechanics in detail.
The interoperability gap
Watermarking would be more useful if a detector could process an image and identify its source without knowing in advance which scheme to look for. In practice, every detector is tied to specific schemes, and a multi-scheme detector must run each scheme's decoder in turn. There is no standardized identifier embedded in a watermark to indicate which scheme produced it; the absence of one is one of the field's notable unsolved coordination problems.
The C2PA framework provides a partial answer by recording in the manifest which watermark scheme was used; a validator can read the manifest, find the scheme identifier, and run the appropriate detector. But this answer only works when the manifest is present, which is exactly the case where watermarking matters least. When the manifest is stripped — the watermarking use case — the consumer has no metadata indicating which scheme to attempt, and must either try all known schemes or rely on the producer being one of the small set the detector is configured for.
Several proposals through 2024 and 2025 have addressed this: a small standardized header bit pattern that every watermark would include, a public registry of scheme identifiers, and a cross-vendor detection API maintained by a neutral party. None has achieved adoption. The coordination cost is high, and no vendor has strong incentive to give up the relative position their proprietary scheme provides.
Detection accuracy in practice
Published accuracy numbers for production watermark schemes are generally strong on the transformations the schemes were trained against: detection rates above 95% under JPEG compression, modest resizing, and mild color adjustment. Accuracy degrades against transformations outside the training distribution and collapses against adversarial attacks specifically designed to defeat the scheme. The attacks page covers the academic record.
For policymakers and platform operators, the takeaway is that watermark detection rates depend critically on what the deployment population actually looks like. A commercial generator's watermark detected at high accuracy in a controlled benchmark may have very different performance against the actual distribution of post-processed images circulating on social media. Production deployments report results that are usable but not perfect, and the gap between benchmark and reality has historically been larger than vendors emphasize.
Where the field is moving
The two-year arc through 2026 and 2027 is dominated by the EU AI Act's enforcement experience. Commercial providers have implemented watermarking and C2PA marking to comply; the regulatory question is whether their implementations satisfy the "robust, reliable, interoperable" standard the recitals invoke. The first enforcement actions and the guidance from the EU AI Office will set precedents that shape what watermarking has to do to satisfy the law, which in turn shapes what the industry actually deploys.
The harder long-term question is the open-weights gap. The major commercial providers will comply with marking obligations; the open ecosystem will not, and a meaningful share of synthetic media will continue to be produced without any watermark at all. Whatever the regulatory framework, the technical answer to unmarked synthetic media will continue to be detection — classifier-based, forensic, statistical — with all the brittleness those approaches carry. Watermarking improves the cooperative case; it does nothing for the non-cooperative case. The defense in depth that this site has emphasized throughout remains the only realistic architecture.