Contents
AI watermarks are reliable as a deterrent against a casual user and unreliable as proof against a motivated remover. That two-sided answer is what the peer-reviewed record supports, and the gap between the two halves is where most public confusion sits. Reliability here has two requirements: the mark must survive real handling, and the detector must not fire on content that was never watermarked. Current methods can meet the first inside a narrow envelope, and cannot guarantee it against an adversary who optimises against them.
Start with measurement, because it is why older reliability claims were unstable. The WAVES benchmark was built by An, Ding & Rabbani (ICML 2024) because prior robustness numbers relied on “inconsistent image quality measures, statistical parameters, and types of attacks”, which they argue gave “an incomplete picture”. Once attacks are standardised, a clear boundary appears.
The envelope where they hold
Inside casual handling, the numbers are genuinely good. SynthID reports a 0.1% false-positive rate on worst-case transforms, and its external SynthID-O variant exceeds 99% detection on worst-case everyday transforms (Gowal, Bunel & Stimberg, 2025). The most robust image scheme by construction is Tree-Ring, which hides the mark in the initial noise latent. Wen, Kirchenbauer & Geiping (NeurIPS 2023) call it “far more robust than watermarking alternatives that are currently deployed” and report a detection rate of 0.974 averaged over attacks. Yang, Zeng & Chen (CVPR 2024) push a different direction with Gaussian Shading, a distribution-preserving latent watermark that operates at a 10^-6 false-positive rate by default while remaining statistically indistinguishable from an unwatermarked image. For ordinary resizing, compression and re-saving, a watermark is a reliable signal.
The envelope where they break
The envelope ends where a motivated remover begins. Zhao, Zhang & Wang (NeurIPS 2024) prove that pixel-additive watermarks are removable by generative regeneration, and empirically strip a resilient scheme’s marks while holding quality at a PSNR of 30 dB or better. Lukas, Diaa & Fenaux (ICLR 2024) go further, reporting attacks that “break all five surveyed watermarking methods at no visible degradation in image quality” and cut detection accuracy to “6.3% or less” in “less than 1 GPU hour”. They also show that keeping the watermark key secret is not a robustness property, because a differentiable surrogate key works. Saberi, Sadasivan & Rezaei (ICLR 2024) formalise the limit for low-perturbation watermarks: diffusion purification forces a trade-off between evasion rate and false-positive rate, so a scheme cannot keep both low. Model-rooted schemes are not exempt either. Hu, Jiang & Guo (2024), in Stable Signature is Unstable, remove the mark by fine-tuning the model’s decoder on a small dataset, producing “non-watermarked” images “while maintaining the visual quality”.
Spoofing runs the other way
There is a second failure mode, and it is worse for trust. Saberi, Sadasivan & Rezaei (ICLR 2024) also demonstrate spoofing, adding a valid-looking watermark to an image that was never watermarked. If a detector can be made to fire on clean content, a positive result is not automatic proof either. The threat is not single-source. Dong, Shuai & Ba (2025), with a system they call WMCopier, forge invisible-watermark signatures onto arbitrary clean images, inverting the threat model so a genuinely clean image reads as watermarked. Two independent results in opposite directions, removal and forgery, are why a watermark cannot by itself carry a strong claim in either direction.
The false-positive divide
The second reliability requirement, no false positives, does not fail the same way across schemes, and the split is architectural. A cryptographically bound provenance signal, which verifies a digital signature over a content hash, can push its false-match rate down to the signature’s own security level, near 2^-128, but it degrades with no grace at all: any edit to the bound asset makes verification fail outright. The detector-based neural schemes above sit near a 10^-6 false-positive rate by default (Yang, Zeng & Chen, 2024) and degrade more softly. That gap is not a footnote. Legal-grade attribution, where a false accusation is unacceptable, belongs to the cryptographic family, while soft platform flagging can live with the neural family. A reliability claim that does not say which family it comes from is underspecified.
What “reliable” actually means
The vendors draw the line in the same place. Google DeepMind frames SynthID’s goal as making black-box attacks “computationally infeasible at scale”, not defeating “a determined white-box adversary” (Gowal, Bunel & Stimberg, 2025). Read carefully, that is a reliability claim scoped to scale and to non-experts, not a claim of tamper-resistance. The conclusion is that “reliable” is not one number. A watermark is reliable enough to flag and to deter at population scale, and unreliable as courtroom-grade proof against anyone willing to spend an hour and a GPU. Reliability, in the end, is a statement about who the adversary is, not a fixed property of the mark. Whether a given mark can actually be stripped is the subject of the companion review, can AI watermarks be removed?; this review is image-focused, with the voice version of the same reliability question in are voice watermarks reliable?; and the full cross-scheme picture across image and audio sits in the pillar, do content watermarks actually work?.
Sources
- An, Ding, Rabbani (2024). WAVES: Benchmarking the Robustness of Image Watermarks. ICML.
- Gowal, Bunel, Stimberg (2025). SynthID-Image: Image Watermarking at Internet Scale. Google DeepMind.
- Wen, Kirchenbauer, Geiping (2023). Tree-Ring Watermarks: Fingerprints for Diffusion Images that are Invisible and Robust. NeurIPS.
- Yang, Zeng, Chen (2024). Gaussian Shading: Provable Performance-Lossless Image Watermarking for Diffusion Models. CVPR.
- Zhao, Zhang, Wang (2024). Invisible Image Watermarks Are Provably Removable Using Generative AI. NeurIPS.
- Lukas, Diaa, Fenaux (2024). Leveraging Optimization for Adaptive Attacks on Image Watermarks. ICLR.
- Saberi, Sadasivan, Rezaei (2024). Robustness of AI-Image Detectors: Fundamental Limits and Practical Attacks. ICLR.
- Hu, Jiang, Guo (2024). Stable Signature is Unstable: Removing Image Watermark from Diffusion Models.
- Dong, Shuai, Ba (2025). WMCopier: Forging Invisible Image Watermarks onto Arbitrary Images.