Why embedded metadata fails. How four protection layers preserve verification paths across real-world publishing workflows. And what decision-makers should understand before August 2, 2026.
| 01 | The Problem: AI Images in the Wild |
| 02 | Why Metadata Alone Fails — Test Results |
| 03 | The EU AI Act: What Publishers Must Do |
| 04 | Four Layers of Protection |
| 05 | How the Marking Works — Step by Step |
| 06 | Watermark Robustness: Real Test Data |
| 07 | The Proof Product: Verification Anyone Can Use |
| 08 | What Survives If MarkMyAI Disappears? |
| 09 | Getting Started |
| 10 | Selected References |
| 11 | FAQ for Decision-Makers |
Embedded provenance alone often fails in real publishing workflows. MarkMyAI combines four independent layers to preserve verification paths when images are compressed, resized, redistributed, or stripped of metadata.
Publishers mark images through one API call or dashboard workflow. Verifiers can then check whether an image's origin is still verifiable — free, with no account required.
Proof PDFs and public proof references support independent verification and make provenance usable for compliance, editorial, legal, and operational review.
Every day, AI-generated images are published online. In many common publishing workflows, their machine-readable origin signals are quickly lost.
When a tool like DALL·E or Adobe Firefly generates an image, it typically embeds a Content Credential — a machine-readable provenance record following the C2PA open standard. This record identifies the AI tool as the creator. Some major tools, including Midjourney and open-source Stable Diffusion, have been slower to adopt this, though coverage is expanding.
But here's what happens next:
1. DALL·E generates a PNG with embedded C2PA metadata identifying OpenAI as the signer.
2. The image is saved to a local folder. C2PA metadata is still intact.
3. WordPress, Shopify, and many CMS workflows generate thumbnails and new file variants. In these re-encoding steps, embedded C2PA metadata is often stripped or lost.
4. WhatsApp, Instagram, and X typically re-encode uploaded images. In many cases, the original embedded signature no longer survives.
The original embedded proof may already be gone by step 3, leaving no reliable publisher-side verification path.
This isn't a theoretical edge case. It is a common outcome across many major publishing and sharing workflows.
In our internal tests, we applied 10 common transformations to a signed image. In this test set, C2PA survived none of them.
We took a MarkMyAI-signed PNG image (1408 × 768 px) with a valid embedded C2PA publisher manifest and subjected it to 10 transformations common in real publishing workflows.
| # | Transformation | C2PA Intact? | mark_id Found? |
|---|---|---|---|
| 1 | PNG Re-compression | DESTROYED | NO |
| 2 | Resize to 50% | DESTROYED | NO |
| 3 | Crop (center 80%) | DESTROYED | NO |
| 4 | Rotate 90° | DESTROYED | NO |
| 5 | Rotate 15° (arbitrary) | DESTROYED | NO |
| 6 | Convert to JPEG (Q90) | DESTROYED | NO |
| 7 | Convert to JPEG (Q50) | DESTROYED | NO |
| 8 | Convert to WebP (Q80) | DESTROYED | NO |
| 9 | Metadata Strip | DESTROYED | NO |
| 10 | Social Media Pipeline | DESTROYED | NO |
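The C2PA column above can be checked on your own PNG renditions with a short script (an added example, not MarkMyAI code). The C2PA specification places a PNG's manifest store in an ancillary `caBX` chunk, so a re-save that keeps only critical chunks drops it while the pixel data stays byte-identical. The sample file and its placeholder chunk body are constructed, and the check confirms presence only, not signature validity.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
C2PA_CHUNK = b"caBX"  # PNG chunk type the C2PA specification uses for the manifest store


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, body, CRC-32 over type + body."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, body) for each chunk, rejecting truncated or corrupt data."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos < len(png):
        if pos + 12 > len(png):
            raise ValueError("truncated chunk")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("chunk length runs past end of file")
        body = png[pos + 8:end - 4]
        if zlib.crc32(ctype + body) != struct.unpack(">I", png[end - 4:end])[0]:
            raise ValueError("CRC mismatch in %r chunk" % ctype)
        yield ctype, body
        if ctype == b"IEND":
            return
        pos = end


def has_c2pa_store(png: bytes) -> bool:
    """True if a non-empty caBX chunk is present (presence only, no validation)."""
    return any(t == C2PA_CHUNK and len(b) > 0 for t, b in iter_chunks(png))


def resave_pixels_only(png: bytes) -> bytes:
    """Model a re-save that keeps critical chunks (uppercase first letter)
    and drops ancillary ones, which is how embedded metadata gets lost."""
    kept = [make_chunk(t, b) for t, b in iter_chunks(png) if t[:1].isupper()]
    return PNG_SIG + b"".join(kept)


def pixel_data(png: bytes) -> bytes:
    """Concatenated IDAT bodies, i.e. the compressed pixel stream."""
    return b"".join(b for t, b in iter_chunks(png) if t == b"IDAT")


def constructed_png() -> bytes:
    """1x1 grayscale PNG with a placeholder caBX body (not a real manifest)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + b"".join([
        make_chunk(b"IHDR", ihdr),
        make_chunk(C2PA_CHUNK, b"constructed placeholder, not a JUMBF manifest"),
        make_chunk(b"IDAT", zlib.compress(b"\x00\x7f")),
        make_chunk(b"IEND", b""),
    ])


if __name__ == "__main__":
    original = constructed_png()
    rendition = resave_pixels_only(original)
    print("original has manifest store: ", has_c2pa_store(original))
    print("rendition has manifest store:", has_c2pa_store(rendition))
    print("pixel data unchanged:        ", pixel_data(original) == pixel_data(rendition))
```

Run `has_c2pa_store` against the bytes your CMS or CDN actually serves, not the file you uploaded.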
Article 50 of the EU AI Act increases transparency obligations around AI-generated and manipulated content. For many publishing workflows, August 2, 2026 is a key operational milestone.
The EU AI Act (Regulation 2024/1689), specifically Article 50,[1] introduces transparency obligations around synthetic and manipulated content. In practice, this increases the importance of machine-readable marking and detectability for AI-generated image outputs.
For publishers, agencies, and organizations distributing AI-generated visuals, the practical issue is not only whether marking happens at creation time, but whether that transparency survives through real publishing workflows.
The transparency gap is structural: AI providers may fulfill their obligation at creation time, but embedded provenance often does not survive downstream publishing workflows.
The practical question for publishers is no longer whether transparency matters, but how to preserve it through real publishing workflows.
1. Do our AI-generated images retain their machine-readable provenance after going through our CMS, CDN, and social media channels?
2. If someone questions whether a published image is AI-generated, can we provide verifiable proof?
3. Does our proof survive independently — even if the marking provider disappears?
Not sure if your workflow has this gap?
Email us a short description of how your team publishes AI-generated images. We'll help you identify where your provenance chain is likely to break and what it may take to strengthen it. Free, 20 minutes, no commitment.
hello@markmyai.com
No single technology can guarantee provenance across all scenarios. MarkMyAI combines four independent layers so that verification can still be supported even when individual layers fail.
1. A digital signature following the open C2PA standard, embedded directly in the image file. Machine-readable by any C2PA-compatible tool (Adobe, Google, Microsoft). Identifies the publisher, not just the AI tool. Fragile — commonly lost during re-encoding and derivative file generation.
2. A signal embedded directly in the pixel data using TrustMark[3] (MIT-licensed, developed by Adobe Research). Invisible to the human eye but detectable by software. Robust — designed to survive many common transformations such as JPEG compression, resize, moderate crop, and format conversion.
3. A perceptual fingerprint (visual hash) stored in an external database. Even substantially modified images may still be re-identified through visual similarity matching. External — independent of embedded data.
4. A public, timestamped anchor on Polygon that supports independent verification of key proof data. Sensitive publisher fields such as creator and model are pseudonymized before anchoring. Permanent — cannot be altered or deleted.
| Scenario | C2PA | Watermark | Fingerprint | Blockchain | Proof? |
|---|---|---|---|---|---|
| Original image, untouched | ✅ | ✅ | ✅ | ✅ | FULL |
| Shared via WhatsApp | ❌ | ✅ | ✅ | ✅ | YES |
| Uploaded to Instagram | ❌ | ✅ | ✅ | ✅ | YES |
| JPEG compressed to Q30 | ❌ | ✅ | ✅ | ✅ | YES |
| Resized to 50% | ❌ | ✅ | ✅ | ✅ | YES |
| Cropped 20% | ❌ | ✅ | ✅ | ✅ | YES |
| Screenshot of screen | ❌ | ❌ | ~ | ✅ | PARTIAL |
| Heavy manipulation combo | ❌ | ❌ | ~ | ✅ | PARTIAL |
Each layer independently contributes to the proof. The combination is designed to preserve verification paths across many common real-world scenarios, even when individual signals are lost.
Scenario labels reflect representative workflow assumptions based on internal tests. Exact outcomes depend on platform-specific processing pipelines, image content, and transformation parameters.
Reference: TrustMark (Bui, Agarwal & Collomosse, 2025)[3] provides the research basis for robust, pixel-level invisible watermarking used in Layer 2.
One API call. Four protection layers applied automatically. Here's what happens when you mark an image with MarkMyAI.
1. The image pixels are modified imperceptibly. A compact payload is embedded using the TrustMark neural watermarking model. The watermark encodes a cryptographic reference linked to the image's unique mark_id. In our tests, visual quality remained imperceptible to the human eye (PSNR > 40 dB).
2. A C2PA manifest is embedded into the image file. This machine-readable provenance record identifies the publisher, records the timestamp, and marks the action as "published." It follows the C2PA v2 open standard, readable by Adobe Content Credentials, Google, Microsoft, and others.
3. A visual fingerprint (perceptual hash) and a cryptographic SHA-256 hash are computed and stored in a tamper-evident audit log. The fingerprint supports re-identification across many common modifications, including compression, resizing, cropping, and format conversion.
4. A zero-value transaction is written to the Polygon blockchain. This creates a timestamped public record containing key proof data needed for independent verification. Creator and model fields are pseudonymized on-chain for GDPR compliance.
| Method | Best for | Effort |
|---|---|---|
| REST API | Developers, automation pipelines | 1 API call |
| Web Dashboard | Marketing teams, individual publishers | Drag & drop |
| WordPress Plugin | WordPress sites, content teams | Install & activate (beta) |
| Chrome Extension | Readers, compliance teams, editors | Browser layer |
In our internal tests, the watermark survived 10 of 11 common transformation scenarios.
The test was conducted on March 8, 2026, using our production TrustMark worker. The test image (800 × 450 px) was watermarked and then subjected to each transformation independently.
| # | Transformation | Watermark | mark_id Verified | CRC Valid |
|---|---|---|---|---|
| 0 | Original (baseline) | SURVIVED | ✅ | ✅ |
| 1 | JPEG Quality 90 | SURVIVED | ✅ | ✅ |
| 2 | JPEG Quality 70 | SURVIVED | ✅ | ✅ |
| 3 | JPEG Quality 50 | SURVIVED | ✅ | ✅ |
| 4 | JPEG Quality 30 | SURVIVED | ✅ | ✅ |
| 5 | Resize to 75% | SURVIVED | ✅ | ✅ |
| 6 | Resize to 50% | SURVIVED | ✅ | ✅ |
| 7 | Crop center 80% | SURVIVED | ✅ | ✅ |
| 8 | WebP conversion (Q80) | SURVIVED | ✅ | ✅ |
| 9 | PNG re-save | SURVIVED | ✅ | ✅ |
| 10 | Social Media Pipeline* | DESTROYED | ❌ | ❌ |
*Social Media Pipeline = Resize to 1080px + JPEG Q30 + Center Crop applied in combination — simulates the aggressive multi-step processing of platforms like Instagram or WhatsApp.
JPEG Q30 is extremely aggressive compression — significantly harsher than many common consumer publishing workflows. In our tests, the watermark still survived this level.
Resize to 50% halves the image dimensions. Even after losing 75% of pixels, the watermark was still reliably extractable in our test setup.
Center crop 80% removes 20% of the image area. The watermark's distributed nature means it survives even partial image loss.
Format conversion completely re-encodes the file. The watermark can persist across format conversion because it is embedded in pixel values rather than stored as file metadata.
The same image, the same transformations — dramatically different results.
| Transformation | C2PA Metadata | Invisible Watermark | Fingerprint Match |
|---|---|---|---|
| JPEG Re-compression | DESTROYED | SURVIVED | MATCH |
| Resize 50% | DESTROYED | SURVIVED | MATCH |
| Crop 20% | DESTROYED | SURVIVED | MATCH |
| Format Conversion | DESTROYED | SURVIVED | MATCH |
| Metadata Strip | DESTROYED | SURVIVED | MATCH |
| Social Media Pipeline | DESTROYED | DESTROYED | PARTIAL |
Scenario: A publisher uses the WordPress plugin on ki-welt.ch.
1. An AI-generated image is uploaded to WordPress Media Library → the MarkMyAI plugin sends it to the API.
2. The API embeds an invisible watermark (TrustMark BCH_SUPER) + C2PA signature → returns the marked file.
3. The plugin replaces both the original file and the WordPress -scaled version (if present) with the marked image. Old thumbnails are deleted. WordPress then regenerates all thumbnail sizes from the newly marked original.
4. The website serves thumbnails to visitors. Field-tested results: the TrustMark watermark survives all WordPress resizing — C2PA is stripped, but the invisible watermark remains intact in every size:

| Rendition | File size | Signals present |
|---|---|---|
| Original (1500×1043) | 626 KB | ✓ watermark + C2PA |
| Large (1024×712) | 95 KB | ✓ watermark |
| Medium (768×534) | 57 KB | ✓ watermark |
| Thumbnail (300×209) | 12 KB | ✓ watermark |

Note: WordPress creates a -scaled copy for images exceeding 2560 px. Since v1.3.2, the plugin explicitly overwrites this file to ensure the watermark is present in every frontend rendition.
5. A reader right-clicks the image → saves it → uploads to markmyai.com/check. The checker decodes the watermark, matches the embedded token to the audit trail via reverse lookup, and returns "Verified Provenance" with a link to the proof record.
6. The publisher downloads the Proof PDF → a self-contained document with blockchain reference for audit and compliance review.
Transparency note: These are internal robustness tests conducted under controlled conditions on a specific test image (800×450 px, TrustMark BCH_5 Q-model). Results may vary based on image content, resolution, and transformation parameters. We publish our methodology and raw results because we believe honest communication builds trust.
Related reading: TrustMark (Bui et al., 2025)[3] for robust watermarking; HiDDeN (Zhu et al., 2018)[4] and Stable Signature (Fernandez et al., 2023)[5] for broader background on neural watermarking and provenance signals in generated images.
MarkMyAI doesn't just embed data. It produces a decision-ready proof that can support compliance, editorial, legal, and publishing workflows. No account required.
Full proof chain intact. Strong provenance signals were confirmed and aligned. This image has verifiable provenance linked to a publisher-side proof chain.
Embedded metadata lost (stripped by platform), but the image was re-identified via fingerprint matching or watermark recovery. Provenance record found in audit trail.
No embedded markers, no watermark detected, no fingerprint match. No reliable provenance path could be established for this image within our system.
Every marked image can generate a Proof PDF — an A4 document that contains everything needed to verify the image's provenance, even without access to MarkMyAI:
What's in the PDF:
• Image details (SHA-256 hash, fingerprint, creator, AI model)
• Status of all 4 protection layers
• Blockchain transaction hash + Polygonscan link
• On-chain anchor string plus verification instructions
• Step-by-step instructions for server-independent verification
Who uses it:
• Legal teams — as supporting documentation for internal and external review
• Compliance officers — for audit documentation
• Publishers — to document due diligence
• Journalists — to verify image sources
• Archivists — for long-term preservation
The MarkMyAI Chrome extension (v1.0.4) brings verification directly to the reader's browser. When a user clicks the badge on an image, the extension always runs a real fingerprint check against the actual image pixels via the MarkMyAI API (~3 seconds). If the WordPress plugin embedded data-markmyai-mark-id attributes in the HTML, those are used as a fallback only if the pixel-based check doesn't match.
The Layer Check shows explicit status labels for each detection layer: Fingerprint (MATCHED / NO MATCH), Blockchain (ANCHORED / NOT FOUND), Watermark (FOUND / NOT FOUND / NOT CHECKED), and C2PA (BROWSER N/A). An optional deep watermark check (~15 seconds) can be triggered by button to verify the TrustMark watermark in the actual pixel data. The tooltip pins open on click to allow comfortable interaction.
The POST /v1/detect endpoint is the most comprehensive detection tool in MarkMyAI. Given any image URL, it runs all four detection layers simultaneously and returns a single, unified result:
| Layer | Method | Robustness |
|---|---|---|
| C2PA | Cryptographic manifest validation via c2pa-node | Fragile — metadata stripping destroys it |
| Invisible Watermark | TrustMark BCH_SUPER pixel-level decoding | Robust — survives JPEG, resize, moderate crop |
| Perceptual Fingerprint | Visual hash + Hamming distance matching | Robust — fuzzy matching after transforms |
| Database Lookup | Audit log records with creator and AI model | External — independent of embedded data |
The response includes a single is_marked verdict, detailed results for each layer, and recovery_paths that explain which proof chains are still intact. If the watermark recovers a mark_id, the API automatically links it to the original proof record — even if C2PA metadata was stripped.
Anyone can verify an image at markmyai.com/check — no account, no login, no cost. Upload an image and the checker runs three detection methods simultaneously:
This fingerprint-based recovery is what allows the checker to identify a WordPress-resized thumbnail as the same image that was originally marked at full resolution. The result is displayed as "Recovered Provenance" with a direct link to the publisher proof.
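How a visual hash with Hamming-distance matching re-identifies a resized rendition, as an added example that is not MarkMyAI's code. The page does not name its fingerprint algorithm, so a difference hash (dHash) stands in for it. The match threshold, the mark_id values and both test pictures are constructed assumptions.

```python
# Added example: difference hash (dHash) as a stand-in perceptual fingerprint.
# MATCH_THRESHOLD and the mark_id values used with it are assumptions.
HASH_W, HASH_H = 9, 8      # 9x8 cells give 8x8 = 64 comparison bits
MATCH_THRESHOLD = 10       # assumed cut-off: max differing bits for a match


def shrink(img, out_w=HASH_W, out_h=HASH_H):
    """Area-average a grayscale image (list of pixel rows) to out_w x out_h."""
    h, w = len(img), len(img[0])
    if w < out_w or h < out_h:
        raise ValueError("image is smaller than the hash grid")
    cells = []
    for cy in range(out_h):
        y0, y1 = cy * h // out_h, (cy + 1) * h // out_h
        row = []
        for cx in range(out_w):
            x0, x1 = cx * w // out_w, (cx + 1) * w // out_w
            total = sum(sum(img[y][x0:x1]) for y in range(y0, y1))
            row.append(total / ((x1 - x0) * (y1 - y0)))
        cells.append(row)
    return cells


def dhash(img):
    """64-bit fingerprint: one bit per 'left cell brighter than right cell'."""
    bits = 0
    for row in shrink(img):
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | int(left > right)
    return bits


def hamming(a, b):
    """Number of bit positions in which two fingerprints differ."""
    return bin(a ^ b).count("1")


def best_match(img, audit_log):
    """Return (mark_id, similarity) for the closest stored hash, else None."""
    if not audit_log:
        return None
    query = dhash(img)
    mark_id = min(audit_log, key=lambda k: hamming(query, audit_log[k]))
    distance = hamming(query, audit_log[mark_id])
    if distance > MATCH_THRESHOLD:
        return None
    return mark_id, 1 - distance / 64


def sample_image(step_x, step_y, w=144, h=128):
    """Constructed test picture: 9x8 brightness blocks plus fine texture."""
    return [[40 + 20 * ((step_x * (x * 9 // w) + step_y * (y * 8 // h)) % 9)
             + (x * 31 + y * 17) % 7 - 3
             for x in range(w)] for y in range(h)]


def cms_rendition(img):
    """Model a derivative: 50% resize, contrast change, coarse quantisation."""
    out = []
    for y in range(0, len(img) - 1, 2):
        row = []
        for x in range(0, len(img[0]) - 1, 2):
            mean = (img[y][x] + img[y][x + 1]
                    + img[y + 1][x] + img[y + 1][x + 1]) / 4
            row.append(int(0.8 * mean + 20) // 8 * 8)
        out.append(row)
    return out


if __name__ == "__main__":
    marked, other = sample_image(3, 5), sample_image(5, 2)
    log = {"mark_constructed_A": dhash(marked)}
    print(best_match(cms_rendition(marked), log))  # resized copy of the marked image
    print(best_match(other, log))                  # different picture
```

The threshold trades missed matches against false matches: a lower value rejects heavily altered copies, a higher one starts to accept unrelated pictures.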
A proof system that depends entirely on a single vendor is inherently fragile. Here's what happens to your proof if MarkMyAI's servers go offline permanently.
| Proof Element | Survives? | How? |
|---|---|---|
| Invisible Watermark | YES | Lives in the pixel data. TrustMark is open source (MIT license). Anyone can run the decoder. |
| C2PA Signature | YES | Embedded in the image file. Readable by any C2PA-compatible tool worldwide. |
| Blockchain Transaction | YES | Immutable on Polygon. The TX data contains key proof data in readable form. |
| Blockchain Proof | YES | Self-contained public anchor: key proof data can be independently checked without MarkMyAI servers. |
| Proof PDF | YES | Once downloaded, works offline forever. Contains all data for independent verification. |
| Audit Trail | NO | Database-dependent. Proof PDF serves as offline backup. |
| Fingerprint Recovery | NO | Requires database lookup. Watermark takes over as recovery path. |
| Verify API | NO | Server-dependent. Proof PDF + Blockchain TX replace this function. |
Even without MarkMyAI, anyone with a Proof PDF can still validate key parts of the provenance record independently.
1. Look up the TX hash on polygonscan.com. Decode the hex data field to read the anchor string.
2. Compute SHA-256 of the original image. Compare with the hash in the anchor string.
3. The anchor string contains pseudonymized publisher fields. Compare the corresponding values from the Proof PDF to validate alignment.
4. Run the open-source TrustMark decoder on the image. Verify the extracted hash matches.
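The hex decoding, image hash and publisher-field comparisons described above can be scripted offline; the following is an added example, not MarkMyAI code, and it does not cover the watermark decoding step. This page does not specify the anchor string layout, so the script assumes only that the anchor is UTF-8 text carrying its hashes as 64-character hex values and that pseudonymized fields are unsalted SHA-256 of the plaintext. The sample transaction data is constructed.

```python
import hashlib
import re

# A 64-character hex run that is not part of a longer hex run.
HEX64 = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decode_anchor(tx_input_hex: str) -> str:
    """Turn a transaction's hex 'input data' field into the anchor text."""
    raw = tx_input_hex.strip()
    if raw[:2].lower() == "0x":
        raw = raw[2:]
    try:
        return bytes.fromhex(raw).decode("utf-8")
    except ValueError as exc:  # bad hex, or bytes that are not UTF-8
        raise ValueError("input data is not hex-encoded UTF-8 text") from exc


def anchored_hashes(anchor: str) -> set:
    """Collect every SHA-256-sized hex value found in the anchor string."""
    return {h.lower() for h in HEX64.findall(anchor)}


def verify_proof(tx_input_hex, image_bytes, creator, model) -> dict:
    """Compare local values with what the on-chain anchor commits to."""
    hashes = anchored_hashes(decode_anchor(tx_input_hex))
    checks = {
        "image_hash": sha256_hex(image_bytes) in hashes,
        # Assumption: pseudonymized field = unsalted SHA-256 of the UTF-8 text.
        "creator": sha256_hex(creator.encode("utf-8")) in hashes,
        "model": sha256_hex(model.encode("utf-8")) in hashes,
    }
    checks["all_match"] = all(checks.values())
    return checks


def constructed_tx_input(image_bytes, creator, model) -> str:
    """Build sample input data; this layout is invented for the example."""
    anchor = "|".join([
        "constructed-anchor",
        sha256_hex(image_bytes),
        sha256_hex(creator.encode("utf-8")),
        sha256_hex(model.encode("utf-8")),
    ])
    return "0x" + anchor.encode("utf-8").hex()


if __name__ == "__main__":
    original = b"constructed bytes standing in for the original image file"
    tx_input = constructed_tx_input(original, "Example Publisher", "example-model")
    print(verify_proof(tx_input, original, "Example Publisher", "example-model"))
    # A re-encoded copy has different bytes, so only the field checks still pass.
    print(verify_proof(tx_input, original + b"\x00", "Example Publisher", "example-model"))
```

The image hash comparison only succeeds on the byte-exact original file; for a resized or re-encoded rendition, the watermark check is the remaining path.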
Reference: The C2PA Specification's soft-binding guidance[2] and the TrustMark paper[3] both address the principle that embedded provenance and recovery-aware signals solve different parts of the provenance problem.
Three ways to start marking your AI-generated images today.
Go to markmyai.com/dashboard, create a free account, and upload images directly. No code required. The Free plan includes 50 marks per month.
For automated workflows, use the API. One call marks an image with all four layers:
The detect endpoint runs C2PA, watermark, fingerprint, and database lookup simultaneously:
The response returns is_marked (true/false), details for each layer (C2PA, watermark, fingerprint matches), and recovery_paths that describe which proof chains are still intact. This is the most comprehensive detection endpoint — ideal for automated compliance checks, content moderation pipelines, and editorial verification workflows.
The POST /api/check-watermark endpoint powers the public checker at markmyai.com/check. It accepts a file upload and runs C2PA extraction (via c2pa-node), watermark decoding, and perceptual fingerprint matching — all without authentication:
The response includes watermark results, C2PA fields (c2pa_claim_generator, c2pa_signer), and a fingerprint_match object with the best audit trail match (mark_id, similarity, creator, verify_url). Fingerprint matching is the key recovery path when images have been resized or re-encoded by a CMS.
The MarkMyAI WordPress plugin is available for selected early adopters. Once installed, every uploaded image can be marked automatically — no code, no manual steps. Visit markmyai.com/wordpress for details and the install guide.
| Plan | Price | Marks/Month | Blockchain | Proof PDF |
|---|---|---|---|---|
| Free | €0 | 20 | — | — |
| Starter | €19/mo | 200 | ✅ | ✅ |
| Business | €49/mo | 2,000 | ✅ | ✅ |
| Enterprise | Custom | Custom | ✅ | ✅ |
Create a free account at markmyai.com and mark your first image in under 60 seconds.
The following standards, papers, and technical guidance documents informed the ideas summarized in this guide.
Note: This guide combines internal MarkMyAI test results with external standards and research literature. External references provide background for the broader provenance, watermarking, and transparency concepts discussed throughout.
| Reference | Why it matters |
|---|---|
| [1] Regulation (EU) 2024/1689. EU AI Act, Articles 50 and 99. | Primary legal basis for transparency obligations around AI-generated and manipulated content, including disclosure duties for deployers (Art. 50(4)) and penalties (Art. 99(4)). |
| [2] C2PA Specification v2.1. Content Provenance and Authenticity. c2pa.org/specifications, September 2024. | Core industry standard for Content Credentials, covering embedded manifests, hosted/remote manifests, soft-binding, and recovery paths for provenance that survives downstream processing. |
| [3] Bui, Agarwal & Collomosse (2025). TrustMark: Robust Watermarking and Watermark Removal for Arbitrary Resolution Images. ICCV 2025. (Preprint: arXiv:2311.18297, 2023.) University of Surrey & Adobe Research. | Direct research basis for the invisible watermarking used in MarkMyAI. GAN-based method trained for robustness against JPEG, resize, crop, and format conversion. MIT-licensed open source. |
| [4] Zhu, Kaplan, Johnson & Fei-Fei (2018). HiDDeN: Hiding Data With Deep Networks. ECCV 2018, pp. 682–697. arXiv:1807.09937. | Foundational work demonstrating that neural networks can encode and recover hidden payloads in images with robustness to common distortions including JPEG, blur, and cropping. |
| [5] Fernandez, Couairon, Jégou, Douze & Furon (2023). The Stable Signature: Rooting Watermarks in Latent Diffusion Models. ICCV 2023. arXiv:2303.15435. Meta AI Research & INRIA. | Important background for watermarking strategies in AI-generated image systems; shows robustness of invisible signatures even when images are cropped to 10% of original content. |
The questions we hear most from compliance teams, publishers, and agency leads.
Article 50 applies specifically to AI-generated and AI-manipulated content — not to all images. Here is a practical orientation:
| Image type | Example | EU AI Act scope |
|---|---|---|
| AI-generated image | DALL·E, Midjourney, Firefly output | Likely in scope |
| AI-manipulated photo | Background replaced, face swapped, deepfake | Likely in scope |
| AI-assisted editing | Generative fill, AI upscale, content-aware crop | Depends on context |
| Stock photo (unmodified) | Getty, Shutterstock — no AI manipulation | Likely out of scope |
| Original photography | Camera photo, journalist photo | Likely out of scope |
| Manual illustration | Designed in Illustrator or Figma | Likely out of scope |
This table is a practical guidance aid, not legal advice. Final assessment depends on context, workflow, and jurisdictional interpretation.
No. MarkMyAI provides verifiable provenance records about who published an image, when, and with what AI tool. We don't analyze whether an image is "real" or "fake." We provide verifiable documentation of origin.
C2PA is an excellent standard for embedding provenance at creation time. But as our internal tests show, it did not survive the real-world transformations we tested. If your images pass through a CMS, CDN, or social platform, C2PA alone may not be enough. MarkMyAI adds additional layers designed to support verification where embedded metadata is lost.
No. WordPress is simply the most familiar example for many publishers. The same failure mode appears wherever the delivered image is transformed after marking: Shopify, headless CMS stacks, CDN image optimization, messenger apps, and social platforms can all strip or break embedded provenance signals during resize, re-encode, format conversion, or metadata removal.
Our blockchain design is structured to minimize direct exposure of sensitive data and support EU-oriented privacy requirements. Since v3, creator and model fields are stored as pseudonymized SHA-256 hashes on-chain. The plaintext is only available in the database and Proof PDF — both under standard GDPR controls. Exact on-chain data handling should always be reviewed against your legal and compliance requirements.
5 of 8 proof elements survive permanently without our servers. The invisible watermark lives in the image pixels (open-source decoder), the C2PA signature is embedded in the file, and the blockchain transaction is immutable. The Proof PDF provides a complete offline backup. See Chapter 8 for details.
8–15 seconds per image via API, including all four protection layers. The WordPress plugin marks images asynchronously after upload — the upload itself completes instantly.
Yes. Upload existing images via the API or dashboard. The marking process is identical regardless of when the image was created.
In our internal tests, the watermark remained visually imperceptible across multiple image types, with PSNR values above 40 dB.
While designed for AI-generated images under the EU AI Act, MarkMyAI's provenance system works for any image. Some customers use it for product photography and editorial content to strengthen provenance and publication traceability.
Questions? We'd love to hear from you.
hello@markmyai.com
markmyai.com
Provenance that survives the real world. Four layers. One API call. A proof anyone can check.
© 2026 MarkMyAI · Dominic Tschan · Waltenschwil, Switzerland