AI detectors are statistical pattern-matchers, not oracles. They flag text whose token distributions, sentence-length variance, and stylistic uniformity look closer to a generative model’s training prior than to a human draft. That distinction matters because it sets a ceiling on what any detector — Winston, GPTZero, TruthScan, Originality, or an in-house classifier — can actually do. Treat them as oracles and you get false confidence; treat them as one signal in a layered check and they become genuinely useful.

The accuracy question is the one teams keep asking, and it is also the one most often answered badly. Vendors quote 99% on their own evaluation sets. Independent reviewers, working on out-of-distribution prose, regularly report false-positive rates in the 5–15% range and miss rates that climb sharply on lightly edited or paraphrased model output. In our experience reviewing detection deployments, the gap between vendor-quoted accuracy and real-world accuracy is the single largest source of operational pain.

How current AI detectors actually work

There is no single mechanism behind “AI detection”. What gets sold under that label is usually one of four techniques, often stacked:

• Token-probability classifiers. A reference language model scores how likely the text is under its own distribution. Human writing tends to dip into low-probability tokens more often; model output stays in the high-probability ridge. GPTZero’s “perplexity” and “burstiness” signals are the canonical example.
• Stylometric features. Sentence-length variance, punctuation rhythm, function-word frequency, and lexical diversity. These are the same features used in authorship attribution research for decades; AI detection borrowed the toolkit.
• Fine-tuned binary classifiers. A transformer (often RoBERTa-class) trained on a labelled corpus of human vs model text. Accurate inside the training distribution, brittle outside it.
• Watermarks and embedded signals. When the producing model cooperates — for example, OpenAI’s discussed but unshipped token-bias watermark, or Google’s SynthID for text and images — detection becomes a key-verification problem rather than a statistical inference one.

The first three are observed-pattern detectors: they look for the residue of how generative AI shapes language. The fourth is a cryptographic or near-cryptographic check. The two classes have very different failure modes, and a serious detection stack uses both.

What detection accuracy actually means

The single-number “accuracy” figure on a vendor landing page is almost always misleading. The numbers worth asking for are these:

Metric	What it measures	Why it matters
False-positive rate on human text	How often genuine human writing is flagged as AI	Drives unjust accusations; the dominant harm in education
Miss rate on raw model output	How often unedited GPT-4 / Claude / Gemini text passes as human	Floor of detector usefulness
Miss rate on paraphrased output	How often lightly-edited or paraphrased AI text passes	The realistic adversarial case
Out-of-distribution drift	Accuracy on text from models the detector was not trained on	Predicts how fast the detector decays
Confidence calibration	Whether 80% confidence really means 80% correct	Determines if the score is decision-grade

The peer-reviewed work that does exist — Liang et al. (Stanford, 2023) on non-native English speakers, and the OpenAI internal evaluation that led them to withdraw their own classifier in mid-2023 — points the same direction. Detectors miss a meaningful fraction of model output and disproportionately flag certain human writing styles, particularly non-native English. Treat any vendor-supplied accuracy number that does not break out these dimensions as a marketing artefact.

Where perceptual hashing fits

For images and video, the detection conversation pulls in a third technique: perceptual hashing. pHash, dHash, and the more recent neural perceptual hashes (PDQ, NeuralHash) compute a short fingerprint that survives resizing, recompression, and minor edits. They were built for content moderation — matching known images against a database — and they remain the right tool for that job.

Perceptual hashing does not detect “AI-ness”. It detects “I have seen this exact image, or a near-duplicate, before”. That makes it complementary to classifier-based image detectors: hashing handles the recirculation case (the same generated image being reposted), while a classifier or provenance check handles the novel-generation case. Treating perceptual hashing as a substitute for either is a common architectural mistake.

Why C2PA provenance is the durable path

Detection-only approaches share a structural problem: every new generation of models forces a retraining cycle for the detectors, and the gap between generator capability and detector capability widens with each cycle. The defensible long-term posture is to invert the problem — instead of trying to identify AI content after the fact, sign authentic content at the point of capture.

That is what the Coalition for Content Provenance and Authenticity (C2PA) specifies. A C2PA manifest is a cryptographically signed record of how an asset was produced and edited, attached to the file or kept in a side-channel. Adobe, Microsoft, Sony, Leica, and several Android camera vendors ship C2PA-aware tooling. The 2026 reality is uneven: coverage is strong inside the participating ecosystem (Photoshop exports, recent Leica and Sony bodies, Microsoft Designer) and effectively zero outside it. C2PA can also be stripped — the signature breaks, but the underlying pixels survive — so absence of a manifest proves nothing.

The right way to read that: C2PA does not detect AI content; it authenticates non-AI content from cooperating producers. Combined with detection, it creates a useful asymmetry — signed authentic assets clear quickly, unsigned assets get the detector treatment, and contested cases have an auditable trail.

A layered detection stack

For an enterprise that needs a defensible posture rather than a single product, the architecture that works in practice looks like this:

1. Provenance check first. If a C2PA manifest is present and valid, the asset is treated as authenticated. This handles the easy majority of cases at near-zero false-positive cost.
2. Perceptual hash lookup. For images and video, check against a database of known-generated and known-circulating assets. Catches recirculation cheaply.
3. Classifier ensemble. For unsigned, unmatched content, run two or three independent classifiers (different model families, different training corpora) and use their agreement as a confidence signal. A single classifier is a coin-flip on adversarial input; an ensemble degrades more gracefully.
4. Human review for high-stakes flags. Anything above a calibrated threshold and below certainty goes to a reviewer. The detector’s job is to triage, not to adjudicate.
5. Audit trail. Every decision — manifest verified, hash matched, classifier score, reviewer verdict — is logged. This is what makes the posture defensible to a regulator or a court.

The pattern generalises across modalities. Text loses the perceptual-hashing layer but gains the option of stylometric drift detection across a known author’s corpus. Audio uses spectrogram-based classifiers plus C2PA-style signed capture. Video combines frame-level image detection with temporal consistency checks.

What breaks across modalities

Detection patterns do not transfer cleanly between content types. The honest summary of where each one breaks:

• Text. Paraphrasing tools (Quillbot, Undetectable.ai, manual edit passes) defeat token-probability detectors with modest effort. Non-native English writers are systematically over-flagged. Short text (<150 words) carries too little signal for any current classifier to be reliable.
• Images. Style-transfer and inpainting on real photographs sit in a grey zone that classifiers handle poorly. Upscaling and recompression degrade the artefacts detectors rely on. Diffusion-model fingerprints from one generation rarely transfer to the next.
• Audio. Voice cloning at 24 kHz with a few minutes of reference audio is now indistinguishable to most consumer detectors. Forensic detectors that look at vocal-tract physical plausibility do better, but they are slow and specialist.
• Video. Frame-by-frame detection plus temporal consistency catches current deepfakes reliably; fully-generated short clips (Sora-class, Veo-class) erode that advantage. Provenance signatures on the capture device are the only stable answer here.

What we tell teams to do

Two things, in order. First, stop asking “is this AI?” and start asking “what is the audit trail?” — that reframing is what shifts the work from a brittle classification problem to a tractable governance one. Second, deploy detection as triage, not verdict. Calibrated confidence scores, ensembled detectors, human review on the contested band, and full logging of every decision. That posture survives the next model release; a single-vendor detector does not.

The deeper structural point sits in our companion piece on how AI detectors identify written content and in the broader image-detection and provenance treatment — detection is the inverse problem of generation, and the inverse problem gets harder every time the forward problem gets easier. Provenance reverses that asymmetry.

FAQ

How do current AI image detectors actually work — embeddings, watermarks, perceptual hashing, classifiers? Most ship a stack: a fine-tuned classifier (often a vision transformer) for novel-generation detection, perceptual hashing for known-asset matching, and where available a watermark check (SynthID, Meta’s stable-signature variants). Embeddings underlie the classifier; watermarks and hashes are separate retrieval layers. A serious deployment uses all three rather than picking one.

Can C2PA cryptographic provenance be faked, and what is its real coverage in 2026? The signature itself cannot be forged without the signing key, but it can be stripped — the manifest is removed and the pixels survive. So C2PA proves “this signed manifest came from this cooperating producer”, not “this image is or is not AI”. Coverage in 2026 is strong inside the participating ecosystem (Adobe, Microsoft, Sony, Leica, recent Android camera vendors) and effectively zero outside it.

What is the failure rate of best-in-class detectors (Winston, GPTZero, TruthScan) on real content? Vendor-quoted accuracy hovers above 99% on in-distribution evaluation sets. Independent testing on out-of-distribution prose typically reports false-positive rates of 5–15% and miss rates that rise sharply on paraphrased model output. The Stanford work by Liang et al. (2023) on non-native English speakers documented systematic over-flagging that has not been fully addressed.

Where does perceptual hashing fit in the detection stack alongside ML-based detectors? Perceptual hashing (pHash, PDQ, NeuralHash) matches against known assets — it detects recirculation, not AI-ness. It complements classifier-based detection rather than replacing it: hashing handles the “have I seen this before” case cheaply; classifiers handle the novel-generation case.

How does an enterprise deploy a layered detection, provenance, and governance stack for AI content? Provenance check first, then perceptual-hash lookup, then classifier ensemble, then human review on contested confidence bands, with full audit logging at every step. The detector triages; humans adjudicate; the audit trail is what makes the posture defensible to regulators.

Which detection patterns work for images, text, audio, and video, and where do they break? Text detection breaks on paraphrasing and short inputs, and over-flags non-native English. Image detection breaks on style-transfer hybrids and recompression. Audio detection is largely defeated by current consumer voice cloning. Video detection still works for current deepfakes via temporal consistency but erodes against fully-generated short clips; signed capture is the only stable answer.