Content Credentials vs Watermarking vs Metadata Tags: How AI Images Get Marked in 2026
When you generate an image with a major AI tool in 2026, it gets marked as AI-generated in up to three completely different ways at once. These systems are frequently confused for each other, but they work on entirely different technical principles, survive different things, and can be removed (or not) by different means. This is a plain explanation of how AI images actually get marked, what each method does, and why the question “can I remove the AI marking?” has three different answers depending on which marking you mean.
The three marking systems, defined
C2PA Content Credentials are cryptographically signed metadata attached to a file. They record provenance: what tool created the content, when, what edits were applied, and a verifiable chain of custody. C2PA is an open ISO standard (now C2PA 2.1, ratified as ISO/IEC 22144), backed by a coalition of over 6,000 members including Adobe, Google, Microsoft, OpenAI, Sony, and the BBC. The credentials are human- and machine-readable, carry rich detailed information, and are verifiable offline through cryptographic signatures. We cover the standard in depth in our explainer on C2PA and content credentials.
SynthID is an invisible watermark embedded directly into the pixels of an image. Developed by Google DeepMind, it modifies pixel values in ways imperceptible to humans but detectable by a trained classifier. The signal is distributed across the entire image rather than stored in a separate location. Because it lives in the image content itself rather than in metadata, it survives operations that strip metadata. Google has watermarked over 20 billion images with SynthID.
EXIF/XMP/IPTC metadata tags are the traditional metadata fields stored alongside image data. This includes markers like Iptc4xmpExt:DigitalSourceType set to trainedAlgorithmicMedia, xmp:CreatorTool identifying the AI platform, and various embedded generation parameters. These are the simplest markers, the easiest to read, and the easiest to remove — they predate the AI provenance era and were never designed to be tamper-resistant.
The key difference: metadata vs pixels
The single most important distinction is where the marking lives.
C2PA Content Credentials and EXIF/XMP/IPTC tags are metadata — data stored alongside the image, in the file container, separate from the actual pixels. Metadata is fragile by design. It gets stripped by screenshots, social media uploads, format conversions, re-encoding, and any editing workflow that doesn’t explicitly preserve it. When you screenshot an AI image or upload it to most social platforms, the C2PA manifest and EXIF tags usually don’t survive.
SynthID is a watermark — a signal embedded in the pixels themselves. Because it’s part of the image content, it survives the things that destroy metadata: screenshots, cropping, resizing, JPEG compression, and re-uploading to social media. This resilience is watermarking’s defining feature and the direct complement to metadata’s biggest weakness.
This is why “is this image marked as AI?” doesn’t have a simple yes/no answer. An image can have its C2PA credentials and EXIF tags stripped while still carrying an intact SynthID watermark in its pixels. The metadata layer can be gone while the pixel layer persists. It’s also why detection itself is so unreliable in the wild — a theme we dig into in our analysis of the current state of AI image detection.
Try MetaStrip — it's free.
Strip metadata from any photo in seconds. No upload, no account.
At a glance
A quick comparison of the three systems on the dimensions that matter most.
Where it lives: C2PA Content Credentials live in file metadata as a signed manifest. SynthID lives in the image pixels. EXIF/XMP/IPTC tags live in file metadata.
How much information they carry: C2PA is rich — origin, edit history, and chain of custody. SynthID is minimal — a presence signal only. EXIF/XMP/IPTC is moderate — origin, tool, and generation parameters.
What survives a screenshot or metadata stripping: Only SynthID survives both, because it’s in the pixels. C2PA and EXIF/XMP/IPTC are removed by either. C2PA and EXIF survive compression and resizing only if the metadata is explicitly preserved; SynthID survives them regardless.
How they’re verified: C2PA is verified cryptographically and works offline. SynthID requires Google’s classifier. EXIF/XMP/IPTC can be read with any metadata tool.
Open standard, and removable with metadata tools: C2PA is an open ISO standard (ISO/IEC 22144) and is removable with metadata tools. EXIF/XMP/IPTC is long-established and removable with metadata tools. SynthID is proprietary and cannot be removed with metadata tools.
Why major AI tools now use multiple layers
The big shift in 2026 is that leading AI tools stopped choosing between these systems and started using them together, because each covers the other’s weakness.
Adobe Firefly embeds C2PA Content Credentials automatically across Creative Cloud — Photoshop, Lightroom, and Firefly itself. Firefly’s approach is provenance-first: the Content Credential records that the image was AI-generated and tracks subsequent edits, giving professional workflows an auditable history. This is content credentials rather than watermarking — it’s the metadata manifest, which carries rich information but is strippable.
OpenAI announced a layered approach on May 19, 2026, becoming C2PA-conformant *and* adding SynthID watermarks to images generated by ChatGPT, the API, and Codex. OpenAI’s own framing captures the logic precisely: C2PA helps content carry detailed context, while SynthID helps preserve a signal when metadata does not survive. The two reinforce each other — the metadata provides rich provenance for anyone who receives the original file, and the watermark persists even when that metadata is stripped. OpenAI also launched a public verification tool at openai.com/verify that checks uploads for both signals.
Google uses both C2PA and SynthID on its AI-generated content, an approach widely described as the current gold standard. The Content Credential provides the rich provenance data; the SynthID watermark provides the durable, strip-resistant signal.
The industry consensus, echoed by Microsoft’s February 2026 Media Integrity report and the EU’s Code of Practice draft, is that no single method prevents deception on its own. Metadata is informative but fragile. Watermarking is durable but carries little information. Detection classifiers are the only retroactive option but are probabilistic and declining in reliability. The answer the industry landed on is layering all of them — the same conclusion the standards and regulatory bodies reached, which we tracked in our 2026 update on AI image detection and the EU AI Act.
Answering the common questions directly
Is Firefly using content credentials or watermarking? Adobe Firefly embeds C2PA Content Credentials — that’s the signed metadata manifest, not a pixel watermark. It records AI generation and edit history as provenance metadata. This carries rich information but can be stripped along with other metadata.
What’s the difference between AI-generated metadata and “smart tags”? AI-generation metadata (C2PA manifests, the trainedAlgorithmicMedia IPTC marker, XMP creator-tool fields) specifically marks that content was AI-produced and records its provenance. “Smart tags” usually refers to descriptive keyword metadata that AI tools add to *describe* an image’s content for search and organization (objects, scenes, colors). One marks origin; the other describes subject matter. Both are metadata, both are removable, but they serve different purposes — provenance versus cataloguing.
How are AI-enhanced images disclosed in professional workflows? Professional workflows (Adobe Creative Cloud, Microsoft 365, enterprise GenStudio) embed C2PA Content Credentials at creation or export. The credential records both that AI was involved and what edits were applied, providing an auditable disclosure trail. This is increasingly relevant given EU AI Act Article 50 enforcement beginning August 2026 and California’s SB 942, both of which require AI-generated content disclosure.
If I remove the metadata, is the image no longer marked as AI? Only the metadata layer is removed. If the image carries a SynthID pixel watermark (as Google and OpenAI images now do), that watermark remains in the pixels after metadata removal. Removing C2PA credentials and EXIF tags removes the metadata-based markers — the most common and easily-detected signals — but does not affect pixel-level watermarks.
What can actually be removed, and what can’t
This is the practical bottom line, and it’s worth being precise about because tools in this space frequently overpromise.
Removable with metadata tools: C2PA Content Credentials, XMP AI fields, IPTC DigitalSourceType markers, EXIF generation parameters. These are all metadata. A client-side metadata tool can read and remove them. This is what MetaStrip does — it strips the C2PA manifest, the XMP packets, the IPTC markers, and the broader EXIF footprint, entirely in your browser with the file never leaving your device.
Not removable with metadata tools: SynthID and other pixel-level watermarks. Because the signal is embedded in the image content rather than in metadata, no metadata tool can touch it. Removing a pixel watermark requires adversarial pixel manipulation that degrades the image and is not something a metadata stripper does or claims to do.
We’re explicit about this distinction because it matters. MetaStrip handles the metadata layer comprehensively and honestly — it does not claim to defeat SynthID or any pixel watermark, because metadata tools categorically cannot. If a tool claims to remove “all AI detection” including invisible watermarks, be skeptical: metadata removal and pixel-watermark removal are fundamentally different operations.
Why this matters for what you do
If you work with AI-generated or AI-enhanced images, understanding which marking system you’re dealing with changes what’s possible:
For privacy and provenance control — managing what’s embedded in your own files, removing creator names, generation parameters, and provenance metadata you’d rather not share — metadata tools address the layer you can actually control.
For regulatory compliance — the EU AI Act and California SB 942 require disclosure of AI-generated content, and the mechanism regulators favor is exactly these markers. Stripping disclosure markers from content the law requires to be labeled carries its own legal implications depending on where the content appears.
For understanding detection — when a platform flags your content, knowing whether it read a C2PA manifest (strippable metadata) or detected a SynthID watermark (durable pixel signal) tells you what actually happened and what your options are.
The era of a single “AI marker” you could simply remove is over. In 2026, AI images carry layered markings by design, each covering the others’ gaps. The honest, useful approach is understanding which layer is which — what each one is, where it lives, what survives, and what you can actually control. The metadata layer is yours to manage. The pixel layer mostly isn’t. Anyone telling you otherwise is selling something.
MetaStrip handles the metadata layer — C2PA manifests, XMP, IPTC, and EXIF — entirely client-side, with the source open for audit on GitHub. It gives you visibility into exactly what provenance and generation data is embedded in your files, and removes what you choose to remove. What it doesn’t do is claim to remove what metadata tools can’t. That honesty is the point.