Contents
Yes. A motivated adversary can remove AI watermarks, and for a large class of them the removal is provable rather than merely observed. This article reviews what the published research shows about removability as a reliability property. It is not a removal guide. Here the question is only what the literature proves about how durable these marks are.
The strongest result is a theorem
The headline is a theorem, not an experiment. Zhao, Zhang & Wang (NeurIPS 2024) prove that pixel-additive watermarks are removable by generative regeneration, then show it empirically: a variational-autoencoder round-trip followed by diffusion strips resilient schemes’ marks while holding image quality at a PSNR of 30 dB or better. The significance is that this is not a flaw in one implementation. Any watermark that adds a low-amplitude pattern to pixels is, by their argument, within reach of a generative round-trip, which is why the authors call for a shift toward semantic-preserving rather than invisible watermarks.
The picture splits by tier
Which watermarks fall depends on where the mark sits. Classical pixel-domain marks and post-hoc neural marks are both patterns laid over finished pixels, so they land in the provable-removal class of Zhao, Zhang & Wang (NeurIPS 2024). Latent designs such as Tree-Ring, which seed the mark in the noise before the image is decoded, survive a same-model round-trip but stay exposed to an attacker who regenerates the image through a different model. Container-level provenance such as C2PA survives only while the pixels are untouched, because its cryptographic binding breaks on the first edit rather than degrading, as the Content Credentials Technical Whitepaper (2025) states that “any changes to the asset will invalidate the Manifest”. No deployed design is at once invisible and stable against a regenerating adversary, which is the structural reason the answer is yes rather than sometimes. That split by tier, not any single benchmark score, is what a reliability reader should carry away.
Purification, and its ceiling
Diffusion purification generalises the point and quantifies the cost. Saberi, Sadasivan & Rezaei (ICLR 2024) show that for low-perturbation-budget watermarks, purification removes the mark “by applying minimal changes to images”, and that the defender faces a fundamental trade-off between evasion rate and false-positive rate: pushing the false-positive rate down makes the mark easier to purify away. Their result also has a limit worth stating plainly. Against high-perturbation, more visible watermarks, purification stops working, so removability is strongest exactly where the watermark is least intrusive.
Schemes built to resist still fall
Schemes engineered for robustness fall to adaptive attacks. Lukas, Diaa & Fenaux (ICLR 2024) report attacks that “break all five surveyed watermarking methods at no visible degradation in image quality”, cutting detection accuracy to “6.3% or less” in “less than 1 GPU hour”. They also show a secret watermark key is not a defence, because an attacker can train a differentiable surrogate key. Secrecy of the method is not the same as robustness of the method.
Even watermarks rooted in the model’s own weights are not exempt. Stable Signature, from Fernandez, Couairon & Jégou (ICCV 2023), fine-tunes the diffusion decoder so every image carries a user’s bits. Hu, Jiang & Guo (2024) answer it directly in Stable Signature is Unstable, removing the mark by fine-tuning the decoder on a small dataset to produce “non-watermarked” images “while maintaining the visual quality”. A tracing watermark baked into the generator can be un-baked by a downstream fine-tune.
The exception, and its limit
One structural exception proves the rule. Tree-Ring embeds its pattern in the initial noise latent before any pixels exist, and Wen, Kirchenbauer & Geiping (NeurIPS 2023) show it is “invariant to convolutions, crops, dilations, flips, and rotations”. Because there is no additive pixel pattern to purify, the simplest attacks do not apply. Yet the standardised WAVES benchmark from An, Ding & Rabbani (ICML 2024) still ranks regeneration and rinse-then-diffuse among the top attacks against it, so even the most robust deployed design is weakened, not immune, once the attacker is allowed to regenerate the image. The exception narrows the gap rather than closing it.
What removability means for trust
The real conclusion is what removability does to trust, and the vendors already price it in. Google DeepMind scopes SynthID to making black-box attacks “computationally infeasible at scale” rather than defeating “a determined white-box adversary” (Gowal, Bunel & Stimberg, 2025), and names re-generation as a threat. Removal is a cost imposed on an attacker, not a lock. That reframes what a watermark is good for. A present mark is real evidence of origin. An absent mark is not evidence of anything, because for the common pixel-additive designs removal is cheap, high in quality and, in the case of Zhao, Zhang & Wang, provable. The reliability question then becomes which family a scheme belongs to. This review is image-focused; the same question for other media is answered in can music watermarks be removed?, can voice watermarks be removed? and can text watermarks be removed?. If you want the privacy how-to instead, keeping your own media from being traced by actively stripping a mark, see can you remove SynthID from your file?.
Sources
- Zhao, Zhang, Wang (2024). Invisible Image Watermarks Are Provably Removable Using Generative AI. NeurIPS.
- Saberi, Sadasivan, Rezaei (2024). Robustness of AI-Image Detectors: Fundamental Limits and Practical Attacks. ICLR.
- Lukas, Diaa, Fenaux (2024). Leveraging Optimization for Adaptive Attacks on Image Watermarks. ICLR.
- Fernandez, Couairon, Jégou (2023). The Stable Signature: Rooting Watermarks in Latent Diffusion Models. ICCV.
- Hu, Jiang, Guo (2024). Stable Signature is Unstable: Removing Image Watermark from Diffusion Models.
- Wen, Kirchenbauer, Geiping (2023). Tree-Ring Watermarks: Fingerprints for Diffusion Images that are Invisible and Robust. NeurIPS.
- An, Ding, Rabbani (2024). WAVES: Benchmarking the Robustness of Image Watermarks. ICML.
- Gowal, Bunel, Stimberg, et al. (2025). SynthID-Image: Image Watermarking at Internet Scale. arXiv:2510.09263.
- Coalition for Content Provenance and Authenticity (C2PA) (2025) Content Credentials: C2PA Technical Whitepaper. Available at: https://c2pa.org/wp-content/uploads/sites/33/2025/10/content_credentials_wp_0925.pdf (Accessed: 27 June 2026).