Can You Prove That Image Is Real? AI Verification Tools Lawyers Need to Understand

OpenAI just shipped a tool that checks whether an image was AI-generated. It is one of many — and for lawyers, the gap between what these provenance checkers actually prove and what a courtroom requires is where the real risk lives.


For most of legal history, a photograph or a video carried its own credibility. A jury could look at footage and trust, more or less, that it depicted something that happened. Generative AI has dismantled that assumption. In Mendones v. Cushman & Wakefield, an Alameda County judge dismissed a housing case with prejudice in September 2025 after finding the plaintiffs had submitted AI-generated video and altered images as genuine evidence. One tell was metadata indicating a clip had supposedly been captured on a device that could not have recorded it. The court denied reconsideration weeks later.

That case is not an outlier. National reporting has documented AI-fabricated material reaching courtrooms and alarming the judges who encounter it. The vendors have noticed. On May 19, 2026, OpenAI unveiled Verify, a tool that checks whether an uploaded image was generated by one of its models, and it joined a fast-growing field of "authenticity" checkers. Which raises the question this article exists to answer: when one of these tools returns a clean result, does it prove anything a court will accept?

What OpenAI's Verify Tool Actually Does

Verify is narrower than its name suggests. It is a research-preview tool that takes one uploaded image and reports whether that image carries a recognized provenance signal: a set of C2PA Content Credentials or a SynthID watermark. In practice the answer falls into one of three buckets — it finds embedded Content Credentials, it finds a SynthID watermark, or it finds no supported signal at all. The tool is built to recognize imagery produced by OpenAI's own models, so a clean read is not a global verdict on every image ever made.

How you hand the tool a file matters. SynthID embeds an invisible watermark designed to persist through screenshots, resizing, compression, and other routine manipulation, but those operations can still degrade what the detector sees. Feeding Verify a screenshot or a cropped re-save rather than the original file can change the result, which is why the same image can read differently depending on its history.

Verify is one piece of a larger provenance effort. OpenAI has joined the C2PA steering committee alongside Adobe and Microsoft and has paired with Google to embed DeepMind's SynthID watermark in its outputs. OpenAI describes the two layers working together as more resilient than either alone: the metadata carries context about how an asset was made, while the watermark can survive when that metadata is stripped.

Here is the point that matters for a lawyer. Verify confirms whether an image participated in a provenance scheme. It does not certify that a photograph is real, and a "no supported signal" result does not mean an image was fabricated. That gap between participation and authenticity is where the evidentiary problems begin.

Verify Is One Tool in a Crowded Field

Verify did not arrive in a vacuum. It reads two signals that other companies are also embedding and detecting, and it sits inside a broader market of authenticity tools that split cleanly into two families. Understanding which family a given tool belongs to tells you, in advance, how it can fail you.

The first family detects provenance that was attached when the content was made. At its base sits C2PA, the standard maintained by the Coalition for Content Provenance and Authenticity, which provides a cryptographically secure way to express how an asset was created and edited through tamper-evident, signed data structures that travel with the file. Most of the consumer-facing tools simply read those credentials. Adobe's Content Authenticity ecosystem is a leading implementation, letting creators attach Content Credentials recording origin, edits, and the tools used. Google's SynthID adds an invisible watermark, and as of May 19, 2026 the SynthID Detector surfaces directly inside Google Search and Chrome, with Circle to Search on Android letting a user circle an image and ask whether it was made with AI.

The second family does not look for an embedded signal at all. Forensic detectors such as Reality Defender and Hive examine the pixels themselves for statistical anomalies and return a probability. Hive scores content on a 0 to 100 scale and labels faces as deepfake or not with a confidence number; Reality Defender uses a multi-model approach to flag pixel-level, acoustic, or linguistic irregularities. These tools produce an estimate, not a verdict.

The distinction matters because the two families break differently:

  • Provenance detection works only when a participating tool embedded a credential or watermark and that signal survived. No participation, no signal — and a stripped credential proves nothing.
  • Forensic detection works on any image but only estimates a likelihood, and it grows unreliable against generators it was not trained on.

A lawyer who treats a confidence score and a verified credential as the same kind of proof will misjudge both. Each answers a different question, and each leaves a different gap.

Why This Matters in the Courtroom: Authentication Under Rule 901

Strip away the technology and the courtroom question is old. Before any image reaches a fact-finder, its proponent must clear the authentication bar of Federal Rule of Evidence 901(a), which provides that the proponent “must produce evidence sufficient to support a finding that the item is what the proponent claims it is.” That is a low threshold. It asks only for enough that a reasonable jury could find the item more likely than not authentic, and photographs and video have always satisfied it easily. The trust courts placed in them was practical, not doctrinal. Generative AI removes the practical part while leaving the rule untouched.

The rulemakers have noticed. The Advisory Committee on Evidence Rules drafted a proposed Rule 901(c) aimed squarely at AI fabrication. Under the draft, an opponent challenging an item as generated “in whole or in part” by AI must first present evidence sufficient to support a finding of fabrication, enough to warrant the court’s inquiry. Once the opponent clears that threshold, the item comes in only if the proponent then shows the court it is more likely than not authentic, with the judge deciding admissibility as a preliminary question under Rule 104(a).

That draft has not been adopted. At its November 5, 2025 meeting, the Committee took a wait-and-see posture, kept 901(c) on its agenda, and declined to publish it for notice and comment, reasoning that courts have generally handled the deepfake cases they have seen under existing authentication rules. So for now, 901’s familiar flexibility governs, with no deepfake-specific mechanic.

Provenance tools fit inside that framework as one input, not a verdict. A verified Content Credentials match is evidence sufficient to support a finding of origin and integrity, exactly the kind of item 901(a) contemplates. A “no signal” result carries almost no weight in the other direction, because most authentic media never carried a credential to begin with.

A clean provenance signal helps you meet Rule 901(a); its absence does not help your opponent. Plan your authentication record around what the tool can affirmatively add, not what it fails to find.

The Liar's Dividend: When 'It Could Be Fake' Becomes a Strategy

The last section assumed a familiar adversarial posture: one side offers an image, the other questions whether it is real. Generative AI adds a corrosive new move. A party can now dismiss authentic evidence simply by suggesting it might have been made by a machine. Judge Erica Yew of the Santa Clara County Superior Court calls this the liar’s dividend — the situation where authentic evidence is falsely claimed to be AI-generated. The fabrication never has to exist. The mere plausibility of one is enough to seed doubt.

What makes the liar’s dividend more pressing than the deepfake itself is timing. Building a forgery that survives forensic scrutiny is hard; insinuating that a real recording is a forgery costs nothing. Dr. Maura Grossman, a leading authority on AI and the law, puts the sequence plainly:

“I think the courts will see [the liar’s dividend] sooner than the deepfakes.”

The surrounding threat is already concrete. The same instinct that lets one party deny real evidence drives another to manufacture it, and courts have begun imposing terminating sanctions when they catch it — the dismissal in Mendones being a vivid recent example. A litigator should expect both moves: opponents who fabricate, and opponents who cry fabrication to bury what is genuine.

Verification tools cut both ways here, and that is the part counsel tend to miss. A clean provenance record can rebut a baseless deepfake accusation. But because that record is itself only metadata or a watermark, it becomes the next thing an opponent attacks — questioning the credential’s chain of trust, arguing the signal was forged or transferred from another file, or insisting the watermark proves nothing about the moment of capture. Possessing a pristine provenance trail does not end the fight. It relocates it.

The Limits Lawyers Must Internalize Before Relying on a Result

Earlier sections noted, in passing, that a clean result is not the same as proof. This is where that caveat has to harden into a rule of practice. A detector answers one mechanical question, and a lawyer who reads more into it than the engineering supports will build an authentication record on sand. The failures are predictable, which means they are also avoidable if you know them before you rely on a result.

  • A missing signal proves nothing. The vast installed base of cameras and phones in use today does not sign its images, so most authentic photographs and videos carry no Content Credentials at all. The C2PA specification itself notes that its manifests can be separated from an asset and that the standard does not attribute content to any person or organization. A blank result is not a finding of fabrication; it is an absence of information.
  • Provenance covers only participants. A signal exists only when a conforming tool embedded one at creation. A model that never joined the scheme leaves no trace even when the image is wholly synthetic, so an opponent’s fake can pass a provenance check cleanly simply by having been made with the wrong generator.
  • Signals are fragile in transit. Screenshots, re-encoding, social-media re-uploads, and ordinary edits routinely strip metadata and can weaken a watermark. Google itself concedes SynthID is not foolproof: heavy edits, filters, or remixes can erase the mark, and bypass services exist to remove it deliberately. The file that lands in your inbox has usually been through several of these steps already.
  • A confidence score is not admissibility. Forensic detectors output a probability on a 0-to-100 scale, not a verdict, and they are adversarially fragile. Slight perturbations can drop their accuracy below 70 percent in some tests, and a model trained on yesterday’s generators cannot reliably judge tomorrow’s. An 86 out of 100 is a lead worth running down, not a fact you can put to a jury.

Set against all of this, the traditional authentication toolkit still does the heavy lifting. Rule 901(b) lists the methods that actually carry a contested exhibit — a witness with knowledge, distinctive characteristics, evidence about the process or system that produced the item — and the Advisory Committee designed that list to leave room for new techniques, not to be displaced by them. A provenance hit is, at most, one more 901(b)-style input alongside chain of custody, device records, and testimony. It supplements the human work; it does not replace it.

That last point is not merely tactical. It is an ethical floor. The duty of competence reaches the tools you use: ABA Model Rule 1.1 directs a lawyer to keep abreast of “the benefits and risks associated with relevant technology” in Comment 8, which means you are expected to understand a detector’s limits before you lean on its output. Rule 3.3’s duty of candor reaches the courtroom: you cannot offer a machine’s confidence number to the tribunal as proof of authenticity when you have no independent basis for the claim. Between them, the rules locate responsibility in the same place this article keeps returning to. The lawyer owns the authentication judgment. The detector is only ever one more thing the lawyer weighs.

A Practical Playbook for Using Provenance Tools

Knowing what these tools cannot do is only useful if it changes how you work a file. The diagnosis from the previous section translates into a short list of habits, most of which are not new duties so much as old ones — preservation, corroboration, expert support — applied to a new category of evidence. None of it requires you to become a forensic analyst. It requires you to treat a detector result the way you would treat any other lead.

  1. Run provenance checks early. Screen any image or video that could become material at intake and again in discovery, before positions harden around it. A signal you find on day one shapes your strategy; one you find on the eve of trial only complicates it.
  2. Preserve originals and full metadata. Never work only from a screenshot, and document how each file was obtained. Mendones is the cautionary tale: the fabrication unraveled on the metadata, not the pixels, when a clip claimed a capture device that could not have recorded it. Screenshots and re-saves destroy exactly the data that wins or loses these fights.
  3. Treat a tool result as a lead, then corroborate it. A “detected” or “no signal” output is a starting point, not a conclusion. Pair it with a source witness, the originating device, EXIF data, and a file hash so the authentication rests on several independent threads rather than one machine read.
  4. Retain qualified forensic experts for anything contested. A detector’s confidence number does not satisfy Rule 702’s requirement that expert testimony rest on sufficient facts and reliable methods reliably applied. When authenticity is genuinely in dispute, the opinion that survives cross-examination comes from a qualified examiner, not a confidence score.
  5. Advise clients to attach provenance to their own assets. Brands, newsrooms, and content producers should adopt Content Credentials so their media carries tamper-evident provenance from the moment of creation. A credential built in at the source is far easier to authenticate later than one you wish existed after a dispute arises.
  6. Draft and depose for the liar’s dividend. Build the authentication record proactively, and when an opponent alleges “deepfake” without support, make them substantiate it. The proposed Rule 901(c) structure signals the posture courts expect: a fabrication challenge should rest on evidence sufficient to warrant inquiry, not a bare accusation. Put that burden on the record in depositions and motions.
  7. Update your engagement letters, litigation holds, and discovery protocols. Preservation duties extend to AI-generated and AI-edited media and their native metadata. Scope holds and document requests expressly to capture original files and provenance signals, so the data you need is preserved before anyone has a reason to lose it.
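
An added example, not part of the original article: Python code for the intake record that steps 2 and 3 call for, which also shows why the earlier section warns that signals are fragile in transit. It hashes the exact bytes received and checks only whether a C2PA container is present in a JPEG's APP11 segment, without validating any signature; the function names, the sample bytes, and the re-save model that drops metadata segments are assumptions constructed for illustration.

```python
import hashlib
import struct

def _seg(marker, payload):
    """Encode one JPEG marker segment (the length field counts its own 2 bytes)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def parse_header(data):
    """Return ([(marker, payload), ...], offset of SOS) for JPEG bytes."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # start of scan: compressed pixels follow
            return segments, pos
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("no start-of-scan marker found")

def has_c2pa_container(data):
    """Presence only: APP11 (0xEB) JUMBF box labelled c2pa. No signature check."""
    return any(m == 0xEB and p[:2] == b"JP" and p[12:16] == b"jumb"
               and b"c2pa" in p[16:64] for m, p in parse_header(data)[0])

def intake_record(data):
    """What to log at intake: hash of the exact bytes, size, signal presence."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "bytes": len(data),
            "c2pa_container_present": has_c2pa_container(data)}

def resave_without_metadata(data):
    """Model a re-save or upload that drops every APPn segment (0xE0-0xEF)."""
    segments, sos = parse_header(data)
    kept = b"".join(_seg(m, p) for m, p in segments if not 0xE0 <= m <= 0xEF)
    return b"\xff\xd8" + kept + data[sos:]

# Constructed sample: JPEG-shaped bytes with an unsigned placeholder manifest.
_jumd = b"c2pa\x00\x11\x00\x10\x80\x00\x00\xaa\x00\x38\x9b\x71" + b"\x03c2pa\x00"
_jumd = struct.pack(">I", 8 + len(_jumd)) + b"jumd" + _jumd
_jumb = struct.pack(">I", 8 + len(_jumd)) + b"jumb" + _jumd
ORIGINAL = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _seg(0xEB, b"JP" + struct.pack(">HI", 1, 1) + _jumb)
            + _seg(0xDB, bytes(65)) + _seg(0xDA, bytes(10)) + b"\x12\x34\xff\xd9")
RESAVED = resave_without_metadata(ORIGINAL)

if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("re-saved", RESAVED)):
        print(name, intake_record(blob))
```

The two records differ in hash and in signal presence even though the bytes from the start-of-scan marker onward are identical, which is why the record has to be taken from the original file rather than from a copy that has passed through a re-save.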

Key Implications for Practice

Pull back from the file-level mechanics and the lesson is a single sentence. A verification tool answers whether an image carries a recognized provenance signal. Rule 901(a) asks something broader and harder: whether there is evidence sufficient to support a finding that the item is what its proponent claims. The first question is mechanical and the tool answers it cleanly. The second is a question of facts, witnesses, and chain of custody that no detector resolves on its own. Treating a green light as an answer to the second question is the mistake this article exists to prevent.

So the competent posture is the one Promise Legal returns to across every technology: the lawyer in the loop. Provenance is corroboration inside a human-led authentication workflow, never a substitute for the judgment the rules of competence and candor assign to counsel. A credential strengthens your record; it does not relieve you of building one.

The doctrinal ground is also still moving. Rule 901(c) remains on the Advisory Committee's agenda under a deliberate wait-and-see posture, which means the standards governing AI-fabricated evidence are not yet settled. Firms that build provenance literacy now will be reading the signals their opponents miss and shaping the record before the rules catch up.

Promise Legal helps litigation teams and in-house counsel work through AI, evidence authenticity, and content-provenance questions before they become courtroom problems. If your firm is sorting out how these tools fit your authentication strategy, we would welcome the conversation.
