How to Detect AI-Generated Images Using Metadata

Most guides on detecting AI-generated images focus on pixel-analysis classifiers like Hive AI or SynthID. Those tools work, but they're probabilistic. They give you a confidence score, not a definitive answer. Metadata-based detection is different: when the metadata is present and intact, it gives you a binary yes-or-no answer about whether an image was generated by AI.

Three layers of metadata can reveal an image's origin:

• EXIF and XMP tags: Standard image metadata fields that record the software used to create or edit a file. AI generators write their tool name, version, and sometimes the full prompt into these fields.
• IPTC DigitalSourceType: A standardized vocabulary maintained by the International Press Telecommunications Council that classifies how an image was created. The value trainedAlgorithmicMedia means the image was fully generated by a trained AI model.
• C2PA Content Credentials: A cryptographic provenance standard developed by the Coalition for Content Provenance and Authenticity. Unlike EXIF tags, C2PA manifests are digitally signed, so any tampering is detectable.

The catch is that not every generator embeds all three layers, and metadata can be stripped by social media platforms, screenshot tools, or deliberate removal. The rest of this guide shows you exactly what each major generator embeds, how to read it, and how to handle the cases where metadata is missing. Teams running AI-content audits often pair these tools with Fast.io's workspaces, where collaboration and AI-powered extraction help triage flagged images at scale.

Each AI image generator embeds a different set of metadata fields. Some sign their output cryptographically. Others rely on unsigned EXIF tags that can be edited with any metadata tool. Knowing which generator uses which approach tells you how much you can trust the metadata you find.

DALL-E 3 and ChatGPT Image Generation

OpenAI embeds C2PA Content Credentials in every image generated through DALL-E 3 and ChatGPT. The manifest identifies the content as AI-generated by OpenAI, includes a generation timestamp, and is cryptographically signed using certificates registered with the C2PA Trust List. The EXIF Software tag reads "DALL-E 3 via ChatGPT" or "OpenAI DALL-E 3" depending on the generation path.

OpenAI also sets the IPTC DigitalSourceType to trainedAlgorithmicMedia, giving you two independent signals in a single file.

Adobe Firefly

Adobe applies Content Credentials automatically to every image where 100% of the pixels are generated by Firefly. The manifest records that Adobe's generative AI contributed to the asset, identifies the specific Firefly model used, and lists the processing actions taken during generation. The IPTC DigitalSourceType is set to compositeWithTrainedAlgorithmicMedia when Firefly features are used within Photoshop alongside real image content.

Adobe signs these credentials through its own certificate authority, and the credentials survive editing chains in Photoshop, so you can trace the full history of modifications.

Midjourney

Midjourney takes a different approach. As of early 2026, Midjourney does not embed C2PA Content Credentials. Instead, it writes generation data into standard EXIF and IPTC fields. The Description field contains the complete prompt text, all parameters (like --ar, --stylize, --chaos), the Job ID, and any image reference URLs. The Author field stores the Midjourney username, and the Digital Image GUID stores the Job ID as a UUID.

Midjourney does set the IPTC DigitalSourceType to trainedAlgorithmicMedia, which is the machine-readable flag that marks the image as AI-generated. But because none of this metadata is cryptographically signed, anyone with ExifTool can strip or alter it.

Stable Diffusion

Stable Diffusion's metadata depends entirely on which interface you use. Stability AI's hosted API includes C2PA credentials, but local installations through AUTOMATIC1111, ComfyUI, or InvokeAI do not embed any content credentials by default.

What they do embed is generation parameters. AUTOMATIC1111 writes the complete parameter string into the UserComment EXIF field, including the model checkpoint name, sampling method (DPM++ SDE, DDIM, Euler), step count, CFG scale, and seed value. ComfyUI goes further, storing the entire workflow graph as structured JSON data in the image metadata. These parameters are a strong signal that an image was locally generated, but they're trivially removable.

Comparison Table

ExifTool is the standard open-source tool for reading image metadata. It runs on Windows, macOS, and Linux, and it can read every metadata format relevant to AI detection. Version 13.40 (released October 2025) added support for the IPTC Photo Metadata Standard 2025.1 properties, including the new AI-specific fields.

Check for AI Software Tags

The simplest check is reading the Software and Description tags:

exiftool -Software -Description -DigitalSourceType image.png

If the image came from DALL-E, you'll see something like:

Software                        : DALL-E 3 via ChatGPT
Digital Source Type              : trainedAlgorithmicMedia

For a Midjourney image, the Description field contains the prompt:

Description                     : a futuristic city at sunset --ar 16:9 --v 7 --s 250
Digital Source Type              : trainedAlgorithmicMedia

Read the Full IPTC and XMP Data

For a deeper inspection, dump all IPTC and XMP tags:

exiftool -IPTC:all -XMP:all image.png

Look for these fields specifically:

• XMP:DigitalSourceType with any value containing AlgorithmicMedia or trainedAlgorithmicMedia
• XMP:AISystemUsed (new in IPTC 2025.1) containing the generator name
• XMP:AISystemVersionUsed for the model version
• XMP:AIPromptInformation for the text prompt used

Check for Stable Diffusion Parameters

Locally generated Stable Diffusion images store parameters in the UserComment or PNG tEXt chunks:

exiftool -UserComment -Parameters image.png

A positive result looks like this:

UserComment                     : Steps: 30, Sampler: DPM++ SDE, CFG scale: 7,
                                  Seed: 1234567890, Model: sdxl_base_1.0

The presence of sampling method names, CFG scale values, and model checkpoint references is a strong indicator of AI generation even without a formal DigitalSourceType tag.

Batch Check a Directory

To scan an entire folder of images for AI markers:

exiftool -if '$DigitalSourceType =~ /AlgorithmicMedia/' -FileName -DigitalSourceType -r /path/to/images/

This recursively searches all images and prints only those where the DigitalSourceType contains an AI-related value. For large media libraries, this kind of batch scanning is far more practical than running individual images through a pixel-analysis classifier.

Catalog Your Image Provenance Data Automatically

Fast.io Metadata Views turn image libraries into queryable databases. Describe the fields you want extracted, and AI builds a structured spreadsheet from your files. 50 GB free, no credit card required.

Sign Up Free

C2PA Content Credentials work like a digital nutrition label for images. They record who created the content, what tools were used, and whether AI was involved, all wrapped in a cryptographic signature that makes tampering detectable.

The difference between C2PA and regular metadata matters. EXIF tags and IPTC fields can be freely edited with ExifTool or any hex editor. C2PA manifests use public-key cryptography: the signing organization (like Adobe or OpenAI) generates a manifest, signs it with their private key, and anyone can verify that signature against the organization's public certificate. If someone modifies the image or the manifest after signing, the verification fails.

Online Verification Tools

The simplest way to check C2PA credentials is through a browser-based tool:

• Content Credentials Verify (contentcredentials.org/verify): Adobe's official verifier. Upload an image and it displays the full credential chain, including the signing organization, generation tool, timestamp, and any edits.
• C2PA Viewer (c2paviewer.com): Independent viewer that processes images client-side. Useful when you don't want to upload sensitive images to a third-party server.

Command-Line Verification with c2patool

For programmatic verification, the C2PA project maintains c2patool, an open-source command-line utility:

c2patool verify image.png

The output shows the manifest store, including the digitalSourceType assertion, the signing certificate chain, and the validation status. A valid manifest from OpenAI will show the assertion c2pa.actions with a digitalSourceType value pointing to the IPTC trainedAlgorithmicMedia URI.

Who Signs What

Not all C2PA implementations carry equal weight. The C2PA Trust List is a curated registry of organizations whose signing certificates are trusted by default in verification tools. Adobe, OpenAI, Google, and Microsoft are on this list. If an image carries a C2PA manifest signed by a certificate not on the Trust List, the credentials are structurally valid but unverified, similar to a self-signed HTTPS certificate.

The IPTC Photo Metadata Working Group released version 2025.1 of its standard in November 2025, adding four properties specifically designed for AI-generated content. These go beyond the existing DigitalSourceType flag by capturing the generation context.

The four new properties are:

• AI System Used: The name of the AI engine or model, such as "ChatGPT DALL-E" or "Google Gemini"
• AI System Version Used: The specific model version, when known
• AI Prompt Information: The text prompt given to the generator, including both positive instructions and negative exclusions
• AI Prompt Writer Name: The name of the person who wrote the prompt (notably, IPTC specifies this person should not be considered the image creator)

ExifTool supports all four properties since version 13.40, released in October 2025. To read them:

exiftool -AISystemUsed -AISystemVersionUsed -AIPromptInformation -AIPromptWriterName image.png

These properties sit in the XMP namespace and follow the same embedding pattern as other IPTC metadata. The important distinction from C2PA is that these IPTC fields are not cryptographically signed. They can be added, removed, or altered after creation. Their value comes from standardization, not tamper-resistance: when a generator writes these fields, every tool that speaks IPTC can read them without needing to understand a specific generator's proprietary format.

The EU AI Act (Article 50, enforcement begins August 2026) requires AI-generated content to be "marked in a machine-readable format and detectable as artificially generated or manipulated." The DigitalSourceType tag and the new 2025.1 properties are the primary mechanisms generators use to meet this requirement.

Metadata-based detection is deterministic when the metadata is present. The problem is that metadata frequently gets stripped, and no metadata layer is immune.

Social Media Stripping

Most social media platforms strip EXIF, IPTC, and C2PA data on upload. Instagram, X (formerly Twitter), Facebook, and TikTok all remove embedded metadata during their image processing pipeline. An AI-generated image downloaded from any of these platforms will have no useful provenance data regardless of what the original file contained.

Some platforms are beginning to preserve or re-attach provenance signals. Instagram reads C2PA content credentials and IPTC DigitalSourceType to apply its "Made with AI" label, but it does not pass those credentials through to downstream downloads. The label is platform-specific, not embedded in the file you download.

Deliberate Metadata Removal

Anyone with ExifTool can strip all metadata from an image in one command. Screenshot tools create new files with no inherited metadata. Format conversions (PNG to JPEG, for example) often discard metadata. Re-encoding through image editing software may or may not preserve C2PA manifests depending on the tool.

Missing Metadata Does Not Mean "Real"

The absence of AI metadata never proves an image is authentic. Legitimate photographs can have their metadata stripped by CMS platforms, email clients, or privacy-conscious users. And locally-run AI models like Stable Diffusion through AUTOMATIC1111 only embed generation parameters if the user hasn't disabled that option.

A Practical Detection Workflow

For teams that need to verify image provenance at scale, the most effective approach combines metadata checks with other signals:

1. Check C2PA first: If a valid, signed manifest exists, trust it. This is the most reliable signal.
2. Check IPTC DigitalSourceType: If set to trainedAlgorithmicMedia or compositeWithTrainedAlgorithmicMedia, the creator's tool flagged it as AI-generated. Remember this field is unsigned and editable.
3. Check EXIF Software and UserComment: Look for generator-specific signatures like "DALL-E 3 via ChatGPT" or Stable Diffusion parameter strings.
4. If no metadata is found: Fall back to pixel-analysis classifiers like Hive AI, SynthID, or Sightengine. These are probabilistic but work on images with stripped metadata.

For organizations managing large image libraries, Metadata Views on Fast.io can extract structured fields from uploaded files automatically. Describe the metadata fields you want to capture in natural language, and the system builds a queryable spreadsheet from your image collection. This is useful for cataloging provenance data across hundreds of files without writing custom scripts or running ExifTool commands manually.