Detecting AI-generated identity documents.

By late 2024, producing a synthetic ID that fools the human eye stopped costing money. It wasn’t one breakthrough. Several things landed at once. Diffusion models that get less embarrassing with every generation. Inpainting tools that run in the browser. Templates of state driver’s licenses leaking onto forums anyone with patience can find. By January 2026, Sumsub flagged a number that in another context would have been a headline: AI-assisted fraudulent documents went from 0% to 2% in twelve months. Inscribe, looking at the same phenomenon from the banking side, reported a fivefold increase between April and December 2025 in template-based and AI-generated document fraud. The 2026 deepidv report documented a 311% year-over-year jump in synthetic document fraud.

The numbers aren’t the interesting part. What’s interesting is what they uncovered.

A modern attacker wakes up, generates a hundred fake passports before lunch, runs them through a public detector after, throws away the ones that fail, and by nightfall has a polished batch ready to flood institutional verifiers. Each one cost pennies. Pennies. Detecting them on the other side, with the confidence a bank or a federal agency demands, takes something else. Forensic pipelines. Trained models. Per-jurisdiction calibration. Audit trails that survive a compliance review without falling apart. The cost gap between generating and detecting properly sits somewhere in the four-to-five orders of magnitude range, conservatively.

That’s the gap. And it’s widening faster than it’s closing.

Most people’s first reaction, and honestly mine when I started, is to train a classifier. Grab a balanced dataset, pick a reasonable architecture, tune until you get clean numbers on validation. The problem with that approach surfaces almost immediately once you point the system at real documents.

Corvi and colleagues showed it back in 2023: detectors trained on GAN-generated images break against diffusion, and vice versa. The spectral fingerprints of each generator family are distinct. A model that learned to sniff out Stable Diffusion 1.5 doesn’t necessarily catch SDXL, let alone the more recent diffusion-transformer derivatives. Marra and colleagues had anticipated the same thing back in 2019 with GANs: cross-architecture generalization is the exception, not the rule.

On top of that fragility comes an uglier second front. Work like StealthDiffusion demonstrated that you can build counter-forensic attacks that reduce the spectral differences between generated and authentic images without any visible quality loss. Meaning: the same model an attacker uses to generate the forgery can be used to file it down, dragging it into a region of spectral space where deterministic detectors have nothing left to say. Any system leaning on a single signal inherits the full fragility of that signal.

After months of building and breaking prototypes I landed on the only conclusion that holds. No individual detector carries the load. What carries it is an ensemble whose signals are forensically independent, meaning they don’t fail together against the same attack, plus an aggregator that knows what to trust depending on what kind of document it’s looking at.

SentinelVerify processes each document through five parallel paths. Each path returns a signal with its own scale and its own error distribution. A heuristic layer downstream consumes those five signals and produces a verdict calibrated against the class of document being evaluated.

Metadata forensics

Metadata is the cheapest layer and the most underrated. Every image file carries an EXIF trail that almost never gets cleaned up with the care it should. A photo from an iPhone leaves different fingerprints than a Photoshop export, and both leave different fingerprints than an image generated with Midjourney or Stable Diffusion. AI software markers, when present, settle the case immediately. When absent, that absence in an image claiming to be a camera capture also says something.

On top of EXIF sits C2PA provenance verification, the open standard for cryptographically signing the chain of origin and edits of an image file. C2PA doesn’t detect forgeries. It certifies authenticity. But the absence of a C2PA manifest, in a world where camera manufacturers and platforms are adopting it, starts becoming a signal in its own right. I’ll come back to why I think C2PA matters more than people give it credit for, in a separate essay.

Error level analysis (ELA)

ELA is an old technique, predating AI generation, and still useful. The intuition is simple. When a JPEG image gets partially re-edited and saved again, the modified regions and the original ones accumulate different numbers of quantization passes. Re-compressing uniformly and subtracting exposes the regions where compression "bounced" more, marking them as suspicious.

On its own, ELA is noisy, especially with heavy compression. It also doesn’t help much against clean from-scratch compositions, since there’s no localized editing to detect. But as a complement to the other signals, it catches a specific kind of manipulation: editing on top of an authentic document. Pasting a different photo onto a real license. Changing a date of birth. ELA sees that.

FFT spectral fingerprints

This is the richest line of work in the field, and probably the most fragile in the medium term. Diffusion models, by the nature of their denoising process and the convolutional architectures inside them, leave periodic patterns in the frequency domain. Applying a Fourier transform over noise residuals (subtracting scene content to isolate residual noise, the way Marra and colleagues proposed in 2019), characteristic spectral peaks emerge.

Stable Diffusion leaves one pattern. Latent Diffusion leaves another. Newer models using different VAEs leave weaker patterns, per Corvi and colleagues. StealthDiffusion-style attacks aim to scrub those very fingerprints. But today, a meaningful share of documents generated with consumer tools still carries them, and FFT detects them with cheap compute.

Vision reasoning with a transformer

The fourth signal is a different beast. Instead of looking for physical artifacts of the generation process, it asks a multimodal vision model (Claude 4.7 in my implementation) to inspect the document the way a trained human reviewer would. Is the typography consistent with that jurisdiction’s official format? Are the security marks in the right position? Does the structured information (name, dates, ID number) follow expected formats, or are there subtle anomalies? Weird spacing. Wrong kerning. Impossible dates.

Current vision models don’t reach the level of a forensic examiner, but they’re surprisingly good at catching semantic inconsistencies that deterministic detectors miss. A field that’s missing. A field that doesn’t belong. An alphanumeric string with a check digit that doesn’t compute. The output is structured JSON: list of findings, severity, location. That feeds the aggregator as one more signal.

CNN trained on AI-image corpus

The fifth signal is, in a sense, the most conventional. A convolutional network trained on HuggingFace’s public AI-image detection corpus, fine-tuned specifically on ID-document subsets. It’s the piece currently being integrated. Not the first one that went into the pipeline, and not the one I trust most, for the reasons I gave above. But it contributes a learned view that complements the four deterministic signals, and crucially, catches kinds of artifacts the analytical methods don’t formalize well.

Building five independent detectors isn’t novel. What I find underrepresented in current commercial literature is the aggregation layer, and specifically the question of how to calibrate an aggregator for a concrete document class.

A Florida driver’s license has structure. Fixed fields, official typography, security mark positions, specific MRZ encodings. A US passport has its own. A Panamanian birth certificate has yet another. A general detector that applies the same weights across the five signals on any document will return decent average numbers and be mediocre on every specific class.

SentinelVerify’s calibration layer leans on that structure. For each document class, the aggregator knows how informative FFT is on that kind of image (laminated licenses with holograms have their own spectral fingerprint that coexists with any diffusion trace), how much weight vision reasoning carries (high for documents with structured fields, lower for open photos), and what thresholds apply before flagging a case as suspicious. Per-document priors reduce false positives without sacrificing sensitivity. At least in my internal tests, against a small but curated dataset of fakes generated with consumer tools and authentic images carrying trivial artifacts like compression, low-quality scans, or handwritten signatures crossing the field.

I don’t sell this as a radical innovation. It’s disciplined engineering of an aggregator most general stacks don’t bother to do. But the operational difference, when you’re integrated in a KYC pipeline doing thousands of verifications a day, is brutal. The difference between a system your compliance team can use, and one whose false positives bury them in noise.

SentinelVerify’s internal demo has been processing real cases for a short time. Version 0.5.1, live since late April 2026, has processed six cases against my human reviewer of record. Agreement between the system’s verdict and the reviewer sits at 75% (3 of 4 reviewed decisions confirmed). Five cases passed as authentic with suspicion scores between 9% and 22%. One was flagged as suspicious at 50%. Three of the authentic ones were auto-promoted to the system’s reference library, which is how SentinelVerify starts building its own calibration dataset out of every new deployment.

It’s too small a sample to draw conclusions from. It’s the foundation for the internal calibration dataset I’m building, not validation. But the early pattern is reasonable. Low scores for authentic documents with trivial artifacts (compression, capture angles). High score and reviewer agreement on the suspicious case. What’s missing is volume, and especially confirmed high-quality fakes in the evaluation set.

The demo lives at veridor.tech. It’s password-protected by design: the system handles real identity documents, and broad public access would expose detection logic to adversaries looking for ways around it. Access is available on request to academic reviewers and qualified institutional partners.

There are several. Worth naming them rather than dressing them up.

First, and most obvious. Any detector you describe in public becomes a target. Attackers adapt. Diffusion models are reducing, generation by generation, the spectral fingerprints FFT techniques rely on. Reasonable to assume that within two or three years FFT becomes a marginal signal, not a central one, in any serious pipeline.

Second. Vision reasoning with a large model carries latency and cost. Running each document through a multimodal transformer takes time and money. At very high volumes the unit cost gets restrictive, and you have to decide whether that signal runs against every document or only against ones the other four already flag as doubtful. The choice isn’t trivial and depends on the economics of each deployment.

Third. C2PA still isn’t universally adopted. Its power as a positive signal grows with adoption, but today most authentic documents also don’t carry a C2PA manifest. That makes the absence not very informative, yet.

Fourth. Cross-verification against external APIs (IRS, OpenCorporates, state license registries) depends on services whose availability and rate limits are out of my control. A verification system that goes down when the IRS goes down isn’t a verification system.

And fifth, the one I think matters most. No automated detector should replace a human reviewer in high-impact decisions. SentinelVerify is built to amplify, prioritize, and document a compliance officer’s work, not to replace it. When the human reviewer overrides the system, that signal gets learned and feeds back into recalibration. Final authority is always human.

The integrity of the identity verification system is an invisible public good. When it works, nobody notices. When it fails, the cost spreads (quietly at first, catastrophically later) across every institution that rests on the document as an anchor of trust. Banks opening accounts. USCIS evaluating petitions. SSA issuing Social Security numbers. IRS processing returns. Companies running background checks. Hospitals identifying patients.

Most of those institutions today still operate verification systems designed before a teenager with a rented GPU could generate a photorealistic passport in thirty seconds. Closing the gap isn’t the job of a single company, or a single researcher. It’s going to take coordinated work between vendors, regulators, bodies like NIST, and federal agencies whose work depends directly on document verification.

My project is one of many that will be needed. I’m opening it up to the conversation. Not the source code, for operational reasons, but the methodology and the architecture. I think that’s where the useful asymmetry sits. The more openly detection techniques get discussed, the faster the field converges on something defensible.

The immediate roadmap is concrete. Vision reasoning is finishing integration. After that comes per-document-class calibration over larger datasets, full-audit-trail persistence in Postgres, and CNN integration as the fifth signal over the HuggingFace corpus. The production pilot is targeted at Florida, one of the four jurisdictions concentrating the bulk of identity fraud volume in the United States. Phase two, with Texas, California, and New York, depends on lessons from the pilot.

I’m open to collaborations with academic institutions, identity verification vendors, and federal agencies with genuine interest in closing part of this gap. If you’re building systems that depend on document verification, in any sector, I’d love to know what you’re seeing in production. Field data is what makes this work defensible.