Na\"ive Exposure of Generative AI Capabilities Undermines Deepfake Detection

TL;DR

This paper demonstrates that the widespread use of commercial generative AI systems with benign prompts can undermine deepfake detection, as refined images evade detection and maintain high perceptual quality, posing security risks.

Contribution

It reveals how commercial generative AI exposes authenticity reasoning that enables evasion of deepfake detectors, highlighting a gap between threat models and real-world AI capabilities.

Findings

State-of-the-art detectors fail against AI-refined images

Commercial AI systems enable effective evasion by non-experts

Refined images maintain identity and high perceptual quality

Abstract

Generative AI systems increasingly expose powerful reasoning and image refinement capabilities through user-facing chatbot interfaces. In this work, we show that the na\"ive exposure of such capabilities fundamentally undermines modern deepfake detectors. Rather than proposing a new image manipulation technique, we study a realistic and already-deployed usage scenario in which an adversary uses only benign, policy-compliant prompts and commercial generative AI systems. We demonstrate that state-of-the-art deepfake detection methods fail under semantic-preserving image refinement. Specifically, we show that generative AI systems articulate explicit authenticity criteria and inadvertently externalize them through unrestricted reasoning, enabling their direct reuse as refinement objectives. As a result, refined images simultaneously evade detection, preserve identity as verified by commercial face recognition APIs, and exhibit substantially higher perceptual quality. Importantly, we find that widely accessible commercial chatbot services pose a significantly greater security risk than open-source models, as their superior realism, semantic controllability, and low-barrier interfaces enable effective evasion by non-expert users. Our findings reveal a structural mismatch between the threat models assumed by current detection frameworks and the actual capabilities of real-world generative AI. While detection baselines are largely shaped by prior benchmarks, deployed systems expose unrestricted authenticity reasoning and refinement despite stringent safety controls in other domains.