Home » Blog

AI Content Detection (Not a Quality Metric)

ByGrant Mucha

It reports surface noise as a number. Here is the complete case: why the score is invalid, why acting on it is worse than ignoring it, and what to measure instead.

Strip away the marketing and an AI content detector does one thing: it scores how statistically predictable a passage is and calls the result “authorship.” That is not a measurement. There is no instrument here, only a proxy that correlates, loosely and temporarily, with the output of whatever models the vendor trained against last quarter.

This is not “use with caution.” It is structurally invalid as a quality signal. What follows is the full case, each claim load-bearing, each sourced: why the number is invalid, why acting on it is worse than ignoring it, and what to measure instead.

No ground truth in production

A metric you can’t validate on your own data isn’t a metric. You never know the true label of a live page. Who wrote it, how, with what assistance. So you can never compute precision or recall on your corpus. The only place those numbers exist is the vendor’s curated benchmark of known-AI-vs-known-human text, generated by specific models, under lab conditions.

“99% accurate” describes performance on that bench. It says nothing about your distribution of edited, mixed, human-but-formulaic content. The number is real. It just doesn’t point at anything you care about.

Detectors advertise figures in the high 90s.

  • Turnitin near 98%
  • Copyleaks around 99%
  • GPTZero around 99%
  • Winston a frankly comic 99.98%

Meanwhile they wrongly flag real human writing in the field at rates that have driven institutions to pull the tools entirely (see section 8). Marketing accuracy and operational accuracy are different animals.

Evaluating a catalog like spendwithpennies.com (3.2 million words) runs about $193/month on mainstream tools, and as much as $466/month on enterprise tiers.

Round it to $100 to $400 a month, per client, to generate a score with no decision attached to it. The cost isn’t the problem. The problem is there’s no decision the number can legitimately drive, so any price above zero is overpaying.

And that’s before the real damage starts. The moment an owner takes the score seriously and begins gaming it, rewriting and humanizing pages to push the number down, they stop writing for readers and start optimizing for a signal Google doesn’t use to rank.

It gets worse. Running paraphrase and humanizer passes across a whole site is itself a footprint. Templated, scaled rewriting is exactly the manipulation pattern Google’s spam systems (SpamBrain and scaled-content-abuse enforcement) are built to flag. So you light the site up like a Christmas tree and paint a target on the business, all to chase a meter that was never measuring anything in the first place.

It’s measuring perplexity, not authorship

The mechanism is stylometry: perplexity (how surprising each word choice is), burstiness, token regularity. Stanford’s James Zou, co-author of the most-cited bias study on these tools, put the failure mode plainly. Common, predictable word choices produce low perplexity and get flagged as AI. Rarer, fancier vocabulary reads as human. That’s the whole engine.

So the detector isn’t really asking whether a machine wrote the text. It’s asking whether the text is predictable. Not the same question. Treating them as the same is the original sin, because predictability is a property of clean, edited, conventional prose, whoever wrote it.

False-positive distribution is your corpus

This is where it stops being abstract.

Liang et al. (Patterns, Cell Press, 2023) ran seven widely used GPT detectors against essays by non-native English writers (TOEFL) and native writers (US 8th-grade). Results:

  • 61.3% of the human-written non-native essays were flagged as AI-generated.
  • 97.8% were flagged by at least one detector.
  • 19.8% were unanimously misclassified by all seven.
  • False positives on native-speaker essays: near zero.

Every essay was 100% human. The detectors weren’t catching AI. They were catching low perplexity. Non-native writers use simpler, more common constructions, which is exactly the statistical fingerprint the models are trained to read as synthetic.

Now map that onto a recipe, garden, or home decor blog, where the goal is to produce meaningful, easy-to-follow content in one of the most conventional and predictable forms of prose. Minimal perplexity. The ideal false positive. The corpus being scanned would consist almost entirely of the kind of writing these tools already fail on. You would be running an instrument whose error mode is exactly your input.

A flag you can’t characterize on your own data isn’t actionable. This one you can characterize. It’s biased against precisely the content you’d point it at.

99% accurate still buries you in false positives

“99% accurate” sounds decisive. Run it across a real corpus and it falls apart, because accuracy on a balanced lab bench and error count on your live site are two different numbers, and base rates govern the gap.

Start with the mechanism. A false-positive rate applies to every page you scan, present AI or not. Point a detector with a 1% false-positive rate at a 100% human site and you still get a 1% flag rate. All of them false. The tool can’t beat its own error rate on clean input, and clean input is the input you’re feeding it.

Put it on a real estate. 19,239 URLs. At a 1% false-positive rate that’s roughly 192 clean, human pages flagged as fake. At the ~4% sentence-level rate Turnitin itself admits, the count detonates: a 500-word page runs about 25 sentences, so multi-sentence false flags per page stop being rare and start being normal. Every one of those is a page you’d burn hours “fixing,” or a writer you’d wrongly accuse.

This isn’t hypothetical math. Vanderbilt ran it in public and it’s why they pulled the tool. One percent of the 75,000 papers they processed in a year is about 750 wrongful flags. They looked at that number and turned the feature off.

Now layer in prevalence, which is where it gets worse. The share of flags that are actually true depends on how much real AI sits in your corpus to begin with. Auditing your own established blogs, the premise is that the writing is largely human, so true AI prevalence is low.

An average real blog, will naturally log:

  • high – small percentage < false positive
  • medium – medium percentage
  • low – high percentage

An average gamed bloged, will natually log:

  • low – high percentage

An average programatic AI driven blog, will naturally log:

  • high – high percentage
  • medium – medium percentage
  • low – low percentage < false positive

Both content manipulated to avoid detection and programmatic AI content produced at scale create the exact footprint owners set out to avoid in the first place.

When prevalence is low, even a small false-positive rate means most of the flags are false. Precision collapses precisely in the scenario where you’re checking trustworthy content. The cleaner your corpus, the more useless the flag list. Read that twice, because it inverts the intuition: the better your content, the more the detector lies to you.

And the false positives aren’t scattered randomly. They cluster, for the perplexity reason in section 3: your most conventional, cleanly edited pages, plus any non-native English writers.

A 2025 study found a known human-written abstract, merely edited with Grammarly, came back 16% AI on Turnitin. Polish raises the score. Tight, professional prose looks the most synthetic, because tight professional prose is the most predictable.

So “99% accurate” is a claim about a lab. Your flag list is a claim about base rates. On a large, mostly-human corpus the base rates win every time, and what they tell you is blunt: most of what lights up is your good content, flagged for being clean.

Defeated in one pass, and provably so

Sadasivan et al., Can AI-Generated Text Be Reliably Detected? (arXiv 2303.11156, published in Transactions on Machine Learning Research, 2025) is the paper that settles the engineering question. A light recursive paraphrasing pass breaks the entire detector family: watermarking schemes, neural-net classifiers, zero-shot detectors, even the retrieval-based defenses built specifically to resist paraphrasing. The paraphrase barely touches text quality (they measured perplexity and ran a human study). You null the score without changing whether the writing is any good.

Perkins et al. (2024) put numbers on the casual version. Ordinary manual editing, the kind any writer does revising a draft, dropped detector accuracy from about 39.5% to 22.1% and pushed Turnitin from over 90% down to roughly 30% under heavy paraphrasing. Not adversarial wizardry. Just normal editing.

The deeper problem isn’t the paraphrase. Sadasivan’s theoretical result is the one that should end the argument. As language models get better at imitating human writing, the gap between the two distributions shrinks, and the best possible detector (not today’s, the best one that can ever exist) converges on a coin flip. Detection accuracy is bounded by the total-variation distance between human and AI text, and that distance is shrinking by design. A metric an adversary, your own writer, or simple time can null at will isn’t grading quality. It’s grading evasion effort.

No watermarking won’t fix this

Fine, statistical detection is dead, perplexity is a dead end, granted. But provenance is different. Watermark the text at generation (Google DeepMind’s SynthID-Text) or attach signed origin metadata (C2PA Content Credentials), then read the marker later. Tag at the source instead of guessing after the fact. That sidesteps the whole perplexity problem.

It’s a real distinction and a smarter idea than detection. It still doesn’t give you a quality metric, and in the wild it doesn’t even give you a reliable authorship signal. Two structural reasons, both fatal.

It only covers generators that opt in. A watermark exists only if the model that wrote the text chose to embed one. Absence of a watermark is not evidence of human authorship. And the content you’d most want to catch, someone deliberately passing AI off as human, is exactly the content that will be run through an unmarked or self-hosted model. Coverage is opt-in by the adversary. A signal your adversary controls is not a signal.

It doesn’t survive editing. DeepMind’s own SynthID-Text work concedes the watermark degrades under paraphrasing. A 2025 robustness study put numbers on it: detection drops sharply under light paraphrase, synonym substitution, copy-paste rearrangement, or back-translation, with SynthID-Text falling below 0.9 F1 under all three of the first three attacks. So the same one-pass rewrite that nulls a statistical detector also strips the watermark. The arms race doesn’t vanish. It relocates.

Here’s the tell, and it’s the same admission behind section 8. When OpenAI killed its classifier it didn’t just admit failure, it announced a pivot to “provenance techniques.” That is a public concession that post-hoc detection is unsolvable and that the industry’s remaining hope is provenance. Worth noting. But provenance is a chain-of-custody tool for cooperating publishers, not a way to scan an arbitrary web page and learn the truth. At best it proves “this came out of our watermarked system with the marker intact.” It cannot prove “this human wrote this,” which is the claim a content audit actually needs.

And grant perfect provenance someday anyway. It still measures origin, not quality. A watermarked AI passage can be excellent. An unwatermarked human passage can be garbage. Origin was never the property worth measuring. That doesn’t change when you measure origin more reliably.

So watermarking is the serious answer to a narrow and different question: did this specific cooperating system produce this specific unedited text. Worth tracking as it matures. It is not a rescue for content-quality auditing, and building a workflow on it means betting that adversaries will watermark themselves and never edit. They won’t do either.

The target keeps moving

Every detector is trained on a snapshot of yesterday’s model outputs. New base models, new fine-tunes, ordinary editing, and a whole industry of “humanizer” tools keep changing the pattern the detector is trying to recognize. The score rots unless the vendor keeps retraining it on a treadmill.

A real quality metric is anchored to something stable. A 1,500-word page is still 1,500 words next year. A score that has to be chased, refreshed, and reinterpreted every few weeks is not anchored to the page. It is measuring the detector’s own staleness.

Watch what the sellers do. Several detector vendors also sell, promote, or sit beside the tools that defeat detection. The same market sells the lock and the key. That is not how a vendor behaves when it believes its own measurement is real.

Universities and Large Companies already quit

If detection were solvable, the lab that builds the models would have solved it. They have the training data and every commercial and reputational reason to win. Instead:

OpenAI killed its own classifier. Launched January 31, 2023. Retired July 20, 2023 with a one-line admission of a “low rate of accuracy.” On its own challenge set it caught only 26% of AI text while mislabeling 9% of human text as AI. Six months. Best data on earth. Dead.

Universities pulled the commercial tools. Vanderbilt disabled Turnitin’s AI detector on August 16, 2023. Their math: Turnitin’s claimed 1% false-positive rate, applied to the 75,000 papers Vanderbilt processed in 2022, equals roughly 750 students wrongly accused, and from a vendor that won’t disclose how the tool decides. Montclair State and others followed. The University of Pennsylvania’s Warren Center and similar bodies now tell faculty to treat a detector score as one weak signal, never as evidence.

When the builders abandon it and the heaviest institutional users reject it on reliability grounds, the question isn’t whether the metric is weak. It’s why anyone is still quoting the number.

Acting on a flag is now a legal exposure

Quoting it is the cheap part. The instant you act on it against a person, accuse a freelancer, withhold payment, fire a writer, discipline a contributor, you convert a meaningless number into a decision with legal and reputational consequences. Education is the canary here, because schools acted on detector scores first and at scale, and they are now in court losing.

The cases are real and current.

Adelphi. Turnitin flagged an autistic freshman’s World Civilizations essay as 100% AI. He denied using it, ran it through two other detectors that both called it human, and the originality report itself showed 4% overlap with existing sources. The university upheld the violation anyway and denied his appeal, without even handing him the supposed 100% report. In February 2026 a court found the finding “without merit,” ordered his record expunged, and denied the university’s motion to dismiss. The family spent six figures in legal fees to get there.

Palo Alto. A sophomore’s essay on The Crucible was tagged 76% AI by Turnitin. His semester grade dropped from the A/B range to a C. An administrator then took his handwritten rewrite, had it typed up, and ran that through Turnitin too, without notifying the family. In May 2026 the parents filed a federal civil-rights suit in the Northern District of California, alleging the flagging fell disproportionately on Asian and male students in the class.

University of Michigan. A student with OCD and anxiety sued for disability discrimination, alleging the school treated her writing style and “AI comparison” outputs generated from her own outlines as proof of cheating, and blocked her from graduating.

The throughline for a business is direct. Every one of these is an accusation built on a detector score, applied to a real person, with no independent evidence and no due process. Swap “student and university” for “freelancer and agency” or “contributor and publisher” and the exposure is the same shape: wrongful accusation, breach of contract, withheld pay, reputational damage. Plus a discrimination vector that is already documented in the research, not theoretical: these tools systematically flag non-native English writers (61.3% in the Stanford study) and, in these suits, disabled writers. Accuse on that basis and you’ve manufactured a disparate-impact problem on top of a tool whose own vendor won’t explain how it decides.

The cruelest mechanic is the one from section 4: polish raises the score. Legitimate bloggers, meanwhile, produce some of the cleanest and most professionally polished content on the internet.

The same Grammarly-edited human abstract that hit 16% AI is the pattern here too. Your most careful writers, and the editing tools you encourage them to use, generate the very flags you’d punish them for.

Notice which institutions ran the math and which way they moved. Vanderbilt disabled the tool. Australian Catholic University logged roughly 6,000 misconduct cases in 2024, about 90% of them AI-related, dismissed a large share after investigation, and abandoned the detector as ineffective. The serious players are exiting, not leaning in.

There is no upside that offsets this. The flag can’t reliably be true. Google doesn’t reward acting on it. And acting on it against a person is now a documented path into litigation. For an agency or a publisher, “we ran it through an AI detector” is not a defense. It is the liability.

Manufactured Business Model

Stack the case up. Invalid by construction. Biased toward your cleanest prose. Broken by a single paraphrase. Disowned by the labs that build the models. A standing legal liability the moment you act on it. A product this broken should be dead. Instead it’s one of the fastest-growing categories in software.

The analysts disagree on the exact figure, never on the direction. MarketsandMarkets puts the AI-detector market at roughly $0.58B in 2025, scaling to $2.06B by 2030, a 28.8% CAGR. Coherent Market Insights pegs AI content-detection software at $1.79B in 2025 rising to $6.96B by 2032. Pick either. It’s a multi-billion-dollar market selling a measurement the people who make the underlying models walked away from.

There’s only one question that reconciles “doesn’t work” with “exploding revenue.” Cui bono is a Latin phrase literally translating to “to whom is it a benefit?

The demand is fear, not utility. The single largest segment isn’t quality assurance. It’s “academic integrity,” the panic that students are cheating and you MUST catch them.

In content and SEO the equivalent scare is “Google penalizes AI writing,” a claim that is flatly false (see section 11) but converts to subscriptions beautifully. The pitch leans on apocalypse numbers (“90% of the web will be AI by 2026”) to manufacture urgency. The anxiety is the product. The detector is the upsell stapled to it.

The product is unfalsifiable, and that’s the design, not a flaw. Because there’s no ground truth in the field (section 1), the buyer can never audit the vendor. A false positive and a true positive render identically on the dashboard. You can’t prove the tool failed you, because you never learn the real answer. That’s the perfect business. You pay in perpetuity and can never collect on a broken promise. Correctness isn’t required for the invoice to clear.

They sell the disease and the cure. The same market, sometimes the same brand, ships detectors AND the humanizers and paraphrasers that defeat them. Industry vendor rosters for content detection list paraphrasing tools like QuillBot right next to the detectors. Researchers documenting the space note that several detector providers sell the humanizer products that null their own scores. The arms race isn’t a battle they’re losing. It’s the recurring-revenue engine. Lock and key, billed monthly, escalation guaranteed.

Accuracy theater is a sales instrument. “99%+” isn’t a field-validated number (section 1). It’s a conversion device, a figure built to turn fear into a card on file. The tell: market-research firms list “high false-positive rates affecting trust” as a known restraint on the sector. The people pricing the industry know the tool misfires. It grows anyway, because correctness was never what they were selling.

The pricing is built for recurrence, not truth. Credits per scan, per-seat licensing, “full-site scan” upsells, monthly auto-renew. A one-time true measurement doesn’t need a credit meter. A permanent worry does and I’ve seen this first hand.

You’re not buying a measurement. You’re buying an anxiety. The number was never meant to be true. It’s meant to be billable.

What decision is this score driving?

Set the racket aside and ask the question that should have governed this from the start. For an SEO or content operation, the implied decision is “will this page rank, or get demoted.” On that question authorship is the wrong axis, and Google has said so directly.

Google’s stance is origin-neutral. The spam policy updates reframed enforcement around scaled content abuse, meaning content produced at scale to manipulate rankings, and said it applies “whether automation, humans or a combination are involved.” The official generative-AI guidance points raters to two criteria: scaled abuse, and content made with little effort, originality, or value. The trigger is thin, mass-produced, low-value content. Not “a model touched it.” Thin human content gets caught the same way. Helpful AI-assisted content isn’t the target.

The data backs the policy. A 2025 Ahrefs analysis of 600,000+ URLs found no correlation between AI-generated text and lower rankings. Top-ranking pages use AI assistance at high rates. Google rewards quality however it’s produced and demotes low-value production however it’s produced.

So measure what Google actually scores instead. We now know its names.

Measure what Google actually scores

The rebuild does not rest on opinion. Two events put Google’s actual quality machinery on the record: sworn testimony and exhibits from the 2020 to 2025 DOJ antitrust trial, and the May 2024 Content Warehouse API leak of more than 2,500 internal documents (surfaced by Rand Fishkin at SparkToro, analyzed by Mike King at iPullRank). Between them, the signals Google uses to score quality are now named. Not one of them is an “is this AI” signal.

Start with the trial. A DOJ exhibit, notes from a February 18, 2025 call with Google engineer HJ Kim, records it in Google’s own words:

“Q* (page quality (i.e., the notion of trustworthiness)) is incredibly important.”

The same exhibit says quality score is hugely important even today, that “page quality is something people complain about the most,” and that PageRank is a single signal feeding the quality score as a measure of distance from a known-good source. It also notes that query-based signals are computed at query time, while this quality score is not: it is largely static and tied to the site. For an owner that means Google holds a slow-moving trust score for your whole site, it exists before the search runs, and it follows you across every query you could rank for.

The leak names the machinery underneath it. Inside a module called CompressedQualitySignals, Google keeps a curated set of its most important signals in fast storage so a document can be quality-scored before anyone types a query (the documentation explicitly warns the data sits in very limited serving memory across a huge number of documents). A page’s quality ceiling is set early, at the site level, on named attributes like these:

  • siteAuthority: site-level authority and trust, held in CompressedQualitySignals.
  • pandaDemotion (and babyPandaDemotion): a persistent, site-wide demotion for domains carrying a high share of thin, duplicate, or low-quality pages. Panda, codified into a standing penalty.
  • contentEffort: described in the leaked docs as an “LLM-based effort estimation for article pages,” and the likely engine of the Helpful Content System. It scores how much real work went into a page.
  • OriginalContentScore: how unique the page’s content is.
  • siteFocusScore: how coherently the site stays on its subject.
  • navDemotion: a penalty for poor navigation and user experience.
  • NavBoost: re-ranking driven by real click behavior (goodClicks versus badClicks, longest clicks).

Now read that list for what is missing. There is no “AI authorship” attribute anywhere in it. The closest signal, contentEffort, measures effort, not origin: a zero-effort page scores badly.

The thing Google actually encodes as risk is low effort and thin, duplicate content (pandaDemotion), whoever or whatever produced it. That is the same origin-neutral position from section 11. The fuller mapping of these signals to Google’s updates is worth reading on its own.

So change the question. Stop asking “was this written by AI” and start asking “does this earn trust and effort against Google’s own named signals.” Here is that question in a form a regular owner can run, each row tied to the signal behind it.

What it is, in plain termsGoogle’s internal signal (testified or leaked)What hurts itWhat to do
Your whole site’s quality and trust, scored across all searchesQ-star (DOJ testimony), siteAuthority (leak)Thin or duplicate pages anywhere on the domainPrune or improve weak pages, state clear ownership, stay on-topic
Proof a real person did the workE-E-A-T, isAuthor, authorReputationScoreGeneric info, stock text and images, no named authorFirst-hand detail, original photos, bylines, an honest verdict
Effort and originality in the page itselfcontentEffort, OriginalContentScoreSpun text, thin summaries, low-effort fillerReal testing, new data, depth a rival can’t cheaply copy
Whether the site coherently covers its subjectsiteFocusScoreScattered, off-topic, unfocused pagesTight topical clusters, cut unrelated filler
Whether searchers are actually satisfiedNavBoost (goodClicks vs badClicks, longest clicks)People bouncing back to Google, fluff before the answerAnswer fast and completely, clean structure, quick load
Site-wide penalties for low qualitypandaDemotion, babyPandaDemotion, navDemotionA high share of thin or duplicate pages, poor navigationConsolidate or remove thin pages, fix site structure
Whether a tool helped write itNo such signal existsNothing. There is no AI-authorship attribute.Nothing. Stop measuring it.

Read the last row against every row above it. The one thing the detection industry sells you maps to no Google signal at all. Every other line maps to a named, confirmed one.

The common thread is that every signal in that table is something you can check on your own site, with answers you control, which is the exact thing an AI detector can never have. You can read a page and judge whether it shows real effort and experience. You cannot read a page and know whether a model touched it, and Google, by its own machinery, is not trying to.

For an SEO operation this is also the stronger product. “We scan your content for AI” sells fear and ships a number the client can’t act on. “We find the thin, low-effort pages dragging down your siteAuthority and tripping pandaDemotion, and we fix them” sells an outcome and ships a worklist. One is a meter. The other is a roadmap, built on the signals Google has now been forced to name under oath.

It reports surface noise as a number. Junk. Measure the thing that moves the decision instead.

References

Detector failure and accuracy

Bias and false positives

Watermarking and provenance

Litigation and institutional rejection

Market size and business model

Google ranking, the Content Warehouse leak, and Q-star

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *