
Damage Is the Authentication: How Paleogenomics Solved a Provenance Problem AI Detection Is Failing At

The right question is not “was this written by AI?” That question loses to every paraphraser and produces a 61.3% false-positive rate against Chinese students. The right question is “does this carry a verifiable production signature?” Paleogenomics figured this out 25 years ago.

April 2026 · 11 min read

A paleogeneticist sequencing a fragment from a 40,000-year-old bone is not looking for a clean signal. She is looking for a specific kind of damage. She runs mapDamage 2.0, gets back a plot, and checks the shape: at the 5′ end of the read, cytosine-to-thymine substitutions should spike — typically 20% to 40% in Upper Paleolithic samples (Briggs et al., PNAS, 2007). At the 3′ end, complementary G-to-A substitutions should mirror them. Across the body of the read, the rate falls off into a U-curve. If the plot is flat, the verdict is contamination — modern DNA from a researcher’s skin, or from a reagent. If the plot has the right curves, the sample is what it claims to be.

This is not a contamination test. It is a provenance test, and it works the opposite way from how authenticity testing usually works. The pristine sample is the suspect. The damaged sample carries its own certificate of age, written in chemistry that no contaminant can fake.

The field that figured this out has more than two decades of head start on the problem AI content detection is currently losing.


The detection paradigm is collapsing

The University of Waterloo disabled Turnitin’s AI detector in September 2025 after internal testing produced 100% AI flags on demonstrably human-written text (Groundy.com, 2026). Curtin University followed in January 2026. As of early 2026, more than 25 major universities — including MIT, Yale, NYU, UC Berkeley, the University of Toronto, and the University of Manchester — have banned or restricted these tools (tohuman.io, snapshot 2026-04-28; the count is rising). Johns Hopkins now states publicly that “no products on the market can effectively identify generative AI.”

The numbers explain why. A 2026 peer-reviewed study (International Journal for Educational Integrity, doi:10.1007/s40979-026-00213-1) documented persistent accuracy problems across the major detectors. Vendor-claimed accuracy figures (GPTZero advertises 95%) collapse to 66–85% in independent tests, and to 60–80% once text is paraphrased or lightly edited (walterwrites.ai, 2026). OpenAI’s own classifier achieved a 26% true-positive rate before the company shut it down in July 2023 and shelved the text-watermarking project entirely (Trust Insights, April 2026).

The most damaging finding is the false-positive asymmetry. A 2026 replication of the Liang et al. study (originally PMC10382961, 2023) found that Chinese students faced a 61.3% false-positive rate on AI detectors versus 5.1% for US students (Stanford HAI, 2026). Non-native English writers produce text with lower perplexity and more formulaic structures — they and the language models are both optimizing for clarity in a constrained vocabulary — and the detectors cannot tell them apart. The Stanford team “strongly cautioned against the use of GPT detectors in evaluative or educational settings.”

False negatives are an annoyance. A 61% false-positive rate concentrated on a population is a civil-rights problem.

The structural reason these tools fail is that they target correlated signals — perplexity, burstiness, syntactic diversity — which are statistical fingerprints of how current models tend to write, not causal consequences of their generation process. Each correlation can be defeated by a model that varies its output. “Humanizer” tools inject burstiness on demand, and Turnitin reports about 30% of them already evade its current pipeline (Groundy.com, 2026). This is a moving target, and the target is moving toward indistinguishability.


How a different field exited the same loop

Paleogenomics started in roughly the same place. Higuchi et al. published the first ancient-DNA paper in Nature in 1984 (312:282–284), and the next 16 years were an embarrassment: dinosaur DNA from amber, claims that didn’t replicate, contamination interpreted as signal because nobody had a way to tell the two apart. The reset was Cooper & Poinar’s 2000 Science commentary, “Ancient DNA: Do It Right or Not at All.” Cleanroom protocols got more aggressive — but that was not the conceptual fix. The conceptual fix was inverting the question.

Instead of asking “is this sample contaminated?” — a detection problem with no clean signal — the field asked “does this sample carry the damage profile it should carry, if it is what it claims to be?” — a verification problem against a public reference standard.

Four overlapping decay processes generate the signature. Post-mortem nucleases and oxidative stress fragment the genome from ~10⁸ base pairs down to a 30–80 bp distribution for samples older than 50,000 years; the half-life of an amplifiable 30-bp fragment in bone at 13.1°C is roughly 521 years (Allentoft et al., Proc R Soc B, 2012). Cytosine deaminates spontaneously into uracil in single-stranded overhangs, and polymerases misread it as thymine. The rate is roughly two orders of magnitude higher in single-stranded regions than in double-stranded ones, which is why the C→T signal concentrates at fragment ends and produces the characteristic U-curve. Depurination contributes abasic sites at CpG dinucleotides. Maillard-reaction crosslinks render some otherwise-intact fragments unamplifiable.

Three software tools formalize the verification. mapDamage 2.0 (Jónsson et al., Bioinformatics, 2013) does Bayesian estimation of the damage parameters and renders the plot. PMDtools (Skoglund et al., 2014) assigns each individual read a post-mortem damage score, so researchers can separate authentic ancient reads from modern contaminants in mixed samples. AuthentiCT (Peyrégne & Peter, Genome Biology, 2020, PMC7490890) advances the state of the art by modeling not just the frequency of C→T substitutions but their clustering pattern within each read; it can quantify contamination from as few as 10,000 mapped sequences and achieves a Pearson correlation of r = 0.98 with ancestry-based contamination estimates.
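The position-wise count behind a damage plot can be sketched in a few lines. This is an added example, not code from mapDamage, PMDtools or AuthentiCT, and it uses raw frequencies rather than mapDamage's Bayesian estimation; the reads are constructed, and the decay shape and thresholds are illustrative assumptions.

```python
# Added example: position-wise misincorporation profile on constructed reads.
import random

def damage_profile(pairs, window=10):
    """pairs: (reference, read) strings of equal length from gap-free alignments.
    Returns C->T rate by distance from the 5' end and G->A rate by distance
    from the 3' end, each a list of `window` floats."""
    c_seen, c_to_t = [0] * window, [0] * window
    g_seen, g_to_a = [0] * window, [0] * window
    for ref, read in pairs:
        n = len(ref)
        for i in range(min(window, n)):
            if ref[i] == "C":                 # i bases in from the 5' end
                c_seen[i] += 1
                c_to_t[i] += read[i] == "T"
            j = n - 1 - i                     # i bases in from the 3' end
            if ref[j] == "G":
                g_seen[i] += 1
                g_to_a[i] += read[j] == "A"
    ct5 = [t / s if s else 0.0 for t, s in zip(c_to_t, c_seen)]
    ga3 = [a / s if s else 0.0 for a, s in zip(g_to_a, g_seen)]
    return ct5, ga3

def verdict(ct5, ga3, min_end=0.10, min_ratio=3.0, floor=0.01):
    """Illustrative thresholds (assumptions): both ends must be elevated in
    absolute terms and relative to the far half of the window."""
    def elevated(rates):
        far = rates[len(rates) // 2:]
        interior = sum(far) / len(far)
        return rates[0] >= min_end and rates[0] >= min_ratio * max(interior, floor)
    if elevated(ct5) and elevated(ga3):
        return "damage profile consistent with ancient DNA"
    return "cannot authenticate as ancient"   # a provenance answer, not "fake"

def simulate(n_reads, end_rate, rng, length=50):
    """Constructed data: random references; deamination probability halves
    with each base away from the read end (an assumed decay shape)."""
    pairs = []
    for _ in range(n_reads):
        ref = [rng.choice("ACGT") for _ in range(length)]
        read = list(ref)
        for i in range(length):
            if ref[i] == "C" and rng.random() < end_rate * 0.5 ** i:
                read[i] = "T"
            if ref[i] == "G" and rng.random() < end_rate * 0.5 ** (length - 1 - i):
                read[i] = "A"
        pairs.append(("".join(ref), "".join(read)))
    return pairs

rng = random.Random(7)
ANCIENT = damage_profile(simulate(2000, 0.30, rng))   # damaged reads
MODERN = damage_profile(simulate(2000, 0.0, rng))     # flat profile
print(verdict(*ANCIENT), "|", verdict(*MODERN))
```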

Four properties make this system work, and they are exactly the properties AI detection lacks:

  1. The signature is intrinsic to the production process. C→T deamination is a thermodynamic consequence of cytosine sitting in single-stranded DNA over time. Nobody has to add it.
  2. The signature is quantifiable. Specific rates at specific positions, with known temperature-dependence and known confidence intervals.
  3. The signature is falsifiable. Modern DNA produces a flat profile; the expected curves are published. Any lab can compute what the damage rate should be for a given age range and compare.
  4. The signature does not require cooperation from the producer. A 40,000-year-old mammoth did not opt in.

Detection-paradigm AI tools have none of these. They measure correlated proxies, the proxies vary with population and editing, the expected signature for “human-authored text” is not a published reference distribution, and even a perfect detector can be circumvented by anyone unwilling to cooperate.


The structural mapping

The cross-domain mapping is tighter than it looks at first glance:

| Paleogenomics | AI content provenance |
|---|---|
| Modern contamination | Unsigned text |
| Authentic ancient DNA | Text carrying a verifiable production signature |
| C→T deamination profile at read ends | Statistical watermark embedded in token-selection probabilities |
| mapDamage / PMDtools / AuthentiCT | SynthID detector / C2PA verifier |
| Flat damage profile = “cannot authenticate as ancient” | No watermark = “cannot authenticate as signed-source” |
| Multi-tool convergence (damage + fragment length + contamination controls) | Multi-layer scheme (watermark + metadata + fingerprint + visible label) |

Google DeepMind’s SynthID (published in Nature, 2024, doi:10.1038/s41586-024-08025-4) is the closest existing analog of mapDamage. During generation, SynthID modulates token-selection probabilities using a cryptographic key — a “tournament sampling” structure — and the watermark lives in the statistical pattern of token choices, not in the visible text. A detector with the same key recreates the tournament structure and checks for consistency. Image SynthID has reported false-positive rates below 0.1% at high-confidence thresholds (Google DeepMind, with independent testing replicating the figure in 2024). Google’s announced figure is over 10 billion pieces of content watermarked (SynthID Detector portal announcement, snapshot 2026-04-28; counter is monotonic — replication will see higher).

The Coalition for Content Provenance and Authenticity (C2PA) is the metadata layer of the same architecture: cryptographically signed manifests recording the production chain — which camera, which editing software, which model. The EU AI Act’s Code of Practice (December 2025 first draft, final version expected June 2026) specifies a four-layer system that maps almost too neatly onto the paleogenomics multi-tool standard: visible disclosure labels, C2PA metadata manifests, invisible watermarks, and content fingerprinting. No regulator cited Briggs 2007. The EU arrived at multi-tool convergence the same way paleogenomics did — by watching every single-signal scheme fail.

The most striking convergence is from the opposite direction. ArtGene Archive (artgene-archive.org), a proposed registry for AI-designed biological sequences, specifies 128-bit institutional watermarks embedded into synonymous codon choices in coding DNA — invisible to the ribosome but recoverable from re-sequenced material. A field designed to authenticate AI-generated biology has independently arrived at the structural solution paleogenomics took two decades to formalize: a process-intrinsic signature that travels with the artifact and is verifiable against a public specification. When two fields converge on the same architecture from opposite starting points, the architecture is probably right.


What the analogy demands of a viable system

Read literally, the paleogenomics paradigm makes four non-obvious predictions about what AI provenance has to look like.

The signature has to be embedded during generation, not bolted on afterward. Damage accumulates during the centuries the bone sits in the ground; nobody adds it after extraction. Watermarks embedded at the token-selection layer, like SynthID’s, are structurally stronger than C2PA manifests bolted onto the file, because the embedded signal can survive transformations that strip metadata. The EU’s four-layer scheme acknowledges this — metadata is one layer of four, because metadata alone is strippable.

The signature has to be publicly characterizable. The Briggs 2007 deamination curve is a public reference standard. Any lab can fetch it. Current AI watermarking is private-key — the detector has to know the embedding secret. The paleogenomics paradigm predicts that published, model-class-specific reference signatures are stronger: a public specification of the statistical pattern that a Llama-class, Gemini-class, or Claude-class output ought to carry, verifiable by any party with the spec. We don’t have this yet.

Absence of signature is informative, not accusatory. In paleogenomics, a flat damage profile does not mean “this sample is fake.” It means “this sample cannot be authenticated as ancient.” The shift is from accusation to provenance. Translated: text without a verifiable production signature is unprovenanced — like a museum object without excavation records — not “AI-generated.” This single reframing dissolves the false-positive crisis. A 61.3% false-positive rate concentrated on Chinese students is impossible under a provenance paradigm; the question being asked is different.
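An added sketch of a verifier that answers only the provenance question (not from the original post, and not SynthID's tournament sampling): a simpler keyed green-list scheme in which the mark is laid down during generation, checked against a known null distribution, and reported as "signed by" or "no verifiable signature present". The vocabulary, key, source name and threshold are constructed assumptions.

```python
# Added example: keyed statistical signature check on constructed token streams.
import hashlib, hmac, math, random

VOCAB = [f"w{i}" for i in range(64)]          # constructed toy vocabulary

def is_green(key, prev, tok):
    """Keyed pseudorandom bit per (previous token, token) pair; about half of
    the vocabulary is 'green' in any context, and which half depends on key."""
    tag = hmac.new(key, f"{prev}|{tok}".encode(), hashlib.sha256).digest()
    return tag[0] & 1 == 0

def generate(n, rng, key=None, tries=8):
    """Toy sampler. With a key, each step keeps the first green candidate out
    of `tries` random draws, so the mark is embedded while generating."""
    out = [rng.choice(VOCAB)]
    while len(out) < n:
        cand = rng.choice(VOCAB)
        if key is not None:
            for _ in range(tries - 1):
                if is_green(key, out[-1], cand):
                    break
                cand = rng.choice(VOCAB)
        out.append(cand)
    return out

def z_score(tokens, key):
    """Green count against the null for unmarked text: Binomial(n, 1/2)."""
    n = len(tokens) - 1
    green = sum(is_green(key, p, t) for p, t in zip(tokens, tokens[1:]))
    return (green - n / 2) / math.sqrt(n / 4)

def verify(tokens, keyring, z_min=4.0):
    """Reports provenance only. z_min=4 is an illustrative threshold
    (one-sided chance rate about 3e-5 per key under the null)."""
    for source, key in keyring.items():
        if z_score(tokens, key) >= z_min:
            return f"signed by {source}"
    return "no verifiable signature present"   # unprovenanced, not "AI-generated"

rng = random.Random(11)
KEYRING = {"source-X": b"constructed-demo-key"}   # hypothetical source and key
MARKED = generate(200, rng, key=KEYRING["source-X"])
UNMARKED = generate(200, rng)                     # a human or an unsigned model
print(verify(MARKED, KEYRING), "|", verify(UNMARKED, KEYRING))
```

Checking `MARKED` against a keyring that lacks the embedding key also returns "no verifiable signature present", which is the private-key limitation the text describes.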

Multi-tool convergence is the standard, not the upgrade. No one authenticates ancient DNA from mapDamage alone. mapDamage gives the plot, PMDtools classifies individual reads, AuthentiCT quantifies contamination, fragment-length distributions corroborate, and contamination controls anchor the result. Any AI provenance system that rests on a single signal — only the watermark, only the metadata, only the statistical detector — is one adversarial paper from collapse. The 79% bypass rate the UnMarker attack achieved against SynthID alone (IEEE S&P, 2025) is what single-signal systems get.


Where the analogy breaks

Three honest disanalogies, which the paradigm has to absorb rather than dodge.

DNA damage is physics; AI watermarks are engineering. Cytosine deamination is going to happen whether anyone wants it to. Watermarks require intentional embedding by a cooperating producer. This is a real distinction — but it changes the deployment problem, not the paradigm. The paleogenomics insight isn’t “use physics-based watermarks.” It’s “verify process-intrinsic signatures rather than detect post-hoc statistical anomalies.” SynthID is already engineering process-intrinsic signals; the analogy specifies what they need.

Open-weight models break the cooperation assumption. Llama, Mistral, DeepSeek, and any local fine-tune emit no signal and have no obligation to. The “Missing the Mark” study (arxiv.org/html/2503.18156v3, March 2025) found that open-source watermarks, where they exist at all, can be disabled by commenting out a line of code — and only 38% of 50 widely-used generative AI image systems implement any form of machine-readable watermarking. The paleogenomics-paradigm response is uncomfortable but consistent: unprovenanced text is unprovenanced. The system does not need to authenticate every string of words on the internet. It needs to provide a reliable provenance signal for compliant outputs, which covers most API and enterprise traffic. Unsigned text becomes the default suspect class — not because it is “AI” but because it lacks provenance, the same status an undocumented archaeological object holds.

The EU’s draft Code of Practice pushes further than this. Open-weight providers are explicitly not exempt and are expected to implement “structural marking techniques encoded in the weights during training,” and downstream systems are required to “technically ensure that existing detectable marks are retained.” Fines run up to €15 million or 3% of global annual turnover (Resemble AI, EU AI Act guide, 2026). This is regulators trying to mandate the equivalent of universal deamination — a process-level signature that cannot be stripped without violating law. Whether it works is empirical; that they had to try is structurally informative.

The incentives are reversed. Paleogeneticists want to prove their samples are ancient — the damage signal is desirable. AI producers may not want their text to be identifiable. This was Cooper & Poinar’s situation too, before 2000: nobody wanted to admit their amber-locked beetle was modern contamination. The fix was social and institutional: damage-pattern verification became a precondition for publication in peer-reviewed journals. The EU’s August 2026 Article 50 deadline is the closest analog to that moment. Compliance flips from “annoying” to “the price of market access.”

A fourth objection: stylometric analysis — the writer’s individual fingerprint — has been suggested as a human-side equivalent of damage profiles. It isn’t. Stylometry identifies which individual produced a text; aDNA authentication identifies whether the production process was ancient. Different problems, different mathematics.


The practical takeaway

If you are building or evaluating an AI provenance system, the paleogenomics paradigm gives you a checklist:

If a vendor pitches you an AI detector that scores text as “likely AI-generated” with a confidence percentage, you are buying a 2007-era contamination test. If they show you a verifier that checks for a specific embedded signature against a published reference and reports “signed by source X” or “no verifiable signature present,” you are buying the 2024 paradigm — the one a different field already proved out.

The reframing is the entire point. The right question is not “was this written by AI?” That question loses to every paraphraser and every base-rate problem, and it produces a 61.3% false-positive rate against people whose first language isn’t English. The right question is “does this carry a verifiable production signature?” That question can be answered, and its negative answer — “this is unprovenanced” — does not lie about a Chinese student’s essay.

The paleogeneticists figured this out by watching their old paradigm produce the wrong results for 16 years. The 25 universities that have shut off Turnitin are at year three.


Sources: Briggs et al., “Patterns of damage in genomic DNA sequences from a Neandertal,” PNAS, 2007. Allentoft et al., “The half-life of DNA in bone,” Proc R Soc B, 2012. Jónsson et al., “mapDamage2.0,” Bioinformatics, 2013. Skoglund et al., PMDtools, 2014. Peyrégne & Peter, “AuthentiCT,” Genome Biology, 2020 (PMC7490890). Cooper & Poinar, “Ancient DNA: Do It Right or Not at All,” Science, 2000. Higuchi et al., Nature, 1984. Liang et al., 2023 (PMC10382961); Stanford HAI replication, 2026. International Journal for Educational Integrity, doi:10.1007/s40979-026-00213-1, 2026. Google DeepMind SynthID, Nature, 2024 (doi:10.1038/s41586-024-08025-4); SynthID Detector portal announcement, snapshot 2026-04-28. tohuman.io university tracker, snapshot 2026-04-28. Groundy.com, walterwrites.ai, Trust Insights, 2026. EU AI Act Code of Practice, December 2025 first draft. UnMarker attack, IEEE S&P, 2025. “Missing the Mark,” arxiv.org/html/2503.18156v3, March 2025. Resemble AI EU AI Act guide, 2026. ArtGene Archive, artgene-archive.org.

Provenance is the paradigm. Here is one implementation.

Chain of Consciousness applies the same four properties to agent-generated content: a hash-linked, append-only chain that is intrinsic to the production process, quantifiable, falsifiable against a public spec, and verifiable without trusting the producer. Every action becomes a signed entry. Verification is local, independent, and answers the right question — not “was this AI?” but “what produced this, under whose authority, with what scope?”

Install: pip install chain-of-consciousness or npm install chain-of-consciousness
