poisoning.ai
Explainers

Glaze and Nightshade, explained

By The Poisoning.ai team
5 min read
Contents

Glaze and Nightshade are two free tools from the University of Chicago that protect art from AI in opposite ways. Glaze is defensive: it adds an invisible “style cloak” so a model that trains on your art learns the wrong style. Nightshade is offensive: it poisons the image so a model that scrapes it learns the wrong thing entirely. Same lab, opposite jobs, and many artists run both.

What is Glaze?

Glaze is a style-mimicry defence from the University of Chicago (Shan et al., USENIX Security 2023). It adds a barely perceptible perturbation to an image before you post it, so a model that later trains on the picture learns a different style than the one you actually drew in. In the authors’ words, the cloaks “apply barely perceptible perturbations to images, and when used as training data, mislead generative models that try to mimic a specific artist.” The change lives in the model’s feature space, not in anything your eye is meant to catch, and Glaze holds the visible distortion to a fixed perceptual budget so the cloaked image still looks like your work.

How well does Glaze hold on its own benchmark? The lab’s user study reports a 94.3% artist-rated protection success rate on Stable Diffusion for current artists at the default perturbation budget (Shan et al., USENIX Security 2023). That is Glaze’s headline number, and independent testing tells a more complicated story, below.

What is Nightshade?

Nightshade, from the same lab (Shan et al., IEEE S&P 2024), is a poison rather than a shield. Instead of protecting one image from imitation, Nightshade corrupts what a model learns from it, shifting the association between a concept and an image so the trained system maps the wrong thing. The finding is about scale: Nightshade is “a prompt-specific poisoning attack optimized for potency that can completely control the output of a prompt in Stable Diffusion’s newest model (SDXL) with less than 100 poisoned training samples.” The authors report a single “car” to “cow” attack succeeding with roughly 50 optimized samples, after which the poisoned model “outputs an image of a cow for every mention of a car in its prompts,” and note that a moderate number of such attacks on different prompts can begin to destabilize a model. That makes Nightshade collective action: its power comes from many poisoned images circulating in scraped data, not from shielding your own portfolio, and it needs no access to the target model.

What is the difference?

Glaze protects your style; Nightshade attacks the model. Glaze is a cloak that defends one artist’s work image by image. Nightshade is a poison that corrupts a scraper’s training run at scale. One keeps a usable copy of you from forming; the other degrades the system doing the copying. For the full side-by-side, see Glaze vs Nightshade.

Do they actually work?

Both raise the cost of copying, but neither is a guarantee. In a peer-reviewed study, Hönig et al. (ICLR 2025) found that Glaze, Mist and Anti-DreamBooth “are ineffective when faced with simple robust mimicry methods” such as image upscaling; their best-of-4 attack reached a 56.6% quality success rate against Glaze, where 50% means a copy indistinguishable from one trained on unprotected art. IMPRESS (Cao et al., NeurIPS 2023) attacks the same class of protections through a purification step that exploits “a perceptible inconsistency between the original image and the diffusion-reconstructed image,” and the newer PurifyOnce (Zhao et al., 2026) generalises purification across many protections and models. Mist (Liang and Wu, 2023), an open-source cloak in the same family, was broken in the same tests. Nightshade, the poison rather than the cloak, has also been broken: LightShed (Foerster et al., USENIX Security 2025) is a generalizable depoisoning attack that reports detecting Nightshade at a 99.98% true-positive rate while removing the perturbation, and it generalises to Glaze as well.

Can the tools be hardened?

The research is trying. A second generation of protections is built specifically to survive purification, such as StyleGuard (Li et al., NeurIPS 2025), which trains the perturbation against ensembles of purifiers and upscalers so simple removal steps do not strip it. These tools postdate the bypass papers, and none has been independently broken yet. That is encouraging, but it is not the same as proven.

Glaze and Nightshade are best understood as two ends of one strategy: make your work expensive to copy, and make copied work expensive to train on. Neither is permanent, and the clear reading of the evidence is that any single cloak can eventually be removed. Use Glaze on everything you post for personal defence, add Nightshade when you want to push back collectively, and read how to protect your art from AI training for a layered routine.

Sources

  • Shan, Cryan, Wenger, Zheng, Hanocka, Zhao (2023). GLAZE: Protecting Artists from Style Mimicry by Text-to-Image Models. USENIX Security 2023.
  • Shan, Ding, Passananti, Wu, Zheng, Zhao (2024). Nightshade: Prompt-Specific Poisoning Attacks on Text-to-Image Generative Models. IEEE S&P 2024.
  • Liang, Wu (2023). Mist: Towards Improved Adversarial Examples for Diffusion Models.
  • Cao, Li, Wang, Jia, Li, Chen (2023). IMPRESS: Evaluating the Resilience of Imperceptible Perturbations Against Unauthorized Data Usage in Diffusion-Based Generative AI. NeurIPS 2023.
  • Hönig, Rando, Carlini, Tramèr (2025). Adversarial Perturbations Cannot Reliably Protect Artists From Generative AI. ICLR 2025.
  • Foerster, Behrouzi, Rieger, Jadliwala, Sadeghi (2025). LightShed: Defeating Perturbation-based Image Copyright Protections. USENIX Security 2025.
  • Zhao, Zhai, Bai, Shen, Lin, Gao, Wu (2026). Purify Once, Edit Freely: Breaking Image Protections under Model Mismatch.
  • Li, Zhang, Lyu, Liu, Xiao (2025). StyleGuard: Preventing Text-to-Image-Model-based Style Mimicry Attacks by Style Perturbations. NeurIPS 2025.
#glaze#nightshade#art-protection
Get new protection tests & guides

New protection tests, breakdowns and how-long-does-it-hold checks. No spam, unsubscribe anytime.