Contents
Of the tools that promise to keep your music out of an AI model, only one has been tested by anyone other than its makers. HarmonyCloak is peer-reviewed, published at IEEE S&P 2025 with measured results and disclosed limits. Poison Pill and Poisonify appear in press coverage but carry no independent evaluation, and one of them has already been wound down by its own founder over the exact weakness the research warns about. That gap, evidence-backed versus marketing-backed, is the whole reason to compare them.
Which anti-AI music tool has independent evidence?
HarmonyCloak is the anchor because Meerza, Sun, Liu (IEEE S&P 2025) published the mechanism, the evaluation, and the limits together. They call it “the first defensive mechanism … to prevent the exploitative use of artwork, specifically in the context of instrumental music, by generative AI models,” and it works by adding “imperceptible error-minimizing noise to make the model’s generative loss approach zero.” On the authors’ own tests the target-genre classification of a generator’s output fell from 89.2% to 32.3% across MuseGAN, SymphonyNet, and MusicLM, and a 31-participant listening study found the noise inaudible. The limits are on the record too: instrumental music only, and MP3 tested but not streaming codecs or the commercial generators people name. The mechanism and those limits get their own reads in how HarmonyCloak makes songs unlearnable and does music poisoning survive MP3, Suno, and MusicGen.
What is Poison Pill?
Poison Pill is a real effort, but a self-reported one. It is a startup from founder Ben Bowler that applies inaudible adversarial noise to independent music so AI systems misclassify the protected tracks, with the stated aim of pushing AI firms toward licensing. Its claims are vendor claims: there is no peer-reviewed paper, no independent benchmark, and no published robustness test. And the most telling data point is what happened next. In 2026 Bowler announced he was shutting Poison Pill down, writing that the protection “worked against specific models but fell apart when tested against a broader range of AI systems.” That is precisely the cross-model generalization problem the research anticipates, surfacing in a live product rather than a footnote.
What is Poisonify?
Poisonify is thinner still as a product. It is reported as a Benn Jordan effort, the musician who records as The Flashbulb, to add adversarial protection to music after he found his catalog scraped into AI generators. The public record describes a heavy, compute-intensive encoding process and demo results rather than a maintained, shipping tool, and coverage notes it was not practically available to ordinary musicians. So it belongs in the conversation as a technique to watch, not as a dependable product, and every capability it advertises should be read as self-reported until someone independent measures it.
How do they compare on evidence?
| Tool | What it claims to defend | Evidence status | Limit |
|---|---|---|---|
| HarmonyCloak | Instrumental music from generative training | Peer-reviewed (IEEE S&P 2025) | Instrumental-only; MP3 tested, streaming unproven |
| Poison Pill | Independent music from unlicensed training | Self-reported, no independent benchmark | Wound down over cross-model generalization |
| Poisonify | Music from AI scraping | Demo or technique, self-reported | Compute-heavy; not clearly a shipping tool |
What the image and voice tools teach here
The reason to insist on independent testing is that it is the only thing that turns a claim into a known quantity, and it cuts both ways. Image style cloaks like Glaze (Shan, Cryan, Wenger, Zheng, Hanocka, Zhao, USENIX Security 2023) and the poison attack Nightshade (Shan, Ding, Passananti, Wu, Zheng, Zhao, IEEE S&P 2024) posted strong authored numbers, and then independent work such as LightShed (Foerster, Behrouzi, Rieger, Jadliwala, Sadeghi, USENIX Security 2025) showed those image protections can be stripped. Voice tells the same story, where AntiFake (Yu, Zhai, Zhang, ACM CCS 2023) meets the purifier De-AntiFake (Fan, Chen, Liu, Zhang, Yu, ICML 2025). HarmonyCloak has been through that scrutiny and its limits are documented; Poison Pill and Poisonify have not, which is why their strengths and their weaknesses are equally unmeasured.
Which should a musician rely on?
Lean on the tool you can check. HarmonyCloak is the only anti-AI music option with independent evidence, so it is the sensible anchor for any real plan, used with clear eyes about its instrumental-only, MP3-only test coverage. Poison Pill and Poisonify may be sincere and may improve, but a launch page or a video demo is not a published result, and Poison Pill’s own shutdown is a reminder that the hard part is generalizing beyond the models you tested against. The most reliable move is still the one no tool sells: keep your cleanest masters and stems off the public web. For the wider reliability picture, see do AI poisoning tools actually work; for the routine, how to protect my music from AI training.
Sources
- Meerza, Sun, Liu (2025). HarmonyCloak: Making Music Unlearnable for Generative AI. IEEE S&P 2025.
- Shan, Cryan, Wenger, Zheng, Hanocka, Zhao (2023). GLAZE: Protecting Artists from Style Mimicry by Text-to-Image Models. USENIX Security 2023.
- Shan, Ding, Passananti, Wu, Zheng, Zhao (2024). Nightshade: Prompt-Specific Poisoning Attacks on Text-to-Image Generative Models. IEEE S&P 2024.
- Foerster, Behrouzi, Rieger, Jadliwala, Sadeghi (2025). LightShed: Defeating Perturbation-based Image Copyright Protections. USENIX Security 2025.
- Yu, Zhai, Zhang (2023). AntiFake: Using Adversarial Audio to Prevent Unauthorized Speech Synthesis. ACM CCS 2023.
- Fan, Chen, Liu, Zhang, Yu (2025). De-AntiFake: Rethinking the Protective Perturbations Against Voice Cloning Attacks. ICML 2025.
New protection tests, breakdowns and how-long-does-it-hold checks. No spam, unsubscribe anytime.