datarekha

Watermarking AI content

As machine-generated text and images flood the web, 'did an AI make this?' becomes a real question — for misinformation, academic integrity, and keeping AI slop out of the next model's training data. Watermarking embeds an invisible, statistically detectable signal at generation time, and provenance standards like C2PA attach signed credentials.

8 min read Advanced Generative AI Lesson 34 of 63

What you'll learn

  • Why detecting AI-generated content matters
  • How statistical text watermarking works — green-list bias and z-test detection
  • Watermarking beyond text — images/audio — and the C2PA provenance standard
  • The limits — paraphrase, open weights, and the removal arms race

Before you start

As AI-generated text and images flood the internet, a simple question gets hard to answer: did a machine make this? It matters for misinformation and impersonation, for academic and journalistic integrity, and — quietly important — for keeping AI output out of the next model’s training set, since training on unlabelled synthetic data drives model collapse. Watermarking is one answer: embed an invisible, detectable signal into the generated content at the moment it’s produced.

Statistical text watermarking: the green list

You can’t watermark text by adding pixels — so text watermarking works statistically, by nudging which tokens get sampled. The canonical scheme (Kirchenbauer et al.): at each step, hash the previous token to pseudo-randomly split the vocabulary into a green list and a red list, then add a small boost to the green tokens’ logits before sampling. The text still reads naturally — at each position many green tokens are perfectly good — but it ends up containing far more green tokens than chance would produce.

Detection needs no model, just the hash: walk the text, recompute each green list, and count the fraction of green tokens. Unwatermarked text sits near 50%; watermarked text is high enough to be statistically impossible by chance, which a z-test makes precise:

import math

def z_score(green, total, p=0.5):       # p = expected green fraction by chance
    expected = p * total
    return (green - expected) / math.sqrt(total * p * (1 - p))

for label, green, total in [("human / unwatermarked", 102, 200), ("watermarked", 168, 200)]:
    z = z_score(green, total)
    verdict = "WATERMARKED" if z > 4 else "no watermark"
    print(f"{label:<22} green {green}/{total} ({green/total:.0%})  z={z:.1f}  -> {verdict}")
human / unwatermarked  green 102/200 (51%)  z=0.3  -> no watermark
watermarked            green 168/200 (84%)  z=9.6  -> WATERMARKED

The human text’s 51% green is pure chance (z=0.3). The watermarked text’s 84% gives z=9.6 — the odds of that many green tokens occurring naturally are astronomically small, so the detector is confident. The strength is tunable: a bigger logit boost makes the watermark easier to detect but slightly degrades text quality, so you trade detectability against fluency.

Generate: bias toward greenprevious tokenhash → splitgreen list (+boost)red listsample (green-biased)reads naturally, but green-heavyDetect: count greenrecompute each green list, count green tokens84% greenz = 9.6~50% greenz ≈ 0watermarkedhuman
Generation tilts sampling toward a per-position green list; detection counts green tokens and z-tests the surplus. No model needed to detect — just the hash key.

Beyond text, and provenance

The same idea generalizes — and there’s a complementary, non-statistical approach:

  • Images & audio. SynthID (Google DeepMind) watermarks images, audio, video, and text; Stable Signature bakes a watermark directly into a diffusion model’s decoder so every image it generates carries it. These survive mild edits (crop, compress) better than metadata does.
  • Provenance (C2PA). A different model: instead of hiding a signal in the content, C2PA / Content Credentials attach cryptographically signed metadata recording how content was made and edited. It’s tamper-evident and verifiable, but — being metadata — it’s stripped by a screenshot. Watermarking (embedded, survives stripping but removable) and C2PA (signed, verifiable but strippable) are complementary, not rivals.

In one breath

  • Detecting AI content matters for misinformation, integrity, and keeping synthetic data out of training sets (model collapse).
  • Text watermarking is statistical: hash the previous token to split the vocab into a green/red list, boost green logits, so output is green-heavy while still reading naturally.
  • Detection needs no model — recompute the green lists, count the green fraction, and z-test it (the demo: 84% green → z=9.6, clearly watermarked vs ~50% for human text).
  • Beyond text: SynthID and Stable Signature watermark images/audio; C2PA attaches signed provenance metadata — embedded watermarks and signed credentials are complementary.
  • It’s removable (paraphrase, re-generate, or disable on open weights), so it raises the cost of misuse rather than proving origin — one layer in an arms race.

Quick check

Quick check

0/4
Q1How does statistical text watermarking embed a signal?
Q2How is a statistical text watermark detected?
Q3How does C2PA differ from an embedded watermark?
Q4What is the fundamental limitation of watermarking?

Next

Watermarking helps keep synthetic text out of the next pretraining set (model collapse); removing it is one of the techniques red-teaming probes; and it pairs with runtime guardrails for content policy.

Sign in to track your progress

Completed lessons, your XP, level, and streak save to your account — it's free and takes a few seconds.

Related lessons

Explore further

Skip to content