Watermarking AI content
As machine-generated text and images flood the web, 'did an AI make this?' becomes a real question — for misinformation, academic integrity, and keeping AI slop out of the next model's training data. Watermarking embeds an invisible, statistically detectable signal at generation time, and provenance standards like C2PA attach signed credentials.
What you'll learn
- Why detecting AI-generated content matters
- How statistical text watermarking works — green-list bias and z-test detection
- Watermarking beyond text — images/audio — and the C2PA provenance standard
- The limits — paraphrase, open weights, and the removal arms race
Before you start
As AI-generated text and images flood the internet, a simple question gets hard to answer: did a machine make this? It matters for misinformation and impersonation, for academic and journalistic integrity, and — quietly important — for keeping AI output out of the next model’s training set, since training on unlabelled synthetic data drives model collapse. Watermarking is one answer: embed an invisible, detectable signal into the generated content at the moment it’s produced.
Statistical text watermarking: the green list
You can’t watermark text by adding pixels — so text watermarking works statistically, by nudging which tokens get sampled. The canonical scheme (Kirchenbauer et al.): at each step, hash the previous token to pseudo-randomly split the vocabulary into a green list and a red list, then add a small boost to the green tokens’ logits before sampling. The text still reads naturally — at each position many green tokens are perfectly good — but it ends up containing far more green tokens than chance would produce.
Detection needs no model, just the hash: walk the text, recompute each green list, and count the fraction of green tokens. Unwatermarked text sits near 50%; watermarked text is high enough to be statistically impossible by chance, which a z-test makes precise:
import math
def z_score(green, total, p=0.5): # p = expected green fraction by chance
expected = p * total
return (green - expected) / math.sqrt(total * p * (1 - p))
for label, green, total in [("human / unwatermarked", 102, 200), ("watermarked", 168, 200)]:
z = z_score(green, total)
verdict = "WATERMARKED" if z > 4 else "no watermark"
print(f"{label:<22} green {green}/{total} ({green/total:.0%}) z={z:.1f} -> {verdict}")
human / unwatermarked green 102/200 (51%) z=0.3 -> no watermark
watermarked green 168/200 (84%) z=9.6 -> WATERMARKED
The human text’s 51% green is pure chance (z=0.3). The watermarked text’s 84% gives z=9.6 — the odds of that many green tokens occurring naturally are astronomically small, so the detector is confident. The strength is tunable: a bigger logit boost makes the watermark easier to detect but slightly degrades text quality, so you trade detectability against fluency.
Beyond text, and provenance
The same idea generalizes — and there’s a complementary, non-statistical approach:
- Images & audio. SynthID (Google DeepMind) watermarks images, audio, video, and text; Stable Signature bakes a watermark directly into a diffusion model’s decoder so every image it generates carries it. These survive mild edits (crop, compress) better than metadata does.
- Provenance (C2PA). A different model: instead of hiding a signal in the content, C2PA / Content Credentials attach cryptographically signed metadata recording how content was made and edited. It’s tamper-evident and verifiable, but — being metadata — it’s stripped by a screenshot. Watermarking (embedded, survives stripping but removable) and C2PA (signed, verifiable but strippable) are complementary, not rivals.
In one breath
- Detecting AI content matters for misinformation, integrity, and keeping synthetic data out of training sets (model collapse).
- Text watermarking is statistical: hash the previous token to split the vocab into a green/red list, boost green logits, so output is green-heavy while still reading naturally.
- Detection needs no model — recompute the green lists, count the green fraction, and z-test it (the demo: 84% green → z=9.6, clearly watermarked vs ~50% for human text).
- Beyond text: SynthID and Stable Signature watermark images/audio; C2PA attaches signed provenance metadata — embedded watermarks and signed credentials are complementary.
- It’s removable (paraphrase, re-generate, or disable on open weights), so it raises the cost of misuse rather than proving origin — one layer in an arms race.
Quick check
Quick check
Next
Watermarking helps keep synthetic text out of the next pretraining set (model collapse); removing it is one of the techniques red-teaming probes; and it pairs with runtime guardrails for content policy.