Watermarking
AI content watermarking: the engineering view
AI content watermarking embeds an imperceptible, machine-detectable signal into content at generation time, so that a paired detector can later establish that the content came from an AI system. It is done differently per modality: text watermarks bias which tokens the model samples, image and video watermarks shape pixels or latent representations, and audio watermarks modify the waveform below what humans can hear. The reason most engineering teams are looking at this now is regulatory: Article 50 of the EU AI Act requires providers of generative AI systems to ensure outputs are “marked in a machine-readable format and detectable as artificially generated or manipulated,” with the obligation applying from 2 August 2026.
This page is the technical overview: what a watermark actually is, how the techniques differ across text, image, audio, and video, what an end-to-end pipeline looks like in production, and how to decide whether to build or buy.
What an AI watermark is (and is not)
A generative watermark is a signal deliberately introduced into content by the system that produced it. Three properties define a useful one:
- Imperceptible. A human consuming the content should not notice quality degradation. Google DeepMind’s live experiment with SynthID-Text across roughly 20 million Gemini responses, published in Nature, found no statistically significant difference in user feedback between watermarked and unwatermarked responses.
- Detectable. A detector holding the right key or model can score content and return a decision (watermarked, not watermarked, or uncertain) with a controlled false positive rate.
- Robust enough. The signal should survive the transformations content normally undergoes in distribution: compression, resizing, format conversion, light editing. No watermark survives everything, a point covered in depth in watermark robustness and attacks.
Two things a watermark is not. It is not a detector of arbitrary AI content: a watermark detector only recognizes content marked by a compatible embedder, so it says nothing about output from models that never watermarked. And it is not provenance metadata: standards like C2PA Content Credentials attach signed metadata alongside the file, which is cryptographically strong but strips out the moment someone screenshots or re-encodes the asset. Watermarks live inside the signal itself. Mature architectures use both, and the trade-off is covered in C2PA vs watermarking and detection vs provenance.
How watermarking works, modality by modality
Text: biasing token sampling
A language model produces a probability distribution over its vocabulary at every step, then samples one token. Text watermarking intervenes in that sampling step. The foundational scheme from Kirchenbauer et al., “A Watermark for Large Language Models” (ICML 2023), partitions the vocabulary into a pseudorandom “green list” and “red list” before each token is generated, then softly promotes green tokens. Watermarked text ends up statistically greener than chance, and a detector that can recompute the lists runs a statistical test with an interpretable p-value, without needing the model itself.
Google’s production scheme, SynthID-Text, refines this with Tournament sampling: candidate tokens compete through rounds of pseudorandom scoring functions, embedding the signature while preserving output quality, as described in the Nature paper. It ships as an open-source logits processor in Hugging Face Transformers, which matters for build-vs-buy below. Full detail is on SynthID explained.
The structural constraint of all text watermarking: it needs entropy. If the model’s distribution is nearly deterministic (code, short factual answers, boilerplate), there is little sampling freedom in which to hide a signal, and detection confidence drops on short or low-entropy passages.
Images: pixel, decoder, and sampling-process watermarks
Image watermarking has three architectural families:
- Post-hoc pixel-domain watermarks. A separate encoder network adds a low-amplitude pattern to the finished image, and a paired decoder extracts it. Simple to bolt onto any generator, but pixel-level marks are the most exposed to removal: Zhao et al. showed at NeurIPS 2024 that regeneration attacks (add noise, then reconstruct with a diffusion model) strip this class of watermark reliably.
- Decoder-integrated watermarks. Meta’s Stable Signature (ICCV 2023) fine-tunes the latent decoder of a diffusion model so every generated image carries a binary signature. The reported extraction survives aggressive edits, including detecting origin with over 90 percent accuracy after cropping the image to 10 percent of its content, at a false positive rate below one in a million. Because the watermark is baked into the model weights, there is no unwatermarked variant to intercept.
- Sampling-process watermarks. Tree-Ring watermarking embeds a pattern in the initial noise vector of the diffusion process, influencing generation itself rather than editing the output. These semantic-level marks are precisely the alternative defense the regeneration-attack authors point to.
Audio: signal below the hearing threshold
Audio watermarks embed structure in the waveform or spectrogram at amplitudes and frequencies human hearing discards. Google’s SynthID marks Lyria music output with a watermark inaudible to the human ear. Meta’s open-source Meta Seal family includes localized audio watermarking with sample-level detection, which can flag which segment of a clip is synthetic rather than issuing a single verdict for the whole file: relevant when AI speech is spliced into real recordings.
Video: images plus time
Video watermarking extends image techniques across frames, with temporal propagation so the mark survives frame-rate changes, re-encoding, and clipping. Google applies SynthID to Veo output, designed to remain detectable through cropping, filters, frame-rate changes, and lossy compression, per DeepMind’s announcement. The engineering challenge is cost: marking every frame of high-resolution video at generation time adds real compute, which is why watermarking belongs inside the generation service, not as a post-processing afterthought.
Summary table
| Modality | Where the signal lives | Representative schemes | Typical failure mode |
|---|---|---|---|
| Text | Token sampling statistics | Kirchenbauer green list, SynthID-Text | Paraphrasing, translation, low-entropy output |
| Image | Pixels, decoder weights, or initial noise | Post-hoc encoders, Stable Signature, Tree-Ring | Regeneration attacks on pixel-level marks |
| Audio | Waveform below hearing threshold | SynthID audio, Meta Seal (localized) | Heavy re-encoding, time-stretching |
| Video | Per-frame plus temporal propagation | SynthID for Veo, VideoSeal | Aggressive re-encode plus crop pipelines |
The end-to-end pipeline: embed at generation, detect later
Here is what an actual production watermarking system looks like, in prose rather than a vendor diagram.
Generation side. Every model endpoint that produces content routes through a watermarking layer before returning output. For text, that is a logits processor keyed with a secret watermarking key, inserted into the sampling loop after top-k and top-p filtering. For images and video, it is either a fine-tuned decoder that cannot produce unmarked output, or a watermark module applied inside the generation service before the asset ever leaves it. The key material is the crown jewel: whoever holds the key can detect (and, for some schemes, spoof), so keys live in a KMS, are rotated on a schedule, and key identifiers are logged with every generation event. That log entry (asset hash, model version, key ID, timestamp) becomes your audit trail, and it is also the natural place to emit a C2PA manifest if you run both systems.
Distribution side. Content flows out through your normal channels: CDN, user downloads, third-party platforms. You should assume every transformation in that path (thumbnailing, transcoding, platform re-compression) is a robustness test your watermark either passes or fails. Test your actual distribution pipeline, not the vendor’s benchmark suite.
Detection side. Detection is a service: content in, score out. For text, the detector recomputes the pseudorandom functions under your key and runs a statistical test; SynthID-Text’s open-source release includes a Bayesian detector with three output states (watermarked, not watermarked, uncertain) and tunable thresholds so you set your own false-positive and false-negative rates. For media, the detector is a neural extractor paired with your embedder. Operationally, the detector sits behind an internal API used by trust-and-safety tooling, compliance reporting, and, where relevant, customer-facing verification. Decide up front who may call it: a public detection endpoint gives attackers an oracle to iterate against, which measurably weakens robustness.
Governance around both. The regulation cares about the whole loop. Article 50(2) requires marking solutions to be “effective, interoperable, robust and reliable as far as this is technically feasible,” which in practice means you need documented evidence: which outputs are marked, with what scheme, tested against which transformations, with what detection rates. That documentation burden is often more work than the embedding integration itself. The compliance mapping is covered in EU AI Act watermarking requirements.
Build vs buy
Lean on platform watermarks when you consume hosted models. If your product generates content through Gemini, Imagen, Veo, or Lyria, Google already embeds SynthID, with more than 10 billion pieces of content watermarked according to Google’s announcement of the SynthID Detector portal. Your work is then verification and documentation, not embedding: confirm the marking exists for your usage pattern, and record it in your compliance file.
Integrate open-source schemes when you self-host models. If you run your own LLMs, SynthID-Text is available in Hugging Face Transformers as a generation-time logits processor with no retraining required. For images, audio, and video, Meta’s Meta Seal family and Stable Signature offer open implementations. The real cost is not the algorithm: it is key management, detector hosting, threshold calibration against your false-positive budget, robustness testing against your distribution pipeline, and regression testing every time you swap a model version.
Build custom only at the edges. Custom schemes make sense when your modality or threat model is unusual (structured documents, 3D assets, adversarial users with detector access) or when you need multi-bit payloads (encoding which customer or session generated the asset, not just “AI-made”). Otherwise you are re-deriving published work with fewer reviewers.
A useful forcing question for the decision: who needs to detect your watermark? If only you do, a proprietary keyed scheme is fine. If regulators, platforms, or customers must verify independently, you need either a shared detector arrangement or a standards-based layer like C2PA on top, because Article 50’s interoperability language points away from purely private schemes over time.
Where to go next in this pillar
For the deepest single implementation to study, read SynthID explained. For the choice between marks users can see and marks only machines can find, read invisible vs visible watermarks. And before committing to any scheme, read watermark robustness and attacks to understand what a motivated adversary can actually remove.
Webisoft designs and builds watermarking and provenance pipelines for teams that need this working, and documented, before the Article 50 deadline.