Abstract
Cryptographic and statistical watermarking of LLM-generated text has moved from academic proposal to deployed infrastructure. Google DeepMind’s SynthID-Text, a version of which shipped in the Gemini API, and the red-green list approach originally described by Kirchenbauer et al. at the University of Maryland represent two different technical bets on how to embed detectable signals in generated text without degrading output quality. Both approaches have measurable detection accuracy under controlled conditions; both have documented evasion paths under adversarial conditions. The gap between laboratory detection performance and practical robustness in the wild is the current frontier problem.
How Statistical Watermarks Work and Where They Fail
The red-green list method biases token sampling toward a pseudo-randomly selected subset of the vocabulary during generation. The bias is imperceptible to readers but statistically detectable by someone with the secret key used to partition the vocabulary. The fundamental limitation is that the statistical signal is preserved only if the text is reproduced intact. Paraphrase - at the sentence level, not just word substitution - disrupts the token-level statistics while preserving meaning. GPT-4-class models can paraphrase text well enough to reduce detection probability below the baseline rate; crowdworker paraphrasing achieves similar evasion. SynthID-Text uses a different mechanism tied to sampling process rather than vocabulary lists, which has better robustness under character-level edits but similar vulnerability to semantic paraphrasing.
Evasion as a Coordination Problem
The policy relevance of watermarking depends on the adversary model. For platforms trying to detect AI-generated content at scale - academic integrity tools, social media moderation, election integrity monitoring - the adversary is often a motivated individual, not a well-resourced nation-state. Research published by Stanford’s Internet Observatory and separate work from the AI Forensics collective has documented that consumer-grade paraphrasing tools marketed for academic evasion reliably defeat commercial AI detectors, and those detectors often use watermark detection as one signal among several. The false positive rate on non-watermarked human text written in second languages or non-standard registers remains a significant equity concern in academic applications.
What Watermarking Can Reasonably Do
Watermarking is not a reliable adversarial control; it is a forensic aid. It works for attribution when the text is reproduced or lightly edited, which covers a meaningful fraction of misuse scenarios: bulk content farms, auto-generated fake reviews, and scraped-and-republished disinformation. It does not work as a hard technical barrier against a user who knows that paraphrasing defeats it. Regulatory proposals in the EU AI Act implementation guidance that treat watermarking as a compliance checkbox for high-risk AI systems are conflating a forensic tool with a safety control. The honest framing is that watermarking raises the cost of undetected misuse for unsophisticated actors while providing an audit trail for attribution after the fact - a real but bounded contribution to AI content governance.