I had a hunch, and it turned out to be published. The idea was simple: if I mark my content before publishing it, and an AI model trains on it, that model should carry the mark inside. And if someone takes that model to train another one, a Chinese one for example, the new one carries it too. A trail that spreads down the chain of models like radioactive ink.
The second part of the hunch was the carrier. The most stubborn way to plant that trail is not cryptography or metadata. It's an impossible lie tucked inside a normal sentence. "Today, January 32, 2026, a new fungus was described." January 32 cannot exist. If it shows up inside your sentence anywhere else, the only plausible source is you.
I set out to knock down my own ideas, which is the only way to find out if they hold. Most people take it for granted that proving an AI trained on your work is impossible without cracking the model open. I was convinced of the opposite. The research proved me right on the essentials, and forced me to be honest about the limits. Both matter.
An LLM watermark exists, and you detect it by counting
I start with the mechanism, because without it nothing else stands. Marking the text a model generates is a solved problem since 2023. The seminal work is Kirchenbauer et al. (ICML 2023). Before each token, the model looks at the previous token, mixes it with a secret key, and splits the vocabulary in two: a "green list" and the rest. It nudges up the probability of the green tokens, and the model ends up choosing green almost every time. Reading it, you can't tell. The distribution shifts just enough.
Detecting is even cheaper. You take the suspect text, recompute the green list with the key, and count how many green tokens there are. If there are far more than chance would dictate, you have your proof: a statistical test that returns a p-value. Kirchenbauer reports z above 4 and p close to 10⁻⁶. You don't need the model. Just the text and the key.
Marking is cheap and the proof is purely statistical. The same mechanical backbone holds up the whole field. Source: author's recreation of Kirchenbauer et al., ICML 2023.
This is not blackboard theory. Google deployed SynthID-Text inside Gemini and validated it over about 20 million real responses with no perceptible quality drop, published in Nature in 2024. There are whole families of variants: some that don't touch the output distribution at all (the "distortion-free" schemes of Aaronson and of Kuditipudi et al.), others robust to paraphrasing through semantics (SIR), others that embed a whole 32-bit message and not just one bit (MPAC). The field is mature on the provider side.
But that marks the output of one model. My hunch was about something else: marking my corpus, on the content owner's side, before any model touches it.
Radioactivity: the trail that passes from one model to another
My theory has an academic name, and it comes from Meta. It's called radioactivity. Sander et al., presented as a spotlight at NeurIPS 2024, prove exactly what I suspected: if a model A emits marked text and a model B trains on it, the mark leaves a detectable residue in B.
The margins are huge. With open access to the weights and no supervision, the trail is detected with p below 10⁻⁵ when only 5% of the training data is marked. In the supervised case it drops to p below 10⁻³⁰ with barely 1%. The term was coined by Sablayrolles et al. in 2020 for images, where 1% of marked data was enough for p below 10⁻⁴. And it survives pretraining from scratch, not just fine-tuning: Sander confirmed it training models with 1 billion parameters on 10 billion tokens.
One hop is proven. The whole chain is an open frontier. Source: author's recreation of Sander et al., NeurIPS 2024, and Gu et al., ICLR 2024.
This is where you have to get honest, which is what separates a serious article from a brochure. The single A→B hop is proven. The A→B→C chain has not been measured by anyone. Every radioactivity paper measures a single hop. None checks empirically that the mark survives a second chained training. And the adjacent evidence warns of decay, not intact propagation:
- A second cleaning pass over the same model already halves the significance (Sander, purification section). It's not a third generation, it's cleaning the same B.
- Gu et al. (ICLR 2024) show that a mark distilled into the weights does not survive a second fine-tuning with clean text. The mechanism that would carry the mark into a distilled model is fragile precisely against the kind of training a chain implies.
- Five chained rewrites at inference drop detection to around 4.9% (Chainwash, 2026).
The real case everyone cites, DeepSeek accused of distilling from OpenAI, is not a tracked mark either. It rests on style similarity, around 74%, and on traffic patterns. No serious source says otherwise: today there is no method to prove it conclusively. And that is exactly why marking proactively matters. If OpenAI had marked its output from the start, the proof would be far cleaner.
So the honest thesis is this: your content trains model A and the trail shows up in A, that is solid and sellable. The whole chain is a fascinating open frontier. Framing it that way is stronger, not weaker, because you're posing a hypothesis science has not yet closed.
Your best invisible ink is a lie: January 32
Anyone who has played with steganography thinks first of invisible characters: zero-width spaces, Cyrillic letters that look Latin, Unicode marks the eye can't see. It's elegant. For this problem it's a mistake.
The pipelines that prepare data before training are built precisely to erase that layer. Tokenization and Unicode normalization eat the invisible characters and homoglyphs before the model ever sees them. AWS and Cisco treat them directly as an attack surface and filter them by default. Your mark disappears at the first filter.
The impossible date goes the opposite way. It doesn't hide in the bytes, it hides in the meaning. "January 32" are perfectly ordinary tokens. The "32" is a single stable token in the GPT-4 tokenizers (cl100k and o200k use the regex \p{N}{1,3}), and "2026" always splits the same way into [202, 6] (tiktoken; Singh and Strouse, 2024). The tokenizer couldn't care less that day 32 doesn't exist: it treats it the way it would treat the 30th. The oddity is in the meaning, not in the bytes.
The pipeline erases bytes and metadata, not meaning. An impossible value rides on ordinary tokens. Source: author's recreation, synthesis of the tokenization and data-pipeline literature.
And this isn't new, which is the best thing about it. Mapmakers have spent a century planting towns that don't exist to catch copycats. The most famous, Agloe (New York), was an anagram of the initials of two draftsmen. Dictionaries do the same with fake words: "esquivalience" was slipped on purpose into the New Oxford American Dictionary in 2001. Academia already brought it to language models with a name of its own, "copyright traps" (Meeus et al., ICML 2024), and dictionaries call them mountweazels. There's even case law: in Feist v. Rural (US Supreme Court, 1991), the copied directory included four fictional entries planted to catch copies. We come back to Feist below, because it has a fine print worth knowing.
The memorization wall
Here comes the nuance that decides whether this is a toy or a tool. Marking is trivial. Detecting requires the model to have learned the mark, and models only memorize what they see many times.
Meeus's numbers are harsh. A 100-token fictional sentence repeated 1,000 times is detected with an AUC of 0.748. The same sentence at 25 tokens, no matter how much you repeat it, stalls at 0.557, near chance. A single appearance is practically undetectable. Wei, Wang and Jia (Findings of ACL 2024) set the bar on a giant model: a statistical mark is detectable in BLOOM-176B if it appears at least 90 times. The "ghost sentences" of Zhao et al. call for at least 10 repetitions for reliable memorization.
Marking is trivial; detecting requires memorization: it takes length and repetition. Source: author's recreation of Meeus et al., ICML 2024, with data from Wei et al. and Zhao et al.
There are two more traps on the way. The first is deduplication: if you repeat the mark to cross the threshold, dedup can erase it, unless you use fuzzy variation that changes a few tokens in each copy (Mosaic Memory: with four substitutions across ten repetitions, the AUC barely falls from 0.90 to 0.87). The second is a beautiful paradox: the rarer you make the mark so it memorizes better, the more you risk the quality filter discarding it for being rare. The same perplexity that helps detection (Meeus finds a correlation of r equal to 0.715) can get the document thrown out before it enters.
Which carrier to choose, and why the semantic one wins
The content owner's threat model is narrow: I publish text written by humans and I want to prove afterward that a large model trained on it. That rules out two whole families. The generation carriers (which mark a model's output, not your corpus) and the format ones (zero-width, homoglyphs, which the pipeline erases). What's left has to do four things: survive the pipeline, be detectable after training, be stealthy, and hold up in court.
The right family is the semantic one: fictional facts, mountweazels, impossible values. It survives by construction and is legally unambiguous. The impossible date wins on survival, stealth, and legal defense, and only loses on memorization if it's unique or short. How to level it up in practice: repeat the value across many documents, make it longer and more distinctive (combine the date with a unique surrounding phrase, passphrase-style), and deploy several independent traps so the joint probability of innocent inclusion collapses.
If you can publish a rewritten variant, there are distributional schemes that beat raw traps. STAMP generates several watermarked rewrites of the same content, publishes one and keeps the others, then compares the model's perplexity on the public one against the private ones with a t-test. It detects contamination at less than 0.001% of tokens seen once, and doesn't depend on the model reciting the exact date. LexiMark replaces rare words with even rarer synonyms, exploiting the fact that LLMs memorize rare tokens, and raises membership AUROC from 79% to 90-97%.
The ceiling: no strong mark is unerasable
Time for the uncomfortable warning. Text watermarking is the least robust modality of all, and it has a proven theoretical ceiling.
Zhang et al., "Watermarks in the Sand" (ICML 2024), prove that no strong watermarking is unbreakable against an adversary with a quality oracle and a perturbation oracle, both realizable with another LLM. It holds even with a secret key. And practice confirms it. An attacker can reverse-engineer the green-list rules by querying the public API for under 50 dollars, and with that forges or erases the mark with over 80% success. Recursive paraphrasing with DIPPER collapses detection: the TPR at 1% false positives drops from 99.8% to 9.7% with little quality loss.
That's why industry and regulation combine layers instead of trusting everything to the watermark. And that's why technical honesty is not an ornament here, it's the product. Whoever sells you a silver bullet is selling you smoke.
There's a second half of the problem worth naming: model fingerprinting, identifying the model itself rather than marking its output. It's the tool for the "model B comes from model A" case. Representation fingerprints like REEF survive fine-tuning, pruning and merging; planted ones like Instructional Fingerprinting persist through fine-tuning across 11 models. The weak point of all of them, again, is distillation.
Radioactivity depends on the architecture, and text is the fertile ground
A 2025 finding that reinforces the thesis from an unexpected flank. Meintz et al. study radioactivity in image models and find that diffusion watermarks are not retained: the latent and the noise erase them, so a diffuser trained on marked images does not reproduce the mark. They had to invent the first method for autoregressive image models, borrowing it from LLM watermarking.
The lesson reads itself: radioactivity depends on the architecture, and the autoregressive one, the one text uses, is the one that keeps it. The ground where my hunch works best is exactly language.
Language changes the game, and Catalan is a double-edged weapon
A detail that hits close to home for us. Detection strength is not equal across languages. In Sander's Table 6, cross detection is extremely strong in English (log₁₀ of the p-value below −50) and the weakest of all in Catalan (−2.1), with Spanish at −5.7 and French at −7.8 in between. Languages with less data have less coverage in the model, and on top of that the commercial detectors are tuned in English.
But there's a flip side. Rare strings memorize more strongly per instance (Shared Path, 2025). A rare, anomalous Catalan sentence is a nearly unique text in the world, with a natural baseline near zero. If the model swallows it, it records it hard, and any reappearance is compelling proof. These are two distinct quantities: the detection power of a propagated distributional watermark, where Catalan loses, and per-instance memorization if the text is in the training set, where rarity wins. For a Catalan creator the play is to lean on a literal, blunt canary, the impossible date, rather than a subtle statistical mark, and to probe in Catalan, not English.
The courts have already seen this
Watermarking does not live in a legal vacuum. It lives in the middle of the largest wave of copyright litigation in recent history.
- Bartz v. Anthropic (ND Cal., 2025) ended in the largest copyright settlement in US history: a minimum of 1.5 billion dollars, about 3,000 per work over half a million books. Judge Alsup ruled that training on legally purchased books is fair use, but downloading pirated copies from LibGen is not.
- NYT v. OpenAI is still in discovery, and memorization is the central evidence: Exhibit J collects around 100 examples of near-verbatim regurgitation.
- Feist v. Rural is the critical nuance. The Supreme Court ruled that facts are not copyrightable, only original expression, and Feist included four fictional entries planted by Rural. Translated to our case: a fake date proves the copy as a forensic fingerprint, but the trap itself often is not protectable. The fix is to embed it inside enough original expression and use several.
Regulation is pushing
This is not an academics' debate, for two reasons that have moved the board.
China has required labeling and marking AI-generated content since September 1, 2025, and is the first country to do it, with explicit and implicit labels (metadata or watermark with the provider's name). Article 50 of the European AI Regulation takes effect on August 2, 2026, and requires providers to mark AI outputs, including text, in machine-readable format. The Code of Practice position is clear: no single technique is enough, you have to combine layers. NIST itself, in its document AI 100-4, acknowledges that text watermarking is the least robust modality and recommends combining it with provenance and detection. The signed-metadata standard, C2PA, is already ISO/IEC 22144.
It already means money
The commercial "why" of this whole line. Showing up inside AI answers already brings business, and it can be measured. According to the Similarweb study with data from July to December 2025, brands recommended by ChatGPT get 2.5 times more visits in the following seven days. ChatGPT referral traffic converts at 7.1%, second only to paid search. And the number I like best: 55.9% of AI-influenced traffic arrives through search, not as direct referral, so your analytics lies to you and attributes to search what AI actually started.
If your content already works inside those models and brings you customers, being able to mark it, trace it, and defend its ownership goes from technical curiosity to business interest.
The other door: not whether they remember you, whether they cite you
Up to here everything runs through the same door: your content trains the model and the mark stays inside. But there is a second door, and it's the one that touches our daily work most.
Models no longer only train on text and store it. More and more, they go out to search at the moment of answering. ChatGPT with search, Google's AI Overviews, Perplexity, Copilot. They don't memorize you, they go fetch you and cite you. And that changes the question. With GEORadar we measure how those models see you from the outside: whether they name you, whether they recommend you, with how much share against your competition. Watermarking is the flip side of the same coin. Not "do they see me?", but "am I the source they're reading, and can I prove it?".
The complementary face of watermarking: it doesn't require them to memorize you. Source: author's recreation of Seiden et al., 2026.
Here the watermark changes shape. You don't need the model to learn your sentence by heart, with its wall of repetitions. You need a trail you can follow when the model goes out to search and returns your material. That already exists, and it has an unglamorous name: canary tokens. You serve a unique identifier, different for each bot that crawls you, and then you query the AI search systems. If one spits out your token, you've proven the whole chain. A 2026 paper did it against a couple dozen systems, Claude, ChatGPT, Gemini, Copilot, Perplexity and DeepSeek among them (Seiden et al.). The difference with the impossible date is clean: the date proves you were trained on, it's slow and looks at the model's past; the canary proves you were read and served, it's fast and needs no memorization. And while you wait, you can use today's tools: robots.txt, the TDMRep protocol that the European Regulation itself recognizes as a machine-readable means, or Cloudflare's Pay-Per-Crawl, which since July 2025 blocks AI crawlers by default and charges for access with an HTTP 402.
What we're building on top of this
The theory doesn't stop at the paper. At 498A, Zoopa's R&D lab, we're looking at how it becomes a product, and the exercise is revealing because almost every idea lives or dies on the same detail: marking is easy, detecting requires memorization. Except the ones that play on the retrieval surface, which skip that wall. We looked at five. Three hold up, one needs reframing, and one gets discarded.
The most solid technically is a trust layer for the data licensing market. The big labs buy data more and more. If you sell your archive to one, how do you know another isn't using it for free? There the corpus is enormous and repeated, so it clears the memorization threshold easily and radioactivity works almost out of the box.
The closest to our DNA is an evidence layer for media. Mark each article at publication, keep a notarized, time-stamped record of the marks, and produce forensic reports when a contaminated model shows up. The good part is that the time stamp doesn't depend on detection coming out perfect: it's the chain of custody that makes any claim credible. The Feist precedent rules: the trap proves the copy, but you need to prove when you planted it.
The one with the most runway is a forensic lab for the AI Regulation. The regulator demands transparency about training data but has no independent verification tools. A neutral third party that audits for the regulators and verifies compliance for the labs themselves. Nobody trusts a lab that audits itself, and that gap is the moat. It depends on Article 50 taking effect and on slow sales cycles, so it's high ceiling and long road.
The idea of marking a company's internal documents to catch leaks needs reframing: as proof that a lab trained on a unique document it's weak, because a single appearance falls below the threshold. It lives better on the retrieval surface, with canary tokens and audit logs, where the value is the chain of custody and not the mark. And the idea of marking an API's output to sell it to the labs themselves we discard: it already exists and is occupied by the big players. It's exactly GINSEW (ICML 2023) and SynthID. It lives on the model provider's side, not the content owner's.
For S.A.M., our semantic alignment tool, all of this extends the practice to a second axis. We measured how models see you from the outside. Now it's also about whether your content is inside, and whether you can prove it. What we won't promise is catching a mark through a distillation chain, or detecting the leak of a unique document. Technical honesty is part of the product, not a footnote.
The wall, the ceiling, and why it's worth it anyway
Let me recap without selling smoke, which I think I've repeated in every section. Marking adds up when the content is yours, niche, repeatable, and you're after proactive defense and dated proof. It subtracts when you expect a single mark to be airtight evidence, when you trust it to survive a chain of distillations, or when you want to catch a unique document that appears once. In those cases the physics of memorization plays against you.
What fascinates me most about all this is how unsophisticated it is. The answer to one of the most modern problems there is, knowing whether an artificial intelligence trained on your work, was invented by some mapmakers a century ago by dropping in a town that didn't exist. January 32 is the Agloe of language models.
It's not a silver bullet. It's a layer. But it's a layer almost nobody has, at a moment when your content has started working for free inside machines you don't control, regulation already requires marking in China and will in Europe in August, and showing up inside ChatGPT already brings you real customers. An invisible character gets erased by the system without a thought. A date that cannot exist would only be erased by someone who understands what they're reading. And there's an irony I love to close on: an article about how to prove copying can't use a single data point without citing its source. Here they all are.
Technical sources
Foundational watermarking techniques
- Kirchenbauer, Geiping, Wen, Katz, Miers, Goldstein: A Watermark for Large Language Models, ICML 2023. The green-list and red-list scheme, the base of the whole field.
- Kirchenbauer et al.: On the Reliability of Watermarks for LLMs, ICLR 2024. Survival to human and machine paraphrasing.
- Kuditipudi, Thickstun, Hashimoto, Liang: Robust Distortion-free Watermarks, TMLR 2024.
- Liu et al.: A Semantic Invariant Robust Watermark (SIR), ICLR 2024.
- Yoo, Ahn, Kwak: Multi-bit Watermark via Position Allocation (MPAC), NAACL 2024.
- Dathathri et al., Google DeepMind: Scalable watermarking for identifying LLM outputs (SynthID-Text), Nature 2024. The first text watermark in production, inside Gemini.
Radioactivity and propagation through training
- Sander, Fernandez, Durmus, Douze, Furon (Meta FAIR): Watermarking Makes Language Models Radioactive, NeurIPS 2024. The central paper of the thesis.
- Sablayrolles, Douze, Schmid, Jégou: Radioactive Data: Tracing Through Training, ICML 2020. The origin of the term, in images.
- Sander et al.: Detecting Benchmark Contamination Through Watermarking, ICLR 2025. Radioactivity survives pretraining.
- Gu, Li, Liang, Hashimoto (Stanford): On the Learnability of Watermarks for Language Models, ICLR 2024. The distilled mark does not survive a second clean fine-tuning.
Copyright traps, memorization and detection
- Meeus, Shilov, Faysse, de Montjoye: Copyright Traps for Large Language Models, ICML 2024. The memorization wall with data.
- Wei, Wang, Jia: Proving Membership in LLM Pretraining Data via Data Watermarks, Findings of ACL 2024. The 90-appearance threshold in BLOOM-176B.
- Zhao, Zhu, Quan, Yang: Ghost Sentences, 2024. Unique passphrases and the 10 repetitions.
- Shilov, Meeus, de Montjoye: Mosaic Memory: Fuzzy Duplication in Copyright Traps, 2024. How to beat deduplication.
- Rastogi, Maini, Pruthi: STAMP: Proving Dataset Membership via Watermarked Rephrasings, 2025. The distributional approach.
- Ben-Gurion et al.: LexiMark, 2025. Rare-word substitution. (Recent preprint, verify before citing formally.)
- Singh, Strouse: Tokenization counts, 2024. How models tokenize numbers and dates.
The theoretical ceiling, attacks and fingerprinting
- Zhang, Edelman, Francati, Venturi, Ateniese, Barak: Watermarks in the Sand, ICML 2024. The impossibility of strong watermarking.
- Jovanović, Staab, Vechev (ETH): Watermark Stealing in Large Language Models, ICML 2024. Stealing the mark for under 50 dollars.
- Krishna et al.: Paraphrasing Evades Detectors (DIPPER), NeurIPS 2023.
- Zhang et al.: REEF: Representation Encoding Fingerprints, 2024.
- Xu et al.: Instructional Fingerprinting of LLMs, NAACL 2024.
Multimodal, language, data protection
- Meintz, Dubiński, Boenisch, Dziedzic: Radioactive Watermarks in Diffusion and Autoregressive Image Generative Models, 2025. Radioactivity depends on the architecture.
- Shared Path, 2025. Low-resource languages memorize more per instance.
- Zhao, Wang, Li: Protecting Language Generation Models via Invisible Watermarking (GINSEW), ICML 2023. The provider-side watermark.
- Seiden, Ren, Zhang, Kim, Liu, Wenger: Identifying AI Web Scrapers Using Canary Tokens, 2026. The retrieval surface. (Recent preprint.)
- Wu, Cao: Chainwash: Multi-Step Rewriting Attacks, 2026. Decay through chained rewrites. (Recent preprint.)
Regulation, market and context
- Regulation (EU) 2024/1689, Article 50. Marking obligations from August 2, 2026.
- NIST: AI 100-4. Text watermarking as the least robust modality.
- Cloudflare: Introducing Pay Per Crawl. Blocking by default and HTTP 402.
- Similarweb: The Downstream Impact of AI Visibility, data Jul-Dec 2025. The 2.5x traffic and the 7.1% conversion.




