How model watermarking helps prove model origin and misuse

TL;DR

Model watermarking embeds a hidden, machine-readable signal into AI outputs or models so their origin can be traced after the fact. For owner-managed businesses, it becomes relevant when you need to prove authorship, investigate suspected misuse, or meet client and regulatory expectations, but logging, supplier contracts, and approval workflows almost always come first.

Key takeaways

- Model watermarking embeds a hidden signal into AI outputs or models so their origin can be verified after the fact, useful for attribution and misuse investigation.
- Watermarking is a detection tool, not a prevention tool; ordinary editing, paraphrasing, or reformatting can weaken or destroy the signal.
- The EU AI Act has made content provenance and watermarking part of the compliance conversation, particularly for firms that serve EU customers or run EU-linked AI workflows.
- Owner-managed businesses in regulated sectors (legal, accountancy, financial advice, healthcare-adjacent) face the greatest practical exposure when AI output attribution goes wrong.
- Start with logging, supplier contracts, and approval workflows before reaching for watermarking; they deliver more traceability at lower cost for the typical service firm.

A professional services firm, around fifteen people, has started using an AI tool to help draft client-facing summaries and emails. The workflow seems tight. A human reviews, approves, sends. Then one morning a client rings to challenge a message sent in the firm’s name. The founder checks the outbox. The message is not there. Did the AI generate something outside the approved workflow? Did a supplier’s system produce it? Can anyone prove either way?

That is the question model watermarking is designed to help answer. Not in every situation, and not perfectly, but it is the right tool when the problem is provenance.

What is model watermarking?

Model watermarking is a way of embedding a hidden, machine-readable signal into an AI model or its outputs so the origin can be checked later. Think of it as a serial number stamped inside a piece of machinery: invisible in normal use, but readable by the right tool when you need to trace where something came from.

Two distinct uses exist and they run along different lines. Content watermarking tries to show that a piece of text, image, audio, or video was generated by a specific AI system rather than a human or another tool. Model watermarking, in the narrower sense, tries to prove that a model itself came from a particular developer, or that it was copied or taken without authorisation. Both are attribution tools rather than prevention tools.

The Brookings Institution’s 2024 guide to detecting AI fingerprints is direct on this point: watermarking is most useful when you need to show provenance after the fact, not in real time. A determined attacker can often remove or degrade a watermark through paraphrasing, translation, screenshotting, or reformatting. The signal can survive casual copying, but it is not indestructible, and it is not a standalone proof system.
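
To make the brittleness point concrete, here is an added example (not from the original post, and not any vendor's actual scheme): a toy keyed "green-list" text watermark, a research-style technique swapped in for illustration, scored on watermarked, edited and unmarked text. The vocabulary, key, token-swap "edit" and all function names are constructed assumptions.

```python
import hashlib
import math
import random
from typing import Optional

VOCAB = [f"w{i}" for i in range(1000)]   # constructed toy vocabulary
GAMMA = 0.5                               # share of vocabulary that is "green" at each step

def is_green(prev: str, tok: str, key: bytes) -> bool:
    """Keyed pseudo-random split of the vocabulary, reseeded by the previous token."""
    digest = hashlib.sha256(key + prev.encode() + b"|" + tok.encode()).digest()
    return digest[0] < 256 * GAMMA

def generate(n: int, key: Optional[bytes], rng: random.Random) -> list:
    """Toy 'model': random tokens; with a key it only ever emits green tokens."""
    out = [rng.choice(VOCAB)]
    while len(out) < n:
        tok = rng.choice(VOCAB)
        if key is None or is_green(out[-1], tok, key):
            out.append(tok)
    return out

def z_score(tokens: list, key: bytes) -> float:
    """Standard deviations by which the green count exceeds chance."""
    t = len(tokens) - 1
    green = sum(is_green(a, b, key) for a, b in zip(tokens, tokens[1:]))
    return (green - GAMMA * t) / math.sqrt(t * GAMMA * (1 - GAMMA))

def edit(tokens: list, every: int, rng: random.Random) -> list:
    """Stand-in for paraphrasing: swap every `every`-th token for a random one."""
    return [rng.choice(VOCAB) if i % every == 0 else t for i, t in enumerate(tokens)]

def demo() -> dict:
    rng, key = random.Random(7), b"constructed-demo-key"
    marked = generate(201, key, rng)
    return {
        "watermarked": z_score(marked, key),                 # every token pair is green
        "light_edit": z_score(edit(marked, 4, rng), key),    # signal weakened
        "heavy_edit": z_score(edit(marked, 2, rng), key),    # signal gone
        "unmarked": z_score(generate(201, None, rng), key),  # text that never had a mark
        "wrong_key": z_score(marked, b"another-key"),        # detector without the owner's key
    }

if __name__ == "__main__":
    for name, z in demo().items():
        print(f"{name:12s} z = {z:6.2f}")
```

After the heavy edit the score is statistically indistinguishable from text that never carried a mark, which is why a missing watermark cannot be read as proof of human authorship.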

Why does it matter for your business?

For many owner-managed businesses using AI tools, model watermarking becomes relevant in one of two situations: you need to prove that a particular output came from your system and not someone else’s, or you suspect your AI supplier’s model was used outside agreed terms. Outside those situations, it tends to sit behind better-prioritised controls like logging and supplier contracts.

There are sectors where provenance controls matter more than others. If your firm operates in law, accountancy, recruitment, property, financial advice, or healthcare-adjacent services, a false attribution can escalate quickly into a client complaint, a regulatory enquiry, or a professional indemnity claim. The ICO’s AI and data protection guidance focuses on fairness, transparency, and accountability in automated processing. The FCA’s outsourcing and third-party risk expectations make audit trails and traceability a practical governance requirement, not an optional extra.

The NCSC has noted that AI is being used by attackers to improve phishing, social engineering, and impersonation fraud. In that context, a provenance trail helps you demonstrate whether a suspicious communication genuinely came from your firm or was produced by a spoofed system. For a services firm sending AI-assisted proposals or reports to clients, that distinction can matter significantly when a dispute arises.

Where will you actually meet it?

You are most likely to come across model watermarking in three places: in the published documentation of major AI providers explaining how they certify output authenticity, in regulatory and policy discussions tied to the EU AI Act’s transparency requirements, and in the procurement conversations of regulated industries where provenance and audit trails are standard contract expectations.

The EU AI Act, adopted in 2024, contains transparency obligations for certain AI-generated content and deepfakes. That has pushed watermarking from an emerging research area into the compliance conversation, even for UK-based firms that serve EU customers or operate in EU-linked workflows. A 2024 analysis by the Center for Data Innovation argues that watermarking mandates often fall short in practice because signals are difficult to preserve across edits and reposts. The Act does not mandate a single technical approach, but the direction of travel is clear.

Google and OpenAI have both published documentation on their approaches to content provenance and output authenticity. A 2026 arXiv paper on verifiable watermark detection underlines that the field remains technically unsettled: researchers are still working out how to make detection reliable enough to treat as evidence rather than simply as an indicator. That gap between a useful signal and legal proof is worth keeping in mind when vendors make provenance claims.

When should you ask for it, and when can you ignore it?

The honest answer is that watermarking is rarely the right first question for an owner-managed business. A better starting point is whether you can already explain your AI use to a client or regulator: what system produced the output, under what conditions, and with what human sign-off. If you can answer those three things clearly, you have the traceability that matters in practice.

Before reaching for watermarking, run a simple use-case test. Do you need to prove origin after the fact? Are you investigating a suspected misuse, defending authorship in a dispute, or satisfying a client’s contractual provenance requirement? If yes, how your AI supplier approaches output authentication is worth raising in your next contract review. If no, logging and approval workflows are likely to give you more governance value at lower cost.

There are limits worth keeping in mind. A 2024 EY analysis notes that watermarks can be weakened or destroyed by ordinary actions: a document reformatted, a paragraph paraphrased, a screenshot run through OCR, or a text translated then retranslated. A missing watermark does not prove an output was human-made. A present watermark does not prove the output is accurate or lawful. Treat it as one piece of evidence in a wider governance picture, not as proof on its own.

Model watermarking sits inside a wider cluster of provenance and governance tools that AI policy discussions increasingly treat together. Understanding the differences matters because vendors often use the terms interchangeably, and what one tool promises may not be what another delivers. Knowing what sits alongside watermarking helps you ask sharper questions and build a governance approach that holds up under scrutiny.

Content provenance is the broader goal that watermarking supports: being able to trace an output back to its origin, including who produced it, when, with which model, and under what conditions. Watermarking is one technical method of achieving that provenance, but not the only one.

Audit logs tend to be more accessible for an owner-managed business. They capture system-level records of which model processed which input and when. Many cloud-based AI tools produce them automatically; the practical question is whether you have access to those records, how long they are retained, and who controls them if you switch suppliers.

Digital signatures attached to outputs offer a related but different form of authentication: they confirm the output has not been altered since signing, but they do not tell you which AI model generated it in the first place. Labelling policies, meanwhile, are increasingly expected from firms producing AI-assisted content for clients, and the EU AI Act’s transparency requirements push in that direction for anyone serving EU customers.

A sensible governance approach for a UK service firm combines supplier contracts that clarify provenance and audit rights, approval gates before client delivery, and a labelling policy that documents AI involvement clearly. Watermarking fits into that picture when you need to prove origin in a dispute or satisfy a client who specifically asks for it. For everything else, start with the logs.
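
As an added illustration of "start with the logs" (example code, not from the original post or any supplier's product): a tamper-evident provenance log that binds each approved output's hash to the model, approver and time, then checks a disputed message against it. The record fields, names and sample entries are constructed, and an HMAC with a shared key stands in for a digital signature.

```python
import hashlib
import hmac
import json

def _mac(key: bytes, body: dict) -> str:
    """Keyed MAC over a canonical JSON encoding of the record body."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def append_record(log: list, key: bytes, output: str, model: str, approver: str, ts: str) -> None:
    """Append a provenance record chained to the previous record's MAC."""
    body = {
        "output_sha256": hashlib.sha256(output.encode()).hexdigest(),
        "model": model, "approved_by": approver, "ts": ts,
        "prev": log[-1]["mac"] if log else "",
    }
    log.append({**body, "mac": _mac(key, body)})

def verify_log(log: list, key: bytes) -> bool:
    """True only if every record is unaltered and the chain is unbroken."""
    prev = ""
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(key, body)):
            return False
        prev = rec["mac"]
    return True

def attribute(log: list, key: bytes, message: str):
    """Return the record for a disputed message, or None if it never passed the workflow."""
    if not verify_log(log, key):
        raise ValueError("audit log failed integrity check")
    digest = hashlib.sha256(message.encode()).hexdigest()
    return next((r for r in log if r["output_sha256"] == digest), None)

def demo():
    key, log = b"constructed-demo-key", []   # constructed sample data below
    append_record(log, key, "Q3 summary for client A", "vendor-model-v1", "j.smith", "2024-05-01T09:00Z")
    append_record(log, key, "Follow-up email to client B", "vendor-model-v1", "a.jones", "2024-05-01T09:30Z")
    found = attribute(log, key, "Q3 summary for client A")
    disputed = attribute(log, key, "Message the client is challenging")
    tampered = [dict(r) for r in log]
    tampered[0]["model"] = "some-other-model"   # after-the-fact change to the recorded model
    return found["approved_by"], disputed, verify_log(tampered, key)
```

Matching is on exact bytes, so a reformatted or edited copy of an approved output will not match its record; the log shows what passed through the workflow, not where an unknown message came from.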

Sources

- Brookings Institution (2024). Detecting AI fingerprints: a guide to watermarking and beyond. Argues watermarking is a detection and attribution tool, not a prevention system, and documents its brittleness under common edits including paraphrasing and reformatting. https://www.brookings.edu/articles/detecting-ai-fingerprints-a-guide-to-watermarking-and-beyond/
- ICO (2024). AI and data protection. UK data protection regulator guidance on fairness, transparency, accountability, and lawful basis for automated processing, the governance backdrop for any provenance control. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/ai-and-data-protection/
- NCSC (2024). AI security. UK national cyber security guidance noting AI is being used by attackers for phishing, social engineering, and impersonation fraud, supporting the case for provenance controls in client communications. https://www.ncsc.gov.uk/collection/ai-security
- Policy and Internet, Wiley (2024). EU AI Act transparency and labelling analysis. Peer-reviewed discussion of how the Act's transparency obligations have accelerated the watermarking compliance conversation for firms serving EU customers. https://onlinelibrary.wiley.com/doi/full/10.1002/poi3.70041
- Center for Data Innovation (2024). AI-generated content labelling and watermarking mandates. Argues that watermarking mandates often fall short in practice because signals are difficult to preserve across edits, reposts, and reformatting. https://www2.datainnovation.org/2024-ai-watermarking.pdf
- FCA (ongoing). Outsourcing and third-party risk management. Financial Conduct Authority guidance on traceability and supplier oversight expectations for regulated UK firms, making audit trails a governance requirement rather than an optional extra. https://www.fca.org.uk/firms/outsourcing-third-party-risk-management
- EY (2024). Identifying AI-generated content in the digital age: the role of watermarking. Analysis of how watermarks can be degraded by ordinary document actions including reformatting, OCR, and paraphrasing. https://www.ey.com/content/dam/ey-unified-site/ey-com/en-in/insights/ai/documents/ey-identifying-ai-generated-content-in-the-digital-age-the-role-of-watermarking.pdf
- arXiv (2026). Verifiable watermark detection. Recent academic research on making watermark detection reliable enough to use as evidence, underscoring that the field remains technically unsettled. https://arxiv.org/html/2604.27666v1
- SAS Law Review (2024). IP protection and model ownership in AI disputes. Legal analysis of the evidence chain needed to support intellectual property claims when AI model ownership or output attribution is contested. https://journals.sas.ac.uk/deeslr/article/view/1965/1902
- Google Cloud (2024). Generative AI transparency and watermarking. Named operator documentation on how a major AI provider approaches output authenticity and content provenance certification. https://cloud.google.com/ai/generative-ai/docs/transparency/watermarking

Frequently asked questions

Can model watermarking stop someone copying or misusing my AI outputs?

Watermarking is a detection and attribution tool, not a prevention system. It can help you prove that an output came from your model after the fact, but a determined attacker can often remove or degrade the signal through paraphrasing, reformatting, or editing. Preventing misuse requires access controls, supplier contracts, and approval workflows rather than watermarking alone.

Does the EU AI Act require UK businesses to use model watermarking?

The EU AI Act includes transparency and labelling obligations for certain AI-generated content and deepfakes, which has pushed watermarking into the compliance conversation. The Act does not mandate a specific technical approach. If your firm serves EU customers or runs EU-linked AI workflows, it is worth checking which transparency obligations apply to your outputs with a legal adviser familiar with the Act.

What should I ask my AI vendor about provenance and watermarking?

Ask whether they can provide audit logs that identify the model version and output date, any output signatures or provenance identifiers tied to specific generations, and what happens to those records when you switch suppliers or they update the underlying model. Your contract should specify who owns the audit trail and how disputes about authorship are resolved.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
