Highlights from the First ICLR 2025 Watermarking Workshop
This year, we organized the first Watermarking Workshop at ICLR 2025. With 61 submissions and 51 accepted papers, the response far exceeded expectations—especially considering fewer than 10 watermarking papers were submitted to ICLR just two years ago. The workshop brought together a fast-growing community from research, industry, and policy and was well-received by participants across disciplines.
Most papers focused on text and LLM watermarking, exploring generation-time methods, detection, and robustness. Image watermarking, especially in diffusion models, formed the next largest group, followed by a smaller but growing interest in audio and video watermarking. This spread of topics shows that watermarking has moved from a niche issue to a core concern in generative AI, with clear technical, ethical, and policy implications.
The workshop also featured strong industry participation, with contributions from Meta, Adobe, Kensho Technologies, DeepMark, and Ingonyama, highlighting the increasing investment in watermarking as part of the broader content authenticity ecosystem.
📈 Research Trends
Robustness vs. Imperceptibility – A Central and Well-Defined Challenge
A dominant theme at the workshop was the trade-off between robustness and imperceptibility, arguably the most active and accessible area in generative AI watermarking. Nearly half the submissions referenced robustness, attacks, or related defenses. “Robust Multi-bit Text Watermark with LLM-based Paraphrasers” developed a stealthy yet resilient text watermark using LLM-based paraphrasing pairs, achieving high detection performance while resisting perturbations. Others, such as “Optimizing Adaptive Attacks against Content Watermarks for Language Models” for text, “Visual Fidelity vs. Robustness: Trade-Off Analysis…” for images, and “Deep Audio Watermarks are Shallow” for speech, explicitly benchmarked the limits of watermark resilience under attack. Detection defenses and robustness mitigations also appeared prominently, as in “Discovering Spoofing Attempts on Language Model Watermarks” and “Watermarking Language Models with Error Correcting Codes”.
🟦 This direction stood out for being measurable, benchmarkable, and practically grounded—making it the most intensely explored theme of the workshop.
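To ground what “measurable” means here: most text-watermark robustness results reduce to a detection statistic computed before and after an attack. Below is a minimal, self-contained sketch of a toy green-list detector in the style of Kirchenbauer et al.; the hashing scheme and the gamma value are illustrative assumptions, not any workshop paper’s implementation.

```python
# Toy "green-list" text watermark detector. The z-score of the green-token
# count is the benchmarkable quantity: robustness experiments measure how
# much an attack (e.g., paraphrasing) degrades it.

import hashlib
import math

GAMMA = 0.5  # assumed fraction of the vocabulary marked "green" at each step

def is_green(prev_token: str, token: str, key: str = "secret") -> bool:
    """Pseudorandomly assign `token` to the green list, seeded by key and context."""
    digest = hashlib.sha256(f"{key}|{prev_token}|{token}".encode()).digest()
    return digest[0] < 256 * GAMMA

def detection_z_score(tokens: list[str], key: str = "secret") -> float:
    """Z-score of the observed green count against the unwatermarked null."""
    n = len(tokens) - 1  # number of scored (prev, current) pairs
    greens = sum(is_green(a, b, key) for a, b in zip(tokens, tokens[1:]))
    return (greens - GAMMA * n) / math.sqrt(GAMMA * (1 - GAMMA) * n)

# A paraphrase attack "wins" if it drives the z-score of watermarked text
# back toward the ~0 expected of clean text, e.g.:
#   z_before = detection_z_score(watermarked_tokens)
#   z_after  = detection_z_score(paraphrased_tokens)
```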
Trend 1: 🌐 Public Deployment, Online Trust and Transparency at Scale
A key theme in the workshop was the deployment of watermarking systems in real-world settings to support transparency at scale. Meta’s paper shared practical lessons from implementing metadata standards like C2PA across their platforms, highlighting real-world challenges such as metadata fragility and evolving user expectations. A taxonomy paper complemented this by classifying watermarking strategies—post-hoc, out-of-model, and in-model—helping guide deployment decisions based on technical and policy constraints. In the audio domain, another work from Meta described the practical challenges of deploying audio watermarking on short-form video, balancing audibility and detectability in high-volume, user-facing environments. Finally, a study on watermark coexistence addressed a growing operational concern: the need for multiple watermarking schemes to function together robustly. Collectively, these works emphasize that watermarking is moving from lab prototypes to scalable, product-grade infrastructure.
Trend 2: Emerging Directions – 🔐 Cryptography, NeRF, Dataset Attribution, and Knowledge Distillation Defense
A prominent trend in the workshop was the expansion of watermarking research into technically novel and high-impact directions. Several papers explored cryptographic foundations for provable and secure watermarking. “Provable Watermark Extraction” introduced zkDL++, a framework using zero-knowledge proofs to extract watermarks without revealing extractor internals, preserving privacy and robustness. Similarly, “Towards a Correct Usage of Cryptography in Semantic Watermarks for Diffusion Models” clarified the role of cryptographic primitives in semantic watermarking, offering a secure and formally grounded alternative to existing schemes. Another direction tackled watermarking in 3D rendering, as “MultiNeRF” presented a method to embed multiple keyed watermarks in Neural Radiance Fields (NeRFs), providing scalable attribution in 3D content. Watermarking also proved useful for dataset attribution: “Detecting Benchmark Contamination Through Watermarking” proposed rephrasing benchmarks with LLMs to detect whether they were used during training, aiding transparency in evaluation pipelines. Likewise, “WINTER SOLDIER” introduced an indirect poisoning strategy during LLM pretraining to embed covert, robust data watermarks. Finally, “Can LLM Watermarks Robustly Prevent Unauthorized Knowledge Distillation?” investigated whether watermark signals survive in student models trained via knowledge distillation from watermarked teachers—highlighting both vulnerabilities and defense mechanisms against watermark removal.
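Of these, the benchmark-contamination idea lends itself to a quick sketch: if a benchmark is released only in a watermarked rephrasing, a model trained on it should assign conspicuously higher likelihood to that exact phrasing than to fresh paraphrases. The sketch below is one plausible detection statistic under that setup, not the cited paper’s actual method; `log_likelihood` and `paraphrase` are hypothetical placeholders passed in by the caller.

```python
# Hypothetical contamination check: a model that trained on the released
# (watermarked) benchmark should "recognize" its exact phrasing via a
# likelihood gap. log_likelihood() and paraphrase() are placeholders,
# not the cited paper's API.

def contamination_score(model, released_items, paraphrase, log_likelihood):
    """Mean log-likelihood gap between each item's released (watermarked)
    phrasing and a fresh paraphrase of it."""
    gaps = [
        log_likelihood(model, item) - log_likelihood(model, paraphrase(item))
        for item in released_items
    ]
    # A consistently large positive gap suggests the model memorized the
    # released phrasing, i.e., the benchmark leaked into training data.
    return sum(gaps) / len(gaps)
```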
🎤 Speaker Highlights from WMARK @ ICLR 2025
Scott Aaronson (UT Austin / OpenAI) presented his work on statistical watermarking for large language models, developed in collaboration with OpenAI. The method subtly adjusts token selection to embed attribution signals without affecting text quality and was designed to prevent LLM-generated content from being reabsorbed into training data—a cycle he likened to a dog chasing its tail. Despite its efficiency, he noted that the method had not been deployed by OpenAI at the time due to concerns around output quality, public detectability, and vulnerability to adversarial removal. Aaronson also raised important open questions, including who should control detection tools, and called for more research on semantic watermarking and broader ecosystem coordination.
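For readers curious about the mechanics: Aaronson has publicly described the core idea as exponential minimum sampling. Derive a pseudorandom value per candidate token from the secret key and recent context, then pick the token maximizing r ** (1/p). Averaged over keys, this is equivalent to ordinary sampling from the model’s distribution, yet the realized tokens carry a key-detectable bias. A minimal sketch follows, with the hash construction and context handling as assumptions rather than OpenAI’s implementation.

```python
# Sketch of exponential-minimum ("Gumbel-trick") watermarked sampling as
# Aaronson has described it publicly. The hash construction and context
# window are illustrative assumptions, not OpenAI's implementation.

import hashlib

def pseudorandom_uniform(key: str, context: tuple[int, ...], token_id: int) -> float:
    """Deterministic value in [0, 1) derived from key, recent context, and token."""
    digest = hashlib.sha256(f"{key}|{context}|{token_id}".encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2**64

def watermarked_sample(probs: dict[int, float], context: tuple[int, ...], key: str) -> int:
    """Pick argmax r_i ** (1 / p_i); marginally, this samples from `probs`."""
    # Assumes every candidate probability is strictly positive.
    return max(probs, key=lambda t: pseudorandom_uniform(key, context, t) ** (1.0 / probs[t]))

# Detection (sketch): recompute r for each realized token in candidate text;
# watermarked text makes sum(-log(1 - r)) abnormally large for the true key.
```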
Furong Huang (University of Maryland) shared results from the WAVES NeurIPS competition on image watermarking. Top teams were able to remove up to 96% of watermarks, highlighting serious vulnerabilities to attacks; double watermarking emerged as a strong mitigation.
Melissa Omino (CIPIT) brought a much-needed African perspective to the watermarking conversation, highlighting how current intellectual property laws often don’t fit the realities of AI-generated content—especially in cultures where knowledge is shared, not individually owned. She advocated for a sui generis approach, a custom legal framework built specifically for AI—one that focuses on provenance, safety, and accountability instead of traditional ownership. Drawing on examples from Nigeria, Kenya, Egypt, and South Africa, she emphasized the need for local solutions that work with limited infrastructure and protect indigenous knowledge. She pointed out key gaps in global standards and called for more regional coordination, open-source tools, and support for African-led research. Her message was clear: Africa shouldn’t just adapt to watermarking frameworks—it should help shape them.
John Collomosse (Adobe / C2PA) focused his talk on the role of watermarking within the broader ecosystem of AI content provenance, especially through the lens of the C2PA (Coalition for Content Provenance and Authenticity) initiative. He emphasized that watermarking should not be treated as a one-size-fits-all solution to misinformation or manipulation but rather as one tool among many—best deployed in specific use cases. One such use case is AI provenance: verifying where content came from, how it was generated, and whether it has been altered. Unlike manipulation detection, which tries to identify if an image was tampered with, provenance is about tracing the origin and history of content. As Collomosse noted, most manipulated content is not misinformation, and most misinformation is not technically manipulated—it’s often misattributed or taken out of context. The C2PA standard aims to address this by embedding tamper-evident metadata into digital files, detailing authorship and edit history. However, since metadata can be easily stripped, watermarking plays a critical role in restoring or reinforcing provenance information. Learn more about the initiative here: https://c2pa.org.
Mauro Barni (University of Siena) offered a reflective overview of watermarking’s evolution over the past 30 years, from its DRM roots in the 1990s to its recent revival in the GenAI era. While the field peaked with significant advances around 2005–2010, Barni noted that progress later slowed, leaving core challenges—like security, evaluation, and key management—unresolved.
To guide the next phase of research, he shared a clear set of lessons:
- Revisit the trade-offs between robustness, invisibility, and capacity
- Define strong, realistic threat models
- Use statistically grounded evaluation metrics (see the sketch after this list)
- Treat watermarking as a security problem, with attention to key secrecy
- Avoid ad hoc metrics, and do not conflate robustness with true security
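As one illustration of the “statistically grounded metrics” point above, a detector can report an exact p-value under the no-watermark null hypothesis rather than an ad hoc score threshold. A minimal sketch, assuming a detector whose per-token “hits” occur with probability q on unwatermarked text:

```python
# Statistically grounded detection metric: an exact one-sided binomial
# p-value under the null hypothesis "no watermark present". q is the
# per-token hit rate that unwatermarked text produces by chance (an
# assumed detector model, for illustration).

from math import comb

def watermark_p_value(hits: int, n: int, q: float = 0.5) -> float:
    """Exact one-sided p-value: P(X >= hits) for X ~ Binomial(n, q)."""
    return sum(comb(n, k) * q**k * (1 - q) ** (n - k) for k in range(hits, n + 1))

# Example: 140 "green" tokens out of 200 under a chance rate of q = 0.5
# yields a p-value on the order of 1e-8; the false-positive rate is then
# controlled explicitly by whatever p-value threshold one chooses.
print(watermark_p_value(140, 200))
```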
👥 Panel: Watermarking & Policy
A standout moment of the workshop was the panel on “Watermarking in Policy,” which brought together voices from across the ecosystem. The panel featured John Collomosse (Adobe / C2PA), Wan-Sie Lee (IMDA Singapore / Singapore AI Safety Institute), Adina Yakefu (Hugging Face, China open-source community), and Zohaib Ahmed (CEO, Resemble AI). Together, they tackled pressing questions around watermarking’s policy readiness, legal implications, and practical deployment.
The discussion highlighted how watermarking is evolving from a research focus to a policy-relevant tool. While panelists agreed the technology is maturing, they emphasized the need for solutions that are usable, interoperable, and designed with real-world constraints in mind. The conversation reinforced the idea that watermarking is necessary—but must be applied with flexibility, accountability, and awareness of broader societal impacts.
Key Highlights
- Watermarking technology is rapidly maturing for public-facing applications, particularly when used to authenticate official content, as demonstrated in Singapore’s election safeguards (Wan-Sie Lee). Deployment still faces usability and access challenges, especially in user-facing contexts.
- Policy frameworks should focus on specific, well-defined use cases like AI provenance, rather than pushing for rigid, one-size-fits-all technical standards.
- Both public and private detector systems are needed; no single solution fits every case, and depending on the sensitivity and risk of the application, several watermarks can coexist.
- Privacy must remain a priority—as seen in China’s recent legislation, watermarking should never embed personal data.
- Narrow, use-case-driven deployment is key to establishing credibility and trust with the public.
- There’s a major opportunity for startups to innovate in watermarking and build the infrastructure for AI safety.
Closing Thoughts
WMARK @ ICLR 2025 showed just how quickly watermarking is evolving—from a side topic in AI safety discourse into a central concern in generative AI. The workshop brought together academic insights, real-world deployment lessons, and emerging policy discussions, reflecting the field’s increasing depth and relevance. From LLMs and diffusion models to cryptography, NeRFs, and data attribution, the range of contributions was broad and forward-looking. With strong engagement across research, industry, and policy, we’re excited to continue building this community. We look forward to bringing the next edition of the WMARK workshop to ICLR 2026 in Brazil.
Feedback
If you attended the workshop and want to give feedback, please fill out this feedback form.