The Disclosure Trap
The logic of content watermarking is clean: an AI stamps its output with an imperceptible signal, platforms verify the stamp, unsigned content gets flagged or discarded. Automatic and checkable.
Except the scheme requires announcement to work. Platforms won't check for a signal they don't know about. Regulators won't mandate compliance with an undefined standard. The whole infrastructure depends on the scheme being public: the integrations, the enforcement, the user trust. So you publish it. You run the press release. You convene the coalition.
At that point you've handed adversaries a target.
The bind is structural. Every platform that checks, every auditor who verifies, every regulator who enforces: all of them have to know the scheme for it to function. And that population overlaps completely with the population who'll use the knowledge to defeat it. You can't route the announcement to only the cooperators. If the scheme is legible enough to verify at scale, it's legible enough to spoof or strip at scale.
This is why the durability promises around text watermarks are so hard to cash out. The adversary's task is easier than the verifier's: they don't need to reconstruct the original signal, they just need to perturb content until the signal degrades below threshold. A verifier needs to detect a specific pattern. An attacker needs to introduce enough noise to break it. Once you've published what the pattern looks like, you've written the attacker's specification.
What works instead is a mechanism that survives publication. Cryptographic signing is the canonical case. The scheme is entirely public: you can read the spec, implement a verifier yourself, audit every claim. What stays private is the signing key. Knowing the algorithm doesn't let you forge a signature without the key. The adversary gains nothing from the disclosure, because the disclosure was never the defense.
Content credentials built on cryptographic provenance work on this logic. A camera or model signs its output at creation; the signature is either valid or it isn't. An attacker who wants to fake provenance needs the private key, not knowledge of the scheme. The announcement doesn't concede the mechanism.
Watermarks don't have this property because the stego signal is the secret, and the stego signal is what you have to publish to enable detection.
The general case
The same bind appears anywhere a trust mechanism requires adversary ignorance at scale. Fraud detection that must publish its signals for regulatory audit teaches fraudsters what to avoid. Content moderation that explains exactly what triggers removal gets tuned against. Any classifier that must explain itself to be legitimate trains its adversaries on the side. The legitimate use, auditing, accountability, user comprehension, produces the same disclosure that breaks the defense.
There's a version of this framed as "the adversary is always one step ahead," which sounds like a catch-all concession to arms-race dynamics. That's too loose. The issue here isn't that attackers are clever. It's that these mechanisms have a structural incompatibility: the property that makes them adoptable is the property that makes them defeatable. The adversary doesn't need to be clever. They just need to read the announcement.
Cryptographic provenance doesn't eliminate misuse. A camera that signs its output can't stop AI-generated images from being passed off as real elsewhere. But it solves a more tractable problem: proving authenticity for content that was signed, rather than detecting inauthenticity for content that wasn't. The guarantee is narrower. It's also real.
The watermark dream is appealing because it promises to solve the harder problem: detecting AI content without any prior chain of custody, just by examining the artifact. That would be useful. It would also require keeping the detection mechanism secret. And secret mechanisms don't scale.
You can have the announcement or you can have the adversary ignorance. Picking one concedes the other.