A preprint posted to arXiv on 15 July 2026 shows that a stretch of AI-generated text can be provably machine-made yet impossible to attribute to any specific user within a window of roughly log N tokens, where N is the number of possible users [S1]. The paper, which has not been peer-reviewed, maps the exact information cost of every rung on a forensic ladder, from bare detection to naming the person who generated it. Why that window exists, and why the obvious way to catch a culprit charges far more than necessary, is what makes this work uncomfortable for anyone building watermarking into a production system.

The forensic ladder

Most watermarking schemes for generative AI ask one question: is this text machine-made? The new preprint, filed in cs.AI and cs.LG, argues that the same hidden mark can do far more [S1]. It lays out what it calls a forensic ladder with four rungs:

  • Detection: is this text AI-generated?
  • Attribution: which user produced it?
  • Extraction: what hidden payload does it carry?
  • Localization: which parts survived editing?

Each rung demands more from the watermark. Detection only needs the marked text to differ from what an unmarked model would produce. Attribution needs enough information to distinguish one user from N others. Extraction needs to recover specific bits. Localization needs to pinpoint which tokens carry the mark after someone has rewritten, trimmed, or spliced the text.

The information profile

The paper's central tool is what it calls an information profile, written as a function that records how much the t-th token reveals about a secret S given the tokens that came before it [S1]. Think of it as a budget ledger: each token spends a little of the watermark's secret information, and the profile tracks the spending token by token.

The total mass of this profile pays for attribution and extraction. How that mass is spread across tokens pays for localization. Detection, the cheapest rung, is paid for not by information at all but by presence, the statistical distance between marked and unmarked output [S1].

The paper identifies two quality models in the existing literature: a mark that is subtle on every token, and one that stamps a few tokens loudly [S1]. These are two incomparable ways of capping the information profile, and the choice between them shapes what the watermark can achieve.

The attribution bound

Here is the paper's headline result. For watermarking schemes that are statistically distortion-free, meaning the marked output is statistically indistinguishable from the unmarked, attributing a text to one of N users costs a number of tokens proportional to log N divided by h, where h is the entropy rate of the source [S1]. The bound is sharp to a (1+o(1)) factor, meaning you cannot do better by any meaningful margin.

The authors state this is, to their knowledge, the first tight entropy-rate law for multi-user attribution via exact alignment [S1]. A matching converse makes the law two-sided: it is both achievable and unavoidable [S1].

The practical implication is stark. The natural approach to attribution, counting collisions between a user's key and the observed text, overcharges without bound [S1]. Only a decoder that thresholds each candidate by its own realized surprisal, a measure of how unexpected each token is under that user's key, attains the optimal rate while almost never implicating an innocent user [S1].

Extracting a hidden payload follows a similar law: recovering a payload of ℓ bits costs a number of tokens proportional to ℓ divided by h [S1].

The unattributable window

The paper identifies a window of roughly log N tokens in which a text is provably machine-made yet unattributable [S1]. In other words, there is a minimum length below which you can confirm the text came from a machine but cannot say which machine user produced it. This is not a failure of engineering. It is a structural limit, baked into the mathematics of information.

The paper also describes what it calls a footprint-resolution uncertainty principle [S1]: you cannot simultaneously maximize the footprint of the watermark, how much text it covers, and the resolution at which you can localize it, how precisely you can point to the marked tokens. The more spread out the mark, the harder it is to pin down.

What it means

This paper changes the question from "can we watermark AI output?" to "what exactly do we want the watermark to do, and what will it cost?" The forensic ladder makes the tradeoffs explicit. Detection is cheap. Attribution is expensive, and the price scales with the number of users. Extraction costs bits. Localization fights against its own footprint.

For policymakers pushing for mandatory AI watermarking, the unattributable window is a problem. A short piece of AI-generated text, the kind that might appear in a social media post or a phishing email, may be too short to trace back to a specific user even if it is clearly machine-made. The law says: you can prove it was AI, but you cannot prove who used the AI to make it.

The result connects to a broader research thread. A prior arXiv paper, "Watermarks in the Sand," showed that strong watermarking for generative models is impossible under certain conditions [P2]. Separate work on coding limits for robust watermarking explored how much information a watermark can carry [P4]. This new preprint adds the precise cost structure: whether watermarking works, and how many tokens each forensic task consumes.

What it means for business

A two-person marketing agency using AI to draft client copy faces a concrete question: if they watermark their output for provenance tracking, how much text do they need before they can attribute a draft to a specific team member? The paper's bound says the answer depends on the number of users and the entropy rate of the text. For a team of 10 writers, the attribution cost scales with log 10 divided by h. In practice, that means short snippets, a headline or a tweet, may fall inside the unattributable window. Full articles almost certainly do not.

For a platform operator, the tradeoffs are sharper. If you serve millions of users and want to attribute every generated string, the log N term grows, though slowly. The bigger concern is the "statistically distortion-free" assumption. The paper's bounds apply only to schemes where the watermark does not change the statistical distribution of the output. Real-world watermarking schemes that visibly nudge token probabilities may not satisfy this condition, and the bounds may not hold.

For a compliance team, the forensic ladder offers a useful framework. Detection alone, the cheapest rung, may satisfy a regulatory requirement to label AI content. Attribution, the next rung, is what you need if a regulator asks who generated a specific piece. The paper shows these are not the same task, and the second one costs more.

What we don't know yet

The paper is a preprint and has not been peer-reviewed [S1]. Its mathematical claims, including the novelty of the entropy-rate law, are author-assessed and await independent verification.

The experimental validation covers three models: GPT-2, Pythia-410M, and Qwen2.5 [S1]. Whether the predicted constants hold for larger or different model families is an open question. The bounds are derived for stationary-ergodic sources with a well-defined entropy rate, and the paper does not claim they extend to non-stationary or non-ergodic settings.

The "statistically distortion-free" condition is a specific theoretical assumption. Many production watermarking schemes introduce measurable distributional shifts, and the paper's cost laws may not apply cleanly to them.

The footprint-resolution uncertainty principle is identified but not fully characterized in the available evidence. How it interacts with editing attacks, where a user rewrites part of the text to strip the mark, remains to be worked out.

The next concrete event to watch is whether this preprint enters peer review and whether independent groups reproduce the entropy-rate law on additional models.

If you want to follow what happens when this hits review, subscribe for the next update.

Sources

More from Not A Tech Guy


Generated from an audited evidence pack with primary-source research. Social-media items are discussion signals, not verified facts. Nothing here is financial, legal or medical advice.