The most cited approach to text watermarking (Kirchenbauer et al., 2023) works by splitting the vocabulary into "green" and "red" lists at each generation step, using a hash of the previous token as the seed. The model is then biased to prefer green-list tokens. A detector that knows the hashing scheme can check whether a text uses statistically more green-list tokens than expected by chance. The bias is small enough that humans don't notice, but large enough for statistical detection over a few hundred tokens.
Text watermarks are fragile. Paraphrasing the text (manually or with another model), translating to another language and back, or even inserting/deleting a few words can destroy the statistical signal. This is fundamentally different from image watermarks, which can survive cropping, compression, and resizing. The research community is working on more robust schemes, but there's an inherent tension: a stronger watermark affects text quality, while a subtler watermark is easier to remove.
The EU AI Act mandates that AI-generated content be labeled as such, pushing watermarking from research toward deployment. Google's SynthID and Meta's watermarking research are production implementations. But voluntary adoption is uneven — if only some providers watermark, users can simply switch to one that doesn't. Effective watermarking may ultimately require regulation or industry-wide standards, similar to how content ratings work for media.