Watermarking is widely proposed for provenance, attribution, and safety monitoring in generative models, yet is typically evaluated only under adversaries who attempt to evade detection or induce false positives at the level of individual samples. We argue that watermarking should be treated as a monitoring primitive, and that internal monitoring is unavoidable given per-entity attribution keys and messages, as well as detector access. We introduce an observer-based threat model in which observers can aggregate watermark signals across outputs to infer entity-level information, showing that even zero-bit watermarking enables attribution under multi-key settings. We further show that external monitoring can emerge over time from persistent, key-dependent statistical structure, although this depends on watermark design and may be mitigated by distribution-preserving or undetectable schemes. Our findings reveal a fundamental dual-use tension between attribution and monitoring, motivating evaluation of watermarking beyond per-sample robustness to account for aggregation and observer-based capabilities.

翻译：水印被广泛用于生成模型中的溯源、归属及安全监控，但其评估通常仅针对试图在单个样本层面规避检测或引发误报的对手。我们主张应将水印视为一种监控原语，且鉴于每个实体的归属密钥与消息以及检测器可访问性，内部监控难以避免。我们提出了一种基于观察者的威胁模型，在该模型中观察者能够聚合跨输出的水印信号以推断实体级信息，证明即便零比特水印也能在多密钥设置下实现归属。我们进一步表明，持续的密钥相关统计结构可能随时间催生外部监控能力，尽管这取决于水印设计，且可通过分布保持或不可检测方案加以缓解。我们的发现揭示了归属与监控之间根本性的双重用途矛盾，推动水印评估超越单样本鲁棒性，将聚合能力与基于观察者的能力纳入考量。