Sequential Behavioral Watermarking for LLM Agents
For developers and deployers of LLM-based agents, SeqWM provides a robust method for establishing provenance and ownership of agent behavior, addressing the fragility of existing behavioral watermarks under trajectory perturbations.
SeqWM embeds watermarks into LLM agent behavioral trajectories using history-conditioned transition patterns and position-agnostic verification, achieving reliable detection across diverse benchmarks while preserving agent utility and remaining robust under trajectory corruption where prior methods fail.
LLM-based agents act through sequences of executable decisions, but their trajectories provide little evidence of which agent or policy produced them, making provenance, ownership, and unauthorized reuse difficult to establish from observed behavior alone. This motivates watermarking signals embedded directly into agent behavior rather than only into generated text, since text watermarking cannot capture the action-level decisions that define agent execution. Recent agent watermarking methods address this gap by moving the watermark from generated text to behavioral choices. However, by treating each action step as an independent trial, they overlook trajectory structure and become fragile when trajectories are perturbed, truncated, or observed without reliable alignment. We propose SeqWM, a sequential behavioral watermarking framework that embeds signals into history-conditioned transition patterns and verifies trajectories position-agnostically against random-key baselines. Experiments across diverse agent benchmarks and LLM backbones show that SeqWM consistently achieves reliable detection while preserving agent utility, and remains robust under trajectory corruption where round-indexed behavioral watermarks collapse.