This work addresses the lack of traceability in behavioral trajectories of large language model (LLM) agents, which hinders source verification, attribution, and prevention of unauthorized reuse. To this end, the paper proposes SeqWM, a novel framework that embeds watermarks into the sequential transition patterns of agent actions. By modeling conditional transition probabilities conditioned on historical context, SeqWM enables position-invariant and robust watermark verification. The approach effectively handles challenges such as trajectory truncation, perturbation, and misalignment, overcoming the limitations of existing methods that treat actions as independent events. Experimental results demonstrate that SeqWM achieves high detection accuracy while preserving agent utility across diverse LLM-based agent benchmarks, significantly outperforming current behavioral watermarking techniques—particularly under degraded or incomplete trajectory conditions.

LLM-based agents act through sequences of executable decisions, but their trajectories provide little evidence of which agent or policy produced them, making provenance, ownership, and unauthorized reuse difficult to establish from observed behavior alone. This motivates watermarking signals embedded directly into agent behavior rather than only into generated text, since text watermarking cannot capture the action-level decisions that define agent execution. Recent agent watermarking methods address this gap by moving the watermark from generated text to behavioral choices. However, by treating each action step as an independent trial, they overlook trajectory structure and become fragile when trajectories are perturbed, truncated, or observed without reliable alignment. We propose SeqWM, a sequential behavioral watermarking framework that embeds signals into history-conditioned transition patterns and verifies trajectories position-agnostically against random-key baselines. Experiments across diverse agent benchmarks and LLM backbones show that SeqWM consistently achieves reliable detection while preserving agent utility, and remains robust under trajectory corruption where round-indexed behavioral watermarks collapse.