This work addresses the pressing model theft threat in large language model (LLM) deployment by systematically evaluating the practical bottlenecks of watermarking techniques. We propose the first Systematization of Knowledge (SoK) for LLM watermarking, introducing a principled watermark taxonomy and an intellectual property (IP) attribution classifier, and quantifying the robustness–utility trade-off. Through comprehensive adversarial robustness evaluation, output distribution analysis, and multi-dimensional utility benchmarking—including perplexity, question answering, and summarization—we find that state-of-the-art watermarks significantly degrade downstream performance (average +2.3% perplexity, −4.1% ROUGE-L). Our results demonstrate that existing methods fail to achieve an industrially viable balance between security and utility, exposing critical deployment bottlenecks. This study provides both a theoretical framework and empirical foundation for trustworthy LLM governance.

Large Language Models (LLMs) have transformed natural language processing, demonstrating impressive capabilities across diverse tasks. However, deploying these models introduces critical risks related to intellectual property violations and potential misuse, particularly as adversaries can imitate these models to steal services or generate misleading outputs. We specifically focus on model stealing attacks, as they are highly relevant to proprietary LLMs and pose a serious threat to their security, revenue, and ethical deployment. While various watermarking techniques have emerged to mitigate these risks, it remains unclear how far the community and industry have progressed in developing and deploying watermarks in LLMs. To bridge this gap, we aim to develop a comprehensive systematization for watermarks in LLMs by 1) presenting a detailed taxonomy for watermarks in LLMs, 2) proposing a novel intellectual property classifier to explore the effectiveness and impacts of watermarks on LLMs under both attack and attack-free environments, 3) analyzing the limitations of existing watermarks in LLMs, and 4) discussing practical challenges and potential future directions for watermarks in LLMs. Through extensive experiments, we show that despite promising research outcomes and significant attention from leading companies and community to deploy watermarks, these techniques have yet to reach their full potential in real-world applications due to their unfavorable impacts on model utility of LLMs and downstream tasks. Our findings provide an insightful understanding of watermarks in LLMs, highlighting the need for practical watermarks solutions tailored to LLM deployment.