This work proposes a novel approach to safeguard the intellectual property of vision foundation models, whose training incurs substantial costs, by embedding imperceptible watermarks into their internal feature representations. The method leverages a lightweight encoder-decoder network to inject watermarks into a reserved image set, enabling reliable ownership verification. Crucially, the watermark remains detectable even in functionally replicated models while significantly reducing both false positive and false negative rates. Theoretical analysis and extensive experiments demonstrate that the technique achieves high detection accuracy for watermarked models and an extremely low false alarm rate on non-watermarked ones, offering an efficient and robust solution for copyright protection of vision foundation models.

Being trained on large and diverse datasets, visual foundation models (VFMs) can be fine-tuned to achieve remarkable performance and efficiency in various downstream computer vision tasks. The high computational cost of data collection and training makes these models valuable assets, which motivates some VFM owners to distribute them alongside a license to protect their intellectual property rights. In this paper, we propose an approach to ownership verification of visual foundation models that leverages a small encoder-decoder network to embed digital watermarks into an internal representation of a hold-out set of input images. The method is based on random watermark embedding, which makes the watermark statistics detectable in functional copies of the watermarked model. Both theoretically and experimentally, we demonstrate that the proposed method yields a low probability of false detection for non-watermarked models and a low probability of false misdetection for watermarked models.