AuthPrint: Fingerprinting Generative Models Against Malicious Model Providers

Abstract--Generative models are increasingly adopted in high-stakes domains, yet current deployments offer no mechanisms to verify whether a given output truly originates from the certified model. We address this gap by extending model fingerprinting techniques beyond the traditional collaborative setting to one where the model provider itself may act adversarially, replacing the certified model with a cheaper or lower-quality substitute. T o our knowledge, this is the first work to study fingerprinting for provenance attribution under such a threat model. Our approach introduces a trusted verifier that, during a certification phase, extracts hidden fingerprints from the authentic model's output space and trains a detector to recognize them. During verification, this detector can determine whether new outputs are consistent with the certified model, without requiring specialized hardware or model modifications. In extensive experiments, our methods achieve near-zero FPR@95%TPR on both GANs and diffusion models, and remain effective even against subtle architectural or training changes. Furthermore, the approach is robust to adaptive adversaries that actively manipulate outputs in an attempt to evade detection. Recent advances in generative AI have led to the widespread deployment of generative models across various domains, with providers of generative AI services increasingly monetizing their models by offering subscription-based access. However, this rapid adoption has raised serious concerns about the risks posed by these models, particularly in safety-critical domains, such as healthcare and defense, where erroneous model outputs can have disastrous consequences [1]. In response, policymakers are introducing legal frameworks to regulate the use of AI and, in particular, the deployment of generative models. For instance, the European Union's AI Act mandates independent, periodic audits for "high-risk" AI systems deployed in domains such as healthcare, education, employment, and critical infrastructure [2]. This requirement to pass or be certified by an audit raises a critical question: How can users verify that a given output indeed originated from the audited model?