Existing DNN watermarking methods are largely invasive—requiring parameter or architectural modifications—that induce behavioral drift and increase fine-tuning overhead, hindering practical deployment of Watermark-as-a-Service (WaaS). This paper proposes Non-invasive Watermark-as-a-Service (NWaaS), the first black-box API watermarking framework achieving *absolute fidelity*: it alters neither model parameters nor architecture. Instead, it establishes an output-side covert channel via a key-based encoder and a dedicated watermark decoder, implicitly embedding and reliably extracting watermarks from the outputs of X-to-Image generative models (e.g., text-to-image or image-to-image). NWaaS is architecture-agnostic and eliminates the inherent trade-off between fidelity and robustness. Extensive experiments demonstrate strong resilience against common attacks—including cropping, compression, and adversarial perturbations—across mainstream diffusion and GAN-based generators, while enabling scalable, production-ready deployment.

The intellectual property of deep neural network (DNN) models can be protected with DNN watermarking, which embeds copyright watermarks into model parameters (white-box), model behavior (black-box), or model outputs (box-free), and the watermarks can be subsequently extracted to verify model ownership or detect model theft. Despite recent advances, these existing methods are inherently intrusive, as they either modify the model parameters or alter the structure. This natural intrusiveness raises concerns about watermarking-induced shifts in model behavior and the additional cost of fine-tuning, further exacerbated by the rapidly growing model size. As a result, model owners are often reluctant to adopt DNN watermarking in practice, which limits the development of practical Watermarking as a Service (WaaS) systems. To address this issue, we introduce Nonintrusive Watermarking as a Service (NWaaS), a novel trustless paradigm designed for X-to-Image models, in which we hypothesize that with the model untouched, an owner-defined watermark can still be extracted from model outputs. Building on this concept, we propose ShadowMark, a concrete implementation of NWaaS which addresses critical deployment challenges by establishing a robust and nonintrusive side channel in the protected model's black-box API, leveraging a key encoder and a watermark decoder. It is significantly distinctive from existing solutions by attaining the so-called absolute fidelity and being applicable to different DNN architectures, while being also robust against existing attacks, eliminating the fidelity-robustness trade-off. Extensive experiments on image-to-image, noise-to-image, noise-and-text-to-image, and text-to-image models, demonstrate the efficacy and practicality of ShadowMark for real-world deployment of nonintrusive DNN watermarking.