Anchored Decoding: Provably Reducing Copyright Risk for Any Language Model

Abstract: Modern LMs tend to memorize portions of their training data and emit verbatim spans. When the underlying sources are sensitive or copyright-protected, such reproduction raises issues of consent and compensation for creators and compliance risks for developers. We propose Anchored Decoding, a plug-and-play inference-time method for suppressing verbatim copying: it enables decoding from any risky LM trained on mixed-license data by keeping generation in bounded proximity to a permissively trained safe LM. Anchored Decoding adaptively allocates a user-chosen information budget over the generation trajectory and enforces per-step constraints that yield a sequence-level guarantee, enabling a tunable risk-utility trade-off. To make Anchored Decoding practically useful, we introduce a new permissively trained safe model (TinyComma 1.8B), as well as Anchored${\mathrm{Byte}}$ Decoding, a byte-level variant of our method that enables cross-vocabulary fusion via the ByteSampler framework (Hayase et al., 2025). We evaluate our methods across six model pairs on long-form evaluations of copyright risk and utility. Anchored and Anchored${\mathrm{Byte}}$ Decoding define a new Pareto frontier, preserving near-original fluency and factuality while eliminating up to 75% of the measurable copying gap (averaged over six copying metrics) between the risky baseline and a safe reference, at a modest inference overhead.

• The paper introduces Anchored Decoding, a novel method that blends risky and safe LM distributions to achieve formal K-NAF copyright risk mitigation.
• It employs per-token optimization with adaptive budgeting and prompt-dependent prefix debt to balance risk and utility efficiently.
• Empirical results demonstrate up to 75% reduction in copying risk while maintaining near-native fluency and factual precision across model pairs.

Anchored Decoding: Provable Copyright Risk Mitigation for LLMs

Motivation and Framework

Large-scale LMs trained on web data are susceptible to verbatim reproduction of copyrighted material, which results in substantial legal and ethical risk for developers and threatens fair compensation to content creators. Retraining or filtering frontier models is economically infeasible and may degrade model utility. Anchored Decoding introduces a universal, inference-stage algorithm for constraining any risky LM trained on mixed-license data by anchoring the generation in bounded proximity to a reference LM trained solely on permissively licensed text (the "safe" model). The objective is to preserve utility while formally controlling copyright leakage under the $K$-Near Access-Freeness ($K$-NAF) criterion.

This mechanism interpolates between the next-token distributions of the safe model ($p_s$) and risky model ($p_r$), enforcing stepwise divergence budgets such that the accumulated sequence-level divergence remains below a user-specified threshold $K$. The approach is versatile: it leverages closed-form fusion via a geometric mean of distributions and remains agnostic to vocabulary and tokenizer via a byte-level variant compatible with mismatched model pairs through ByteSampler.

Figure 1: (a) Anchored Decoding produces plausible, non-infringing continuations by bounding proximity to the safe model within budget $K$; (b) Achieves optimal risk-utility tradeoff for the pair $\{$TinyComma 1.8B, Llama 3.1 70B$\}$.

Algorithmic Design

Anchored Decoding solves the constrained optimization:

$$\min_{p} KL(p\|p_r) \quad \text{s.t.} \quad KL(p\|p_s) \le K,$$

approximated tractably by per-token local objectives, where at each decoding timestep $t$ with prefix $y_{<t}$ the next-token distribution $p_t^*$ satisfies:

$$\min_{p} KL(p\|p_r) \quad \text{s.t.} \quad KL(p\|p_s) \le k_t,$$

with $K = \sum_{t} k_t$. The solution is a weighted geometric mean of the safe and risky distributions, with mixing weights chosen via a Lagrange multiplier determined by root-finding. Sequence-level guarantees are provided by the KL chain rule and are extended to worst-case guarantees via Rényi divergence.

Two empirical enhancements improve efficacy: prompt-dependent prefix debt (offsetting the global budget when the prompt is likely memorized) and adaptive banking (allowing unused budget from low-risk steps to be reallocated for high-risk events). The byte-level variant, Anchored, sidesteps tokenization mismatches by operating on UTF-8 byte distributions, preserving safety guarantees for a broader class of model pairs.

Model Pairing and Deployment

Anchored Decoding requires access to both $p_r$ and $p_s$ at inference, but the computation overhead is modest, as the safe anchor can be much smaller than the risky model. For token-level compatibility, the authors release TinyComma 1.8B, a compact, well-performing LM trained exclusively on the Common Pile with a Llama 3.1 tokenizer, facilitating paired decoding with state-of-the-art models. The byte-level Anchored framework enables fusion with larger Comma 7B models, Qwen 2.5, and Llama 4 variants regardless of tokenization.

Copyright Risk and Utility Evaluation

Copyright risk is measured on excerpts from recently copyrighted books using six metrics: ROUGE-1/L above threshold, MinHash, word-/char-level LCS, and ACS. Utility is evaluated on two axes: fluency (LLM-as-a-judge with Prometheus-v2) and factual precision (FActScore claim precision on biographical generation). The Normalized Copying Reduction (NCR) quantifies the fraction of the risk gap between $p_r$ and $p_s$ that is closed by a particular method, with a high-protection regime defined as NCR $\geq 75\%$.

Figure 2: Anchored and Anchored define the Pareto frontier for risk-utility tradeoff at byte level across five model pairs.

Empirical Results and Ablations

Anchored Decoding achieves strong results over six model pairs. At the high-protection regime, Anchored Decoding eliminates up to 75% of the measurable copying gap with nearly original fluency and factuality, outperforming prior baselines in both metrics. Ablation studies demonstrate that adaptive budgeting and top-$n$ prefix debt are critical for Pareto-optimal tradeoffs; naïve global or constant budgeting and averaging prefix LLRs degrade performance.

Figure 3: Ablation of the optimization, prefix debt, and adaptive budgeting axes reveals superiority of Anchored Decoding variants.

With two-model overhead, inference slows by only $\sim$1.1x compared to standalone $p_r$ decoding, with minimal incremental arithmetic compute; wall-clock delays primarily arise from synchronization and logit fusion bandwidth.

Diagnostic Analysis

Per-step KL divergence between $p_r$ and $p_s$ reliably signals memorization events, with Copyright prompts producing heavier right tails compared to creative and factual domains. Copying risk is front-loaded in generation, motivating the prefix debt mechanism. High-copying events are detected early both at token and byte levels.

Figure 4: Per-step $\mathrm{KL}(p_r\|p_s)$ spikes in copyright-sensitive domains.

Figure 5: Histogram of copying metric start positions underscores early clustering in Copyright generations.

Figure 6: KDE of prefix log-likelihood ratios reveals Copyright prompts induce large positive LLR, triggering prefix debt.

Limitations and Extensions

Anchored Decoding is not a binary filter and inherits the baseline risk of the safe model; guarantees hold strictly within the evaluation protocol. The method's mitigation is probabilistic and local, not sequence-optimal. A limitation is that divergence-based proximity may suppress legitimate rare factual recall when the safe anchor is capacity-limited. Efficacy further depends on certainty in training data provenance for $p_s$.

Anchored Decoding generalizes beyond copyright to other risk-mitigation scenarios: sensitive-attribute leakage, domain or policy compliance, or alignment with licensed corpora. The reference-anchored paradigm extends to any generative process requiring bounding by a trusted distribution.

Future Directions

Anchored Decoding and Anchored are compatible with most modern LMs, particularly via byte-level decoding. Extension to non-text modalities—such as image or video models—via reference distribution bounding is feasible, as is integration for privacy, code safety, or policy enforcement. Future developments may address global sequence-level optimization to improve factual recall for rare entities and robust provenance verification.

Figure 7: TinyComma 1.8B benchmarks as the strongest open 2B-range LM on OLMES tasks.

Figure 8: Debt window trade-off curves illustrate prefix debt window $n$ is robust to choice.

Figure 9: Deciles of prefix debt correlate tightly with copyright copying metrics.

Figure 10: Adaptive budget tracks KL spikes adaptively across random trajectories.

Conclusion

Anchored Decoding offers a theoretically sound, practical, and tunable mechanism for post-hoc mitigation of copyright risk in LMs. It closes the majority of the copying gap between risky and safe baselines while preserving near-native utility, and is applicable to a wide class of model pairs. The framework is general and lends itself to broader compliance and safety scenarios in generative modeling. The empirical results demonstrate consistent Pareto-optimality, and released artifacts, including TinyComma 1.8B and an open codebase, facilitate reproducibility and further innovation.