ARM has a team involved in accounting and finding "catch up revenue." These are royalty payments that were supposed to be paid but the customer "accidentally forgot" to pay, but thanks to ARM's "helpful accountants" they get the money sent over.
How exactly ARM does this isn't always clear. For hard IP there is a GDS layer called IP tags, and the foundry is supposed to scan this layer and can report numbers back to IP providers like ARM, Cadence, Synopsys, etc. If the customer removed this layer "accidentally" then the foundry can still scan for certain patterns and structures within the GDS mask data, like a unique hidden watermark, and report back to the IP vendor.
For soft IP that is synthesized there are probably other ways to do it but I'm not that up to date.
I believe this is because ARM wasn't confident they'd be able to enforce licensing effectively.
For non-FPGA designs, they only need to have insider knowledge from a handful of fab companies to detect those using cores without valid licenses.