They should combine document validation, liveness detection, behavioural analytics, and risk-based step-up checks rather than relying on a single identity proofing event. Deepfakes and synthetic identities are strongest when a programme trusts one signal too much. The goal is to make spoofed evidence fail across multiple independent checks before approval.
Why This Matters for Security Teams
Deepfakes and synthetic identities change fraud from a static identity-check problem into a live adversarial one. A forged face, voice, document, or profile can look credible at the moment of proofing, then be reused to open accounts, bypass recovery, or impersonate a trusted customer or contractor. The risk is not just enrollment fraud. It is downstream trust collapse across onboarding, support, payments, and privileged access.
Security teams often over-rely on a single high-confidence signal, such as a government ID scan or one successful liveness check. That approach breaks when attackers chain multiple low-cost artifacts that each pass one control but fail under correlation. Current guidance suggests treating identity proofing as a sequence of independent checks, not a one-time verdict. The same pattern appears in broader NHI risk research: NHI security maturity is still low, and attack paths often succeed because organisations trust one credential or one visibility layer too much, as discussed in The State of Non-Human Identity Security and The 52 NHI breaches Report. In practice, many security teams encounter synthetic identity abuse only after accounts are opened, funds are moved, or recovery workflows have already been exploited.
How It Works in Practice
Reducing fraud requires layered verification that is hard to replay, automate, or socially engineer. The practical model combines document authenticity checks, biometric and liveness tests, device and network risk signals, behavioural analytics, and step-up review when any signal conflicts. Security teams should prefer evidence that is difficult to synthesize at scale, and they should score the whole interaction rather than the document alone.
Where the programme is mature, the workflow usually looks like this:
- Validate document structure, issuer data, and tamper indicators before accepting image-based proof.
- Use liveness detection that is resistant to replay, injection, and deepfake video, then verify consistency across multiple frames or prompts.
- Compare behavioural patterns such as typing rhythm, navigation flow, device reputation, and session anomalies against known fraud clusters.
- Apply risk-based step-up checks for unusual geography, velocity, identity mismatch, or recovery attempts.
- Route borderline cases to human review with a clear evidence bundle instead of auto-approving on partial confidence.
This is where identity governance and fraud controls converge. Deepfake-enabled attacks often pair with compromised workflows, so teams should also watch for tool abuse, exposed secrets, and weak access boundaries, as shown in LLMjacking: How Attackers Hijack AI Using Compromised NHIs and the broader patterns in Ultimate Guide to NHIs — Key Challenges and Risks. External advisories from CISA cyber threat advisories and the MITRE ATLAS adversarial AI threat matrix support a multi-signal, adversary-aware approach. These controls tend to break down when organisations keep a fast-path approval for high-value users or when review teams cannot see linked accounts, reused devices, and repeated proofing artefacts.
Common Variations and Edge Cases
Tighter verification often increases friction, false rejects, and review workload, so organisations must balance fraud reduction against customer abandonment and operational cost. That tradeoff is real, especially in high-volume onboarding or support environments where speed is part of the service model.
Best practice is evolving, not fully settled, in a few areas. There is no universal standard yet for how much behavioural telemetry is enough to justify a rejection, or how to weight synthetic media detection against customer experience. For low-risk journeys, lightweight proofing with selective step-up may be enough. For account recovery, payments, or high-trust roles, stronger challenge ladders are warranted. Teams should also plan for edge cases such as accessibility needs, camera limitations, international identity documents, and legitimate users whose behaviour looks unusual because of device sharing or remote assistance.
The most reliable programmes treat fraud controls as adaptive rather than binary, and they tune thresholds based on loss patterns, not vendor claims. NHIMG’s research on identity-related attack patterns shows that weak visibility and over-trust are recurring failure modes, which is why practitioners should anchor controls in Top 10 NHI Issues and the OWASP NHI Top 10 where automation and identity abuse intersect.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Deepfake fraud often uses automated and agentic abuse chains. | |
| CSA MAESTRO | MAESTRO addresses trust, workflow, and runtime risk in AI-driven systems. | |
| NIST AI RMF | AI RMF helps manage fraud risk from synthetic media and model-driven decisions. |
Apply layered verification and abuse-resistant controls across every identity proofing step.
