A fraud technique that uses synthetic audio, video, or both to make an attacker appear to be a trusted person during a live interaction. The tactic exploits human trust in familiar cues and often aims to trigger urgent actions such as payments, resets, or access changes before verification is challenged.
Expanded Definition
Deepfake-based impersonation is a social engineering tactic that pairs synthetic voice, video, or both with a trusted persona so the attacker can influence a live conversation. In NHI security, it matters because the interaction often targets identity workflows, not just persuasion, with the goal of changing access, approving payments, or bypassing verification.
Definitions vary across vendors, but the core risk is consistent: the attacker exploits familiar cues such as a manager’s voice, a vendor’s video presence, or a help desk style conversation to create false legitimacy. That makes it adjacent to phishing and business email compromise, yet more dangerous in live operations because it can pressure staff into acting before controls are checked. For governance teams, the relevant question is not whether the media looks realistic, but whether the process includes out-of-band validation, step-up checks, and separation of duties. The most common misapplication is treating it as a pure awareness issue, which occurs when organisations rely on recognising fakes instead of verifying authority through policy and workflow.
For broader identity governance context, see the Ultimate Guide to NHIs and the NIST Cybersecurity Framework 2.0.
Examples and Use Cases
Implementing defences against deepfake-based impersonation rigorously often introduces friction, requiring organisations to weigh faster approvals against stronger verification before sensitive actions are taken.
- A finance team receives a live video call from a “CFO” requesting an urgent wire transfer, and the payment is delayed until an out-of-band callback confirms the request.
- A help desk is asked to reset access for a “new contractor” speaking in a cloned voice, but the workflow requires identity proofing before any credential changes are made.
- A vendor onboarding team sees a synthetic executive video during a contract escalation, and the case is routed through a second approver rather than the single person on the call.
- A security operations centre reviews a suspicious meeting recording after a privileged access request, then correlates it with identity logs and approval trails before actioning the request.
- An internal training exercise uses a simulated deepfake to test whether staff will follow policy when a familiar leader appears to authorise a secrets reset.
These scenarios align with NHI governance concerns in the Ultimate Guide to NHIs and with identity assurance principles reflected in the NIST Cybersecurity Framework 2.0. In practice, the decision point is whether the request is authenticated by process, not by appearance.
Why It Matters in NHI Security
Deepfake-based impersonation is dangerous because it targets the human layer that often approves or resets access for NHIs, secrets, and privileged workflows. When a synthetic executive or engineer can persuade staff to reveal a token, rotate a certificate incorrectly, or approve a new service account, the attacker can move from deception to durable access. This is especially relevant where organisations already struggle with NHI visibility, since Ultimate Guide to NHIs reports that only 5.7% of organisations have full visibility into their service accounts. That gap makes impersonation more likely to succeed because reviewers cannot quickly validate whether the request fits established identity patterns.
Used well, the lesson is not to distrust every voice or video, but to ensure that access decisions are bound to controls such as callback verification, approval segregation, and policy-based checks. The term connects directly to the NIST Cybersecurity Framework 2.0 because response, recovery, and protection all depend on resisting fraudulent identity assertions. Organisations typically encounter the full impact only after a fraudulent request has already triggered a payment, reset, or access change, at which point deepfake-based impersonation becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Covers impersonation and unsafe actioning in agentic and human-in-the-loop workflows. | |
| NIST CSF 2.0 | PR.AA | Identity verification and authentication controls reduce success of impersonation attacks. |
| NIST AI RMF | Addresses AI-enabled manipulation risks and governance for harmful synthetic media use. |
Assess synthetic-media misuse as an AI risk and add controls for detection, response, and accountability.
Related resources from NHI Mgmt Group
- What is the difference between phishing and deepfake-based impersonation?
- How should security teams respond to deepfake impersonation of employees or executives?
- Who is accountable when a deepfake impersonation bypasses identity controls?
- Why do voice-based identity checks fail against AI-generated impersonation?
