Subscribe to the Non-Human & AI Identity Journal

Who is accountable for proving authenticity during a deepfake crisis?

Accountability should sit across security, legal, records management, and executive communications because the problem spans technology and trust. Security protects the data, legal preserves evidentiary value, and communications validates what can safely be stated publicly.

Why This Matters for Security Teams

A deepfake crisis is not just a media problem. It is an authenticity problem that can affect incident response, fraud prevention, executive authority, and legal admissibility at the same time. Security teams often want a single owner, but proof of authenticity is a chain of custody issue that spans technical evidence, policy decisions, and public statements. Current guidance suggests treating this as an integrity and verification workflow, not a branding exercise.

The risk is amplified when organisations already struggle with identity hygiene and evidence handling. NHIMG notes in the Ultimate Guide to NHIs that 79% of organisations have experienced secrets leaks, with 77% of those incidents causing tangible damage. That matters because the same teams that cannot reliably control secrets often also lack disciplined provenance controls for audio, video, and executive communications. NIST’s NIST SP 800-53 Rev 5 Security and Privacy Controls reinforces the need for auditability, incident handling, and media protection as part of a broader control environment.

In practice, many security teams encounter authenticity failures only after a fake recording has already circulated, rather than through intentional verification planning.

How It Works in Practice

Accountability should be assigned by function, with one group owning the evidence trail and others owning interpretation and disclosure. Security usually preserves source artifacts, metadata, platform logs, and access records. Legal determines what can be represented as fact, what requires qualification, and how to preserve evidentiary value. Records management maintains retention, versioning, and chain-of-custody procedures. Executive communications controls the approved narrative and ensures no one overstates certainty.

That division works best when the organisation has a prebuilt verification playbook. A practical workflow often includes:

  • Preserving original files, timestamps, hashes, and transmission metadata before any analysis.
  • Validating whether the content originated from trusted channels, signed systems, or controlled recording environments.
  • Comparing the item against known-good references, including prior voice samples, video baselines, or authenticated statements.
  • Escalating uncertain cases to a cross-functional review group before public response.
  • Documenting every decision so later review can show who confirmed what and on what basis.

For identity-heavy environments, the same discipline applies to system-generated content and machine actions. NHIMG’s Ultimate Guide to NHIs is useful here because it frames authenticity as part of broader identity governance, not a one-off verification step. NIST guidance on control families also supports separating evidence handling from message approval, which is the right model for crisis response. These controls tend to break down when communications teams publish before legal preserves the artifact set, because the evidentiary record is already compromised.

Common Variations and Edge Cases

Tighter authenticity controls often increase response time, requiring organisations to balance speed against evidentiary certainty. That tradeoff becomes most visible in fast-moving public incidents, where waiting for proof can look like hesitation, but speaking too quickly can amplify a fake.

There is no universal standard for this yet, but current guidance suggests treating high-confidence authenticity claims differently from operationally useful statements. For example, a team may be able to say “the recording does not match our approved channel history” without claiming the content is definitively fake. That distinction matters when the evidence is incomplete or the source is a third-party platform with limited metadata.

Edge cases include live deepfake calls, impersonated executives in crisis chat channels, and altered clips that mix real and synthetic material. In those situations, accountability still remains shared, but the incident commander should designate one evidence custodian and one public spokesperson. The best practice is evolving toward signed media, provenance logging, and preapproved verification triggers, but there is no universal standard for this yet. Organisations that lack retention discipline, especially across collaboration tools and mobile devices, usually lose the proof trail before the authenticity dispute is even formally opened.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 ID.AM-7 Authenticity crises depend on knowing critical information assets and their ownership.
OWASP Non-Human Identity Top 10 NHI-01 Authenticity failures often involve compromised non-human channels and credentials.
NIST AI RMF AI RMF governance supports accountability for trustworthy AI-related claims.

Maintain a current inventory of sensitive media sources and assign accountable owners for verification.