Proxy betting is when one person uses another person’s authenticated account to place wagers, often from a different location. The account may pass login controls while still violating jurisdiction, consent, and fraud rules, which makes it an identity governance problem as well as a gambling integrity issue.
Expanded Definition
Proxy betting is a form of delegated access abuse: one authenticated account is used by a person who is not the legitimate account holder, often from a different device, network, or jurisdiction. In NHI governance terms, the key issue is not whether the session was technically authenticated, but whether the acting party had authority to use that identity. That distinction matters because identity proofing, consent, geo restrictions, and fraud controls all depend on who is actually operating the account.
Definitions vary across vendors and regulated markets on whether proxy betting is treated primarily as account sharing, fraud, collusion, or a jurisdictional violation. For NHI and access governance, it is best understood as an identity assurance failure paired with policy abuse. A login that passes MFA or password checks can still be illegitimate if the account is being controlled by a proxy operator. That is why controls around device binding, session integrity, behavioral signals, and step-up verification are often discussed alongside account ownership and permitted-use rules. The most common misapplication is treating successful authentication as proof of authorized use, which occurs when enforcement ends at login rather than continuing through session behavior and location checks.
For broader identity-risk context, NHI Management Group notes that Ultimate Guide to NHIs shows how identity misuse often persists when governance stops at authentication. The access-control logic behind proxy betting also aligns with the NIST Cybersecurity Framework 2.0, especially where identity assurance and continuous monitoring are expected to work together.
Examples and Use Cases
Implementing proxy-betting controls rigorously often introduces friction for legitimate users, so operators must weigh fraud reduction and regulatory compliance against false positives and a less seamless experience.
- A bettor logs in from one country, then another person places wagers from a different region using the same session, triggering jurisdiction and age-verification concerns.
- A shared household device is used to access an account, and the platform cannot distinguish between the account holder and a proxy actor without stronger behavioral or device signals.
- A casino or sportsbook detects repeated login success from one credential pair but inconsistent location, timing, and wagering patterns, indicating possible delegated use rather than ordinary travel.
- A platform links repeated proxies to one promoter or affiliate, revealing coordinated account misuse that blends fraud, bonus abuse, and identity impersonation.
- Identity and access teams use guidance from the NIST Cybersecurity Framework 2.0 to strengthen monitoring, while Ultimate Guide to NHIs helps frame how authenticated access can still be operationally unauthorized when governance is weak.
In practice, proxy betting controls are most effective when they combine account ownership checks, geolocation policy, velocity analysis, and session risk scoring rather than relying on password or MFA success alone.
Why It Matters in NHI Security
Proxy betting matters in NHI security because it exposes a recurring governance flaw: a system can authenticate a credential while still failing to verify the actor behind it. That same gap appears in service-account abuse, shared API keys, and delegated access without approval. When organizations ignore this pattern, they lose the ability to enforce jurisdictional restrictions, detect collusion, and prove that access was used by the intended party. The issue is especially serious in regulated environments where identity controls are expected to support compliance, not merely login.
NHI Management Group research shows that Ultimate Guide to NHIs reports 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, underscoring how often trusted access becomes the path of abuse. That same lesson applies here: once an authenticated identity is reused outside its intended context, policy enforcement becomes a matter of evidence, not assumption. Proxy betting also maps to continuous monitoring expectations in the NIST Cybersecurity Framework 2.0, where anomalous use must be detected and acted on quickly.
Organisations typically encounter the full impact of proxy betting only after disputed wagers, compliance investigations, or fraud losses surface, at which point identity governance becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Proxy betting mirrors unauthorized identity use after valid authentication. |
| NIST CSF 2.0 | PR.AA-01 | Identity proofing and authentication must support the real actor behind access. |
| NIST Zero Trust (SP 800-207) | Zero Trust requires continuous verification after initial authentication. | |
| NIST SP 800-63 | IAL2 | Identity assurance levels help limit account use to verified individuals. |
| OWASP Agentic AI Top 10 | A-03 | Unchecked tool or account use can occur after initial authorization. |
Raise assurance when delegated or remote use is suspected and require re-verification before sensitive actions.