Subscribe to the Non-Human & AI Identity Journal

How should insurers prevent application fraud in digital onboarding flows?

Insurers should require identity proofing before any sensitive data is disclosed or auto-filled to the applicant. The key is sequencing: do not let unverified users see attributes that help them complete fraud elsewhere. Pair proofing with device, phone, and reputation signals so stolen consumer data alone cannot establish trust.

Why This Matters for Security Teams

digital onboarding is a fraud target because it concentrates high-value identity data, policy decisions, and account creation in one short flow. If insurers reveal stored attributes, pre-fill sensitive fields, or trust weak signals too early, an attacker can use stolen consumer data to pass as a legitimate applicant and then pivot into claims fraud, policy abuse, or account takeover. Current guidance suggests sequencing controls so verification happens before disclosure, not after.

This is not only an identity-proofing problem. It is also an access-control problem: the onboarding journey must decide what the applicant can see and do at each step. That makes alignment with NIST SP 800-53 Rev 5 Security and Privacy Controls relevant, especially where verification, fraud monitoring, and least privilege intersect. The risk becomes sharper when onboarding integrates external data sources, mobile devices, and instant decisioning engines.

NHI Management Group’s research shows how quickly attackers exploit trust boundaries in automated workflows, including the CI/CD pipeline exploitation case study and the Emerald Whale breach, where secrets and automation were abused to scale impact. In practice, many security teams discover onboarding fraud only after an attacker has already used the flow to validate stolen data and open a path to downstream abuse.

How It Works in Practice

The operational goal is to make the onboarding flow progressively trustworthy. A user should not receive auto-filled policy details, address history, risk attributes, or account benefits until the insurer has enough evidence that the applicant is real and that the device, phone number, and session context are consistent with the claimed identity. That sequencing reduces the value of stolen PII because the attacker cannot use the insurer’s own data to complete fraud elsewhere.

A practical design usually combines several controls:

  • Identity proofing before disclosure of sensitive fields or policy-specific data.
  • Document checks and biometric or liveness steps where the product and jurisdiction permit them.
  • Device intelligence, phone reputation, and velocity checks to spot recycled or synthetic identities.
  • Step-up verification when the flow requests a payout method, dependent, beneficiary, or other fraud-sensitive attribute.
  • Fraud telemetry shared across the onboarding, underwriting, and claims journey so the same identity cannot be re-used with a different risk posture.

For insurers operating across jurisdictions, identity policy must also reflect regulatory context. The verification standard for a low-risk quote flow is not always the same as for a bound policy, and the evidentiary burden may vary under eIDAS 2.0 — EU Digital Identity Framework or related customer due diligence expectations such as the FATF Recommendations — AML and KYC Framework. NHIMG’s broader guidance on secrets exposure in Millions of Misconfigured Git Servers Leaking Secrets underscores a related point: attackers often combine identity data with operational leakage to defeat weak onboarding.

These controls tend to break down when insurers let legacy CRM, quote, and policy systems pre-populate fields before proofing is complete, because the attacker can harvest enough context to pass later checks.

Common Variations and Edge Cases

Tighter onboarding controls often increase abandonment and manual review, so insurers must balance fraud reduction against conversion friction. Best practice is evolving, and there is no universal standard for how much friction is appropriate at each product tier.

Low-value quote requests may justify lighter proofing, while high-limit products, payment changes, beneficiary updates, and accelerated issuance usually deserve stronger checks. A common edge case is synthetic identity fraud, where no single attribute looks suspicious, but the total pattern does. Another is business-to-consumer distribution through agents or aggregators, where the insurer may inherit trust signals from a third party but still needs independent verification before binding coverage.

Insurers should also be careful not to treat device or phone signals as proof of identity on their own. Those signals are useful for risk scoring, but they can be replayed, forwarded, or manipulated. The stronger pattern is to combine them with policy-as-code decisioning, step-up verification, and explicit limits on what the applicant can view until trust is established. That keeps the onboarding flow from becoming an identity oracle for attackers. The edge cases are remote-assisted applications and call-center handoffs, where a human intermediary can accidentally bypass the sequencing controls if the workflow is not enforced centrally.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Covers identity lifecycle and trust boundaries for non-human access in automated flows.
OWASP Agentic AI Top 10 A-04 Relevant where onboarding logic uses autonomous decisioning or AI-assisted fraud checks.
CSA MAESTRO IAM-01 Addresses identity-centric controls for agentic or automated workflows in customer onboarding.
NIST AI RMF Supports governance of AI-assisted fraud scoring and automated onboarding decisions.
NIST CSF 2.0 PR.AC-1 Access permissions and identity proofing map directly to controlled onboarding access.

Limit what automated actors can access until identity assurance is complete and continuously enforced.