By NHI Mgmt Group Editorial Team
Published 2026-06-30
Domain: Governance & Risk
Source: SumSub

TL;DR: AI-generated identities, deepfake liveness attacks, romance scams, synthetic profiles, and coordinated fraud networks are making online dating trust harder to establish, while users still expect low-friction experiences, according to SumSub and the ODDA. The central issue is that one-time checks and reactive moderation no longer match the speed, scale, and believability of AI-enabled deception.


At a glance

What this is: This white paper examines how AI-enabled deception is changing trust and safety in online dating and what verification models can still work.

Why it matters: It matters to IAM and security leaders because the same trust signals, verification trade-offs, and fraud patterns are increasingly relevant across NHI, autonomous systems, and human identity journeys.



Context

Online dating depends on fast trust decisions, but AI-generated profiles and deepfake verification attempts are eroding the reliability of the signals users and platforms have traditionally relied on. When deception can be created at machine speed, identity assurance has to move beyond static profile checks and into behavioural and risk-based validation.

The governance question is not whether fraud exists, but whether trust and safety models can keep up without turning the user experience into a friction-heavy security funnel. For IAM, fraud, and platform teams, that makes identity proofing, age assurance, and visible trust signals part of the same broader assurance problem seen across human identity and non-human identity programmes.

The article's baseline is typical for consumer platforms: a high-trust service facing low-friction expectations. What is changing is the scale and realism of AI-assisted impersonation, which makes older moderation and verification patterns less dependable.


Key questions

Q: How should dating platforms reduce AI-generated profile fraud without adding too much friction?

A: Use layered assurance, not a single verification gate. Combine liveness testing, behavioural signals, device reputation, and selective step-up checks so low-risk users move quickly while suspicious accounts face additional scrutiny. The goal is to raise attacker cost without making genuine users feel they are entering a security investigation. Trust has to be proportional to risk.

Q: Why do one-time verification checks fail against synthetic identities?

A: One-time checks fail because they verify a moment, not a pattern. Synthetic identities can be built to pass a selfie or document test while still behaving like fraud later. Platforms need to correlate profile consistency, conversation behaviour, and session risk over time, because the abuse path often emerges after the first successful check.

Q: What do security teams get wrong about trust signals in online dating?

A: They often treat trust signals as static proof instead of dynamic evidence. In practice, a badge or successful check means little if the account later shows coordinated behaviour, rapid device rotation, or attempts to move the conversation off-platform. Trust signals are only useful when they are continuously re-evaluated.

Q: Who is accountable when AI-enabled romance fraud succeeds on a platform?

A: Accountability usually sits with the platform owner for the control design, with operational responsibility shared across trust and safety, fraud, and identity teams. When platforms allow low-assurance onboarding and weak escalation paths, they create the conditions for abuse. Governance should define who owns detection, who owns intervention, and who owns user communication.


Technical breakdown

How AI-generated identities bypass dating verification flows

AI-generated identities reduce the reliability of the usual trust signals because they can be tuned to look consistent across profile photos, biography fields, and message patterns. Deepfake liveness attacks target the moment where platforms try to prove that a face, camera feed, or short video corresponds to a real person. In practice, this collapses simple document or selfie verification into a probability problem, not a binary pass or fail. Platforms therefore need to treat identity proofing as an ongoing risk signal, not a one-time gate.

Practical implication: replace single-step verification with layered checks that can be raised only when risk increases.

Why reactive moderation fails against coordinated fraud networks

Reactive moderation works when abuse is slow and visible, but coordinated fraud networks operate across many accounts, rotating personas and adapting language to evade detection. That means the fraud pattern is distributed rather than isolated, and the platform only sees fragments unless it correlates behaviour across sessions, devices, and identity attributes. The article's concern is not just bad accounts, but the system's inability to connect them fast enough to matter.

Practical implication: build cross-session correlation and high-risk triage so suspicious clusters are detected before they scale.

Reusable identity signals and the DATE framework

Reusable identity signals aim to let trustworthy users carry assurance forward without repeating the same friction every time they interact. That works only if the platform can separate durable trust indicators from transient activity and then apply them proportionately. The DATE framing in the white paper points to deterrence, behavioral analysis, high-risk triage, and user empowerment as a way to keep verification visible without making it punitive. The design challenge is to increase confidence while preserving legitimate user intent.

Practical implication: design verification journeys around risk-based escalation and user transparency rather than uniform challenge for every interaction.


Threat narrative

Attacker objective: The attacker aims to convert platform trust into financial fraud, social engineering success, or scalable deception across many victims.

  1. Entry occurs when attackers create synthetic profiles or use AI-generated identities to appear credible on dating platforms.
  2. Escalation follows through deepfake liveness attacks, message manipulation, and coordinated account behaviour that bypasses routine checks and builds false trust.
  3. Impact occurs when victims are moved into romance scams, off-platform fraud, or repeated deception campaigns that damage both users and platform confidence.


NHI Mgmt Group analysis

AI-generated dating fraud is a trust signal problem, not just a moderation problem. The central failure is that platforms still rely on identity cues that can now be synthesized faster than they can be reviewed. When profile authenticity, liveness, and intent can all be faked with AI, the governance model must treat assurance as a continuous control plane rather than a front-door check. Practitioners should read this as a shift from account review to trust orchestration.

Behavioral correlation is now more valuable than single-event verification. A one-time selfie, document scan, or phone check says little when fraud networks rotate through synthetic personas at scale. The governance implication is that platform risk now sits in patterns across time, devices, and sessions, which is closer to identity intelligence than point-in-time proofing. Teams should expect their highest-signal detection to come from correlation, not friction.

Visible trust features are becoming part of the identity control stack. Users will not accept endless checkpoints, but they will respond to understandable trust cues that reduce ambiguity. That means the trust model must be legible, not merely secure, because adoption and safety now depend on the same user journey. Practitioners should treat trust UX as a governance control, not a marketing layer.

Reusable identity signals create the possibility of proportionate assurance, but only if platforms separate durable trust from transient behavior. The named concept here is trust reuse with risk gating: verified signals can reduce repetition only when the platform can re-evaluate them against current behavior. Without that separation, reuse becomes persistence of false confidence. Practitioners should think in terms of conditional portability, not permanent trust.

Dating platforms are facing the same governance pressure that NHIs already exposed in enterprise identity. High volume, low visibility, and weak lifecycle controls produce the same structural weakness whether the subject is a service account or a user profile. The broader lesson is that identity assurance degrades when systems cannot distinguish stable identity from convenient appearance. Practitioners should align fraud, IAM, and trust-and-safety control design before the gaps widen further.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • Read Top 10 NHI Issues for the control failures that let low-visibility identities and weak governance persist.

What this signals

Trust reuse with risk gating: online dating platforms now need a model that lets verified users move faster without assuming every interaction deserves the same assurance burden. The practical lesson is that identity confidence should follow behaviour, not just initial proofing, and that selective challenge is more sustainable than universal friction.

The governance pressure here mirrors what identity teams already see in machine identity environments. When access, trust, and lifecycle are not continuously reassessed, the control surface becomes easier to game than to defend. The same discipline that limits NHI sprawl, visible in the fact that NHIs outnumber human identities by 25x to 50x in modern enterprises, should shape how platforms think about synthetic user populations.

For practitioners building trust and safety programmes, the next step is to connect fraud signals to identity governance rather than leaving them in separate operational silos. That means linking verification outcomes, abuse patterns, and escalation logic to the same risk framework that already supports stronger identity assurance across human and non-human journeys.


For practitioners

  • Add behavioural correlation to identity proofing: Use device, session, message-pattern, and velocity signals together so a single verification event is never treated as final proof of authenticity.
  • Create high-risk triage for suspicious matching and messaging patterns: Escalate reviews only when account clusters, liveness anomalies, or off-platform migration signals converge, rather than challenging every user equally.
  • Design visible trust cues that users can understand: Surface verification state, age assurance, and trust badges in a way that explains why a profile is challenged or cleared.
  • Limit overreliance on one-time checks: Treat selfies, document scans, and phone validation as inputs to an ongoing assurance model, not as a one-and-done control.
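
The cross-session correlation described under "Why reactive moderation fails against coordinated fraud networks" and the convergence-based triage recommended in the list above, as an added example (not code from the SumSub white paper or from NHI Mgmt Group): accounts that share a device or photo fingerprint are clustered, and a cluster is escalated only when at least two signal kinds converge. The field names, flag names and thresholds are assumptions, and the session records are constructed.

```python
from collections import defaultdict

# Constructed session records (not real data): account, device id, profile-photo
# fingerprint, and risk flags seen in that session. All names are assumptions.
SESSIONS = [
    {"account": "a1", "device": "d1", "photo": "p1", "flags": []},
    {"account": "a2", "device": "d1", "photo": "p2", "flags": ["liveness_anomaly"]},
    {"account": "a3", "device": "d2", "photo": "p2", "flags": []},
    {"account": "a3", "device": "d3", "photo": "p2", "flags": ["off_platform_move"]},
    {"account": "b1", "device": "d9", "photo": "p9", "flags": ["liveness_anomaly"]},
    {"account": "c1", "device": "d7", "photo": "p7", "flags": []},
    {"account": "c2", "device": "d7", "photo": "p8", "flags": []},
]

def cluster_accounts(sessions):
    """Union-find: accounts sharing a device or photo fingerprint are linked."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x
    for s in sessions:
        for key in (("dev", s["device"]), ("photo", s["photo"])):
            parent[find(("acct", s["account"]))] = find(key)
    groups = defaultdict(set)
    for s in sessions:
        groups[find(("acct", s["account"]))].add(s["account"])
    return list(groups.values())

def triage(sessions, min_cluster=3, min_signals=2):
    """Escalate a cluster only when at least `min_signals` signal kinds converge."""
    flags = defaultdict(set)
    for s in sessions:
        flags[s["account"]].update(s["flags"])
    escalated = []
    for members in cluster_accounts(sessions):
        signals = set().union(*(flags[a] for a in members))
        if len(members) >= min_cluster:  # the cluster itself counts as one signal
            signals.add("account_cluster")
        if len(signals) >= min_signals:
            escalated.append((sorted(members), sorted(signals)))
    return escalated

if __name__ == "__main__":
    print(triage(SESSIONS))
```

No account in the escalated cluster carries more than one flag on its own; the signals only converge once the accounts are linked, while the isolated account with a single liveness anomaly is not sent to review.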

Key takeaways

  • AI-generated identities turn dating trust into a continuous assurance problem rather than a one-time verification problem.
  • Platforms that rely on static checks will struggle most where fraud networks can adapt profiles, liveness, and messaging patterns at scale.
  • The most effective response is proportionate verification with behavioural correlation, visible trust cues, and clear ownership across fraud and identity teams.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Synthetic identities and weak verification mirror identity assurance failures.
NIST CSF 2.0 | PR.AA-1 | Identity proofing and trust signals support access and authentication assurance.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Risk-based step-up checks align with least-privilege, continuous verification principles.

Map dating platform verification to identity assurance controls and revisit them as risk changes.


Key terms

  • Synthetic Identity: A synthetic identity is an identity constructed from fabricated or blended attributes rather than a single real person. In online dating, it can combine AI-generated photos, copied biographies, and coordinated messaging to appear credible while hiding the actor's true intent.
  • Liveness Attack: A liveness attack is an attempt to fool a system into accepting a fake person, image, or video as a real, present human. In consumer identity journeys, it targets selfie and video checks by using deepfakes, replayed media, or scripted interaction to defeat verification.
  • Risk-Based Verification: Risk-based verification is an approach that increases assurance only when signals suggest elevated abuse or impersonation risk. It uses behavioural, device, and context signals to decide when to step up checks, which helps preserve user experience while reducing exposure to fraud.
  • Trust Signal: A trust signal is any observable indicator that helps a platform or user judge whether an identity is genuine, safe, or credible. In dating environments, the signal must be treated as dynamic evidence, because static badges or checks can be copied, faked, or become stale.


This post draws on content published by SumSub: Are you real? white paper on AI-generated deception and trust in online dating. Read the original.
