TL;DR: Business verification is becoming a regulated operating discipline, not a box-ticking step, as 170 countries now implement beneficial ownership requirements and teams must balance AML checks, onboarding speed, and fraud controls, according to Sumsub. Static workflows are no longer enough when ownership complexity, registry fragmentation, and AI-generated document fraud can break trust at the point of entry.
At a glance
What this is: This is Sumsub’s 2026 guide to KYB, and its central finding is that business verification now has to be designed as a risk-based governance process, not a simple onboarding checklist.
Why it matters: It matters to IAM practitioners because KYB increasingly intersects with access governance, third-party risk, and lifecycle controls for non-human and organisational identities.
By the numbers:
👉 Read Sumsub's complete guide to business verification in 2026
Context
KYB, or know your business, is the control layer used to verify that an organisation is real, properly owned, and appropriate for onboarding. In practice, the challenge is no longer just identity verification at the front door, but proving beneficial ownership, screening for AML risk, and keeping that assessment current as corporate structures and registry data change.
For IAM and governance teams, KYB sits at the boundary between customer onboarding, third-party risk, and lifecycle controls for organisational access. The article argues that static checks are too weak for complex ownership chains, while over-automation can create blind spots when manual review is needed for high-risk cases.
Key questions
Q: What breaks when KYB is treated as a one-time onboarding check?
A: A one-time KYB check breaks the trust model because ownership, control, and risk can change after approval. If the programme does not include ongoing monitoring, refresh of stale registry evidence, and escalation paths for complex structures, it cannot justify continued trust in the business entity once onboarding is complete.
Q: How should security and compliance teams handle complex ownership structures in KYB?
A: They should route complex ownership structures to manual review and treat them as exception cases, not as a problem automation can always solve. Layered entities, cross-border registries, and unclear UBO chains require evidence correlation, analyst judgment, and documented decision criteria.
Q: When should organisations prioritise KYB controls over onboarding speed?
A: They should prioritise KYB controls whenever the entity has high-risk geography, opaque ownership, sanctions exposure, or weak registry evidence. Speed is appropriate only when the risk model supports it. If the evidence is incomplete or the structure is complex, governance should override convenience.
Q: Who is accountable when a business entity is approved with weak KYB evidence?
A: Accountability usually sits with the compliance, risk, and onboarding owners who approved the entity and the policy designers who allowed weak evidence to pass. The practical test is whether the organisation can explain and defend the decision later, using the evidence collected at the time.
Technical breakdown
How KYB workflows balance automation and manual review
Modern KYB platforms separate low-friction cases from complex ones using risk rules, document extraction, registry lookups, and screening workflows. Straightforward entities can move through automated checks quickly, but layered ownership, inconsistent registry data, or sanction hits force escalation to manual due diligence. This is not just process optimisation. It is a control design choice that determines whether onboarding speed degrades governance quality or supports it.
Practical implication: define which entity types can be auto-approved and which must route to analyst review before access or onboarding completes.
UBO verification, ownership thresholds, and AML screening
UBO verification is the core KYB control because it connects the legal entity to the natural persons who ultimately control it. Thresholds vary by jurisdiction, so a useful KYB programme cannot treat ownership as a single global rule. It also has to combine registry evidence, documentary proof, and AML screening so that ownership claims are tested against external risk signals, not just declared by the onboarding subject.
Practical implication: align threshold logic and screening rules to jurisdictional requirements instead of reusing a single global policy.
Why fragmented registry data creates governance risk
Registry fragmentation means the same company may appear differently across countries, formats, and data freshness windows. That weakens confidence in automated decisions and increases false positives, especially when ownership structures are layered or cross-border. The operational issue is not simply data quality. It is that KYB decisions become harder to defend when the evidence base is inconsistent or stale across sources.
Practical implication: require evidence provenance and freshness checks before registry data is used as an approval signal.
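As an added illustration (not Sumsub's code or any product's), the following Python sketch encodes the three control points above: per-jurisdiction UBO thresholds instead of one global rule, a walk over layered ownership to compute each natural person's effective stake, a provenance and freshness gate on registry evidence, and escalation to manual review whenever any signal fails. The thresholds, entity names, registry record and "today" date are constructed assumptions.

```python
from datetime import date
# Constructed per-jurisdiction UBO thresholds; illustrative, not legal advice.
UBO_THRESHOLDS = {"GB": 0.25, "DE": 0.25, "ZZ": 0.10}
MAX_EVIDENCE_AGE_DAYS = 90   # older registry evidence must be refreshed first
MAX_AUTO_LAYERS = 1          # deeper ownership chains go to an analyst
TODAY = date(2026, 6, 8)     # constructed "now" for the sample below

def effective_ownership(entity, holdings):
    """Flatten layered ownership into cumulative stakes per natural person.
    holdings: entity id -> [(owner, fraction)]; a non-key owner is a person."""
    stakes, depth = {}, [0]          # depth = intermediate entities traversed
    def walk(node, share, path):
        depth[0] = max(depth[0], len(path) - 1)
        for owner, fraction in holdings.get(node, []):
            if owner in path:        # circular ownership: do not loop forever
                continue
            if owner in holdings:
                walk(owner, share * fraction, path | {owner})
            else:
                stakes[owner] = stakes.get(owner, 0.0) + share * fraction
    walk(entity, 1.0, frozenset({entity}))
    return stakes, depth[0]

def evidence_is_fresh(record, today):
    """Evidence needs a named source, a retrieval date and an acceptable age."""
    if not record.get("source") or not record.get("retrieved"):
        return False
    return (today - record["retrieved"]).days <= MAX_EVIDENCE_AGE_DAYS

def route(entity, jurisdiction, holdings, registry, screening_hits, today):
    """Return ('auto_approve', ubos) or ('manual_review', reasons)."""
    reasons, threshold = [], UBO_THRESHOLDS.get(jurisdiction)
    if threshold is None:
        reasons.append(f"no UBO threshold configured for {jurisdiction}")
    if not evidence_is_fresh(registry, today):
        reasons.append("registry evidence stale or without provenance")
    if screening_hits:
        reasons.append("screening hit: " + ", ".join(screening_hits))
    stakes, layers = effective_ownership(entity, holdings)
    if layers > MAX_AUTO_LAYERS:
        reasons.append(f"layered ownership: {layers} intermediate entities")
    if sum(stakes.values()) < 0.999:
        reasons.append("ownership chain does not account for all shares")
    ubos = sorted(p for p, s in stakes.items() if threshold and s >= threshold)
    if threshold is not None and not ubos:
        reasons.append("no natural person reaches the UBO threshold")
    return ("manual_review", reasons) if reasons else ("auto_approve", ubos)

# Constructed sample: GB company, 50% via a 60/40 holding company, 50% direct.
SAMPLE_HOLDINGS = {"acme-ltd": [("holdco-1", 0.5), ("person-a", 0.5)],
                   "holdco-1": [("person-b", 0.6), ("person-c", 0.4)]}
SAMPLE_REGISTRY = {"source": "companies-house", "retrieved": date(2026, 5, 20)}
```

Every reason string is kept rather than only the first, so the analyst sees the full set of signals that blocked auto-approval, which is what makes the decision defensible later.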
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
KYB is becoming identity governance for organisations, not just onboarding compliance. Once beneficial ownership, AML screening, and ongoing monitoring are part of the workflow, the subject is no longer a form-fill exercise. The control question becomes whether the organisation can continuously justify trust in a business entity as its structure, ownership, and risk profile evolve. Practitioners should treat KYB as a lifecycle control, not a point-in-time gate.
Fragmented registry data creates a verification debt that automation cannot erase. Automated extraction and registry checks reduce friction, but they do not solve the underlying inconsistency in source data across jurisdictions. When evidence is incomplete or stale, the programme inherits a governance debt: decisions look fast, but they are harder to audit and harder to defend. Practitioners should assume registry variability is a permanent operating condition.
Risk-based routing is the right model because one KYB policy cannot safely fit all entities. The guide’s structure points to a split between routine cases that can be processed quickly and complex ownership chains that require expert review. That is a governance reality, not a compromise. The practical conclusion is that mature KYB programmes must encode risk tiers, exception handling, and manual escalation as standard operating design.
AI-generated document fraud changes the trust model for onboarding evidence. If fraudulent filings can be generated convincingly, then document appearance is no longer a reliable proxy for legitimacy. That shifts KYB from document collection toward evidence correlation, cross-checking, and ongoing revalidation. Practitioners should re-evaluate any workflow that still treats submitted documents as self-authenticating.
Business verification now sits inside broader third-party access governance. Once a counterparty is onboarded, the question is not only whether it passed KYB, but whether its access, permissions, and monitoring remain aligned with the level of trust originally granted. The implication for identity teams is that KYB outputs should feed downstream access decisions, not live in a compliance silo.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- The Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, shows why lifecycle controls must extend beyond initial approval into rotation, offboarding, and ongoing review.
What this signals
KYB is moving closer to identity lifecycle governance for external organisations. The practical lesson for programme owners is that onboarding is only the first trust decision. Once an entity is approved, teams need evidence refresh, monitoring, and exception handling that persist through the relationship rather than stop at admission.
Business verification will increasingly inform downstream access governance. If a counterparty is unreliable at onboarding, it should not receive broad permissions, long-lived trust, or unchecked operational access. Teams that connect KYB outputs to access reviews and third-party risk scoring will have a defensible path when auditors ask why a business was trusted.
With 32.4% of security budgets going to secrets management and code security, according to The State of Secrets in AppSec, identity controls are clearly expanding beyond human login experiences. The same discipline now has to apply to external entities, machine identities, and onboarding evidence.
For practitioners
- Separate low-risk automation from high-risk exception handling: Define which business types can move through automated review and which must be escalated to manual due diligence. Use ownership complexity, jurisdiction, and screening results as routing criteria, not informal judgment.
- Standardise beneficial ownership thresholds by jurisdiction: Map UBO rules by market before onboarding logic is built. Do not assume a single threshold or evidence package will satisfy US, UK, EU, APAC, and Latin American requirements.
- Require evidence freshness and provenance checks: Treat registry data as potentially stale until the source, timestamp, and chain of custody are validated. If the data cannot be traced cleanly, it should not be the only basis for approval.
- Use KYB outputs in third-party access decisions: Feed KYB risk scores into downstream access, monitoring, and review processes for counterparties, marketplaces, and vendors. Trust decisions should follow the entity through its lifecycle, not end at onboarding.
Key takeaways
- KYB is no longer a simple onboarding check, because beneficial ownership, AML screening, and continuous monitoring now shape whether a business can be trusted at all.
- Automation helps with routine cases, but fragmented registry data, complex ownership structures, and AI-generated fraud still require human escalation and defensible evidence.
- Practitioners should treat KYB as a lifecycle control that feeds downstream access and risk decisions, not as a standalone compliance workflow.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | KYB decisions determine whether external entities receive trust and access. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Business verification evidence still depends on lifecycle control of external identities and credentials. |
| NIST Zero Trust (SP 800-207) | | KYB supports trust verification before access is granted to third parties. |
Treat approved business entities as governed non-human relationships with reviewable lifecycle states.
Key terms
- Know Your Business: Know Your Business is the process of verifying that a company is legitimate, properly owned, and suitable for onboarding or continued trust. It goes beyond registration checks by testing beneficial ownership, sanctions exposure, and ongoing risk so organisations can defend why they accepted the relationship.
- Ultimate beneficial owner: An ultimate beneficial owner is the natural person who ultimately owns, controls, or benefits from a company, even when layers of intermediaries obscure that relationship. KYB programmes use UBO verification to connect legal entities to human accountability and to reduce hidden ownership risk.
- Risk-based KYB: Risk-based KYB is a verification model that applies different levels of scrutiny depending on the entity’s ownership complexity, geography, and screening results. It allows low-risk cases to move quickly while forcing higher-risk entities into manual review, stronger evidence checks, and ongoing monitoring.
- Registry data fragmentation: Registry data fragmentation is the inconsistency that appears when company records differ across jurisdictions, formats, and update cycles. It weakens confidence in automated verification because the same entity may produce different evidence depending on which registry is queried, when it was queried, and how complete the source is.
Deepen your knowledge
KYB lifecycle controls and risk-based onboarding are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are extending identity governance beyond users and service accounts, it is worth exploring.
This post draws on content published by Sumsub: Complete Guide to Business Verification (KYB) 2026. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org