TL;DR: Deepfake attacks now target onboarding as a primary fraud path, with multi-step attacks rising 180% to 28% of global fraud detected in 2025 and real-time verification increasingly measured in seconds, according to AU10TIX. Identity teams now need layered detection because liveness checks alone do not cover injected video, synthetic documents, or face swaps.
At a glance
What this is: This is an analysis of how deepfake detection has become a core part of digital identity verification, with layered controls now needed to detect face swaps, replay attacks, injection attacks, and synthetic documents.
Why it matters: For IAM, KYC, and fraud teams, the shift matters because identity proofing controls must now distinguish genuine human presence from AI-generated media without slowing onboarding or weakening auditability.
By the numbers:
- In 2025, the share of multi-step attacks soared by 180%, reaching 28% of all fraud detected globally.
- According to a recent Gartner report, 40% of government organizations are expected to establish dedicated trust operations functions by 2028 to combat deepfakes.
- Results delivered in under 8 seconds, with a multi-layer approach that catches 70% more fraud attempts than conventional measures
👉 Read AU10TIX's deepfake detection analysis for digital identity verification
Context
Deepfake detection has moved from a niche media problem into an identity proofing problem. Digital onboarding now faces synthetic faces, replayed video, virtual camera injection, and AI-generated documents, which means verification stacks must judge both whether a person is present and whether the media is authentic.
The governance gap is straightforward: many identity programmes were built around static document checks or single-mode liveness tests, but fraudsters now probe the whole verification chain. In KYC, that turns media authenticity, device integrity, and audit evidence into core controls rather than optional extras.
Key questions
Q: How should security teams handle deepfake risk in digital onboarding?
A: Security teams should treat deepfake risk as a verification design problem, not only a fraud detection problem. Use layered controls that combine liveness detection, document forensics, device integrity checks, and behavioural signals. The goal is to confirm both a real person and authentic media, while keeping the decision fast enough for live onboarding.
Q: Why do single-method biometric checks fail against synthetic identity fraud?
A: Single-method checks fail because attackers do not need to defeat every control, only the one you rely on most. A live face can still arrive with a synthetic document, and a strong document check can still miss injected video. Fraudsters exploit the gap between signal types, so one control rarely covers the full attack path.
Q: What signals indicate that onboarding verification is being manipulated?
A: Look for mismatches between device metadata, camera behaviour, and session timing, especially where video appears to come from a virtual camera or repeated capture pattern. Also review whether challenged submissions fail in unusual clusters, which can indicate probing for a weak point rather than normal user error.
Q: Who is accountable when deepfake-enabled fraud gets through KYC controls?
A: Accountability sits with the team that owns identity proofing governance, not just the fraud tool vendor. IAM, KYC, fraud operations, and compliance all share responsibility for defining acceptable evidence, escalation paths, and auditability. If the approval logic is unclear, the organisation cannot explain why a synthetic identity was accepted.
Technical breakdown
Why liveness detection and deepfake detection are not the same control
Liveness detection asks whether a live person is physically present. Deepfake detection asks whether the submitted image, video, or document is synthetic, manipulated, or AI-generated. Those are different questions and they fail differently. A selfie can be live but still accompanied by an AI-generated identity document, while a document can be real-looking but fabricated. In practice, this is why one control does not replace the other. Strong identity proofing needs both signal types, plus evidence that the verification event itself was not replayed through a virtual camera or injected stream.
Practical implication: treat liveness and media authenticity as separate acceptance criteria in KYC and onboarding design.
How injection attacks bypass biometric verification workflows
Injection attacks do not defeat face matching directly. They sidestep the camera path by feeding manipulated video into the verification session, often through a virtual camera or software layer that the application trusts as a real input device. That means the control failure is often outside the biometric engine itself, in device telemetry, session integrity, and stream provenance. Defences therefore need to inspect metadata, device signals, and behavioural anomalies around the capture event, not just the pixels in the frame. This is where identity proofing becomes a systems problem, not a model problem.
Practical implication: verify capture integrity and device provenance, not only face similarity scores.
Why speed and audit trails now matter in identity verification
Real-time onboarding changes the security trade-off. If a verification workflow takes too long, users abandon it; if it is too shallow, fraud slips through. The article points to decisions being made in seconds, which means the control must operate in-line and still preserve an evidentiary trail for compliance review. That makes explainability, flag reasons, and workflow integration as important as raw detection accuracy. For identity teams, the operating model is no longer a back-office fraud review queue. It is a live decisioning path with regulatory consequences.
Practical implication: require sub-minute verification with case evidence that compliance and fraud teams can review later.
Threat narrative
Attacker objective: The attacker’s objective is to pass identity verification at scale and obtain approved accounts or credentials under a synthetic or stolen identity.
- Entry begins when an attacker uses a synthetic face, replayed video, or AI-generated document to enter a digital onboarding flow as if they were a legitimate applicant.
- Escalation occurs when the attacker bypasses liveness and capture checks through injected video streams or virtual camera tooling, preserving the appearance of a valid session.
- Impact follows when the fraudulent identity is approved, allowing account creation, access to financial services, or subsequent abuse of the onboarding trust chain.
Breaches seen in the wild
- MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Deepfake detection is now an identity governance control, not a niche fraud filter. Once AI-generated faces, documents, and injected video can all enter the onboarding path, the control boundary moves from document review to trust in the entire capture process. That changes how IAM, KYC, and fraud teams should think about verification evidence, because the decision is no longer only about who the applicant claims to be. It is about whether the identity proofing transaction itself can still be trusted.
Media authenticity failure is the named concept practitioners should track. The problem is not just spoofing, it is the collapse of confidence in whether submitted media was produced by a real person in a real session. That matters because AI-generated content can pass visual inspection while the session path is manipulated through injection. Practitioners should treat this as a distinct control class inside identity proofing, with its own telemetry, exception handling, and audit requirements.
Single-method verification is a weak assumption in industrialised fraud. Liveness alone, document checks alone, or behavioural scoring alone each leaves a gap that attackers can probe at scale. The article’s own framing shows that fraudsters now combine face swaps, replay attacks, synthetic documents, and session injection. The implication is that identity programmes need layered verification logic, not a single high-confidence gate, if they want to keep pace with modern fraud operations.
Speed is now part of the control, not just the user experience. When onboarding decisions must happen in seconds, any solution that cannot analyse multiple attack surfaces in-line will either create friction or defer risk. That makes operational latency, evidence capture, and workflow integration central to governance. Practitioners should stop treating verification time as a front-end metric and start treating it as part of control effectiveness.
Identity teams should expect deepfake detection to converge with trust operations and compliance oversight. The Gartner reference in the source is directionally consistent with what we see across IAM programmes: once media fraud becomes routine, verification evidence, adverse decision handling, and audit support move into governance territory. Practitioners should plan for deeper alignment between IAM, fraud operations, and compliance review rather than isolated point solutions.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why identity proofing and verification controls need stronger operational oversight.
- For lifecycle context, the NHI Lifecycle Management Guide shows why provisioning, rotation, and offboarding discipline must extend to any identity workflow that can be abused at scale.
What this signals
Media authenticity failure will increasingly sit alongside credential hygiene as a board-level identity issue. If organisations cannot prove whether a submitted face, document, or session was genuine, the verification decision itself becomes fragile, which is exactly why governance teams should align IAM, fraud, and compliance evidence models now.
The operational signal to watch is not just false positive rate, but whether verification workflows can still produce defensible evidence under attack. That is where layered controls, audit trails, and channel-specific telemetry become programme requirements rather than implementation details.
With only 5.7% of organisations reporting full visibility into their service accounts, per Ultimate Guide to NHIs, the broader lesson is that identity programmes often fail when they cannot see the full trust chain, whether the actor is a person, a bot, or a synthetic fraud session.
For practitioners
- Separate liveness from authenticity requirements Write policy so that a passing liveness check does not automatically satisfy identity proofing. Require explicit coverage for synthetic documents, replayed media, and injected video, and define which evidence each control must produce for audit.
- Test for injection attack resistance in real workflows Validate how your onboarding stack behaves when the camera feed is replaced by a virtual camera or manipulated stream. Include mobile and web channels, because device metadata and capture integrity often differ between them.
- Require layered decisioning before approval Combine document forensics, liveness, and behavioural signals in the same decision path so that a single signal failure cannot be bypassed by a convincing synthetic identity.
- Keep an evidence trail for every declined or challenged session Store the specific reason a submission was flagged, plus the capture metadata and decision timestamp, so fraud operations and compliance teams can review the case without re-running the verification event.
Key takeaways
- Deepfake fraud is no longer a fringe issue because onboarding workflows now face synthetic faces, replay attacks, and injected video at scale.
- The control gap is not a single missing feature, but the assumption that one biometric or document check can prove identity on its own.
- Practitioners should design layered, auditable verification paths that stay fast enough for real onboarding while still capturing evidence for compliance and fraud review.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-05 | The article centres on identity proofing gaps that let synthetic identities pass. |
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access approval sit inside protective access control outcomes. |
| NIST SP 800-53 Rev 5 | IA-2 | Verifier assurance and identity proofing map directly to identification and authentication controls. |
| ISO/IEC 27001:2022 | A.5.15 | Access control policy should define when proofing evidence is sufficient for onboarding. |
Map onboarding controls to NHI-05 and require layered evidence before approving identities.
Key terms
- Deepfake Detection: Deepfake detection is the process of identifying whether submitted images, video, audio, or documents were generated or manipulated by AI. In identity workflows, it protects proofing decisions by checking media authenticity, not just whether the claimant looks convincing.
- Liveness Detection: Liveness detection determines whether a real person is physically present during a verification session. It reduces spoofing risk, but it does not prove media authenticity on its own, which is why it must be paired with document forensics and session-integrity checks.
- Injection Attack: An injection attack in identity verification occurs when an attacker feeds manipulated media into the session path instead of using a genuine camera or capture source. The control gap is often device or stream trust, not facial matching accuracy.
- Identity Proofing: Identity proofing is the set of checks used to establish that a person, account applicant, or claimant is who they say they are. In modern onboarding, it includes document validation, liveness, device checks, and evidence capture for later audit.
What's in the full article
AU10TIX's full article covers the operational detail this post intentionally leaves for the source:
- Product-specific comparison of liveness, document forensics, and behavioural analysis capabilities across the evaluated platforms
- Per-platform deployment notes for mobile and web onboarding, including where injection attack detection is strongest
- Implementation-oriented guidance on matching fraud controls to KYC, AML, and audit requirements
- Practical performance and coverage figures for supported document types and geographies
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM, fraud, or identity governance programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org