By NHI Mgmt Group Editorial TeamPublished 2026-06-02Domain: Governance & RiskSource: Incode

TL;DR: Deepfakes can now be created for under $10 a month, and the source article argues they have shifted from a media-trust problem to an identity verification and access-control problem in high-stakes government workflows. The practical issue is that visual inspection is no longer a dependable assurance layer, so verification must move toward liveness and session-context controls.


At a glance

What this is: This is an analysis of why deepfake detection has become an identity verification control, not just a misinformation defense.

Why it matters: It matters because IAM, IGA, and fraud teams need higher-assurance proofing for onboarding, privileged access, and benefits workflows where visual cues are no longer trustworthy.

👉 Read Incode's analysis of why deepfake detection must go deeper


Context

Deepfake detection has moved into identity governance because the core failure is no longer simply misleading media, but weak assurance at the point of verification. When an organisation uses photos, video, or voice as proof of presence, it is really making an access decision based on signals that can now be synthesized cheaply and at scale.

For public sector identity proofing, contractor access, and other high-impact workflows, the control question is whether the system can validate a real person in the moment rather than inspect a convincing image after the fact. That makes the topic relevant to human IAM, fraud prevention, and any programme that depends on remote proofing as an access gate.


Key questions

Q: How should organisations verify identity when photos and video can be faked?

A: Organisations should move from visual inspection to higher-assurance proofing that validates the live interaction. That means combining liveness detection, device integrity checks, and workflow context before granting access or accepting an identity claim. The goal is to verify a real person in a real moment, not to judge whether media merely looks convincing.

Q: Why do deepfakes create an identity verification problem for government and enterprise workflows?

A: Deepfakes lower the cost of impersonation and make visual evidence unreliable at the exact point where access decisions are made. That turns account opening, contractor onboarding, and benefits access into fraud-prone identity gates. The risk is not only deception. It is the creation of unauthorised trust in a synthetic identity signal.

Q: What breaks when identity proofing relies on human review of screenshots or video?

A: Human review breaks because attackers can generate convincing images, replay video, or manipulate the capture stream faster than reviewers can detect artifacts consistently. Once the verification workflow depends on eyeballing media quality, the control becomes brittle and easy to bypass. High-risk identity decisions need machine-validated context, not manual guesswork.

Q: Who is accountable when a deepfake leads to unauthorised access or fraud?

A: Accountability sits with the organisation that accepted the identity evidence and defined the assurance threshold for the workflow. Security, IAM, and business owners should jointly set the required level of proof for the transaction. If the control does not match the risk, the failure is governance, not just technology.


Technical breakdown

Why visual inspection no longer provides reliable identity assurance

Deepfakes defeat the old assumption that human reviewers can spot manipulation by looking for artifacts such as lighting inconsistencies, facial symmetry, or odd edges. Those cues are already fading as generation quality improves. The deeper problem is that image authenticity and identity authenticity are no longer the same thing. A perfectly convincing face, voice, or document can still be synthetic, replayed, or injected into a verification flow. That means the control boundary has shifted from media review to proof-of-presence and session integrity.

Practical implication: treat visual review as a weak signal and move high-risk verification flows to controls that validate the interaction itself.

How liveness detection and device signals raise assurance

Liveness detection tests whether a live person is present during the interaction rather than a photo, looped video, or synthetic face. The stronger implementations combine active challenge-response with device and session telemetry, which helps expose screen-replay attacks, hijacked cameras, and jailbroken devices. In identity terms, that matters because the biometric is only one input. The trust decision depends on whether the capture moment is real and whether the device path has been altered before the identity evidence reaches the verifier.

Practical implication: require liveness plus device and session checks for any workflow where remote proofing leads directly to access or account creation.

Why synthetic documents and fake websites expand the fraud surface

The article is right to widen the lens beyond image and video fraud. AI can now be used to forge identity documents, impersonate support interactions, and build fake sites that mimic legitimate government or enterprise portals. That creates a compound risk: the user may be deceived into the wrong workflow before proofing even begins. For IAM teams, this means assurance cannot stop at the biometric step. The surrounding channel, URL, and workflow context also need to be governed as part of the identity control plane.

Practical implication: align identity proofing with channel validation, domain checks, and workflow risk scoring rather than treating biometrics as a standalone control.


NHI Mgmt Group analysis

Deepfake risk is now an identity assurance problem, not a media literacy problem. The source article shows that visual cues are no longer enough to distinguish real from synthetic in high-stakes workflows. That shifts the governance burden onto proofing, access gating, and fraud-resistant identity verification. Practitioners should stop treating deepfakes as content noise and start treating them as failed assurance at the point of entry.

High-stakes identity workflows need moment-based trust, not artifact-based trust. A photo, video frame, or voice sample is only useful if the capture moment is trustworthy. Once attackers can inject synthetic media, replay footage, or hijack the capture device, the artefact itself becomes a poor basis for access decisions. The implication is that identity programmes must judge the interaction context as part of the assurance model.

Remote proofing and access control are converging under the same fraud pressure. The article correctly ties benefits access, contractor portals, and system access together because they now share the same attack surface: synthetic identity evidence. That means IAM teams, fraud teams, and public sector security leaders can no longer own these decisions in separate silos. The control model has to unify identity proofing with downstream authorisation.

Deepfake detection should be framed as an assurance tier, not a standalone feature. The important question is not whether a tool can detect a manipulated face in isolation. It is whether the overall verification flow raises confidence enough for the specific access decision being made. That is a governance decision about required assurance level, not a product checkbox. Practitioners should map deepfake controls to the sensitivity of the transaction.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, showing that confidence and practice often diverge.
  • For lifecycle and governance context, see NHI Lifecycle Management Guide for provisioning, rotation, and offboarding discipline.

What this signals

Deepfake risk will increasingly be managed as identity assurance debt. The organisations that treat spoofing as a narrow fraud issue will keep underestimating the governance effort required to defend onboarding, access, and service delivery. The better model is to tie proofing strength to the consequence of the decision, then enforce that across IAM and fraud operations.

As remote identity checks spread into more workflows, security teams should expect the assurance bar to rise in the same way passwordless adoption changed authentication expectations. The practical signal is simple: if a workflow can be abused with a convincing fake and the organisation has no session-level evidence to prove presence, the control design is already behind the threat.


For practitioners

  • Define assurance tiers for remote proofing Separate low-risk media screening from high-risk identity proofing. Use stronger liveness, device checks, and workflow controls when verification leads to access, benefits, or account creation.
  • Validate the capture moment, not just the credential image Require signals that indicate a live interaction, including challenge-response and device integrity checks, before accepting biometric or document evidence.
  • Harden the surrounding identity channel Add URL validation, domain inspection, and session integrity checks so fake portals and injected capture flows are treated as part of the identity risk surface.
  • Map deepfake controls to business criticality Apply the strongest verification requirements to privileged access, onboarding, and benefits workflows where impersonation has the highest operational and regulatory impact.

Key takeaways

  • Deepfakes have moved from a trust problem in media to an assurance problem in identity verification and access control.
  • The real risk is not just fake content, but fake capture moments that undermine onboarding, benefits, and privileged access workflows.
  • Security teams should pair liveness, device integrity, and workflow context so identity decisions are based on the interaction, not the image.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63AIdentity proofing and remote verification are the core concern in this article.
NIST CSF 2.0PR.AC-1Access control depends on reliable identity verification before granting entry.
NIST SP 800-53 Rev 5IA-5Authenticator and identity evidence management are central when proofing is attackable.
NIST Zero Trust (SP 800-207)Zero trust requires strong verification before trust decisions are made.
GDPRArt.32Identity verification workflows often process personal data and need security safeguards.

Map high-risk onboarding flows to SP 800-63A assurance requirements and raise proofing strength where fraud impact is high.


Key terms

  • Deepfake Detection: Deepfake detection is the process of identifying synthetic or manipulated media that is presented as real. In identity programmes, it is only useful when tied to the access decision, because a detected fake matters most when it appears inside a verification workflow.
  • Liveness Detection: Liveness detection is a control that checks whether a real person is present during biometric verification. It helps distinguish a live interaction from a photo, replayed video, or synthetic face, and is most valuable when combined with device and session signals.
  • Identity Proofing: Identity proofing is the process of establishing that a person is who they claim to be before granting access or creating an account. For high-risk workflows, it must assess both the identity evidence and the trustworthiness of the capture moment.
  • Remote Verification: Remote verification is identity checking performed without a physical in-person encounter. It expands convenience but also increases exposure to replay, injection, fake document, and synthetic media attacks, so assurance must be designed around the channel as well as the credential.

What's in the full article

Incode's full article covers the operational detail this post intentionally leaves for the source:

  • Examples of screen-replay attacks, hijacked cameras, and jailbroken-device indicators in remote verification flows
  • The practical distinction between visual artifact spotting and active liveness detection
  • How synthetic identity documents, fake websites, and forged support interactions expand the fraud surface
  • Why federal and state workflows need different assurance levels for access, benefits, and onboarding

👉 Incode's full article covers the verification controls, attack examples, and government workflow implications in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org