By NHI Mgmt Group Editorial TeamDomain: Identity Beyond IAMSource: GlobalSignPublished August 7, 2025

TL;DR: AI is making phishing, impersonation and payment fraud more scalable, while digital identity controls such as qualified electronic signatures and verified credentials are being pulled into the centre of transaction security, according to GlobalSign. The governance shift is clear: identity proofing and cryptographic assurance now sit alongside fraud prevention, not after it.


At a glance

What this is: This analysis argues that digital identity verification, qualified electronic signatures and cryptographic trust are becoming core controls for online fraud resistance as AI boosts impersonation and payment scams.

Why it matters: It matters because IAM, fraud, and compliance teams need to treat identity verification as a control boundary for transactions, delegated approvals and document execution, not just onboarding.

By the numbers:

👉 Read GlobalSign's analysis of digital identity, fraud and qualified signatures


Context

Digital identity assurance is moving from a back-office compliance concern to a frontline fraud control. The article links rising AI-enabled deception, online transaction growth and verified signatures to a single governance problem: organisations need stronger ways to prove who or what is authorised before value moves or legal commitments are made.

For IAM and fraud teams, the key intersection is not only human identity verification but also the identity of systems that initiate, approve or transmit transactions. That includes service accounts, document-signing workflows and delegated approvals, where weak trust chains can be exploited even when the human-facing process looks legitimate.


Key questions

Q: How should organisations secure high-value payment and approval workflows against AI-enabled fraud?

A: Organisations should raise assurance where the action creates financial or legal consequence. That means stronger authentication, verified signer identity, step-up checks for anomalies, and cryptographic controls such as qualified electronic signatures where enforceability matters. The goal is to validate authority before execution, not to investigate after the transfer or signature is complete.

Q: Why do weak identity checks increase fraud risk in digital onboarding?

A: Weak checks allow unverified identities to enter trusted workflows, which means fraud can start before the organisation has enough evidence to stop it. Once an account is opened or a transaction approved, remediation becomes slower, costlier, and more visible to customers and regulators.

Q: What do security teams get wrong about electronic signing workflows?

A: Teams often treat e-signature tools as document automation rather than identity and evidence systems. That mistake leads to weak authentication, poor role control, and incomplete audit records, which can leave organisations unable to prove approval legitimacy when it matters most.

Q: Who should be accountable when digital identity verification fails in a payment or signing process?

A: Accountability should sit with the business owner of the transaction process, the identity team responsible for assurance policy, and the compliance function that defines evidentiary requirements. If payments, approvals or signatures fail, the issue is usually shared control design rather than a single tool failure. Clear ownership prevents gaps between fraud, IAM and legal teams.


Technical breakdown

Why AI-assisted fraud is changing identity assurance

AI lowers the cost of impersonation, social engineering and scale. That changes the economics of fraud because attackers can generate convincing messages, fabricate supporting artefacts and target more people with less manual effort. In payment and document workflows, the issue is not just whether a user can be persuaded, but whether the organisation can cryptographically verify the sender, approver and transaction context. Traditional knowledge-based checks struggle here because they are easy to imitate and hard to audit after the fact.

Practical implication: replace weak identity checks in high-value workflows with stronger assurance, cryptographic verification and step-up controls.

Qualified electronic signatures as a transaction control

A qualified electronic signature is a legally binding signature backed by a trusted identity and a qualified trust service. It gives the transaction a stronger assurance layer than a simple digital signature because the signer’s identity and the signature’s integrity are anchored in a certificate-based trust model. In regulated environments, this matters for invoices, contracts and approvals because it reduces ambiguity about origin and tampering. The control value is not just authenticity, but non-repudiation and evidentiary strength.

Practical implication: use QES where legal enforceability and signer accountability matter, especially in regulated finance and procurement.

Digital wallets and reusable identity credentials

European digital identity wallets are designed to let people store and present verified credentials selectively. The security gain is less data exposure during transactions, because organisations can request only the attribute they need rather than a full identity document. That improves privacy and can reduce fraud surface, but it also shifts governance toward credential issuer trust, wallet lifecycle controls and revocation handling. If the underlying credential or issuer trust breaks down, the wallet simply becomes a more convenient container for compromised trust.


Threat narrative

Attacker objective: The attacker wants to convert deception into authorised value transfer or legally binding approval before the organisation can detect the fraud.

  1. Entry begins with AI-assisted phishing, impersonation or fabricated executive communications that persuade a target to trust a false transaction context.
  2. Escalation occurs when the attacker exploits weak identity verification in approval, signing or payment workflows to gain legitimacy inside the process.
  3. Impact follows when funds move, documents are signed, or fraudulent transactions are accepted as authentic, creating financial and legal loss.

NHI Mgmt Group analysis

AI has turned identity verification into a live fraud-control layer, not a one-time onboarding check. The article’s core message is that digital transactions now need continuous assurance about who is requesting, approving and executing them. That shifts identity verification into the operational path of payments, invoicing and document workflows. For practitioners, the lesson is to treat identity trust as a runtime control, not a static record.

Qualified electronic signatures sharpen the boundary between convenience and evidentiary trust. Where legal enforceability matters, weak e-signatures and email-based approvals leave too much room for repudiation and impersonation. QES introduces stronger identity binding, but only if the certificate and trust service lifecycle are properly governed. For practitioners, the conclusion is that signature assurance belongs in the control design, not as an afterthought in the workflow.

Digital identity wallets create a selective-disclosure model that can reduce over-sharing, but they also concentrate trust risk. Wallets can lower unnecessary data exposure, which is valuable for privacy and fraud resistance. But the trust now depends on issuer assurance, revocation processes and the integrity of the credential lifecycle. For practitioners, the implication is that wallet adoption must be paired with governance over issuer trust and credential revocation.

Identity and fraud programmes are converging around a shared failure mode: unverified delegation. The article highlights payment fraud, signed documents and regulatory change as separate themes, but the underlying issue is the same. Organisations are often too willing to accept a request, an approval or a signature as legitimate without enough proof of origin or authority. For practitioners, the right control strategy is to close that delegation gap across human and machine workflows.

Verification trust gap: the growing mismatch between the confidence organisations place in digital identities and the actual assurance behind them. AI-driven fraud exploits that gap by making fabricated context look routine, so practitioners should close it with stronger authentication, signature assurance and lifecycle governance.

What this signals

Verification trust gap: the practical challenge for programmes is no longer whether a digital identity can be issued, but whether it can still be trusted at the point of action. That means IAM, fraud and legal teams need shared controls for authority, evidence and revocation, especially when AI can manufacture convincing intent at scale.

Qualified electronic signatures and digital wallets will increasingly be judged by lifecycle governance, not by interface design. If credential issuance, revocation and issuer trust are weak, the assurance model collapses even when the user experience is smooth.

For identity-led programmes, the next step is to connect transaction assurance to lifecycle control, because a credential that cannot be revoked or proven is a liability in a fraud-heavy environment.


For practitioners

  • Reclassify high-value workflows as identity assurance points Map invoices, approvals, payment changes and contract execution to explicit assurance levels so that weaker identity checks are no longer accepted for high-impact actions. Tie approval rights to verified identity rather than email presence or role alone.
  • Deploy cryptographic verification for binding transactions Use qualified electronic signatures or equivalent certificate-backed controls for actions that require legal enforceability, non-repudiation or clear signer accountability. Keep signer certificates, trust services and revocation paths under formal lifecycle management.
  • Reduce trust in human-looking approvals Add step-up checks when payment instructions, banking details, delegate approvals or executive requests deviate from normal patterns. Require out-of-band confirmation for changes that can transfer funds or alter contractual obligations.
  • Treat document and approval systems as governed identity surfaces Review where document platforms, e-signature services and automation accounts issue, accept or relay authority. Ensure those systems have clear ownership, logging and offboarding so that delegated access does not become a hidden fraud path.

Key takeaways

  • AI is accelerating impersonation and payment fraud, which makes digital identity assurance a frontline control rather than a compliance extra.
  • Qualified electronic signatures and verified credentials strengthen trust only when certificate lifecycle and revocation are governed end to end.
  • Practitioners should align IAM, fraud and legal workflows so that authority is validated before high-value transactions or approvals are executed.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63BDigital identity assurance and verification are central to the article's fraud-control theme.
GDPRArt.32Identity wallets and verification flows can process personal data and require security safeguards.
NIST CSF 2.0PR.AC-1Identity proofing and access governance support the article's transaction assurance model.
NIST SP 800-53 Rev 5IA-2Authentication strength is relevant to verified signing and payment authorization.

Map approval and signing workflows to PR.AC-1 and reduce reliance on weak identity cues.


Key terms

  • Qualified Electronic Signature: A higher-assurance signature backed by certificate-based identity and trust service provider controls. It is used where legal recognition and stronger evidentiary value are required, especially in cross-border or regulated workflows where the identity chain must remain defensible.
  • Digital Identity Wallet: A digital identity wallet is software that stores and presents credentials for a person or organisation. It is a portability layer, not an authorization system. The wallet moves verified proof between parties, while the relying party still has to decide whether the proof is sufficient for the requested action.
  • Identity Assurance: The confidence an organisation has that a person or system is truly who it claims to be before access or action is granted. In modern IAM, assurance depends on evidence quality, channel trust, and the strength of verification around high-risk decisions.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • Discussion points from Dave Birch, Andreas Brix and Maxwell Chen on the direction of digital identity and fraud
  • The article's explanation of how PSD2 and new EU invoicing requirements use qualified identity in payment processes
  • The practical role of SignNow integration in simplifying secure signature workflows
  • The forward-looking commentary on post-quantum encryption and PSD3 implications

👉 GlobalSign's full article covers the panel discussion, payment controls and regulatory changes in more detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security and secrets management. It helps practitioners connect identity assurance to the controls that support resilient security programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org