TL;DR: Identity verification is moving from one-time document checks to layered, real-time trust decisions that combine biometrics, liveness detection, device signals, and database checks, according to Incode. That shift matters because synthetic identities, account takeovers, and AI-generated fraud now move faster than manual KYC and static review models can handle.
At a glance
What this is: This is Incode's analysis of digital identity verification and how layered checks are used to reduce fraud while preserving user experience.
Why it matters: It matters to IAM and security teams because remote onboarding, age assurance, KYC, and regulated access now depend on identity signals that can withstand synthetic, device-based, and AI-assisted abuse.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
👉 Read Incode's analysis of digital identity verification and fraud control
Context
Digital identity verification is the process of confirming that a person is real, present, and entitled to the action being requested, without relying on manual paper checks. In remote and high-risk journeys, that decision now has to hold up against synthetic identities, account takeover attempts, and deepfake-assisted impersonation.
The governance problem is that identity assurance is no longer a single checkpoint. KYC, AML, age verification, and secure access now depend on layered evidence, and the control model has to absorb document validation, biometrics, liveness, device signals, and ongoing fraud intelligence without creating unacceptable friction.
For identity teams, the practical question is not whether to verify. It is how to decide when a verification flow is strong enough to support onboarding, transaction approval, or regulated access in a way that remains auditable over time.
Key questions
Q: How should security teams reduce fraud without adding too much user friction?
A: Use layered verification, not a single hard gate. Combine document checks, biometric matching, liveness detection, and risk context so the system can raise assurance only where the journey demands it. Keep friction low for routine cases, but define explicit step-up paths for suspicious devices, mismatched locations, or abnormal behaviour.
Q: Why do synthetic identities defeat traditional identity checks?
A: Synthetic identities often look consistent enough to pass isolated checks, especially when systems rely on static documents or simple knowledge-based questions. They become much harder to detect when device signals, database checks, and liveness evidence are combined. The failure is not one weak control alone, but a control stack that was built for slower fraud.
Q: What signals should identity teams use beyond documents and biometrics?
A: Use device fingerprinting, IP reputation, geolocation consistency, behavioural patterns, and fraud history alongside document and biometric data. These signals help identify abuse patterns that visual checks miss, especially in remote onboarding and transaction flows. The best programmes treat contextual signals as part of the verification policy, not a separate monitoring layer.
Q: Who is accountable when identity verification fails in a regulated flow?
A: Accountability usually sits with the organisation that defined the verification policy and accepted the risk, not with the user or the individual analyst. In regulated journeys, security, compliance, and product teams should share control ownership and document who approved the evidence threshold, the step-up rules, and the exception process.
Technical breakdown
Layered identity verification and assurance scoring
Modern digital identity verification is built as a sequence of evidence checks, not a single pass or fail event. Document capture establishes an identity anchor, biometrics test whether the same person is present, and database checks compare the declared identity against external records. The result is an assurance decision assembled from multiple weak signals rather than one perfect proof. This is why real-world systems increasingly use risk scoring and policy thresholds instead of binary approval. The architecture matters because attackers only need one weak point, while defenders need a consistent way to combine independent evidence into a defensible decision.
Practical implication: define assurance thresholds for each use case rather than treating every verification journey as the same risk decision.
Liveness detection, deepfakes, and presentation attack defence
Liveness detection exists to answer a narrow but critical question: is the subject physically present, or is the system seeing replayed, injected, or synthetic media? Modern fraud flows use camera injection, virtual camera feeds, face reenactment, and AI-generated imagery to bypass identity checks that only look for visual similarity. Liveness controls use motion cues, depth patterns, lighting behaviour, and interaction consistency to reject non-live attempts. The technical point is that biometrics alone do not prove presence. They only prove resemblance, which is not enough in a deepfake environment.
Practical implication: pair biometric matching with live presence checks wherever remote onboarding or high-risk access can be targeted by synthetic media.
Device and network signals as fraud context
Device fingerprinting, IP reputation, geolocation consistency, and behavioural patterns provide context that a document or face match cannot. These signals are useful because many fraud campaigns are operationally repetitive, even when the identity artefacts look plausible. A new device in an unexpected location, repeated failed attempts from the same network, or suspiciously consistent automation patterns can all indicate abuse before the final identity decision is made. This layer is not a replacement for identity proofing. It is the control that detects when the surrounding environment makes the identity claim less credible.
Practical implication: treat device and network context as part of the verification policy, especially for onboarding, password reset, and transaction approval.
Threat narrative
Attacker objective: The attacker objective is to turn a fabricated or hijacked identity into trusted access that can be monetised through fraud, takeover, or evasion of compliance controls.
- Entry occurs when an attacker presents a synthetic identity, stolen document images, or deepfake-assisted media to enter a remote verification flow.
- Escalation follows when weak liveness controls, limited database checks, or permissive risk scoring allow the false identity to clear onboarding or step-up checks.
- Impact is achieved when the attacker uses the approved identity to commit fraud, take over accounts, or pass regulated access checks at scale.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Digital identity verification is now an identity governance control, not just a fraud tool. The article frames verification as a way to balance security and user experience, but the governance reality is broader: a failed identity proofing decision becomes an access decision with compliance consequences. That means IAM teams, fraud teams, and compliance leads are now operating on the same trust boundary. Practitioners should treat verification policy as part of the access model, not a separate onboarding task.
Layered trust is the right architectural response to AI-assisted impersonation. Document checks, biometrics, liveness detection, and device intelligence each fail differently, which is why a single control no longer carries enough assurance. This is the same pattern that shows up in NHI governance: one credential or one signal is rarely sufficient when the adversary can adapt. The implication is that identity programmes should be judged by how well they combine independent evidence under risk, not by how quickly they can approve users.
Continuous trust is the named concept this market is converging on. The article makes clear that one-time checks are no longer sufficient because identity risk changes across the customer lifecycle. That shift matters because the decision made at onboarding can be invalidated by a later device, network, or behaviour change. Practitioners should think in terms of ongoing assurance rather than static verification events.
Verification failures now carry operational and regulatory weight, not just conversion loss. In regulated environments, a weak identity check can trigger audit findings, AML exposure, or age-verification failure. The important point is that poor assurance does not stay inside the product team. It becomes an enterprise control issue that affects legal, compliance, and security ownership. Identity leaders should map verification outcomes to accountable control owners, not leave them buried inside a user journey.
AI-generated fraud narrows the value of human judgment unless policy is explicit. The article highlights automated verification to reduce manual review, but that only works when the decision logic is tightly governed. If review teams are used as a catch-all for uncertain cases, the process becomes slow, inconsistent, and easy to game. Practitioners should measure how much of the verification workload is policy-driven versus analyst discretion.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- From our research: 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- If remote verification can be bypassed by fabricated identity signals, the adjacent control problem is lifecycle discipline, which is covered in Ultimate Guide to NHIs.
What this signals
Continuous trust: identity programmes are moving toward decisioning that persists after initial verification, because static onboarding checks no longer absorb synthetic media, device anomalies, and behavioural drift. That shift matters for regulated access as much as for consumer identity, because the assurance model has to survive the full customer lifecycle.
The operational risk is that identity and fraud teams will keep tuning individual signals while the programme gap remains structural. Security leaders should map verification policy, escalation logic, and exception handling to a single ownership model before audit pressure forces the issue.
For practitioners
- Set assurance thresholds by risk tier Define different approval standards for onboarding, transaction step-up, age assurance, and account recovery so each journey has a clear evidence bar.
- Require liveness on high-risk remote flows Use active or passive liveness detection wherever remote presentation attacks or deepfake-assisted impersonation are plausible.
- Combine device context with identity proofing Add device fingerprinting, geolocation consistency, and network risk signals to the identity decision instead of using them only for post-event investigation.
- Define escalation rules for manual review Create policy for which signals force analyst review, which can auto-deny, and which should trigger step-up verification before access is granted.
Key takeaways
- Digital identity verification now functions as a frontline access control, not just a user onboarding step.
- Layered evidence, including liveness and device context, is necessary because synthetic identities and AI-assisted fraud can defeat single-point checks.
- Practitioners should manage verification as a governed assurance model with explicit thresholds, escalation rules, and accountability.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63A | Identity proofing and remote verification are central to this article. |
| NIST CSF 2.0 | PR.AC-1 | Access control depends on trustworthy identity verification decisions. |
| NIST Zero Trust (SP 800-207) | 3.4 | Zero Trust requires continuous verification, not one-time trust. |
| GDPR | Art.32 | Biometric and identity data handling raises security and privacy obligations. |
Treat identity verification as part of continuous verification, not a one-off gate.
Key terms
- Digital Identity Verification: Digital identity verification is the remote process of confirming that a person is real, present, and entitled to proceed. It combines document, biometric, and contextual evidence so organisations can make a defensible trust decision without relying on manual in-person checks.
- Liveness Detection: Liveness detection is the control that checks whether a biometric subject is physically present rather than replayed, injected, or synthetic. It matters because face similarity alone does not prove presence, especially when attackers use deepfakes, virtual cameras, or media injection.
- Continuous Trust: Continuous trust is the practice of treating identity assurance as a living decision rather than a one-time event. The trust level can rise or fall as device, network, behavioural, or fraud signals change across the journey, which is increasingly necessary in remote and regulated environments.
- Synthetic Identity: A synthetic identity is a fabricated or blended identity built from real and fake attributes to pass initial checks. It is dangerous because it can look coherent enough to survive isolated verification steps while remaining difficult to link to a legitimate person or account history.
What's in the full article
Incode's full article covers the operational detail this post intentionally leaves for the source:
- The end-to-end verification workflow for document, biometric, and liveness checks.
- The platform's fraud intelligence signals and how they are combined in decisioning.
- The KYC, AML, and age-verification use cases that shape real deployment choices.
- The product-level description of how continuous trust is applied across the customer lifecycle.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org