By NHI Mgmt Group Editorial Team | Published 2026-06-10 | Domain: Governance & Risk | Source: SumSub

TL;DR: Enhanced due diligence is the deeper AML control applied when customers, transactions, or relationships present elevated risk. According to Sumsub, FATF-style risk-based screening, source-of-funds checks, transaction monitoring, and senior review are what shape how firms prove accountability. The governance lesson is that EDD works only when risk signals, evidence collection, and escalation are treated as one lifecycle, not as disconnected compliance tasks.


At a glance

What this is: This is an analysis of enhanced due diligence as a risk-based control for high-risk customers, transactions, and relationships, with a focus on how the process works and where it fails when controls are fragmented.

Why it matters: It matters to IAM practitioners because the same lifecycle logic applies across identity programmes: once risk changes, governance must reclassify, escalate, evidence, and monitor rather than rely on static onboarding checks.



Context

Enhanced due diligence is the risk-based layer that separates routine customer checks from higher-scrutiny investigations. In identity governance terms, it is the point where the programme stops trusting the initial classification and starts demanding more evidence, more monitoring, and more accountable decisions.

That matters beyond AML. Any identity programme that handles human users, service accounts, or autonomous systems eventually faces the same question: what happens when the risk profile changes after access has already been granted? EDD is useful because it shows how mature governance treats risk as dynamic, not static.

The strongest control failures in this space are usually not about missing a single checklist item. They come from treating due diligence as a one-time event instead of a lifecycle process that must keep pace with new signals, new relationships, and new exposure.


Key questions

Q: How should compliance teams decide when standard due diligence is no longer enough?

A: Teams should move to enhanced due diligence when risk signals materially change the expected exposure of the customer, transaction, or relationship. Typical triggers include PEP status, high-risk jurisdictions, complex ownership, unusual transaction patterns, or evidence gaps. The decision should be documented and repeatable so analysts apply the same threshold consistently.

Q: Why does enhanced due diligence need ongoing monitoring after onboarding?

A: Because risk does not stay fixed after the initial review. Counterparties change, transaction behaviour shifts, and new adverse information can emerge. Ongoing monitoring keeps the original due diligence decision valid and prevents an organisation from relying on outdated assumptions about a relationship that has already evolved.

Q: What breaks when beneficial ownership is not verified in high-risk cases?

A: The organisation loses visibility into who actually controls the relationship and whether hidden parties are driving illicit activity. That creates blind spots for sanctions, corruption, and money laundering risk, while also weakening auditability because the decision was made without understanding the real ownership structure.

Q: Who is accountable when enhanced due diligence fails to catch a high-risk relationship?

A: Accountability usually sits with the institution’s AML governance chain, including the analysts, approvers, and compliance leadership that defined the review standard. The practical test is whether the organisation can show it applied a risk-based process, documented the rationale, and maintained monitoring when risk changed.


Technical breakdown

Risk-based due diligence and customer reclassification

EDD is a decisioning layer built on risk-based assessment. Standard due diligence establishes identity and basic purpose, while EDD adds deeper review when indicators such as jurisdiction exposure, complex ownership, or politically exposed status raise the likelihood of money laundering or terrorist financing. The key mechanism is reclassification: the programme must be able to move an identity from normal review to enhanced review when evidence changes. In practice, that means risk scoring, human escalation, and evidence requests have to be linked into one governed path from risk trigger to enhanced review, or the control becomes ceremonial.

Practical implication: tie reclassification rules to documented escalation thresholds, not ad hoc reviewer judgment.

Source of funds, beneficial ownership, and third-party evidence

EDD goes beyond self-declared identity data. It asks for source of funds, source of wealth, beneficial ownership, and supporting corporate evidence because higher-risk relationships cannot be assessed reliably from customer attestation alone. This is an evidence architecture problem as much as a compliance one. The programme must correlate internal profile data with external records, banking relationships, and legal documents, then preserve why each item was accepted or rejected. Without that, the organisation can perform more checks while still learning less. The practical lesson is that evidence quality matters more than evidence volume.

Practical implication: define what evidence is required for each risk trigger and standardise how it is reviewed and retained.

Ongoing monitoring and escalation after onboarding

EDD is not complete at onboarding. Ongoing transaction monitoring, sanctions screening, adverse media review, and periodic reassessment are what keep the original risk decision valid. The architecture matters because business relationships evolve, counterparties change, and transaction patterns drift. A one-time approval does not stay trustworthy when the underlying behaviour changes. This is the same governance mistake seen in identity programmes that certify access once and then assume the answer remains true. The control objective is continuity of assurance, not one-off verification.

Practical implication: connect monitoring outputs to review cadences so changed behaviour forces a new due diligence decision.
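The three subsections above describe one lifecycle: a documented trigger reclassifies the case, the trigger dictates the evidence set, and monitoring output reopens the case. The following is an added example (not Sumsub's or NHIMG's code) that wires those steps into a single case state machine with a rationale trail; the trigger names, evidence items, reopen events and customer ids are constructed placeholders.

```python
# Added example (not Sumsub's or NHIMG's code): one EDD case lifecycle that links
# triggers, evidence and monitoring. Trigger and evidence names are constructed.
from dataclasses import dataclass, field

# Each documented trigger names the evidence EDD must collect before approval.
EVIDENCE_FOR_TRIGGER: dict[str, set[str]] = {
    "pep": {"source_of_wealth", "senior_approval"},
    "high_risk_jurisdiction": {"source_of_funds"},
    "complex_ownership": {"ubo_register_extract", "corporate_records"},
    "unusual_transactions": {"source_of_funds", "transaction_rationale"},
}
REOPEN_EVENTS = {"sanctions_hit", "adverse_media", "monitoring_alert"}
@dataclass
class Case:
    customer_id: str
    state: str = "STANDARD"  # STANDARD -> EDD_PENDING -> EDD_APPROVED -> (reopen)
    triggers: set[str] = field(default_factory=set)
    evidence: set[str] = field(default_factory=set)
    audit: list[str] = field(default_factory=list)  # durable rationale trail
    def apply_triggers(self, signals: set[str]) -> str:
        # Reclassify on any documented trigger and record which ones fired.
        fired = signals & set(EVIDENCE_FOR_TRIGGER)
        if fired:
            self.triggers |= fired
            self.state = "EDD_PENDING"
            self.audit.append(f"escalated on {sorted(fired)}")
        return self.state
    def missing_evidence(self) -> set[str]:
        required = set().union(*(EVIDENCE_FOR_TRIGGER[t] for t in self.triggers))
        return required - self.evidence
    def add_evidence(self, item: str, accepted: bool, reason: str) -> None:
        # Preserve why each item was accepted or rejected, not just that it was seen.
        if accepted:
            self.evidence.add(item)
        self.audit.append(f"{item} {'accepted' if accepted else 'rejected'}: {reason}")
    def decide(self, approver: str) -> str:
        # Approval needs a pending case and the full trigger-specific evidence set.
        missing = self.missing_evidence()
        if self.state != "EDD_PENDING" or missing:
            self.audit.append(f"{approver} blocked; missing {sorted(missing)}")
            return self.state
        self.state = "EDD_APPROVED"
        self.audit.append(f"{approver} approved on {sorted(self.evidence)}")
        return self.state
    def monitor(self, event: str) -> str:
        # A monitoring hit reopens an approved case instead of ending in an email thread.
        if event in REOPEN_EVENTS and self.state == "EDD_APPROVED":
            self.state = "EDD_PENDING"
            self.audit.append(f"reopened on {event}")
        return self.state
```

A rejected evidence item is logged but never counts toward approval, so the audit trail shows both what was reviewed and why the decision was blocked.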


Threat narrative

Attacker objective: The objective is to move illicit funds or abuse the financial system through a relationship that should have been subject to enhanced scrutiny.

  1. Entry occurs when a higher-risk customer or relationship is accepted on the basis of standard checks that are insufficient for the actual risk profile.
  2. Credential access or abuse appears when weak customer vetting fails to surface source-of-funds issues, beneficial ownership opacity, or high-risk jurisdiction links.
  3. Impact follows when the organisation unknowingly facilitates illicit activity, exposing itself to regulatory enforcement, financial penalties, and reputational damage.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

EDD is a governance filter, not a documentation exercise. The article shows that enhanced due diligence only works when risk assessment changes the depth of review, not just the size of the file. That is the same failure mode identity teams see when onboarding checklists are treated as proof of control. Practitioners should treat EDD as a decision gate that must reclassify risk and trigger escalation.

Risk-based review is the real control, not the amount of data collected. The value of EDD lies in connecting customer profile, beneficial ownership, source of funds, and transaction behaviour into a single judgment. More evidence without a coherent decision model produces noise, not assurance. The implication for practitioners is that review quality, not evidence accumulation, is what stands up under audit.

High-risk relationship offboarding is the hidden weakness in many governance programmes. The article makes clear that EDD must continue through ongoing monitoring, not stop at onboarding. That same blind spot appears in identity lifecycle governance when access is granted but never revisited. Practitioners should recognise that approval without continuous reassessment is a structural control gap.

Dynamic risk scoring is the named concept this article reinforces. EDD depends on moving from static onboarding labels to continuously updated risk status as customer activity, counterparties, and jurisdiction exposure change. Static classification was designed for predictable relationships. That assumption fails when risk evolves after the initial decision, and the implication is that governance must be built for reclassification, not just admission.

EDD failures expose the cost of weak accountability chains. The Canaccord example shows that when risk-based due diligence is incomplete, illicit actors can retain access to the financial system long enough to create enforcement exposure. That is not just a compliance miss; it is a lifecycle governance failure. Practitioners should read it as a reminder that accountability must survive beyond initial approval.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • Our research also shows that 97% of NHIs carry excessive privileges, which is why lifecycle governance has to include both access scope and removal discipline.
  • For a broader control lens, NIST Cybersecurity Framework 2.0 helps teams connect due diligence, monitoring, and response into one programme.

What this signals

Risk reclassification is the programme design issue most teams underestimate. If a case can move from routine review to enhanced scrutiny, then your workflow has to preserve that state change, not just the latest verdict. The operational lesson is to build review queues that reopen cleanly when risk signals change, rather than relying on email escalation and manual follow-up.

EDD also shows why governance needs a durable audit trail. Once the case is closed, the organisation still needs to explain what evidence was used, who approved it, and why the decision was reasonable at the time. That same requirement now shapes identity programmes across IAM, PAM, and NHI governance, especially where lifecycle decisions affect regulatory exposure.

Dynamic risk scoring: the real value is not faster intake, but earlier detection of when a relationship no longer fits its original classification. That framing helps practitioners design controls around change detection instead of static approvals.


For practitioners

  • Map risk triggers to explicit enhanced review paths: Define which signals, such as jurisdiction risk, PEP status, or ownership complexity, move a case from standard review into EDD. Make the escalation route visible to analysts and auditors so the next action is always clear.
  • Standardise the evidence set for high-risk cases: Require the same minimum set of documents and external checks for each risk category, including source of funds, beneficial ownership, and corporate records. This reduces reviewer inconsistency and makes defensible decisions easier to reproduce.
  • Bind monitoring results to re-review thresholds: Set formal triggers for transaction monitoring alerts, adverse media hits, or sanctions screening changes to reopen due diligence. If behaviour changes but the case never re-enters review, the control has already failed.
  • Preserve the rationale behind every EDD decision: Record why a customer was escalated, what evidence was reviewed, and why the final decision was accepted or rejected. That audit trail is what allows compliance, legal, and regulators to reconstruct the decision later.

Key takeaways

  • Enhanced due diligence is a risk reclassification control, not a longer checklist.
  • The evidence burden matters because high-risk relationships cannot be governed from self-declared information alone.
  • Programmes fail when monitoring, escalation, and recordkeeping are separated from the initial decision.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                      | Control / Reference | Relevance
NIST CSF 2.0                   | PR.AA-01            | EDD depends on verifying identity and risk before granting relationship access.
NIST Zero Trust (SP 800-207)   | PR.AC-4             | Risk-based access decisions mirror zero trust's continuous verification model.
NIST CSF 2.0                   | DE.CM-01            | Ongoing transaction monitoring is the detection layer that keeps EDD current.

Tie enhanced review triggers to identity assurance and document why a case moved beyond standard checks.


Key terms

  • Enhanced Due Diligence: Enhanced due diligence is a higher-scrutiny review applied when a customer, transaction, or relationship presents elevated risk. It collects deeper evidence than standard checks and uses that evidence to support a documented decision about whether the relationship can proceed safely.
  • Risk-Based Approach: A risk-based approach is a governance method that adjusts the depth of review according to the level of exposure. Instead of treating every case the same, it allocates more scrutiny, more evidence, and more monitoring to relationships that show stronger risk indicators.
  • Ultimate Beneficial Owner: An ultimate beneficial owner is the person or entity that ultimately controls or benefits from an organisation or asset, even if that control is hidden behind layers of ownership. In high-risk reviews, identifying the UBO is essential because nominal ownership often obscures the real source of influence.
  • Ongoing Monitoring: Ongoing monitoring is the repeated review of transactions, behaviour, and risk signals after onboarding. It ensures that a customer or relationship still matches the original risk decision and creates a trigger for re-review when activity, ownership, or jurisdictional exposure changes.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Sumsub: Enhanced Due Diligence (EDD): When It Is Required and How It Works. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org