TL;DR: Enhanced due diligence extends customer identity verification, risk scoring, and ongoing monitoring for high-risk relationships, occupations, jurisdictions, and transaction patterns according to 1Kosmos. The broader lesson is that stronger identity proofing does not remove governance burden; it shifts it toward evidence quality, escalation discipline, and auditability.
At a glance
What this is: This is an overview of enhanced due diligence and how it strengthens identity verification, risk assessment, and monitoring for high-risk customers and transactions.
Why it matters: It matters because IAM, fraud, and compliance teams need governance models that can adapt when identity assurance has to scale beyond ordinary due diligence.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities (46% confirmed, 26% suspected).
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
👉 Read 1Kosmos's article on enhanced due diligence and identity verification
Context
Enhanced due diligence, or EDD, is the higher-control version of customer due diligence used when identity risk is not ordinary. In practice, it adds deeper verification, more evidence about source of funds or wealth, and more frequent monitoring when a customer, transaction, or relationship presents elevated exposure.
For IAM and compliance teams, the governance challenge is not the label on the process but the consistency of the evidence chain. EDD only works when verification, monitoring, and escalation are tied together; otherwise high-risk identity decisions become documentation exercises rather than actual risk controls.
The article is typical of regulated identity governance guidance: it treats stronger verification as part of a broader risk-management lifecycle, not as a one-time check.
Key questions
Q: How should security teams apply enhanced due diligence to high-risk identities?
A: Security teams should treat enhanced due diligence as a risk-based control path, not a universal process. Apply deeper verification, richer evidence collection, and more frequent monitoring only when the customer, transaction, or relationship crosses defined risk thresholds. The key is to make the trigger, review, and escalation steps auditable and consistent.
Q: Why do standard due diligence checks fail for higher-risk relationships?
A: Standard checks fail because they are designed for baseline trust, not elevated exposure. High-risk relationships can involve unusual jurisdictions, politically exposed persons, complex transactions, or changing affiliation patterns that require more evidence and ongoing review. Without that added scrutiny, the organisation may verify identity but still miss the actual risk.
Q: What do organisations get wrong about ongoing monitoring in KYC programmes?
A: They often treat monitoring as a compliance formality instead of the operational core of the control. If alerts are not triaged, evidence is not preserved, and escalation is not assigned, the programme cannot distinguish routine activity from suspicious behaviour. Ongoing monitoring must produce a decision, not just a notification.
Q: Who is accountable when enhanced due diligence reveals suspicious activity?
A: Accountability should sit with the function that owns the review workflow, usually compliance with support from fraud or security operations. The organisation must also define when the issue is escalated to regulators or a financial intelligence unit. Clear ownership matters because EDD fails when everyone sees the risk but no one closes the case.
Technical breakdown
How enhanced due diligence changes identity assurance
EDD raises the assurance bar by requiring more than baseline identity checks. It usually adds source-of-funds review, source-of-wealth evidence, transaction-pattern monitoring, and manual review for higher-risk relationships. That makes it closer to an identity risk control plane than a simple onboarding step. In regulated environments, the important distinction is that EDD is triggered by risk signals, not by every identity equally, so the governance model has to support tiered treatment and documented decisioning.
Practical implication: define explicit EDD triggers and make sure every escalation path produces a reviewable decision record.
KYC, CDD, and EDD in the same lifecycle
Know Your Customer, customer due diligence, and enhanced due diligence are layered controls, not interchangeable ones. KYC establishes identity and purpose, CDD applies the standard baseline, and EDD activates when the customer profile, geography, activity, or relationship increases risk. This layering matters because teams often over-rely on initial verification and under-invest in ongoing review. Without lifecycle discipline, the control degrades into a one-time gate that misses later risk drift.
Practical implication: align onboarding, periodic review, and event-driven re-verification so risk treatment changes when the relationship changes.
Why ongoing monitoring is the real control test
EDD is only meaningful if monitoring continues after approval. High-risk customers can change behaviour, move funds in unusual patterns, or alter affiliations after initial verification passes. That is why the control depends on alerts, review queues, documentation, and escalation to the right authority when suspicious activity appears. In practice, the failure mode is not lack of policy language. It is a monitoring model that cannot turn evidence into timely action.
Practical implication: test whether alerts, case handling, and regulatory reporting are connected before treating EDD as operationally mature.
NHI Mgmt Group analysis
EDD is a governance model, not a verification feature. The article makes clear that enhanced due diligence is meant to separate ordinary identity checks from higher-risk relationships that need deeper review. That distinction matters across regulated identity programmes because risk-based treatment is the only way to scale assurance without treating every user or customer as equally dangerous. Practitioners should treat EDD as a lifecycle governance decision, not a point solution.
Identity assurance fails when evidence collection is disconnected from ongoing monitoring. The article’s workflow shows that high-risk cases need more information, more frequent review, and clear escalation. That is the same control logic IAM teams use for privileged access and lifecycle reviews: if the evidence is static while the risk is dynamic, the control becomes performative. Practitioners should design EDD so monitoring and documentation stay linked.
High-risk identity handling depends on documentation quality as much as verification depth. EDD only has value when institutions can prove what they reviewed, why they escalated, and what action followed. That makes auditability part of the control, not an afterthought. For security and compliance leads, the lesson is that governance failure often appears first as incomplete records, not failed authentication.
Named concept: risk-tiered identity assurance. The article describes a control pattern in which identity verification depth changes with the assessed risk of the relationship, transaction, or jurisdiction. That pattern is useful beyond banking because it captures a broader governance principle: assurance should scale with exposure, but only when the organisation can defend the trigger, the evidence, and the outcome. Practitioners should use that tiering deliberately rather than relying on a single baseline process.
EDD exposes the difference between proving identity and governing trust. A customer can be identified and still remain high risk, which means identity proofing alone does not solve the governance problem. This is the same distinction IAM teams face when they assume authentication equals trust. Practitioners should recognise that trust decisions need separate controls from identity verification itself.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means many identity programmes cannot prove what they govern.
- For the broader control picture, read NHI Lifecycle Management Guide for the lifecycle controls that keep identity evidence current.
What this signals
Risk-tiered identity assurance: EDD is a preview of where identity governance is heading across human, machine, and autonomous programmes. Organisations will need clearer triggers for when baseline trust is no longer enough, plus stronger evidence chains that survive audit and regulatory review.
The practical signal for IAM and compliance leads is that lifecycle discipline will matter more than static verification. If review cadence, escalation ownership, and documentation quality are weak, the organisation will struggle to defend its decisions even when the initial identity check passed.
For teams building modern identity programmes, the question is no longer whether to add more verification. It is how to make higher-assurance treatment repeatable, explainable, and connected to the right control owners.
For practitioners
- Define explicit EDD triggers: Map the cases that require enhanced review, including high-risk jurisdictions, politically exposed persons, unusual transaction patterns, and adverse reputation signals. Make the trigger list auditable and review it with compliance and fraud teams on a fixed schedule.
- Separate baseline CDD from enhanced review: Document what every customer receives at onboarding and what additional evidence is required when risk rises. Keep the enhanced path distinct so teams do not dilute ordinary due diligence or over-apply expensive manual checks.
- Tie monitoring to escalation and reporting: Ensure suspicious activity alerts route to a named reviewer, preserve the underlying evidence, and support filings to the appropriate authority when required. The workflow should show who decided, when they decided, and what they escalated.
- Audit documentation for defensibility: Test whether your case files show source-of-funds evidence, risk rationale, monitoring history, and closure notes in one place. If reviewers cannot reconstruct the decision from the record, the control is not defensible.
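One way to implement the risk-tiered trigger, decision-record and re-verification pattern from the technical breakdown and the practitioner checklist, as an added Python example that is not 1Kosmos's or NHIMG's code: the trigger names, thresholds, placeholder jurisdiction codes, escalation owner and the hash-chained record format are all assumptions.

```python
import hashlib
import json

# Assumed trigger list and thresholds (placeholders, not a real programme's rule set).
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}   # placeholder country codes
UNUSUAL_VOLUME_THRESHOLD = 50_000        # assumed monthly transaction volume
# assumption: PEP and adverse-media cases route to a named compliance owner
ESCALATION_TRIGGERS = {"politically_exposed_person", "adverse_reputation_signal"}

def evaluate_triggers(profile):
    """Return the EDD triggers a customer profile fires; an empty list means baseline CDD."""
    checks = [
        ("high_risk_jurisdiction", profile.get("jurisdiction") in HIGH_RISK_JURISDICTIONS),
        ("politically_exposed_person", bool(profile.get("pep"))),
        ("unusual_transaction_pattern", profile.get("monthly_volume", 0) > UNUSUAL_VOLUME_THRESHOLD),
        ("adverse_reputation_signal", bool(profile.get("adverse_media"))),
    ]
    return [name for name, hit in checks if hit]

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def decide(profile, reviewer, decided_at, prev_hash="0" * 64):
    """Build a reviewable decision record (tier, triggers, evidence owed, escalation, who/when), chained to the prior record."""
    triggers = evaluate_triggers(profile)
    tier = "EDD" if triggers else "CDD"
    evidence = ["identity_document"]
    if tier == "EDD":  # enhanced path adds source-of-funds and source-of-wealth evidence
        evidence += ["source_of_funds", "source_of_wealth"]
    record = {
        "customer_id": profile["customer_id"],
        "tier": tier,
        "triggers": triggers,
        "required_evidence": evidence,
        "escalate_to": "compliance_owner" if ESCALATION_TRIGGERS & set(triggers) else None,
        "reviewer": reviewer,
        "decided_at": decided_at,
        "prev_hash": prev_hash,
    }
    record["record_hash"] = _digest(record)
    return record

def verify_chain(records):
    """Audit check: each record hashes correctly and links to its predecessor."""
    prev = "0" * 64
    for r in records:
        body = {k: v for k, v in r.items() if k != "record_hash"}
        if r["prev_hash"] != prev or _digest(body) != r["record_hash"]:
            return False
        prev = r["record_hash"]
    return True
```

Re-running `decide` for the same customer after a profile change (with `prev_hash` set to the last record's hash) models event-driven re-verification, and `verify_chain` is the audit test that the history of decisions has not been rewritten.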
Key takeaways
- Enhanced due diligence extends identity assurance beyond baseline verification and is triggered by risk, not routine.
- The strongest EDD programmes connect evidence collection, ongoing monitoring, and escalation into one auditable workflow.
- Identity proofing alone does not resolve trust when the relationship, transaction, or customer profile remains high risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | EDD depends on identity evidence and risk-based access decisions. |
| NIST SP 800-63 | IAL2 | Higher-risk identity proofing needs stronger evidence than baseline onboarding. |
| NIST Zero Trust (SP 800-207) | ID.AM | Risk-based trust decisions align with zero-trust identity verification principles. |
Map elevated customer verification to higher assurance requirements and keep proofing records complete.
Key terms
- Enhanced Due Diligence: Enhanced due diligence is the higher-intensity version of customer identity and risk review used when a relationship is judged to be above normal risk. It adds more evidence, more scrutiny, and more frequent monitoring so organisations can justify trust decisions in regulated environments.
- Customer Due Diligence: Customer due diligence is the baseline identity and risk assessment process used for ordinary onboarding and account maintenance. It verifies who the customer is, what they do, and whether their profile fits expected risk, providing the starting point before enhanced controls are applied.
- Politically Exposed Person: A politically exposed person is an individual who holds, or has recently held, a prominent public role, along with close associates and family members. These identities are treated as higher risk because public position can increase exposure to corruption, coercion, or reputational abuse.
- Ongoing Monitoring: Ongoing monitoring is the repeated review of identity, account, or transaction behaviour after initial approval. It is the control that turns a one-time verification into a living risk process, allowing teams to detect changed circumstances, suspicious patterns, and escalation triggers.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by 1Kosmos: enhanced due diligence and identity verification for high-risk customers. Read the original.
Published by the NHIMG editorial team on 2023-04-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org