By NHI Mgmt Group Editorial Team
Published 2026-06-08
Domain: Governance & Risk
Source: Sumsub

TL;DR: Fraud has doubled globally, Brazil is seeing a deepfake surge, and up to 30% of players could skip full verification, according to Sumsub’s 2025 iGaming identity verification report based on analysis of more than 3 million fraud attempts. The governance problem is no longer just fraud volume, but whether verification flows can absorb AI-driven deception without widening access risk.


At a glance

What this is: This report argues that iGaming identity verification is under pressure from rising fraud, deepfakes, and synthetic identities.

Why it matters: It matters to IAM practitioners because the same verification gaps that weaken player onboarding also expose broader identity governance, escalation, and fraud controls across digital programmes.



Context

Identity verification in iGaming now sits at the intersection of fraud, regulation, and user friction. When attackers can use AI-generated faces, synthetic identities, and timed abuse patterns, the issue is no longer only whether a person is real, but whether the trust signal behind the identity flow is strong enough to hold up under pressure.

For IAM teams, the lesson extends beyond gaming. Verification design, step-up logic, and assurance thresholds are becoming governance questions across customer identity, non-human identity, and emerging autonomous workflows, because weak identity proofing creates downstream access decisions that are hard to unwind.


Key questions

Q: What breaks when players can skip full verification too often?

A: When players can skip full verification too often, the identity programme loses assurance consistency and creates a repeatable fraud path. The control fails because exceptions stop being exceptional. Over time, that turns onboarding into a policy drift problem, where the business accepts weaker proofing just to keep conversion moving.

Q: Why do deepfakes make iGaming identity checks harder to govern?

A: Deepfakes make iGaming checks harder to govern because they attack the trust signals behind document capture, face matching, and liveness checks. The issue is not only false positives or false negatives. It is that attackers can adapt quickly, which means static verification rules fall behind adversarial behaviour.

Q: How can security teams tell whether verification controls are actually working?

A: Security teams should look at fraud attempt trends, abandonment rates, exception usage, and manual-review queues together. If fraud drops but abandonment spikes, the control may be too strict. If completion stays high but exceptions rise, the assurance model may be too weak.

Q: Who is accountable when identity verification fails in regulated gaming markets?

A: Accountability sits with the organisation that defines the assurance policy and signs off on exceptions, not with the fraudster who exploits them. In regulated markets, compliance, risk, product, and identity teams all share responsibility for keeping the verification model aligned with local requirements.


Technical breakdown

AI-driven identity fraud in iGaming verification

AI-driven fraud in identity verification combines synthetic media, deepfakes, and automated testing of onboarding flows. In iGaming, that matters because attackers can iterate at machine speed until they find the weakest path through proofing, document checks, or liveness verification. The control problem is not just detecting a fake face. It is detecting coordinated abuse across capture, submission, and account creation stages. Once fraud becomes adaptive, static rules age quickly and assurance has to move from point checks to layered confidence signals.

Practical implication: teams should treat identity proofing as an adaptive control surface, not a one-time verification event.

Verification friction and player abandonment

Verification flows fail when they assume every user can tolerate the same level of friction. In iGaming, excessive document requests, repeated retries, and slow manual review can push legitimate players away while still failing to stop high-quality fraud. The governance challenge is balancing assurance and completion rate, because an overly rigid process can create shadow onboarding workarounds, while an overly permissive one invites abuse. Identity security here is a business control, not just a compliance control.

Practical implication: measure abandonment, exception rates, and manual-review bypasses together, not in isolation.

Regional benchmarks and compliance pressure

Regional variation matters because fraud patterns and regulatory expectations change by market. A control that is sufficient in one jurisdiction can become inadequate in another if proofing standards, age checks, or source-of-funds requirements shift. Regional benchmarks therefore function as governance input, not just reporting context. They tell security and compliance leaders where their identity process is drifting out of tolerance relative to the market they operate in.

Practical implication: align verification policy to jurisdiction-specific assurance needs rather than relying on a single global onboarding standard.




NHI Mgmt Group analysis

Identity verification in iGaming is now a fraud-control problem, not a point-in-time onboarding problem. The article shows a market where attackers adapt faster than static proofing workflows can respond. That shifts the governance question from whether a user can be verified once to whether the verification model can keep pace with adversarial behaviour across the full player lifecycle. Practitioners should treat this as a continuous assurance issue, not a form-filling exercise.

Verification bypass tolerance: the real failure mode is allowing legitimate users to bypass full verification when friction rises. Sumsub’s finding that up to 30% of players could skip full verification points to a governance gap, not just a UX issue. When exception handling becomes the normal path, the organisation loses assurance consistency and opens a durable fraud window. Practitioners should read this as a policy drift problem that needs tighter control boundaries.

AI-assisted fraud makes regional benchmark drift visible. The report’s regional framing matters because fraud teams often overgeneralise from one market to another. Deepfake-enabled attacks can exploit any mismatch between local compliance demands and global onboarding design. The result is a verification model that looks standardised on paper but is inconsistent in practice. Practitioners should use regional variance as a signal that identity governance is not yet harmonised.

Identity proofing in gaming is becoming a proxy for broader digital trust maturity. iGaming is an early warning environment because high fraud pressure forces organisations to test the limits of verification, escalation, and exception handling. What breaks here is likely to break elsewhere when the same techniques reach consumer finance, marketplaces, and platform onboarding. Practitioners should use this category as a stress test for customer identity governance across the enterprise.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • In the same research, only 5.7% of organisations have full visibility into their service accounts, which helps explain why identity exceptions and stale trust signals persist.
  • For a broader governance lens on lifecycle, rotation, and offboarding, see Ultimate Guide to NHIs, Regulatory and Audit Perspectives.

What this signals

Verification drift becomes a governance risk when teams optimise for conversion without measuring assurance loss. In iGaming and adjacent consumer journeys, the danger is not just fraud volume but the normalisation of bypass paths that weaken trust over time. Teams should watch for rising exception rates, uneven market handling, and controls that survive policy review but fail in real user flow.

Regional assurance should be treated as a control design variable, not a reporting overlay. Markets with different regulatory pressure need different proofing thresholds, review paths, and escalation rules. If one onboarding model is forced across all jurisdictions, the programme will eventually either over-reject legitimate users or under-protect against adaptive fraud.


For practitioners

  • Tighten verification exception policy: Define exactly when full verification can be skipped, who approves the exception, and how often exceptions are reviewed for drift. Treat exception volume as a control metric, not an operational convenience.
  • Measure fraud and abandonment together: Track fraud attempts, completion rates, retry counts, and manual-review fallout in one dashboard so that stronger controls do not simply move risk into abandonment or workarounds.
  • Segment assurance by market: Apply different identity proofing thresholds for jurisdictions with different regulatory pressure, fraud rates, and document norms instead of relying on a single global flow.
  • Stress-test liveness and document checks against deepfakes: Run red-team testing against capture flows, document verification, and selfie matching to see where synthetic identities can still get through.

Key takeaways

  • Identity verification in iGaming is being tested by AI-assisted fraud that adapts faster than static onboarding controls.
  • The report’s scale matters: Sumsub says it analysed more than 3 million fraud attempts, and the findings show how quickly verification shortcuts become governance debt.
  • Practitioners should separate conversion metrics from assurance metrics so that easier onboarding does not quietly become weaker identity control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access assurance both hinge on strong authentication decisions. |
| NIST Zero Trust (SP 800-207) | | Zero trust requires continuous verification, not one-time trust at onboarding. |
| NIST SP 800-63 | | Digital identity assurance principles apply to verification strength and proofing confidence. |

Treat identity verification as a continuous trust decision and reassess assurance after each risk signal.


Key terms

  • Identity Verification: Identity verification is the process of confirming that a person matches the identity evidence they present. In digital programmes, it combines document checks, biometric comparison, and risk signals to decide whether onboarding can proceed with acceptable assurance.
  • Synthetic Identity: A synthetic identity is a fabricated or blended identity created from real and fake data to pass verification checks. It often looks legitimate enough to avoid basic screening, which makes it a persistent fraud vector in customer onboarding and account abuse.
  • Verification Exception: A verification exception is an approved deviation from the normal identity proofing path. It can be necessary for business continuity, but it becomes a control weakness when exceptions are overused, weakly reviewed, or allowed to become the default path for difficult cases.
  • Liveness Check: A liveness check is a control that tests whether a biometric subject is physically present and not a replay, spoof, or deepfake. Its value depends on how well it resists automation, image injection, and adversarial adaptation across repeated attempts.


This post draws on content published by Sumsub: State of Identity Verification in the iGaming Industry, 2025.
