By NHI Mgmt Group Editorial Team
Published 2026-03-10
Domain: Governance & Risk
Source: HYPR

TL;DR: Generative AI (53%) and agentic AI (45%) have overtaken stolen credentials as the top identity security concern, according to HYPR’s 2026 State of Passwordless Identity Assurance report, while passwordless adoption remains stalled at 43% and 87% of organisations have faced audio or video deepfake attacks. The security problem has shifted from login friction to industrialised impersonation, and identity assurance now has to cover the full lifecycle, not just the sign-in moment.


At a glance

What this is: HYPR’s report shows identity assurance is shifting from passwordless adoption to identity verification as AI-driven impersonation and deepfakes become the dominant identity risk.

Why it matters: For IAM teams, the finding matters because human authentication, NHI governance, and emerging autonomous identity controls are converging on the same assurance problem: proving who or what is acting before abuse scales.

By the numbers:

👉 Read HYPR's report on identity verification, passwordless adoption, and AI risk


Context

Identity verification is the set of controls used to confirm that a person, account, or interacting system is genuinely who it claims to be before access is granted or continued. HYPR’s report argues that this assurance problem is no longer dominated by stolen passwords alone, but by AI-assisted impersonation, synthetic media, and the failure to scale identity checks beyond a narrow set of users.

The article frames a familiar governance gap in a new way: technical awareness has improved, yet operational adoption has lagged. That disconnect matters to IAM, PAM, and identity architects because the same trust assumptions that leave human sign-in exposed also affect service accounts, API-driven workflows, and any future agentic identity that can participate in business processes without manual review.


Key questions

Q: How should security teams implement identity verification alongside passwordless authentication?

A: Use passwordless to remove reusable secrets, then add identity verification at the points where impersonation risk is highest, such as onboarding, recovery, and privileged approvals. The goal is not to replace passwordless, but to ensure that a strong login method is paired with stronger proof when a transaction can change access, money, or trust.

Q: Why do deepfakes create a new identity security problem even when passwordless is deployed?

A: Deepfakes attack the trust layer around the workflow, not just the login screen. A strong authenticator can still be undermined if help desks, recruiters, or approvers accept synthetic audio or video as proof. Passwordless reduces stolen-secret abuse, but it does not eliminate impersonation risk in human decision points.

Q: What do organisations get wrong when they treat identity verification as a pilot project?

A: They usually limit it to a small set of users or high-visibility use cases and leave the rest of the enterprise on older, weaker processes. That creates coverage gaps in recovery and exception handling, which are exactly the paths attackers target when they cannot break the primary login flow.

Q: How should IAM teams respond when AI makes identity impersonation easier to scale?

A: They should reassess every process that relies on human judgement alone and add independent checks where a false identity can trigger access or payment changes. The right response is not only more authentication friction, but better assurance at the workflow level and consistent lifecycle coverage across people and systems.


Technical breakdown

Identity verification versus passwordless authentication

Passwordless authentication removes shared secrets from the login flow, but it does not by itself prove that the party holding the device or session is the intended user. Identity verification adds a stronger check on the person behind the transaction, often using document, biometric, or risk-based evidence. In HYPR’s framing, the problem is not whether passkeys work, but whether organisations can establish identity assurance at scale when fraud now uses synthetic voices, video, and impersonation playbooks. That distinction matters because passwordless can reduce credential theft without closing the impersonation gap.

Practical implication: treat passwordless as an authentication control, then add identity verification where fraud, onboarding, recovery, or high-risk transactions need stronger proof.

The literacy-action gap in identity assurance

The report describes a literacy-action gap, meaning teams understand modern identity methods yet fail to operationalise them across the enterprise. This usually happens when pilots stay limited to executives, customer-facing teams, or a small subset of workers while legacy credentials remain in parallel use. That creates a split control plane in which policy says one thing and access practice says another. For identity governance, the important lesson is that awareness metrics do not equal control coverage. If a programme is not measurable across onboarding, recovery, and offboarding, it is still partial by design.

Practical implication: measure how many identities are covered end to end, not how many teams have approved a passwordless strategy.

Synthetic media and impersonation risk in identity workflows

Deepfakes change identity risk because the attacker no longer needs only a stolen secret or a phishing link. They can use fabricated audio or video to impersonate employees, candidates, or executives in workflows that still depend on human judgement. That elevates assurance requirements in help desks, recruiting, finance approvals, and access recovery. The core failure mode is that many identity workflows still trust the channel too quickly. Once social proof is synthetic, the control question becomes whether the workflow verifies the actor through independent evidence before it authorises a change.

Practical implication: harden recovery and high-risk approval paths with independent verification steps, not just stronger login factors.
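One way to encode the workflow-level rule described in this section, as an added illustration that is not part of HYPR's report or NHIMG's material (the evidence categories, workflow names and sample requests are assumptions):

```python
"""Workflow-level identity assurance check. Constructed illustration, not code
from HYPR or NHIMG; evidence labels and workflow names are hypothetical."""
from dataclasses import dataclass, field

AUTHENTICATOR = {"passkey", "fido2_key", "device_bound_cert"}
# Live-channel evidence that synthetic media can fake; never counts on its own.
CHANNEL_ONLY = {"voice_call", "video_call", "chat_message", "email_request"}
# Evidence collected out of band, through a path the requester does not control.
INDEPENDENT = {"document_idv_with_liveness", "callback_registered_number",
               "manager_approval_out_of_band", "in_person_check"}
# Steps where the requester may legitimately hold no authenticator yet.
PROOFING_STEPS = {"account_recovery", "onboarding"}
# Steps by an existing user that change access or money.
PRIVILEGED_STEPS = {"privileged_approval", "payment_change"}


@dataclass
class Request:
    workflow: str
    evidence: set = field(default_factory=set)


def assess(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Unrecognised evidence fails closed."""
    unknown = req.evidence - AUTHENTICATOR - CHANNEL_ONLY - INDEPENDENT
    if unknown:
        return False, f"unrecognised evidence: {sorted(unknown)}"
    has_auth = bool(req.evidence & AUTHENTICATOR)
    has_indep = bool(req.evidence & INDEPENDENT)
    if req.workflow in PROOFING_STEPS:
        if has_indep:
            return True, "independent proofing accepted"
        return False, "proofing step needs independent verification"
    if req.workflow in PRIVILEGED_STEPS:
        if has_auth and has_indep:
            return True, "authenticator plus independent check"
        if has_auth:
            return False, "authenticator alone is not assurance for this step"
        return False, "strong authenticator required"
    # Routine step: possession of a phishing-resistant authenticator is enough.
    return (True, "authenticator satisfies routine step") if has_auth \
        else (False, "strong authenticator required")


if __name__ == "__main__":
    # Constructed samples: a faked video call cannot unlock recovery, and a
    # passkey does not turn a video "approval" into a verified payment change.
    print(assess(Request("account_recovery", {"video_call", "chat_message"})))
    print(assess(Request("payment_change", {"passkey", "video_call"})))
    print(assess(Request("payment_change", {"passkey", "callback_registered_number"})))
```

The point the rules make concrete is that the authenticator and the independent check answer different questions, so a step that can change access or money is only allowed when both are present.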


Threat narrative

Attacker objective: The attacker aims to exploit identity trust itself, gaining authorised access or approval through synthetic impersonation rather than direct credential theft.

  1. Entry occurs through AI-generated impersonation, including deepfake audio or video that convinces a help desk, recruiter, or employee to engage a sensitive identity workflow.
  2. Credential or identity access is obtained when the target workflow accepts the impersonation as sufficient proof and releases account recovery, onboarding, or transaction approval.
  3. Impact follows when the attacker uses that trusted identity path to move into privileged accounts, divert funds, or exfiltrate data without needing to break the underlying authentication mechanism.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity assurance is becoming the common control plane for human, NHI, and agentic identity. HYPR’s findings are not just about sign-in friction. They show that the trust problem now spans onboarding, recovery, verification, and lifecycle governance, which is exactly where human IAM and NHI governance start to converge. When synthetic media can impersonate a person and AI can accelerate fraud workflows, identity assurance becomes a cross-domain control issue, not a single authentication project. Practitioners should therefore stop treating passwordless, IDV, and lifecycle controls as separate programmes.

Identity verification is the missing assurance layer when passwordless removes secrets but not impersonation. Passkeys reduce reliance on reusable credentials, but they do not answer every trust question raised by deepfakes, call-centre fraud, or account recovery abuse. The report’s 43% enterprise adoption figure against 64% literacy shows the market has understood the concept faster than it has operationalised it. The practical lesson is that control maturity is defined by coverage and workflow integration, not by awareness or pilot success.

Identity verification literacy-action gap: This is the named failure mode the report exposes. Organisations know passwordless and IDV are useful, yet they still leave most of the workforce outside consistent implementation and continue to rely on legacy pathways for recovery and exception handling. That assumption fails when attackers industrialise impersonation, because a narrow deployment footprint leaves the weakest workflows exposed. The implication is that identity programmes must be designed around coverage gaps, not technology preference.

AI-driven impersonation shifts the economics of identity abuse. The report’s focus on generative AI and agentic AI displacing stolen credentials as the leading concern signals a structural change in attacker behaviour. Fraud now scales through automation, synthetic media, and repeated social engineering, which means a control that only reduces password theft no longer addresses the dominant risk. For identity governance leaders, the market signal is clear: assurance design has to account for adversary scale, not just adversary technique.

The future identity programme will be judged by whether it can prove identity continuously. The article’s emphasis on enterprise-wide execution points toward a model where trust is established and re-established across the lifecycle, not only at login. That is relevant to NHI and autonomous identity governance as well, because machine identities and agentic systems also need proof, scope, and lifecycle controls. Practitioners should read this as a call to unify assurance policy across identity types before the next wave of impersonation makes fragmented controls obsolete.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • Forward pivot: The 52 NHI Breaches Analysis shows how standing credentials and weak offboarding turn identity failures into repeatable attack paths.

What this signals

Identity assurance is now a lifecycle issue, not a login feature. As AI-assisted impersonation grows, teams that only modernise authentication will still leave recovery, onboarding, and approval flows exposed. The programme question becomes whether proofing, access control, and offboarding are aligned for the same identity, including service accounts and future agentic systems.

The strongest programmes will separate authenticator strength from identity assurance coverage. That means treating deepfake resilience, recovery hardening, and workforce-wide rollout as operational controls rather than awareness goals. It also means measuring the exception paths that remain outside passwordless and IDV coverage, because attackers will keep finding the narrowest route.


For practitioners

  • Expand identity verification beyond executive-only workflows: Apply stronger identity proofing to onboarding, account recovery, help desk resets, vendor changes, and other high-risk flows where impersonation produces outsized impact.
  • Measure identity coverage across the full workforce: Track whether passwordless and identity verification are deployed across all users, not just a pilot group or a few high-value personas, and close the remaining exception paths.
  • Harden recovery and exception handling paths: Add independent verification steps for high-risk requests so a synthetic voice, video, or social-engineering pretext cannot satisfy the workflow on its own.
  • Align human and machine identity governance: Use the same assurance mindset for users, service accounts, and AI-driven workflows so lifecycle controls, proofing, and access review do not diverge by actor type.

Key takeaways

  • Identity assurance is moving beyond passwordless because AI-driven impersonation now targets the trust layer around access, not just the secret used to log in.
  • HYPR’s survey shows strong literacy but weak execution, with adoption lagging behind awareness and deepfake attacks already common across organisations.
  • Practitioners should harden recovery, approval, and lifecycle workflows so proof of identity is maintained where human judgement and synthetic media meet.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
------------------------------|---------------------|-----------------------------------------------------------------------------------------
NIST SP 800-63                |                     | Identity proofing and authenticator assurance are central to the report's focus.
NIST CSF 2.0                  | PR.AA               | Authentication and access assurance need to extend beyond login into workflow controls.
NIST Zero Trust (SP 800-207)  | PR.AC-4             | Zero Trust requires continuous identity verification, not one-time trust at sign-in.

Map high-risk workflows to stronger identity proofing and phishing-resistant authenticators.


Key terms

  • Identity Verification: Identity verification is the process of confirming that a person or system is genuinely the one it claims to be before a sensitive action is allowed. In practice, it extends beyond login and is used to validate recovery, onboarding, and high-risk approvals when authentication alone is not enough.
  • Passwordless Authentication: Passwordless authentication replaces reusable passwords with stronger authenticators such as passkeys, biometrics, or device-bound credentials. It reduces stolen-secret risk, but it does not by itself prove identity in workflows where impersonation, recovery abuse, or synthetic media can still mislead human decision-makers.
  • Synthetic Media: Synthetic media is audio, video, or image content generated or altered by AI to imitate a real person or event. In identity programmes, it creates a trust problem because a convincing fake can influence help desks, approvers, recruiters, or employees before technical controls are even triggered.
  • Identity Assurance: Identity assurance is the degree of confidence an organisation has that the right person or system is accessing the right resource at the right time. It combines proofing, authentication, verification, and lifecycle controls, and it fails when any one of those layers is left inconsistent or incomplete.

Deepen your knowledge

Identity verification, passwordless authentication, and lifecycle coverage are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are aligning assurance controls across users, service accounts, and emerging AI-driven workflows, it is worth exploring.

This post draws on content published by HYPR: 2026 State of Passwordless Identity Assurance Report. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org