By NHI Mgmt Group Editorial Team
Published 2025-11-20
Domain: Governance & Risk
Source: iProov

TL;DR: Identity management is shifting into a frontline control for commercial operations and national security, with synthetic identity fraud, passkey recovery abuse, and agent verification emerging as the sharpest pressure points, according to iProov. The core issue is that trust now breaks most often in recovery, delegation, and enrolment paths, not in the primary login flow.


At a glance

What this is: This is iProov’s outlook on 10 identity and security shifts for 2026, with synthetic identity fraud, passkey recovery, and agent verification as the most consequential themes.

Why it matters: It matters because identity teams have to govern humans, NHIs, and agent-mediated flows across enrolment, recovery, and privileged access, not just authentication at the edge.



Context

Identity management is no longer just an authentication layer. In this article, iProov frames 2026 as the year identity becomes a central operational control for commercial growth, national security, and machine-mediated trust, especially where verification, recovery, and privileged access intersect.

The recurring pattern is not that login fails, but that the surrounding trust lifecycle fails. That matters for IAM, IGA, PAM, and non-human identity programmes because the attack surface increasingly sits in recovery paths, synthetic enrolment, and the question of who or what is acting on behalf of a legitimate user.


Key questions

Q: How should security teams reduce account-takeover risk in recovery flows?

A: Treat recovery as a primary attack path, not a support function. Use the same assurance level for password reset, device replacement, and recovery enrolment that you apply to sign-in for high-risk accounts. If recovery can be completed with weaker checks than login, attackers will route around the stronger control instead of defeating it directly.

Q: Why do synthetic identities create a different risk profile from ordinary fraud?

A: Synthetic identities are dangerous because they can be engineered to pass trust checks, accumulate history, and reach privileged workflows without triggering obvious anomalies. That makes them a governance problem, not only a detection problem. The risk grows when proofing, employment validation, and access assignment are managed in separate silos.

Q: What do teams get wrong about passkey adoption?

A: They often assume a strong sign-in method removes takeover risk across the whole identity lifecycle. In practice, attackers target the weakest adjacent process, usually recovery. Passkeys reduce phishing exposure, but they do not eliminate the need for strong enrolment, backup, and recovery controls.

Q: Who should be accountable when an identity failure affects critical infrastructure or delegated AI access?

A: Accountability should sit with the owner of the trust decision, not only the team operating the tool. For critical infrastructure, that may be the identity and access owner, the privileged access owner, or the business function that approved delegation. When agentic access is involved, the sponsoring human and the system owner both need clear responsibility.


Technical breakdown

Synthetic identity verification failures in enrolment and access

Synthetic identity attacks succeed when verification is treated as a one-time gate instead of a lifecycle control. A synthetic identity can pass weak onboarding, impersonate a real person, and then accumulate access or credibility over time. In IAM terms, the problem is not just authentication strength, but whether proofing, account creation, and privileged assignment are aligned to the same trust standard. The article’s bank and critical-infrastructure examples show how fraud and infrastructure compromise can converge when identity vetting is shallow. For high-risk roles, strong identity proofing has to precede access assignment, not trail it.

Practical implication: tighten identity proofing and privileged onboarding so access cannot outpace assurance.

Passkey recovery as the new account-takeover weak point

Passkeys reduce phishing exposure at sign-in, but they do not remove the recovery problem. If the recovery process relies on weaker legacy channels, the attacker simply bypasses the stronger front door and targets the back door instead. This is a governance issue as much as an authentication issue because recovery policies often sit outside the core MFA and SSO controls teams monitor most closely. The article’s claim is that high-assurance verification will move from optional hardening to the decisive control in recovery flows. In practice, recovery becomes part of the authentication surface, not an administrative afterthought.

Practical implication: treat passkey recovery as a primary control path and subject it to the same assurance as login.
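To make the "weakest adjacent process" point concrete, here is an added policy lint (example code, not iProov's or any vendor's API; the flow names, method names and 1..3 assurance levels are constructed) that scores every access path by its weakest fallback and flags any recovery flow that can be completed with less assurance than login for the same account tier:

```python
from typing import Dict, List, Tuple

# Constructed policy lint for the "weakest adjacent process" problem (hypothetical
# names and levels, not iProov's or any vendor's API). Levels follow an AAL-style
# 1..3 order: 1 = single factor or legacy out-of-band channel, 2 = MFA,
# 3 = phishing-resistant authenticator or proofed identity.
ASSURANCE = {"sms_otp": 1, "email_link": 1, "password": 1, "totp": 2,
             "passkey": 3, "document_plus_liveness": 3}

Policy = Dict[str, Dict[str, List[str]]]   # tier -> flow -> fallback chain

def effective_assurance(chain: List[str]) -> int:
    # A flow is only as strong as the weakest fallback it can drop to.
    return min(ASSURANCE[m] for m in chain)

def find_bypasses(policy: Policy) -> List[Tuple[str, str, int, int]]:
    # Flows that complete with less assurance than login for the same tier;
    # each is a route around the stronger control rather than through it.
    findings = []
    for tier, flows in policy.items():
        login_level = effective_assurance(flows["login"])
        for flow, chain in flows.items():
            level = effective_assurance(chain)
            if flow != "login" and level < login_level:
                findings.append((tier, flow, level, login_level))
    return findings

def harden(policy: Policy) -> Policy:
    # Drop fallbacks below the tier's login assurance; a flow left with no
    # acceptable method inherits the login chain instead of a weaker one.
    fixed: Policy = {}
    for tier, flows in policy.items():
        floor = effective_assurance(flows["login"])
        fixed[tier] = {flow: [m for m in chain if ASSURANCE[m] >= floor] or list(flows["login"])
                       for flow, chain in flows.items()}
    return fixed

def example_policy() -> Policy:
    # Constructed: passkeys at sign-in, but legacy channels survive in recovery.
    return {
        "privileged": {
            "login": ["passkey"],
            "password_reset": ["passkey", "email_link"],
            "device_replacement": ["document_plus_liveness"],
            "recovery_enrolment": ["sms_otp"],
        },
        "standard": {"login": ["password"], "password_reset": ["email_link"]},
    }
```

Running `find_bypasses(example_policy())` reports the two privileged recovery flows that undercut passkey login; `harden` removes the weak fallbacks so recovery carries the same assurance as sign-in.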

Agent verification and the control problem behind autonomous access

The article’s rogue-agent scenario points to a broader shift: identity programmes will increasingly need to verify not only a person, but whether an agent is acting under the right person’s authority at that moment. That is a different governance problem from human authentication alone. It introduces delegated intent, runtime control, and revocation questions that legacy liveness checks do not answer. For NHIs and agentic systems, the critical issue is whether the actor’s authority can be continuously bounded when the system itself can initiate actions. That pushes teams toward tighter linkage between human identity, delegated agent identity, and session-level control.

Practical implication: define who authorises the agent, what it can do, and when that authority expires.
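The three questions above (who authorises, what is permitted, when it expires) map onto a small runtime check. The following is an added example, not code from iProov or any product, with constructed sponsor, agent and action names; it re-evaluates the agent's authority at the moment of use and records every decision:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Tuple
# Constructed model of delegated agent authority (hypothetical names, not from iProov
# or any product): a delegation names the human sponsor, a bounded scope and an expiry.
@dataclass
class Sponsor:
    session_valid_until: datetime                  # the human's own session bound
    active: bool = True                            # False once offboarded

@dataclass
class Delegation:
    sponsor_id: str
    scope: FrozenSet[str]                          # permitted actions
    expires_at: datetime

class AuthorityRegistry:
    def __init__(self) -> None:
        self.sponsors: Dict[str, Sponsor] = {}
        self.delegations: Dict[str, Delegation] = {}   # agent_id -> grant
        self.audit: List[Tuple[datetime, str, str, str]] = []

    def authorize(self, agent_id: str, action: str, now: datetime) -> Tuple[bool, str]:
        # Decide at the moment of use; the first failing condition is the reason.
        d = self.delegations.get(agent_id)
        if d is None:
            reason = "no delegation"
        else:
            s = self.sponsors.get(d.sponsor_id)
            problems = [
                (now >= d.expires_at, "delegation expired"),
                (s is None or not s.active, "sponsor inactive"),
                (s is not None and now > s.session_valid_until, "sponsor session expired"),
                (action not in d.scope, "out of scope"),
            ]
            reason = next((why for bad, why in problems if bad), "ok")
        self.audit.append((now, agent_id, action, reason))   # every decision is recorded
        return reason == "ok", reason

def demo() -> List[str]:
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)   # constructed scenario
    reg = AuthorityRegistry()
    reg.sponsors["alice"] = Sponsor(t0 + timedelta(hours=1))
    reg.delegations["agent-1"] = Delegation("alice", frozenset({"read_ticket"}), t0 + timedelta(hours=8))
    reg.authorize("agent-1", "read_ticket", t0)                        # ok
    reg.authorize("agent-1", "reset_password", t0)                     # out of scope
    reg.authorize("agent-1", "read_ticket", t0 + timedelta(hours=2))   # sponsor session expired
    reg.sponsors["alice"].active = False                               # sponsor offboarded
    reg.authorize("agent-1", "read_ticket", t0)                        # sponsor inactive
    return [entry[3] for entry in reg.audit]
```

The delegation itself is still valid in the last two calls; the agent is refused because the human behind it no longer is.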


Threat narrative

Attacker objective: The attacker aims to convert weak identity assurance into durable trusted access that can be used for disruption, fraud, or control.

  1. Entry occurs through weak synthetic identity proofing or compromised recovery paths that let an attacker obtain a trusted account foothold.
  2. Escalation follows when the attacker uses that foothold to access critical systems, accumulate privileges, or impersonate a legitimate worker, contractor, or agent.
  3. Impact appears as infrastructure disruption, account takeover, or large-scale fraud that outlives the original point of compromise.



NHI Mgmt Group analysis

Identity verification is moving from a login control to a business continuity control. The article is right to frame identity as commercial infrastructure, not just user access. Once synthetic identities can pass onboarding and reach privileged functions, the failure is no longer confined to IAM operations. The implication is that proofing quality, access assignment, and lifecycle governance now sit on the same risk path.

Passkey recovery is the new front line because recovery has become the easiest place to bypass strong authentication. Passkeys narrow the phishing window, but legacy recovery channels reintroduce weaker trust assumptions. That means organisations can improve sign-in security and still remain exposed to account takeover through the back door. Practitioners should treat recovery as part of the authentication boundary, not as a support workflow.

Verifying the human behind the agent is a distinct governance problem from verifying the human at the keyboard. The article’s rogue-agent prediction exposes a delegated identity gap: systems must determine whether an agent is acting under the right authority, not merely whether the human exists. That matters because delegated access can persist after the operator changes, the context shifts, or the session should have expired. IAM and NHI teams need a shared model for runtime authority.

Synthetic identity is becoming a cross-domain control failure, not a niche fraud problem. The same weak assurance logic can enable hiring fraud, infrastructure abuse, and privileged system access. That is why identity teams cannot leave synthetic identity detection to a single programme line. The practitioner implication is to align proofing, verification, and privileged access controls across HR, IAM, and security operations.

High-assurance verification is becoming the new boundary condition for critical access. The article’s infrastructure examples point to a future where governments and enterprises will expect stronger proof before privilege is granted. That does not remove fraud or compromise, but it raises the cost of getting trusted access in the first place. Practitioners should plan for assurance standards to tighten around the highest-risk roles first.


What this signals

Identity recovery will become a board-level resilience issue, not just an authentication issue. Teams that only harden sign-in will still be exposed where trust is weakest, especially in reset, re-enrolment, and delegated access flows. The practical signal is that IAM roadmaps need to absorb recovery assurance, privileged proofing, and identity lifecycle controls into the same operating model.

With 1 in 4 organisations already investing in dedicated NHI security capabilities, the market is moving toward lifecycle-based control rather than point-in-time verification. That trend matters because the article’s scenarios all depend on identities that survive beyond a single login, whether human, synthetic, or delegated. Practitioners should align identity governance with the concepts set out in our Ultimate Guide to NHIs, such as rotation, offboarding, and privilege scoping.

Synthetic identity pressure will force tighter joins between HR, IAM, and security operations. When a fabricated person can reach a privileged system, the failure is usually spread across proofing, onboarding, and access approval. Teams should expect assurance standards to tighten first around contractors, recruiters, and other high-impact roles where the trust chain is easiest to exploit.


For practitioners

  • Separate recovery from routine authentication: Move account recovery into the same governance tier as primary login. Require high-assurance checks for reset, re-enrolment, and device replacement flows, especially for privileged users and high-impact systems.
  • Revalidate privileged onboarding paths: Review how contractors, recruiters, and other high-risk roles gain access to critical systems. Require stronger identity proofing before account creation and before any privileged assignment is made.
  • Bind agent authority to the human sponsor: For AI agents and delegated workflows, make the approving human, permitted scope, and expiry conditions explicit. Reassess whether the agent still has valid authority whenever the underlying human context changes.
  • Extend IAM reviews beyond sign-in events: Include recovery, enrolment, delegated access, and privileged activation in review cycles. If a control only checks successful login, it is missing the paths that the article shows are most likely to fail.

Key takeaways

  • Synthetic identity, weak recovery, and delegated agent authority are now the most exposed trust paths in identity governance.
  • The article’s scale signals are material, including over a million predicted sleeper accounts and more than 25 million projected mobile driver’s license adopters.
  • Practitioners should reframe identity controls around assurance at enrolment, recovery, and delegation, not only at sign-in.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Identity proofing and recovery integrity map to access control governance.
NIST SP 800-63 | | The article directly references high-assurance identity proofing and verification.
OWASP Non-Human Identity Top 10 | NHI-03 | Recovery and delegated access are lifecycle issues for non-human and delegated identities.

Extend lifecycle and verification controls to any delegated or non-human identity that can act independently.


Key terms

  • Synthetic Identity: A synthetic identity is a fabricated or blended identity built from real and fake attributes to pass verification and gain trust. In identity programmes, the risk is not only fraud at onboarding, but the long tail of access, privilege, and reputation that can be built after the initial deception succeeds.
  • Passkey Recovery: Passkey recovery is the process used to restore access when a user loses or replaces a device or authenticator. It matters because the recovery path often becomes the weakest part of an otherwise strong authentication model, especially if the fallback process uses legacy checks or lower assurance than normal sign-in.
  • Delegated Identity: Delegated identity is access exercised by one actor on behalf of another, such as an AI agent acting under human authority. The key governance question is whether the delegation is bounded, auditable, and still valid at the moment of use, especially when access outlives the original intent.
  • Identity Proofing: Identity proofing is the process of establishing that a person or entity is who it claims to be before access is issued. In practice, it sits upstream of authentication and determines whether the rest of the access stack is protecting a real identity or a convincing impostor.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by iProov: November 20, 2025 identity predictions for 2026. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org