TL;DR: Prove’s Improve 2025 summit gathered 200+ leaders to discuss digital identity, fraud prevention, customer experience, and the launch of an identity graph spanning nearly half the world’s population across 227 countries and territories. The shift matters because persistent trust models are replacing one-time checks, and that changes how identity, authentication, and lifecycle controls are governed.
At a glance
What this is: Improve 2025 was a Prove-hosted summit focused on digital identity, fraud prevention, customer experience, and the introduction of an identity graph designed to support persistent trust.
Why it matters: It matters to IAM practitioners because persistent identity linkage changes how onboarding, authentication, lifecycle events, and fraud controls must work across customer journeys and digital channels.
By the numbers:
- The summit brought together more than 200 leaders from fraud prevention, digital identity, and customer experience.
- The new Identity Graph covers nearly half of the world’s population across 227 countries and territories.
- Prove says it is trusted by 2,500+ leading companies to reduce fraud and improve consumer experiences.
👉 Read Prove Identity's coverage of Improve 2025 and the Identity Graph launch
Context
Digital identity programs fail when they treat authentication as a one-time checkpoint rather than a lifecycle problem. In practice, fraud pressure, customer friction, and identity recovery all converge around the same question: can the organisation maintain trust after the first login or onboarding event?
Improve 2025 positioned that problem around persistent identity rather than isolated verification events. For IAM, fraud, and CX teams, the key issue is not whether identity can be checked once, but whether it can be continuously recognised, revalidated, and governed across accounts, devices, and lifecycle changes.
Key questions
Q: How should teams govern persistent identity signals across customer journeys?
A: Teams should govern persistent identity signals as lifecycle controls, not just authentication metadata. That means defining who can create, refresh, reuse, and retire linkage between users, devices, credentials, and accounts. The goal is to preserve continuity where it is legitimate while preventing weak identity reuse from becoming a fraud path.
Q: Why do persistent identity models change fraud and IAM decision-making?
A: Persistent identity models change decision-making because they turn a single verification into an ongoing trust relationship. Instead of asking whether a user passed one check, teams must decide whether later actions are still consistent with the original proofing, device history, and recovery state.
Q: What breaks when customer identity is treated as a one-time check?
A: When customer identity is treated as a one-time check, organisations lose the ability to distinguish legitimate continuity from fraudulent reuse. That creates blind spots in account recovery, step-up authentication, and cross-channel recognition, where attackers can exploit stale trust instead of fresh credentials.
Q: Who should own identity graph governance in an enterprise?
A: Identity graph governance should be shared across IAM, fraud, and customer experience, with clear accountability for linkage quality and trust expiry. If one team owns the data while another owns the risk decision, the organisation will struggle to correct false trust outcomes quickly.
Technical breakdown
Persistent identity graphs and deterministic linkage
A persistent identity graph links a person, device, credential, and account history into a single trust fabric. The architectural shift is from point-in-time verification to deterministic association, where signals from previous interactions influence future recognition and step-up decisions. That matters because modern fraud controls increasingly depend on whether the system can recognise the same entity across sessions, channels, and account events without forcing repeated proofing. The security trade-off is that graph quality, entity resolution, and false linkage risk become governance concerns, not just product features.
Practical implication: review how your customer identity stack records, reconciles, and expires linkage signals across onboarding and recovery flows.
Why authentication is becoming a lifecycle control
Authentication is no longer just about granting initial access. In digital identity programmes, it now sits inside a broader lifecycle that includes onboarding, device recognition, account recovery, and ongoing trust decisions. That means the control objective shifts from verifying a login to maintaining a reliable identity record over time. If an organisation cannot connect new events to prior proofing, it ends up overusing one-time checks, which increases friction and weakens fraud detection at the exact moments when trust should be recalibrated.
Practical implication: map authentication decisions to lifecycle states so onboarding, recovery, and step-up controls share the same trust record.
KYC, fraud prevention, and customer experience now share the same control plane
The event reflected a broader convergence: KYC, fraud prevention, and customer experience are increasingly governed through the same identity layer. That convergence is operationally useful because it reduces duplicated checks, but it also creates dependency on the quality of identity assertions and the governance around their reuse. Once identity becomes a shared control plane, weak data quality or poor refresh logic affects both fraud exposure and customer friction at the same time.
Practical implication: treat identity data quality and refresh rules as shared controls for fraud, onboarding, and experience teams rather than isolated programme settings.
Threat narrative
Attacker objective: The objective is to inherit trust from prior identity events and use that continuity to commit fraud or take over accounts without triggering fresh verification.
- Entry begins when a fraudster or manipulated user attempts onboarding, account recovery, or session reuse through channels that trust weak identity signals.
- Escalation occurs when the attacker leverages persistent identity weaknesses, such as recycled attributes or weak account linkage, to move from one verified event into another trusted context.
- Impact is fraud loss, account takeover, or degraded customer trust because the system over-accepts continuity signals that were never meant to be authoritative across the lifecycle.
Breaches seen in the wild
- Coupang Signing Key Breach — Unrevoked signing key credentials expose 33.7 million records after employee offboarding failure at Coupang.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Persistent trust is replacing isolated identity proofing as the governing problem in digital identity. The summit’s central idea is that identity now has to survive beyond the first successful login or onboarding step. That changes the control question from “was this user verified?” to “can this identity be recognised, refreshed, and governed across later events?” For practitioners, this shifts the programme from point controls to lifecycle trust management.
Identity graphs create a governance layer, not just a fraud feature. Once devices, credentials, and accounts are linked into a persistent fabric, the organisation inherits responsibility for linkage quality, expiry, and reuse conditions. False linkage can create over-trust, while weak linkage forces repeated friction. The implication is that identity graph governance belongs in IAM, fraud, and risk operating models together, not in a silo.
Customer experience and security are converging on the same identity decision. The article shows that friction reduction and fraud prevention are no longer separate design goals. When trust becomes persistent, every bad identity decision can echo across future interactions, which means the cost of poor governance increases with scale. Practitioners should treat identity continuity as a control surface, not a convenience layer.
Digital identity is moving from verification to recognition, and that changes accountability. The more an organisation relies on persistent identity, the more it must define who owns linkage rules, recovery logic, and trust expiry. That is a governance issue as much as a technical one, and it becomes more visible as identity spans more channels and jurisdictions. Teams need explicit ownership for trust lifecycle decisions.
From our research:
- NHIs outnumber human identities by 25x to 50x in modern enterprises, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why persistent trust models need governance as much as instrumentation.
- For a broader control baseline, see Top 10 NHI Issues for the operational gaps most teams still miss.
What this signals
Persistent trust is now a programme design problem, not just a product capability. Identity teams should expect greater pressure to connect onboarding, authentication, and recovery logic into one governed trust record. The organisations that separate fraud rules from IAM controls will keep paying for duplicate decisions and inconsistent risk outcomes.
The practical next step is to treat identity linkage as a lifecycle object with ownership, expiry, and review requirements. That includes documenting where continuity is assumed, where it should be broken, and which teams can change it without creating a new attack path.
For practitioners
- Map persistent identity dependencies Identify where onboarding, authentication, recovery, and device recognition reuse the same identity record. Look for places where a single trust signal can unlock future access without revalidation.
- Review linkage and expiry rules Document how identity links are created, refreshed, and retired across customer journeys. Pay special attention to when a prior verification event stops being valid for future decisions.
- Align fraud and IAM ownership Assign shared governance for identity data quality, step-up policy, and recovery paths so fraud, IAM, and customer experience teams are working from the same trust model.
- Test account recovery as a trust boundary Treat recovery flows as privileged identity events. Validate whether recovery mechanisms can be abused to inherit trust from previous sessions or linked devices.
Key takeaways
- Improve 2025 framed digital identity around persistent trust, not one-time verification, which changes how IAM and fraud controls must be governed.
- The Identity Graph model links accounts, devices, and authenticators across lifecycle events, so linkage quality and expiry become security controls, not just data issues.
- Practitioners should align IAM, fraud, and customer experience ownership around a shared trust record so continuity does not become a fraud path.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Persistent identity and authentication decisions map to access control governance. |
| NIST SP 800-63 | SP 800-63C | Federation and assertion trust matter where identity is reused across journeys. |
| NIST Zero Trust (SP 800-207) | 3.1 | Persistent trust still needs continuous verification and narrow access assumptions. |
| ISO/IEC 27001:2022 | A.5.15 | Access control governance is relevant to reusable identity trust decisions. |
| GDPR | Art.32 | If identity graphs process personal data, security of processing becomes relevant. |
Assess identity graph data handling, retention, and access controls under Article 32 if personal data is included.
Key terms
- Persistent Identity Graph: A persistent identity graph is a trust model that links a person, device, credential, and account history across interactions. It helps organisations recognise returning users, but it also creates governance obligations around accuracy, expiry, and misuse of linkage signals.
- Identity Continuity: Identity continuity is the ability to recognise the same subject across multiple digital events without repeating proofing every time. It is useful for reducing friction, but it must be governed so that legitimate recognition does not become stale trust or fraud reuse.
- Trust Expiry: Trust expiry is the point at which a prior identity signal should no longer be treated as valid for future decisions. In practice, it defines when onboarding, recovery, or device recognition must be revalidated because the underlying context has changed.
- Recovery Flow: A recovery flow is the process used to restore access when a user cannot authenticate normally. It is often treated as a support function, but it can become a privileged identity event if it allows an attacker to inherit trust from earlier sessions or linked devices.
What's in the full article
Prove's full blog covers the operational detail this post intentionally leaves for the source:
- Session-by-session event recap covering fraud strategy, digital payments, and customer experience transformation.
- Product discussion on the Identity Graph foundation and how persistent recognition is intended to work across accounts and devices.
- Panel and keynote highlights from banking, fintech, and customer experience leaders involved in the summit.
- Examples of the live customer stories and use cases that were only summarised here.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org