TL;DR: 40% of global businesses reported being victims of fraud, and sophisticated fraud rose 180% year over year to 28% of detected attacks, according to Sumsub, underscoring why firms are being pushed to demonstrate KYC, AML and fraud controls more visibly. Public recognition may shape trust, but it does not replace governance, evidence, or continuous assurance.
At a glance
What this is: This is a Sumsub initiative that publicly recognises selected companies for fraud prevention and compliance practices, with the key finding that fraud remains widespread and increasingly sophisticated.
Why it matters: It matters because IAM, NHI, and governance teams are being asked to prove control maturity, not just operate it, and that shifts how assurance, audit evidence, and trust are communicated.
By the numbers:
- 40% of global businesses reported being victims of fraud.
- The share of sophisticated fraud has increased by 180% over 2024-2025, reaching 28% of all detected attacks.
👉 Read Sumsub's analysis of the Risk Intolerant trust registry and fraud survey
Context
Risk and compliance programmes often fail when their evidence of control is trapped inside internal reports instead of being visible to the business, customers, and partners. In digital trust programmes, the problem is not only whether controls exist, but whether they can be demonstrated in a way that survives scrutiny across fraud, AML, and operational governance.
Sumsub's registry is positioned as a public proof layer for companies that say they manage fraud and compliance well. That matters because trust is increasingly evaluated as a governance signal, especially where financial services, crypto, gaming, edtech, and mobility intersect with identity risk, account abuse, and regulatory exposure.
Key questions
Q: How should security teams use public trust badges without overclaiming assurance?
A: Use them as a visibility signal, not as proof of continuous control. Security teams should keep the underlying evidence separate from the badge, validate control ownership, and refresh assessment inputs on a defined cadence. The goal is to avoid turning a one-time evaluation into a permanent trust statement.
Q: Why do fraud and compliance programmes need shared identity governance evidence?
A: Because the same identity events often support both fraud detection and regulatory assurance. Shared evidence reduces duplicate work, exposes inconsistencies between teams, and makes it easier to show how controls operate across KYC, AML, and account-risk workflows.
Q: When does a public recognition programme become a governance risk?
A: It becomes a risk when the recognition is reused as a substitute for operational proof. If teams cannot show current logs, review outcomes, exception handling, and control ownership, the badge can create confidence without resilience.
Q: How can teams tell whether fraud controls are actually keeping up?
A: Look for evidence that detection, investigation, and policy updates are moving at the same pace as attack change. If new fraud patterns appear repeatedly in incident reviews but never change governance controls, the programme is reactive rather than adaptive.
Technical breakdown
How public trust registries change assurance signalling
A public registry turns control maturity into a visible claim rather than an internal posture. In practice, this means a company is no longer only relying on audits, policies, and dashboards to show fraud and compliance readiness. It is packaging those controls into a recognisable trust signal for customers and counterparties. The technical limitation is that a badge reflects assessment at a point in time, not continuous protection. For identity and fraud teams, the real question becomes whether the underlying evidence remains current after the assessment window closes.
Practical implication: treat external trust badges as one assurance artefact and keep internal control testing, evidence capture, and recertification independent.
Why fraud exposure and compliance posture are linked
Fraud controls and compliance controls often share the same identity and transaction data, so weaknesses in one area can create blind spots in the other. KYC, AML, account verification, and fraud monitoring are not separate islands when adversaries use impersonation, synthetic identities, or account takeover techniques. A public recognition programme only makes sense if the underlying data pipelines and review processes are stable enough to support it. Otherwise, the outward signal can outpace the actual governance model, which is where many trust programmes lose credibility.
Practical implication: align fraud detection evidence, identity verification workflows, and regulatory review trails before presenting any external assurance claim.
What AI-driven fraud changes for identity governance
When scammers use AI, the velocity and variability of attacks increase, which makes static control narratives less persuasive. Identity governance teams then have to manage more than access and authentication. They also need a defensible story about how anomalies are detected, investigated, and resolved across channels that may include humans, bots, and delegated service identities. The broader point is that fraud resilience now depends on how quickly governance can absorb new attack patterns without waiting for a major incident to reveal the gap.
Practical implication: build fraud-response evidence loops that capture detection quality, investigation cadence, and control updates as part of governance reporting.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Public trust badges are becoming a governance layer, not just a marketing layer. Once a company turns fraud and compliance posture into a visible signal, it creates a new accountability surface for the identity programme. The badge is not the control, but it does force teams to prove that the control story is coherent across KYC, AML, fraud monitoring, and audit evidence. The practitioner conclusion is simple: if you cannot evidence the control, you cannot safely externalise the claim.
Fraud visibility is now part of identity governance because attack quality is rising faster than manual assurance cycles. Sumsub's survey data shows both breadth and acceleration in fraud exposure, which means governance teams cannot treat fraud as a narrow case management problem. The identity stack, customer trust model, and compliance narrative are becoming coupled. The practitioner conclusion is that the assurance model has to keep pace with adversarial behaviour, not just with policy updates.
Control theatre is the named risk when external recognition runs ahead of operational proof. A badge programme can help signal diligence, but it also creates a temptation to confuse recognition with resilience. That is especially dangerous where the same evidence is reused across compliance, fraud, and trust claims without independent validation. The practitioner conclusion is to separate recognition from assurance and preserve the right to fail internally before anything is celebrated externally.
Risk-intolerant positioning is a market signal that identity trust is being judged end to end. The market is moving from isolated compliance checkpoints toward continuous proof of trustworthy behaviour. That affects how IAM, fraud, and governance leaders talk to regulators, partners, and customers because the evidence must be understandable outside the control team. The practitioner conclusion is to build a trust narrative that can be defended operationally, not just presented publicly.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
- That pattern is one reason to pair public trust claims with the Ultimate Guide to NHIs, Regulatory and Audit Perspectives when building an evidence-led assurance model.
What this signals
Risk-intolerant proof will push identity teams toward evidence-rich governance. Public recognition only becomes useful when it is backed by controls that can survive internal review, partner due diligence, and regulator scrutiny. With 72% of organisations having experienced or suspecting an NHI breach in our 2024 ESG Report: Managing Non-Human Identities, the gap is not awareness but verifiable operational discipline.
Control theatre is easier to spot when the trust story is tied to lifecycle evidence. Teams should expect more pressure to show provisioning, review, and offboarding records that match the claims they make about fraud resilience. That is where the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs becomes operationally relevant.
For practitioners
- Separate recognition from assurance evidence: Keep badge or certification claims distinct from the operational controls that generated them. Maintain independent logs, review artefacts, and recertification records so the external signal does not become the only proof available.
- Map fraud controls to identity governance controls: Link KYC, AML, account verification, and fraud monitoring to a single governance view so teams can see where the same identity data supports multiple risk decisions. This helps expose blind spots before they become audit gaps.
- Track AI-driven fraud patterns as governance inputs: Feed emerging fraud techniques into incident review, policy tuning, and access-risk reporting. If attack methods are changing faster than review cycles, the programme is already behind the threat surface.
- Validate trust claims with repeatable evidence checks: Require a periodic re-test of the specific evidence used to support any public trust claim, including source data freshness, control ownership, and exception handling. A one-time assessment is not a durable assurance model.
Key takeaways
- This initiative turns fraud and compliance into a visible trust signal, which raises the bar for evidence, not just intent.
- The scale of fraud exposure in the source data shows why assurance claims must be backed by current operational proof.
- Teams should separate external recognition from internal control validation so public credibility does not outpace actual governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-02 | Public trust claims need ongoing oversight and evidence validation. |
| NIST SP 800-63 | | Identity proofing and verification logic underpin fraud and trust narratives. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Least privilege and continuous verification support trust claims across digital identities. |
Set governance criteria for any external assurance claim and review supporting evidence on a fixed cadence.
Key terms
- Trust Registry: A trust registry is a public or shared record that lists organisations or entities that have met a defined assurance threshold. In practice, it turns private evidence into a visible signal, but it remains only as reliable as the assessment method, the freshness of the evidence, and the scope of what was actually checked.
- Fraud Exposure: Fraud exposure is the degree to which an organisation is vulnerable to fraud attempts, successful attacks, or repeat abuse across its customer and operational workflows. It reflects both attack frequency and the quality of controls in place to detect, prevent, and respond to identity-driven fraud.
- Control Theatre: Control theatre is the appearance of strong governance without the underlying operational proof to support it. It often shows up when badges, policies, or reports are treated as substitutes for current evidence, making the organisation look safer than it actually is.
Deepen your knowledge
Fraud governance, identity evidence, and control assurance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is building a trust model around public recognition or compliance posture, it is worth exploring.
This post draws on content published by Sumsub: Risk-intolerant badges and fraud exposure survey findings. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org