TL;DR: Trust is now the hardest currency in digital identity, with AI, bots, synthetic IDs, deepfakes, regulation, transparency, and reusable identity all reshaping fraud and verification priorities, according to Sumsub. The practical lesson is that identity programmes must treat trust as a governable control surface, not a branding outcome.
At a glance
What this is: A Sumsub podcast on how AI-driven fraud, synthetic identity, and regulation are changing the way businesses think about digital trust.
Why it matters: IAM, fraud, and identity teams increasingly share the same trust problems across customer identity, verification, and control design.
👉 Read Sumsub's podcast on fraud, digital identity, and trust in the age of AI
Context
Digital identity now sits at the intersection of fraud prevention, verification, and user trust. When AI tools make synthetic identities and deepfakes cheaper to produce, existing assurance models struggle to separate legitimate users from manipulated or fabricated ones.
The article’s central point is that trust is no longer just a user-experience outcome. For IAM and identity governance teams, it becomes a control problem that spans identity proofing, ongoing verification, and the policies that determine when trust can be reused or revoked.
Key questions
Q: How should teams handle trust decisions when AI makes identity evidence easier to fake?
A: Treat trust as a layered decision, not a single check. Combine document, device, behavioural, and policy signals, then require step-up verification when confidence drops or signals conflict. The goal is to make fabricated identity evidence harder to reuse across the journey, not to rely on any one signal as definitive.
Q: When does reusable digital identity create more risk than it reduces?
A: Reusable identity becomes risky when assurance is carried forward without freshness, revocation, or scope limits. If one proof can be replayed across multiple services with little revalidation, the same error scales everywhere. That is a governance problem, not just a user-experience trade-off.
Q: What do security teams get wrong about synthetic identity fraud?
A: They often focus on one verification step instead of the full trust chain. Synthetic identities usually succeed because multiple weak signals line up across onboarding, device context, and policy exceptions. Defending against them means looking for replayability, not just spotting obvious fakes.
Q: Who should own digital identity trust when fraud, IAM, and compliance overlap?
A: Ownership should be shared, but accountability must be explicit. Fraud teams understand attack patterns, IAM teams control access decisions, and compliance teams define evidence requirements. If those groups do not review the same trust rules, the organisation will miss gaps between proofing, access, and auditability.
Technical breakdown
Synthetic identity and deepfake pressure on assurance models
Synthetic identities combine real and fabricated attributes to bypass checks that rely on static validation. Deepfakes add a second layer of deception by imitating face, voice, or video evidence used in onboarding and step-up verification. In practice, this weakens assurance models that assume human signals are stable and difficult to falsify. When fraud tooling and AI generation improve at the same time, verification must shift from one-time checks to layered signal correlation across device, behaviour, and document evidence.
Practical implication: Practitioners should review where proofing still depends on single-signal trust decisions and replace them with layered verification controls.
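The layered decision described in the first key question and in the section above (combine document, device, behavioural, and policy signals; step up when confidence drops or signals conflict; deny evidence that is replayed across the journey) is easier to reason about as code. The following is an added example written for this post, not code from Sumsub or from any product it discusses. The signal names, the 0..1 scales, the weights and the thresholds are all assumptions chosen to illustrate the design; the point is that no single signal can reach the allow threshold on its own, a conflict forces a step-up even when the score is high, and the same evidence fingerprint seen under a second applicant is refused outright.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"
    DENY = "deny"


@dataclass(frozen=True)
class Signals:
    # Hypothetical signal set for one proofing or transaction step.
    # Field names and the 0..1 scales are assumptions for this example.
    document_verified: bool      # document checks passed
    liveness_score: float        # 0..1, higher = more likely a live presenter, not a replayed/synthetic face
    device_known: bool           # device previously seen on a trusted session
    behaviour_anomaly: float     # 0..1, higher = more anomalous timing/velocity
    policy_exception: bool       # a manual override was applied to this step
    evidence_fingerprint: str    # hash of the submitted document/face evidence


class TrustEngine:
    """Layered trust decision: weighted signals, conflict detection, replay check."""

    # Assumed weights; no single signal reaches the allow threshold alone.
    WEIGHTS = {"document": 0.40, "liveness": 0.30, "device": 0.15, "behaviour": 0.15}

    def __init__(self, allow_threshold: float = 0.80, deny_threshold: float = 0.50):
        self.allow_threshold = allow_threshold
        self.deny_threshold = deny_threshold
        self._seen_evidence: dict[str, str] = {}  # fingerprint -> first applicant id

    def score(self, s: Signals) -> float:
        w = self.WEIGHTS
        return (w["document"] * float(s.document_verified)
                + w["liveness"] * s.liveness_score
                + w["device"] * float(s.device_known)
                + w["behaviour"] * (1.0 - s.behaviour_anomaly))

    def conflicts(self, s: Signals) -> list[str]:
        """Signals that disagree with each other force a step-up regardless of score."""
        found = []
        if s.document_verified and s.liveness_score < 0.5:
            found.append("document_liveness_conflict")      # genuine document, doubtful presenter
        if s.policy_exception and not s.document_verified:
            found.append("exception_without_evidence")      # an override standing in for proof
        if s.device_known and s.behaviour_anomaly > 0.7:
            found.append("known_device_anomalous_behaviour")
        return found

    def evaluate(self, applicant_id: str, s: Signals) -> tuple[Decision, list[str]]:
        # 1. Replay: evidence already used under a different identity is denied outright,
        #    so one fabricated document cannot travel across applicants.
        first_seen = self._seen_evidence.setdefault(s.evidence_fingerprint, applicant_id)
        if first_seen != applicant_id:
            return Decision.DENY, ["evidence_replayed"]
        # 2. Weighted score across all layers.
        total = self.score(s)
        reasons = [f"score={total:.2f}"]
        if total < self.deny_threshold:
            return Decision.DENY, reasons + ["insufficient_evidence"]
        # 3. Conflicts are resolved by a step-up challenge, never by the score alone.
        found = self.conflicts(s)
        if found or total < self.allow_threshold:
            return Decision.STEP_UP, reasons + found
        return Decision.ALLOW, reasons


if __name__ == "__main__":
    engine = TrustEngine()
    # Constructed sample: verified document but a low liveness score -> step-up, not allow.
    print(engine.evaluate("applicant-1", Signals(True, 0.45, True, 0.0, False, "evidence-hash-1")))
```

The weights and thresholds would be tuned per flow in practice; what should not change is the ordering, which puts the replay check first and lets a conflict override an otherwise passing score.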
Reusable digital identity and the governance trade-off
Reusable digital identity aims to let users prove attributes once and carry them across services, reducing friction and repeated verification. The governance challenge is that reusability only works when issuers, relying parties, and policy rules all agree on freshness, revocation, and scope. Without those controls, identity reuse can turn into trust reuse, which amplifies any upstream error across multiple platforms. The question is not whether identity should be reusable, but how much assurance must be revalidated before the next transaction.
Practical implication: Teams should define attribute freshness and revocation rules before adopting reusable identity flows across multiple applications.
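The freshness, revocation and scope rules discussed in the second key question and in the section above (and again under "Define freshness and revocation rules" in the practitioner list) can be shown as an issuer and a relying party that revalidates every presentation rather than trusting the original proofing event. This is an added example written for this post, not Sumsub's code or any reusable-identity standard's reference implementation. It uses an HMAC over a canonical JSON payload with a key shared between issuer and relying party as a stand-in for a real signature scheme, and the attribute names, lifetimes and identifiers are constructed for the illustration.

```python
import hashlib
import hmac
import json


def _canonical(payload: dict) -> bytes:
    # Deterministic serialisation so issuer and relying party sign and verify the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class Issuer:
    """Issues attribute assertions bound to an audience (scope) and a lifetime.
    HMAC with a shared key stands in for a real signature scheme in this example."""

    def __init__(self, issuer_id: str, key: bytes):
        self.issuer_id = issuer_id
        self.key = key
        self._counter = 0

    def issue(self, subject: str, attributes: dict, audience: list[str],
              issued_at: int, ttl_seconds: int) -> dict:
        self._counter += 1
        payload = {
            "id": f"{self.issuer_id}-{self._counter}",  # stable id so the assertion can be revoked
            "iss": self.issuer_id,
            "sub": subject,
            "aud": sorted(audience),         # scope: only these relying parties may accept it
            "iat": issued_at,
            "exp": issued_at + ttl_seconds,  # issuer-imposed lifetime
            "attrs": attributes,
        }
        sig = hmac.new(self.key, _canonical(payload), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}


class RelyingParty:
    """Revalidates each presented assertion: issuer, integrity, scope, revocation, freshness."""

    def __init__(self, rp_id: str, trusted_issuers: dict[str, bytes], max_age: dict[str, int]):
        self.rp_id = rp_id
        self.trusted_issuers = trusted_issuers  # issuer id -> verification key
        self.max_age = max_age                  # attribute -> maximum acceptable age in seconds
        self.revoked: set[str] = set()          # assertion ids the issuer has revoked

    def revoke(self, assertion_id: str) -> None:
        self.revoked.add(assertion_id)

    def verify(self, assertion: dict, attribute: str, now: int) -> tuple[bool, str]:
        p = assertion["payload"]
        key = self.trusted_issuers.get(p.get("iss"))
        if key is None:
            return False, "untrusted_issuer"
        expected = hmac.new(key, _canonical(p), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False, "bad_signature"
        if self.rp_id not in p["aud"]:
            return False, "audience_mismatch"   # scope limit: not issued for this relying party
        if p["id"] in self.revoked:
            return False, "revoked"
        if attribute not in p["attrs"]:
            return False, "attribute_not_asserted"
        if now > p["exp"]:
            return False, "expired"
        # Freshness is decided per attribute by the relying party, and must be defined
        # before the attribute is accepted at all.
        if attribute not in self.max_age:
            return False, "no_freshness_policy"
        if now - p["iat"] > self.max_age[attribute]:
            return False, "stale"
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample: an age attribute may be a year old, an address only a week.
    key = b"demo-shared-key"
    idp = Issuer("gov-idp", key)
    t0 = 1_700_000_000
    a = idp.issue("user-123", {"age_over_18": True, "address": "1 Example St"},
                  ["bank-rp"], t0, ttl_seconds=30 * 86400)
    bank = RelyingParty("bank-rp", {"gov-idp": key}, {"age_over_18": 365 * 86400, "address": 7 * 86400})
    print(bank.verify(a, "address", t0 + 10 * 86400))  # stale: address evidence is older than a week
```

The ordering matters: integrity and scope are checked before freshness, so a stale verdict is only ever reached on an assertion that was actually issued for this relying party, and an attribute without a written freshness rule is rejected rather than silently trusted for the issuer's full lifetime.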
Regulation turns trust into an operating requirement
The conversation reflects a broader shift in which identity trust is shaped by regulatory expectations, not just product design. Anti-fraud, transparency, and data handling controls increasingly affect how organisations collect, store, and reuse identity evidence. That creates tension between operational convenience and proof standards, especially where customer onboarding must stay fast while scrutiny increases. For identity teams, compliance is no longer a separate lane from trust design, because the controls that reduce fraud also define what evidence can be relied on.
Practical implication: Identity, fraud, and compliance owners should align proofing, retention, and audit requirements so trust decisions remain defensible under review.
Threat narrative
Attacker objective: The attacker aims to obtain trusted account access or transactional acceptance under a false or manipulated identity.
- Entry occurs when attackers use synthetic IDs, deepfakes, or fabricated signals to pass weak verification steps and enter digital onboarding flows.
- Escalation follows when fraudulent identities are reused across services or combined with stolen credentials to extend trust beyond the original proofing event.
- Impact is measured in fraudulent account creation, bypassed controls, and reduced confidence in identity evidence across the platform.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Trust has become a control surface, not a soft brand attribute. The article is correct to frame trust as the hardest currency in digital identity, because AI now compresses the cost of deception while increasing the volume of identity signals that must be judged. For IAM and fraud teams, this means the boundary between assurance, access, and fraud prevention is disappearing. Practitioners should treat trust decisions as governable security events, not marketing language.
Synthetic identity is the pressure test for identity proofing. When fabricated and real attributes are blended well enough to survive onboarding, the failure is not just verification quality but the assumption that a single successful proofing event is durable. That assumption collapses once identity can be repackaged, replayed, or reissued at scale. The implication is that identity programmes must think in terms of evidence freshness and replay resistance, not one-time validation.
Trust reuse debt: reusable digital identity creates operational value only when downstream relying parties can detect stale, over-broad, or mis-scoped assertions. Without that governance, every convenience gain becomes a trust liability that propagates across services. This is where identity governance and fraud strategy converge: the system needs a way to limit how far any single proof can travel. Practitioners should stop treating reusability as inherently safe.
Regulation is increasingly shaping how identity trust is engineered. The article points toward a world where transparency, auditability, and fraud controls are not optional overlays but part of the identity design itself. That matters because regulators and security teams are now asking similar questions about provenance, evidence, and accountability. Practitioners should align identity proofing with governance requirements early, before friction is locked into production flows.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- For the governance layer: review NHI Lifecycle Management Guide for how lifecycle controls shorten the time between risk identification and access removal.
What this signals
Trust programmes need a fraud-ready operating model. As AI-generated identity evidence becomes cheaper to produce, the practical dividing line is no longer between human and machine sign-in alone. It is between identity decisions that can be replayed and those that are tied to fresh evidence, explicit policy, and revocation paths.
Identity teams should expect assurance to move from point-in-time to continuous validation. That shift aligns with broader zero-trust thinking and with the need to track evidence provenance across onboarding, recovery, and high-risk transactions. Teams that still treat verification as a one-off event will struggle to detect reused or manipulated identity signals.
Where identity, fraud, and lifecycle controls meet, governance gets sharper. The organisations that will adapt fastest are the ones that can trace evidence, revoke trust quickly, and expose stale assertions before they become fraud vectors. For practitioners, that means linking identity proofing decisions to the same operational discipline used for access and secrets management.
For practitioners
- Map trust decisions to specific assurance levels: Document which onboarding and transaction steps rely on weak, medium, or strong evidence, then require escalation when the evidence source changes or confidence drops. Use this to separate low-risk convenience flows from higher-risk verification paths.
- Test identity proofing against synthetic and deepfake scenarios: Run red-team style exercises that simulate fabricated documents, face swaps, and replayed identity signals so you can see where single-factor trust still passes. Feed the results into policy updates for step-up checks and exception handling.
- Define freshness and revocation rules for reusable identity: Set clear limits on how long attributes remain valid, who can issue them, and what conditions force re-validation before reuse. Without these rules, reusable identity turns into reusable risk across every connected relying party.
- Align fraud, IAM, and compliance ownership: Create shared review points for proofing, retention, and audit evidence so identity trust failures are handled as one programme issue rather than separate team problems. This avoids control gaps between onboarding, access, and regulatory review.
Key takeaways
- AI-driven fraud is pushing digital identity away from one-time verification and toward continuous trust governance.
- Synthetic identities and deepfakes expose the weakness of proofing models that still rely on reusable signals without freshness checks.
- Practitioners need shared ownership across fraud, IAM, and compliance so trust decisions are traceable, revocable, and auditable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-1 | Trust decisions depend on identity proofing and evidence quality. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Continuous verification is relevant when identity evidence can be replayed. |
| NIST SP 800-63 | IAL2 | Identity proofing strength is central when synthetic identities are in play. |
Tie onboarding assurance to defined evidence levels and review them under PR.AA-1.
Key terms
- Synthetic Identity: A synthetic identity combines real and fabricated attributes to create a convincing but false person or account record. In identity programmes, the danger is not just fraud at signup, but the ability to reuse that identity across services, transactions, and recovery flows.
- Reusable Digital Identity: Reusable digital identity is a model where verified attributes or credentials can be presented across multiple services without repeating the full proofing process. It improves usability, but it also requires strict rules for freshness, scope, and revocation so one stale assertion does not become widely trusted.
- Trust Signal: A trust signal is any piece of evidence used to judge whether an identity should be accepted, challenged, or denied. Examples include documents, device context, behaviour, and policy state. Strong programmes combine multiple signals rather than treating a single check as decisive.
- Identity Proofing: Identity proofing is the process of establishing that an account holder or applicant is real and matches the claimed identity. The quality of proofing depends on the evidence used, how it is validated, and how easily that evidence can be replayed or manipulated later.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity governance in your organisation, it is worth exploring.
This post draws on content published by Sumsub: Fraud, Digital Identity, Trust. Where do we go from here? Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org