Video call identity verification is becoming an IAM control

At a glance

What this is: This is a product announcement about authenticating participants in video calls, with the key finding that video conferencing has become a fraud and impersonation risk when deepfakes and virtual cameras are used.

Why it matters: It matters because identity teams now have to treat live video as part of the access decision path, especially where humans approve payments, hiring, recovery, or other high-risk actions.

By the numbers:

• $25 million.

👉 Read iProov's announcement on verified identity checks for video meetings

Context

Video identity verification is the process of checking whether the person in a live call is genuine before trust is extended. The problem is that screen presence has been treated as a proxy for identity, even though deepfakes and virtual cameras can now defeat that assumption at scale. For IAM teams, this shifts video from a collaboration channel to a high-risk identity checkpoint.

This matters across human identity programmes because the video call increasingly sits upstream of access, approval, and recovery decisions. It also creates a new control boundary for NHI and autonomous workflows when humans are used as the final trust anchor in otherwise automated journeys. The practical question is no longer whether video is convenient, but whether it is reliable enough to support material decisions.

Key questions

Q: How should security teams handle identity verification in high-risk video calls?

A: Security teams should treat high-risk video calls as identity checkpoints, not just collaboration sessions. Use participant verification before approving hiring, account recovery, payments, or privileged changes. The goal is to confirm the human behind the screen and the integrity of the camera source before any trust-sensitive decision is made.

Q: Why do deepfakes create an IAM problem in video meetings?

A: Deepfakes create an IAM problem because the meeting itself can become the point where identity is trusted, approved, or escalated. If the person on screen is synthetic, then hiring, recovery, or payment workflows may grant access or value to an unverified actor. That is an identity assurance failure, not just a fraud issue.

Q: What breaks when organisations rely on video alone to verify participants?

A: Relying on video alone breaks the assumption that visual presence equals real identity. Attackers can use synthetic media and virtual cameras to create convincing sessions that bypass human judgement. When that happens, the control fails exactly where the organisation believes it is strongest: at the moment of trust.

Q: How do you know if video identity verification is actually working?

A: You know it is working when high-risk decisions are consistently preceded by an explicit identity check and when virtual camera or deepfake attempts are flagged before approval. Measure whether the control is embedded in the workflow, how often it is triggered for sensitive cases, and whether suspicious sessions are escalated instead of accepted.

How it works in practice

Deepfake detection in live video streams

Live video authentication works by analysing the visual stream in real time to detect synthetic faces, presentation attacks, and frame-level anomalies that are difficult for humans to spot. In this model, the control is not about proving someone typed the right password. It is about testing whether the image source and facial motion patterns are consistent with a real person operating a real camera. That makes the control useful in workflows where the decision to hire, pay, recover, or approve depends on trust established during the call.

Practical implication: place live deepfake detection at the point where human trust becomes an access or money movement decision.

Hardware integrity and virtual camera detection

A stronger video identity control verifies that the stream originates from physical camera hardware rather than a virtual environment. That distinction matters because synthetic media often combines manipulated imagery with software-based camera masking, creating a plausible but untrustworthy session. Hardware integrity checks reduce the chance that an attacker can deliver convincing video through a controlled pipeline while appearing to be a real participant. In governance terms, this is a device-origin check for identity assurance, not a general fraud score.

Practical implication: require camera-origin assurance for remote hiring, account recovery, and payment approval flows.

Host-triggered risk scoring and silent verification

Host-triggered verification means the trust check runs when the decision-maker initiates it, and the result is presented as a simple risk state in the meeting interface. Silent operation is important because attackers are less likely to adapt mid-session if they do not know they are being evaluated. The design also supports accessibility and low-friction use, which matters because controls that are too disruptive are often bypassed in practice. This is identity assurance embedded in the workflow, not a separate step after the fact.

Practical implication: build verification into the decision point, not as an optional post-call review.

NHI Mgmt Group analysis

Video identity trust has become an access-control problem, not a collaboration problem. The old assumption was that visual presence in a meeting implied a real person behind the screen. Deepfakes, virtual cameras, and AI-assisted impersonation have broken that premise, so the control boundary now sits inside the meeting workflow itself. IAM teams should treat video as part of the identity assurance chain, not as a separate communications layer.

Human approval steps are now a fraud target when they sit downstream of unverified video. Hiring, onboarding, account recovery, and financial approvals all depend on a human making a trust decision in real time. If the participant cannot be authenticated first, the process is effectively authorising unknown identity. The implication is that identity governance must cover decision moments, not just accounts and credentials.

Screen appearance is no longer a stable identity signal. The specific failure mode here is visual confirmation bias, where staff assume real-time video is equivalent to presence. That assumption was designed for a world in which synthetic video was rare and costly. It fails when low-cost generative tools can produce convincing personas at scale, which means practitioners need to rethink where assurance is actually being established.

Video-call verification belongs in the broader human identity assurance stack alongside MFA and recovery controls. This is not a replacement for existing identity controls, but it closes a gap that traditional SSO and passwordless journeys do not address. The category is moving toward layered assurance across device, session, and interaction, which is the right direction for high-risk remote workflows.

Named concept: video-call assurance gap. This is the gap between believing a participant is real and proving it with machine-assisted checks before trust-sensitive actions occur. Once organisations accept that gap as a governance issue, they can stop treating deepfake defence as a niche fraud problem and start treating it as part of identity risk management.

From our research:

• Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
• Another finding shows that 97% of NHIs carry excessive privileges, which broadens the attack surface when identity checks are weak.
• For a broader baseline on hidden identity risk, see 52 NHI Breaches Analysis for repeated failure patterns across real incidents.

What this signals

Video-call assurance gap: identity teams should now treat live video as a policy-controlled trust surface, not an informal human signal. That means the control model has to account for meeting-triggered approvals, remote screening, and recovery flows where a single synthetic participant can distort the outcome.

With only 5.7% of organisations having full visibility into their service accounts, per Ultimate Guide to NHIs, most enterprises already struggle to see non-human trust paths clearly. The same visibility gap is now emerging on the human side when deepfakes are allowed to stand in for identity.

The next control frontier is cross-domain assurance, where human identity, device integrity, and workflow authorisation are evaluated together. Teams that already govern privileged access and session trust should extend those principles to any call that can unlock money, onboarding, or recovery.

For practitioners

• Classify video calls by decision risk Identify which meetings can trigger hiring, onboarding, recovery, payment, or access decisions, then require stronger participant assurance for those flows. Low-risk collaboration meetings do not need the same control level, but any session that can alter trust or entitlement should be treated as identity-sensitive.
• Require participant verification before material approvals Make authentication of the human behind the screen a prerequisite for approving funds, credentials, or privileged workflow changes. The control should run before the decision is finalised, not after the session is over or the workflow is complete.
• Test for camera-origin spoofing paths Validate whether your meeting stack can distinguish a physical camera from a virtual environment, especially on remote hiring and account recovery calls. If the platform cannot separate those paths, your approval process is exposed to synthetic media and presentation attacks.
• Map meeting trust checks into IAM governance Document where live video assurance sits in your identity journey, then align it with access review, recovery, and fraud escalation procedures. That gives IAM, security operations, and business approvers a shared control model for high-risk interactions.

Key takeaways

• Video meetings now sit on the identity path when they are used to approve hiring, recovery, or payments.
• Deepfakes and virtual camera injection can turn a trusted conversation into a fraud or access decision with no genuine identity check.
• Practitioners should govern high-risk calls like any other assurance control, with verification before the decision is finalised.

Key terms

• Video-call assurance gap: The gap between seeing a participant on screen and proving that participant is real enough to trust for a material decision. In practice, it is a control failure where visual presence is mistaken for identity assurance, especially in hiring, recovery, and payment workflows.
• Synthetic media impersonation: The use of AI-generated audio or video to present a false person as genuine in a live interaction. For identity governance, the important point is not the realism of the fake, but that it can move a human approver to grant trust, access, or value.
• Camera-origin integrity: A verification check that confirms a video stream comes from a physical camera rather than a virtual or manipulated source. This matters because a convincing face is not enough when the channel itself can be spoofed. It strengthens assurance by testing the device path, not only the person shown.

Deepen your knowledge

Video-call identity verification and trust-boundary design are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are extending identity governance into human approval flows, it is worth exploring.

This post draws on content published by iProov: Solution enables organizations to authenticate the identity of participants in video calls. Read the original.