Auth0 identity verification in login flows: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: Identity verification, AML checks, and fraud controls can now be moved into registration and login flows, letting businesses gate access before granting application use and reduce custom engineering effort, according to Sumsub. The shift matters because access decisions now depend on stronger proof-of-identity at the point of entry, not just authentication alone.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

Questions worth separating out

Q: How should security teams handle identity verification during login for regulated applications?

A: Security teams should treat login-time verification as a gating control for high-risk access, not as a cosmetic check.

Q: Why do authentication and identity proofing need to be linked more closely in high-risk environments?

A: Because authentication only proves control of credentials, while proofing establishes whether the user is eligible for access.

Q: How do you know if login-based verification is actually improving access governance?

A: Look for lower volumes of unverified access attempts, fewer manual exceptions, and audit trails that clearly show why access was granted or denied.

Practitioner guidance

  • Map access gating to regulated use cases: Identify which registration and login journeys must require verification before access is granted, then apply stricter rules to high-risk features and sensitive transactions.
  • Define failure handling before rollout: Document what happens when verification times out, fails, or returns an incomplete result so the application does not create ambiguous access states.
  • Align audit records across systems: Ensure authentication logs, verification outcomes, and compliance evidence can be correlated for a single access attempt without manual reconstruction.

What's in the full announcement

Sumsub's full article covers the operational detail this post intentionally leaves for the source:

  • How the Auth0 Marketplace integration is configured inside existing authentication journeys.
  • Which verification, AML, and fraud-check triggers can be bound to registration or login events.
  • How audit-ready records are retained and surfaced inside Sumsub for compliance review.
  • Where the marketplace approach reduces custom engineering effort compared with bespoke orchestration.

👉 Read Sumsub’s integration details for Auth0-based identity verification →
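
An added example, not part of the original post and not Auth0 or Sumsub code: one way to express the "define failure handling" and "align audit records" guidance above as a fail-closed login gate that emits one correlatable record per attempt. The outcome names, the `hold` decision and the record fields are assumptions made for illustration.

```javascript
// Added example: outcome names, decisions and record fields are assumptions,
// not values defined by Auth0 or Sumsub.

// Each known verification outcome maps to exactly one access decision.
// "hold" means: issue no session, send the user back to finish verification.
const POLICY = Object.freeze({
  approved:   { decision: 'allow', reason: 'verification_passed' },
  rejected:   { decision: 'deny',  reason: 'verification_failed' },
  pending:    { decision: 'hold',  reason: 'verification_in_progress' },
  incomplete: { decision: 'hold',  reason: 'verification_incomplete' },
  timeout:    { decision: 'deny',  reason: 'verification_timeout' },
});

// Anything outside POLICY (missing result, new or malformed status) is denied.
const FAIL_CLOSED = Object.freeze({ decision: 'deny', reason: 'unrecognised_outcome' });

function gateLogin(attempt, verification, now = new Date()) {
  // Without a shared attempt id the record cannot be correlated later.
  if (!attempt || typeof attempt.attemptId !== 'string' || attempt.attemptId === '') {
    throw new TypeError('attemptId is required to correlate logs');
  }
  const status = verification && typeof verification.status === 'string'
    ? verification.status
    : 'missing';
  // Own-property lookup so a status such as "constructor" cannot match.
  const rule = Object.prototype.hasOwnProperty.call(POLICY, status)
    ? POLICY[status]
    : FAIL_CLOSED;
  // One record per attempt: the same attemptId goes into the authentication
  // log, the verification record and the compliance evidence.
  return Object.freeze({
    attemptId: attempt.attemptId,
    userId: attempt.userId,
    verificationStatus: status,
    decision: rule.decision,
    reason: rule.reason,
    decidedAt: now.toISOString(),
  });
}

// Constructed sample attempts, not real log data.
const samples = [
  [{ attemptId: 'a-001', userId: 'u1' }, { status: 'approved' }],
  [{ attemptId: 'a-002', userId: 'u2' }, { status: 'timeout' }],
  [{ attemptId: 'a-003', userId: 'u3' }, null],
];
for (const [attempt, result] of samples) {
  console.log(JSON.stringify(gateLogin(attempt, result)));
}
```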

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 2799
 

Identity verification at the point of access is becoming an access governance control, not a back-office KYC task. The important shift is that authentication alone no longer answers the question of whether access should be granted in regulated environments. By moving verification into login and registration, the control becomes part of the decision to admit a user into the application boundary. Practitioners should treat this as a change in access governance architecture, not just workflow convenience.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why access governance often fails to extend cleanly from identity proofing into downstream privilege control.

A question worth separating out:

Q: Who should own identity verification when it sits inside authentication workflows?

A: Ownership should sit jointly across IAM, risk, and compliance, with a clearly defined system of record for the decision and its evidence. If authentication owns the workflow but compliance owns the policy, the organisation needs explicit accountability for failure handling and audit retention.

👉 Read our full editorial: Auth0 identity verification integration raises the bar for access gating



   