TL;DR: AI-generated voice clones, deepfake video, synthetic employee fraud, MFA bypass, and third-party access gaps defined workforce identity risk in 2025, according to Incode's analysis. Conventional onboarding, MFA, and offboarding controls failed because they were built for static trust signals, not adversarial identity manipulation across the employment lifecycle.
NHIMG editorial — based on content published by Incode: The Workforce Identity Crisis of 2025 and what it exposed about modern attacks
Questions worth separating out
Q: How should security teams reduce workforce identity risk beyond onboarding checks?
A: They should connect onboarding, access provisioning, periodic re-verification, and offboarding into a single lifecycle model.
Q: Why do conventional MFA methods struggle in workforce identity attacks?
A: Because attackers increasingly target the weakest assurance path rather than the strongest one.
Q: What breaks when third-party access is managed outside identity governance?
A: Access can outlive the business relationship, remain over-provisioned, and evade normal recertification or offboarding.
Practitioner guidance
- Rebuild workforce verification around lifecycle assurance Connect candidate verification, onboarding, access provisioning, and periodic re-verification into one control path so identity trust does not end at hire date.
- Move high-risk access to phishing-resistant MFA Prioritise FIDO2 or passkey-based authentication for privileged users and sensitive workforce roles, then remove SMS and push methods where session theft would be high impact.
- Bring third-party access into the same governance process Inventory contractor and vendor accounts, assign owners, and enforce recertification and offboarding through the same identity governance workflow used for employees.
What's in the full article
Incode's full article covers the operational detail this post intentionally leaves for the source:
- The article's breakdown of AI-augmented fraud patterns across voice cloning, deepfake video, and personalised phishing.
- The specific workforce assurance changes Incode argues for across onboarding, MFA, and employment lifecycle verification.
- The vendor's perspective on how identity verification tooling fits into workforce and third-party access governance.
- The closing implications for 2026 identity strategy and where verification controls are expected to tighten.
👉 Read Incode's analysis of the 2025 workforce identity crisis →
AI-augmented workforce identity attacks: what IAM teams missed?
Explore further
Identity assurance, not endpoint control, is the primary failure surface in workforce attacks. The article's pattern is consistent with what identity teams see across modern breach chains: attackers do not need to break every control if they can get a legitimate identity to carry the session for them. That shifts the centre of gravity from network visibility to issuance, verification, and lifecycle governance. Practitioners should treat workforce identity as an assurance programme with measurable failure modes, not a collection of point tools.
A few things that frame the scale:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when a synthetic employee gains access and causes harm?
A: Accountability sits with the organisation that issued the access, not with the attack narrative. HR, IAM, security, and business owners all share responsibility for the lifecycle controls that failed. The governing question is whether the process could have detected fabrication, limited privilege, and removed access fast enough to matter.
👉 Read our full editorial: Workforce identity controls are failing under AI-augmented attacks