TL;DR: Enhanced due diligence extends customer identity verification, risk scoring, and ongoing monitoring for high-risk relationships, occupations, jurisdictions, and transaction patterns according to 1Kosmos. The broader lesson is that stronger identity proofing does not remove governance burden; it shifts it toward evidence quality, escalation discipline, and auditability.
NHIMG editorial — based on content published by 1Kosmos: enhanced due diligence and identity verification for high-risk customers
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities , 46% confirmed, 26% suspected.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
Questions worth separating out
Q: How should security teams apply enhanced due diligence to high-risk identities?
A: Security teams should treat enhanced due diligence as a risk-based control path, not a universal process.
Q: Why do standard due diligence checks fail for higher-risk relationships?
A: Standard checks fail because they are designed for baseline trust, not elevated exposure.
Q: What do organisations get wrong about ongoing monitoring in KYC programmes?
A: They often treat monitoring as a compliance formality instead of the operational core of the control.
Practitioner guidance
- Define explicit EDD triggers Map the cases that require enhanced review, including high-risk jurisdictions, politically exposed persons, unusual transaction patterns, and adverse reputation signals.
- Separate baseline CDD from enhanced review Document what every customer receives at onboarding and what additional evidence is required when risk rises.
- Tie monitoring to escalation and reporting Ensure suspicious activity alerts route to a named reviewer, preserve the underlying evidence, and support filings to the appropriate authority when required.
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- The exact EDD steps used for high-risk customer onboarding, including what gets collected and when.
- The verification methods the vendor describes for identity proofing, including on-prem and video-based checks.
- The product-specific identity authentication and privacy architecture details that matter during implementation.
- The integration and deployment notes for teams evaluating how the workflow fits existing systems.
👉 Read 1Kosmos's article on enhanced due diligence and identity verification →
Enhanced due diligence and identity verification , where teams miss risk?
Explore further
EDD is a governance model, not a verification feature. The article makes clear that enhanced due diligence is meant to separate ordinary identity checks from higher-risk relationships that need deeper review. That distinction matters across regulated identity programmes because risk-based treatment is the only way to scale assurance without treating every user or customer as equally dangerous. Practitioners should treat EDD as a lifecycle governance decision, not a point solution.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means many identity programmes cannot prove what they govern.
A question worth separating out:
Q: Who is accountable when enhanced due diligence reveals suspicious activity?
A: Accountability should sit with the function that owns the review workflow, usually compliance with support from fraud or security operations. The organisation must also define when the issue is escalated to regulators or a financial intelligence unit. Clear ownership matters because EDD fails when everyone sees the risk but no one closes the case.
👉 Read our full editorial: Enhanced due diligence shows where identity verification still breaks