TL;DR: Generative AI is being applied to eSIM identity verification and security workflows, with zero-knowledge proof used to validate identity and network access without exposing sensitive data, according to Workz Group. The real test is whether telecom security programmes can preserve privacy, interoperability, and compliance while speeding verification across cloud and third-party systems.
NHIMG editorial — based on content published by Workz Group: eSIM security with Generative AI
Questions worth separating out
Q: How should telecom teams use zero-knowledge proof in eSIM identity flows?
A: Telecom teams should use zero-knowledge proof where identity needs to be verified but the underlying data should not be exposed.
Q: Why do eSIM and eKYC workflows increase identity risk?
A: They increase identity risk because they combine high-value credentials, customer identity data, remote provisioning, and multiple handoffs between platforms.
Q: What do security teams get wrong about generative AI in telecom identity?
A: The common mistake is treating generative AI as if it can replace the governance model.
Practitioner guidance
- Identify proofable verification steps Break the eSIM and eKYC journey into discrete checks and isolate the steps where zero-knowledge proof can replace raw data transfer.
- Keep AI decision support separate from authorisation Use generative AI for validation assistance, anomaly scoring, and workflow optimisation, but keep activation and policy enforcement under explicit governance.
- Test against GSMA provisioning standards first Validate any AI-enabled or proof-based workflow against SGP.22 and SGP.32 requirements before considering production rollout.
What's in the full article
Workz Group's full blog covers the implementation detail this post intentionally leaves for the source:
- A closer look at the i-ZKP workflow and how generative AI is used inside the identity verification path.
- The article’s own explanation of how ZKP properties map to confidentiality, soundness, and completeness in eSIM security.
- Examples of AI-driven eSIM use cases, including anomaly detection, contextual security levels, profile generation, and remote activation.
- The discussion of how any implementation must align with GSMA SGP.22 and SGP.32 rather than generic cryptographic ideas.
👉 Read Workz Group's blog on eSIM security with generative AI →
eSIM security with generative AI: what changes for telecom teams?
Explore further
eSIM security is now an identity distribution problem, not just a verification problem. The article’s central risk is that telecom providers want faster eKYC and remote activation while simultaneously shrinking the amount of sensitive data shared with clouds and third parties. That changes the governance question from “is the identity check strong enough?” to “how many systems now hold identity evidence?” Practitioners should treat every additional copy of identity data as an expansion of the attack surface.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
A question worth separating out:
Q: How should organisations evaluate AI-enabled eSIM security controls?
A: Organisations should evaluate them first against interoperability, assurance, and lifecycle governance. If a control cannot operate within GSMA SGP.22 and SGP.32 provisioning requirements, or cannot produce clear audit evidence, it is not ready for regulated production use.
👉 Read our full editorial: Generative AI and zero knowledge proof in eSIM security