TL;DR: Identity verification is being bypassed by AI-enhanced presentation attacks, real-time face reenactment, multimodal spoofing, device manipulation, and automation that adapt faster than point-in-time checks, according to Incode. Traditional IDV assumes isolated signals can be trusted independently; adaptive fraud breaks that assumption and forces layered risk evaluation.
NHIMG editorial — based on content published by Incode: How Attackers Are Bypassing Identity Verification in the Age of Generative AI
By the numbers:
- Humans can only spot deepfake faces in images about 50% of the time.
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
A: Security teams should stop treating identity verification as a single biometric or document decision.
Q: Why do AI-generated fraud attempts expose weaknesses in traditional liveness checks?
A: Traditional liveness checks often assume that unpredictable motion or challenge-response prompts prove a live human is present.
Q: What do organisations get wrong about using biometrics as proof of identity?
A: They often confuse biometric resemblance with identity assurance.
Practitioner guidance
- Correlate identity signals before approval Require biometric, device integrity, and network context to align before an onboarding or step-up decision is made.
- Test for capture-path tampering Add scenarios for virtual cameras, emulators, injected streams, and fingerprint spoofing to your fraud testing programme.
- Rebuild liveness around behavioural consistency Use challenge flows that compare timing, movement, and interaction patterns across the session instead of relying on a single prompt.
What's in the full article
Incode's full article covers the operational detail this post intentionally leaves for the source:
- Examples of AI-enhanced presentation attack techniques and how they alter capture quality
- How real-time face reenactment behaves during selfie and liveness flows
- Why device and environment manipulation changes the trust boundary for identity verification
- The role of layered signal correlation in reducing false confidence at the decision point
👉 Read Incode's analysis of how generative AI is bypassing identity verification →
Generative AI and IDV bypass techniques: are controls keeping up?
Explore further
Single-factor identity proofing is now a broken assumption: AI-driven fraud succeeds because many verification stacks still assume one signal can establish trust on its own. Generative attacks can now produce a believable face, document, voice, and device posture at the same time, so the control boundary is no longer the biometric itself but the correlation logic around it. The implication is that identity proofing has become a signal fusion problem, not a point check.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who should be accountable when identity verification fails and a fake user is onboarded?
A: Accountability should sit with the product, fraud, and IAM owners who define the proofing threshold and approve the trust model. If verification results are used to create accounts or grant access, then the failure is not just a fraud event. It is an identity governance failure that should be reviewed like any other access-control breakdown.
👉 Read our full editorial: Generative AI is bypassing identity verification controls