Relying on video alone breaks the assumption that visual presence equals real identity. Attackers can use synthetic media and virtual cameras to create convincing sessions that bypass human judgement. When that happens, the control fails exactly where the organisation believes it is strongest: at the moment of trust.
Why This Matters for Security Teams
Video screening creates a false sense of identity assurance because it verifies appearance, not cryptographic proof, device trust, or session integrity. That gap matters most when participants can be impersonated with synthetic media, replayed feeds, or virtual camera tooling. NIST SP 800-207, Zero Trust Architecture, is explicit that trust should not be granted based on network position or a single visible signal. In identity terms, video is a weak attestation control compared with stronger checks such as MFA, device binding, and step-up verification.
The practical risk is not only fraudulent attendance. A convincing video session can be used to pass business approvals, social-engineer staff, or gain access to systems that were assumed to be protected by “face-to-face” verification. NHI Mgmt Group’s Ultimate Guide to Non-Human Identities shows how weak identity assumptions repeatedly fail when organisations rely on a single layer of trust instead of lifecycle controls and continuous verification. In practice, many security teams encounter identity abuse only after a supposedly verified session has already been used to trigger access or approvals.
How It Works in Practice
When organisations rely on video alone, they are effectively treating visual presence as proof of personhood. That breaks down because the control does not answer the security questions that matter: who is behind the screen, what device is being used, whether the session is live, and whether the participant is authorised for the action being taken. The better model is layered verification, where video may support a workflow but never serves as the only gate.
In practice, stronger assurance combines multiple signals:
- Identity proofing at enrolment, with step-up verification for high-risk actions.
- Device and session binding so the participant’s access is tied to a known endpoint.
- Phishing-resistant MFA and explicit re-authentication for approvals or sensitive changes.
- Policy checks that evaluate context at runtime rather than trusting the meeting medium itself.
- Monitoring for anomalies such as synthetic voice, unusual timing, or repeated approval patterns.
This is consistent with Zero Trust guidance in NIST SP 800-207 Zero Trust Architecture, which prioritises continuous evaluation over one-time trust decisions. It also aligns with the operational reality documented by NHI Mgmt Group in the Ultimate Guide to Non-Human Identities, where weak identity hygiene and over-trust create downstream exposure. Current guidance suggests video can support human review, but there is no universal standard for treating it as a standalone authentication factor. These controls tend to break down in remote-first approval flows because the verifier has no independent evidence beyond what the attacker can display on screen.
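The layered model above, expressed as a runtime policy check in Python. This is an added example, not code from NHI Mgmt Group or NIST; the signal names, risk tiers and re-authentication thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SessionSignals:
    # Hypothetical signal names; a real deployment would fill these from its
    # identity provider, device management and approval tooling.
    video_reviewed: bool          # a human saw a plausible face on camera
    phishing_resistant_mfa: bool  # e.g. a verified FIDO2/WebAuthn assertion
    device_bound: bool            # session is tied to an enrolled endpoint
    seconds_since_reauth: int     # age of the last explicit re-authentication
    out_of_band_confirmed: bool   # approval confirmed over a separate channel

# Constructed thresholds: maximum re-authentication age per risk tier.
REAUTH_MAX_AGE = {"low": 8 * 3600, "high": 300}

def evaluate(action_risk: str, s: SessionSignals) -> tuple[str, list[str]]:
    """Return (decision, missing_controls); decision is allow/step_up/deny."""
    missing = []
    if not s.device_bound:
        missing.append("device_binding")
    if not s.phishing_resistant_mfa:
        missing.append("phishing_resistant_mfa")
    if s.seconds_since_reauth > REAUTH_MAX_AGE[action_risk]:
        missing.append("fresh_reauthentication")
    if action_risk == "high" and not s.out_of_band_confirmed:
        missing.append("out_of_band_confirmation")
    # video_reviewed is never consulted: it may inform a human reviewer, but
    # it cannot satisfy or replace any requirement above.
    if not missing:
        return "allow", missing
    if "device_binding" in missing:
        return "deny", missing  # unknown endpoint: nothing to step up against
    return "step_up", missing   # remaining gaps can be closed in-session

# Constructed sample sessions.
VIDEO_ONLY = SessionSignals(True, False, False, 86400, False)
STALE_BOUND = SessionSignals(True, True, True, 1800, True)
LAYERED = SessionSignals(False, True, True, 60, True)

if __name__ == "__main__":
    for name, sig in [("video_only", VIDEO_ONLY), ("stale_bound", STALE_BOUND),
                      ("layered", LAYERED)]:
        print(name, evaluate("high", sig))
```

The session that passed human video review but carries no other signal is denied, while a session with no video at all is allowed once the independent controls are satisfied.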
Common Variations and Edge Cases
Tighter verification often increases friction, requiring organisations to balance user convenience against the cost of stronger assurance. That tradeoff is real in onboarding, executive approvals, and customer-facing identity checks where adding step-up controls can slow time-sensitive work.
Some environments also use video for reasons that are not purely identity-related, such as coaching, support, or regulated meeting records. In those cases, current guidance suggests treating video as supplemental evidence only, not as a credential. If a workflow needs high assurance, organisations should add out-of-band confirmation, signed approval workflows, or privileged access controls rather than depending on the camera feed.
A common edge case is internal trust. Teams sometimes assume that a familiar face means a trusted participant, but impersonation risk increases when attackers exploit known names, reused meeting links, or compromised accounts. NHI Mgmt Group’s Ultimate Guide to Non-Human Identities is a useful reminder that identity failures often stem from over-reliance on convenience, not just overt compromise. The same lesson appears in the JetBrains GitHub plugin token exposure, where trust in a familiar environment still resulted in credential risk. Best practice is evolving toward layered assurance because video alone cannot reliably distinguish live intent from convincing simulation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity proofing weakness creates access trust failures. |
| NIST Zero Trust (SP 800-207) | 3.1 | Zero Trust rejects single-signal trust like video-only verification. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity assurance gaps often lead to misuse of trusted sessions. |
Use continuous verification and explicit policy checks instead of trusting visual presence.
Reviewed and updated by the NHIMG editorial team on June 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org