Accountability should sit with the teams that own the full assurance workflow, not only the biometric vendor or the mobile endpoint team. If the process accepts a video feed without validating capture integrity, the governance model is incomplete.
Why This Matters for Security Teams
Synthetic video is not just a media integrity problem. It is an assurance failure that can defeat onboarding, account recovery, and privileged access workflows if the organisation treats a video feed as proof of presence without checking capture integrity, liveness, or device provenance. That shifts accountability from a single vendor to the full control owner set: identity, fraud, security engineering, and operations.
The risk is amplified because identity verification is often embedded in customer onboarding or workforce access flows that are designed for scale, not adversarial review. A control that only answers “did a face appear on camera?” does not answer whether the capture was synthetic, replayed, or orchestrated through a compromised endpoint. NIST guidance on governance and detection-oriented security planning, including the NIST Cybersecurity Framework 2.0, makes the point that control ownership must map to outcomes, not just tooling.
NHIMG research shows how often identity systems fail when assurance is weak: in the Ultimate Guide to NHIs, 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, underscoring that identity failures rarely stay isolated at one layer.
In practice, many security teams encounter synthetic impersonation only after a fraudulent account is already active, rather than through intentional assurance testing.
How It Works in Practice
Accountability should follow the control path, not the vendor contract. If synthetic video bypasses identity verification, the responsible owner is the team that designed, approved, and operates the end-to-end assurance workflow. That usually includes the identity governance function, the fraud or risk team, the product owner for onboarding, and the security team that set control requirements. The biometric provider may be accountable for component performance, but not for the full decision to accept weak evidence.
Practitioners should break the problem into discrete control questions: was the video captured live, was the device trusted, was the session bound to the intended applicant, and was the decision made from risk-aware policy rather than a single biometric match? Best practice is evolving toward layered assurance, where verification combines liveness detection, device attestation, transaction context, and step-up review for anomalies. This aligns with current identity guidance and the broader control approach described in the Top 10 NHI Issues, especially the need to treat identity evidence as part of a lifecycle, not a one-time event.
- Assign a single control owner for the entire verification decision.
- Require evidence of capture integrity, not just a successful biometric match.
- Log who approved the workflow design, threshold settings, and exception paths.
- Re-test against replay, deepfake, and endpoint-compromise scenarios.
Frameworks such as NIST Cybersecurity Framework 2.0 help structure accountability around governance and detection, while NHIMG’s Lifecycle Processes for Managing NHIs reinforces that approval, review, and revocation need named owners.
These controls tend to break down when identity checks are outsourced into a single API call because the organisation loses visibility into how trust was decided.
Common Variations and Edge Cases
Tighter verification controls often increase friction, review time, and abandonment rates, requiring organisations to balance fraud prevention against user experience and operational throughput.
There is no universal standard for exactly how much evidence is enough, so current guidance suggests risk-based calibration rather than one fixed rule. Low-risk onboarding may tolerate lighter checks, while high-risk account recovery, financial access, or admin enrolment should trigger stronger review. Synthetic video also creates an edge case when the capture is real but the subject is coerced or using a compromised device. In those cases, facial matching alone can still pass while the assurance objective fails.
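The control questions above (live capture, trusted device, session binding, risk-aware policy) and the edge case in this section (a real capture from a coerced subject or compromised device) can be expressed as one decision routine. The following is an added example written for this page, not code from NHIMG or any biometric vendor; the evidence fields, the risk tiers, the match thresholds and the step-up routing are assumptions chosen to illustrate layered assurance, and a real deployment would take these values from its own policy.

```python
"""Added example: a layered identity-assurance decision for video-based verification.

Not NHIMG or vendor code. The Evidence fields, the "low"/"high" risk tiers and the
thresholds below are assumptions used to show that a high biometric match alone
never produces an accept decision.
"""
from dataclasses import dataclass, field
from enum import Enum
import hmac


class Decision(str, Enum):
    ACCEPT = "accept"
    STEP_UP = "step_up"   # route to the manual / step-up review queue
    REJECT = "reject"


@dataclass
class Evidence:
    biometric_score: float          # matcher similarity, assumed 0..1 scale
    liveness_passed: bool           # vendor liveness result
    capture_signature_valid: bool   # capture-integrity check on the video (assumed signal)
    device_attested: bool           # platform attestation of the capturing device verified
    device_compromised: bool        # endpoint telemetry flag, e.g. root/jailbreak (assumed)
    session_nonce: str              # nonce embedded in the capture
    expected_nonce: str             # nonce issued to this applicant's session
    risk_tier: str                  # "low" | "high" (assumed policy tiers)


@dataclass
class Outcome:
    decision: Decision
    reasons: list = field(default_factory=list)
    policy_version: str = "assurance-policy-v1 (placeholder)"   # who approved which rules


# Assumed thresholds: tighter matching for high-risk flows such as account recovery.
MATCH_THRESHOLD = {"low": 0.80, "high": 0.90}


def evaluate(ev: Evidence) -> Outcome:
    """Return accept / step-up / reject from the full evidence set, never from the match alone."""
    reasons = []

    # 1. Session binding: the capture must carry the nonce issued to this session.
    if not hmac.compare_digest(ev.session_nonce, ev.expected_nonce):
        return Outcome(Decision.REJECT, ["session binding failed: nonce mismatch"])

    # 2. Capture integrity and liveness: a synthetic or replayed feed fails here
    #    regardless of how well the face matches.
    if not ev.capture_signature_valid:
        reasons.append("capture integrity not verified")
    if not ev.liveness_passed:
        reasons.append("liveness check failed")

    # 3. Device provenance: a genuine capture on a compromised endpoint still fails
    #    the assurance objective (the edge case described in the text).
    if ev.device_compromised:
        return Outcome(Decision.REJECT, reasons + ["endpoint reported compromised"])
    if not ev.device_attested:
        reasons.append("device attestation missing")

    # 4. Biometric match, judged against the tier-specific threshold.
    threshold = MATCH_THRESHOLD[ev.risk_tier]
    if ev.biometric_score < threshold:
        reasons.append(f"match {ev.biometric_score:.2f} below {threshold:.2f}")

    if not reasons:
        return Outcome(Decision.ACCEPT, ["all assurance signals satisfied"])

    # Integrity and liveness failures are hard stops; a missing attestation or a weak
    # match goes to the step-up / exception queue, which is part of the control surface.
    hard = [r for r in reasons if r.startswith(("capture", "liveness"))]
    return Outcome(Decision.REJECT if hard else Decision.STEP_UP, reasons)


def sample_cases() -> dict:
    """Constructed scenarios (not real data) showing how each signal changes the decision."""
    base = dict(biometric_score=0.97, liveness_passed=True, capture_signature_valid=True,
                device_attested=True, device_compromised=False,
                session_nonce="n-123", expected_nonce="n-123", risk_tier="low")
    return {
        "genuine_low_risk": evaluate(Evidence(**base)),
        "deepfake_high_match": evaluate(Evidence(**{**base, "liveness_passed": False,
                                                    "capture_signature_valid": False})),
        "real_capture_compromised_device": evaluate(Evidence(**{**base, "device_compromised": True})),
        "replayed_other_session": evaluate(Evidence(**{**base, "session_nonce": "n-999"})),
        "high_risk_weak_match": evaluate(Evidence(**{**base, "biometric_score": 0.85,
                                                     "risk_tier": "high"})),
    }


if __name__ == "__main__":
    for name, outcome in sample_cases().items():
        print(f"{name}: {outcome.decision.value} ({'; '.join(outcome.reasons)})")
```

The point of the ordering is that the biometric score is consulted last and only after binding, integrity and device checks, so the "deepfake_high_match" case is rejected even though its match score is the highest in the set, and the "real_capture_compromised_device" case is rejected even though every image-level check passes. Every outcome carries its reasons and a policy reference so the log shows why trust was decided, not just that a match occurred.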
NHIMG’s 52 NHI Breaches Analysis is useful here because it shows the broader pattern: identity failures tend to compound when ownership is fragmented and exception handling is weak. For the same reason, organisations should treat exception queues, manual overrides, and vendor false-negative disputes as part of the control surface. The accountable party is the owner of that surface, not the last system to touch the file.
Where biometric assurance is used for regulated workflows, the control model should also define escalation to legal, compliance, or privacy stakeholders. That is especially important when the process affects financial access, healthcare records, or employee onboarding, where a false acceptance can create downstream access risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Synthetic-video failures are governance and ownership failures, not just technical defects. |
| OWASP Agentic AI Top 10 | A01 | Adversarial content and trust bypass map to agentic and AI-driven abuse patterns. |
| NIST AI RMF | AI RMF applies because synthetic media changes the reliability of identity evidence. | Use AI RMF governance to define assurance, monitoring, and escalation for synthetic media risk. |
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org