
Why do synthetic identities make traditional fraud controls less effective?

By NHI Mgmt Group Editorial Team. Updated June 9, 2026. Domain: Threats, Abuse & Incident Response

Synthetic identities reduce the value of controls that rely on spotting an obviously fake profile at signup. Because AI can manufacture convincing identities quickly and cheaply, the stronger control is whether the account's downstream behaviour stays plausible, consistent and bounded across sessions, devices and payment activity.

Why This Matters for Security Teams

Synthetic identities weaken controls that depend on catching obvious signup fraud because the identity itself is no longer the clearest signal. Once AI can generate plausible names, addresses, device traces and even payment patterns, the real question becomes whether the account behaves like a coherent customer over time. That shifts fraud detection from static verification towards behavioural integrity, session continuity and transaction plausibility. Current guidance increasingly favours continuous risk assessment over one-time onboarding checks, in line with the NIST Cybersecurity Framework 2.0 emphasis on governance and risk management as ongoing activities.

For NHI Management Group, the practical lesson is that identity proofing alone cannot carry the burden of fraud prevention when synthetic personas are cheap to manufacture and easy to iterate. Controls also need to track the artefacts that persist across personas, such as emails, payment instruments, browser fingerprints and device reputations, because those are what a fraud operation reuses when names and addresses are free to regenerate. The Ultimate Guide to NHIs — Standards reinforces that durable identity risk is usually discovered through lifecycle and governance gaps, not just at the point of creation. In practice, many security teams encounter synthetic identity abuse only after downstream losses, rather than through deliberate signup-stage detection.

How It Works in Practice

Effective control design starts by treating synthetic identities as a lifecycle problem, not a registration problem. A fake profile may pass onboarding if each individual field looks plausible, but fraud teams should assess whether the identity remains internally consistent across sessions, geographies, devices, and payment attempts. This is where static rule sets often underperform: a rule that flags mismatched data at signup can be bypassed by AI-generated profiles that are coherent enough to survive the first check, yet still drift over time in subtle ways.

Practitioners typically combine several layers:

  • Device and session correlation to see whether the same infrastructure is recycling many “new” identities.
  • Behavioural baselining to identify unnatural velocity, repetition, or perfectly regular customer actions.
  • Graph analysis to connect shared emails, phones, payment rails, IP ranges, and recovery channels.
  • Step-up verification when downstream activity exceeds expected risk, rather than relying on the initial signup event.
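To make the layering concrete, here is an added example that is not NHIMG's code or any product's: it scores each signup with only the data available when that signup arrived, links accounts through reused strong artefacts (device fingerprint, payment instrument, phone, email) with a union-find structure, counts how many linked identities the same infrastructure has minted in the last 24 hours, and escalates to step-up rather than rejecting outright. The record layout, the weights and the thresholds are illustrative assumptions, and the sample signups are constructed.

```python
"""Signup-time linkage and step-up scoring (added example, not NHIMG code).

Each record is scored with only what was visible when it arrived, which is
how a real decision engine sees the stream. Field names, weights and
thresholds are assumptions chosen for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample signups (not real data). Every profile is plausible on
# its own; the abuse is only visible through the artefacts they share.
SIGNUPS = [
    {"acct": "a1", "ts": "2026-06-01T09:00:00", "email": "j.smith@example.com",
     "phone": "+15550100", "device": "fp-77a1", "pay": "card-9f21"},
    {"acct": "a2", "ts": "2026-06-01T09:04:00", "email": "m.jones@example.net",
     "phone": "+15550101", "device": "fp-77a1", "pay": "card-3c44"},
    {"acct": "a3", "ts": "2026-06-01T09:07:00", "email": "k.lee@example.org",
     "phone": "+15550102", "device": "fp-b2c3", "pay": "card-3c44"},
    {"acct": "a4", "ts": "2026-06-01T09:09:00", "email": "p.kumar@example.com",
     "phone": "+15550101", "device": "fp-d4e5", "pay": "card-8a80"},
    {"acct": "a5", "ts": "2026-06-02T15:30:00", "email": "r.diaz@example.com",
     "phone": "+15550199", "device": "fp-0000", "pay": "card-1111"},
]

# Artefacts that are costly for a fraud operation to change and therefore
# get reused. IP ranges are deliberately not a hard link: shared NAT and
# carrier ranges would make legitimate users look linked.
STRONG_LINKS = ("device", "pay", "phone", "email")
VELOCITY_WINDOW = timedelta(hours=24)
STEP_UP_AT, MONITOR_AT = 60, 20   # illustrative thresholds


class DisjointSet:
    """Union-find over account ids: connected components = identity clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def assess_stream(signups):
    """Score signups in arrival order using only earlier signups as context."""
    clusters, owner, seen, results = DisjointSet(), {}, [], []
    for s in sorted(signups, key=lambda r: r["ts"]):
        clusters.find(s["acct"])                  # register the new account
        for field in STRONG_LINKS:
            key = (field, s[field])
            if key in owner:                      # artefact already used by another identity
                clusters.union(owner[key], s["acct"])
            else:
                owner[key] = s["acct"]
        root = clusters.find(s["acct"])
        now = datetime.fromisoformat(s["ts"])
        siblings = [p for p in seen if clusters.find(p["acct"]) == root]
        velocity = sum(1 for p in siblings
                       if now - datetime.fromisoformat(p["ts"]) <= VELOCITY_WINDOW)
        # Each linked sibling is a reused artefact; velocity is how fast the
        # same infrastructure is minting "new" customers.
        score = 20 * len(siblings) + 15 * velocity
        action = ("step-up" if score >= STEP_UP_AT
                  else "monitor" if score >= MONITOR_AT else "allow")
        results.append({"acct": s["acct"], "siblings": len(siblings),
                        "velocity": velocity, "score": score, "action": action})
        seen.append(s)
    return results


if __name__ == "__main__":
    for r in assess_stream(SIGNUPS):
        print(r)
```

Note what the stream view shows: a1 is allowed because nothing links it to anything yet, a2 is only monitored, and the score climbs to step-up from a3 onwards as the shared device, card and phone accumulate. Re-scoring a1 once its siblings appear is the lifecycle point made above; a decision taken only at a1's own signup would never have seen the cluster.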

This approach fits the broader direction in NIST Cybersecurity Framework 2.0, where governance, detection, and response are continuous rather than one-time checks. It also complements NHIMG’s observation that identity compromise often persists because organisations lack full visibility into linked accounts and secrets exposure, as discussed in Ultimate Guide to NHIs — Standards. One relevant NHIMG data point is that only 5.7% of organisations have full visibility into their service accounts, which is a useful warning signal for any environment trying to detect coordinated synthetic activity.

These controls tend to break down in high-volume onboarding environments because fraud systems are forced to make fast decisions on sparse data, giving synthetic identities enough time to establish legitimacy before patterns emerge.

Common Variations and Edge Cases

Tighter identity checks often increase friction, requiring organisations to balance fraud reduction against conversion loss and customer support burden. That tradeoff is especially sharp for markets with thin credit files, shared devices, prepaid accounts, or cross-border customers, where legitimate users can resemble synthetic ones. There is no universal standard for this yet, so current guidance suggests using risk-based escalation rather than blanket rejection.

Another edge case is “low-and-slow” abuse, where a synthetic identity stays dormant or lightly active until it has acquired reputation. In those cases a single transaction looks benign, and only the aggregate pattern across multiple linked accounts reveals the coordination. The most effective response is to tie identity trust to ongoing behavioural evidence rather than to assume a passed verification step makes the account authentic forever. The same principle is echoed in the JetBrains GitHub plugin token exposure case, where the downstream credential and trust assumptions mattered more than the initial point of compromise.
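The low-and-slow case, as an added example that is not NHIMG's code: the per-account rule never fires because every transaction is small, while a cluster-level check over the same constructed data catches four linked accounts that were dormant for about sixty days and then all paid the same counterparty inside 48 hours. Cluster membership is assumed to come from an upstream linkage step; the amounts, dates and thresholds are illustrative assumptions. A second cluster, a household sharing a device, is included to show that shared artefacts alone do not trigger the alert, which is the thin-file and shared-device trade-off described above.

```python
"""Low-and-slow detection across linked accounts (added example, not NHIMG code).

Cluster labels are assumed to come from an upstream linkage step (shared
device, payment instrument or recovery channel). Dates, amounts and
thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed accounts: acct -> (cluster, creation date).
ACCOUNTS = {
    # C1: four linked accounts created in early April that stay quiet.
    "c1-a": ("C1", date(2026, 4, 2)),
    "c1-b": ("C1", date(2026, 4, 3)),
    "c1-c": ("C1", date(2026, 4, 3)),
    "c1-d": ("C1", date(2026, 4, 5)),
    # C2: a household sharing one device; linked, but behaviourally ordinary.
    "c2-a": ("C2", date(2026, 4, 10)),
    "c2-b": ("C2", date(2026, 4, 11)),
}

# Constructed transactions: (acct, date, amount, counterparty).
TXNS = [
    ("c1-a", date(2026, 6, 3), 180.0, "merchant-X"),
    ("c1-a", date(2026, 6, 4), 220.0, "merchant-X"),
    ("c1-b", date(2026, 6, 3), 195.0, "merchant-X"),
    ("c1-c", date(2026, 6, 4), 210.0, "merchant-X"),
    ("c1-d", date(2026, 6, 4), 240.0, "merchant-X"),
    ("c1-d", date(2026, 6, 4), 150.0, "merchant-X"),
    ("c2-a", date(2026, 4, 12), 40.0, "grocer"),
    ("c2-a", date(2026, 4, 25), 65.0, "fuel"),
    ("c2-b", date(2026, 5, 2), 120.0, "rent-share"),
    ("c2-b", date(2026, 5, 20), 30.0, "grocer"),
]

SINGLE_TXN_LIMIT = 500.0              # per-transaction rule (assumed)
DAILY_LIMIT = 800.0                   # per-account daily rule (assumed)
DORMANCY_DAYS = 45                    # quiet this long after creation counts as dormant
ACTIVATION_WINDOW = timedelta(days=2) # accounts waking within this window are "together"
MIN_COORDINATED = 3                   # how many must wake together to raise an alert


def per_account_alerts(txns):
    """The static rule: which accounts breach their own limits? (None here.)"""
    alerts, daily = set(), defaultdict(float)
    for acct, day, amount, _ in txns:
        daily[(acct, day)] += amount
        if amount > SINGLE_TXN_LIMIT:
            alerts.add(acct)
    alerts.update(acct for (acct, _), total in daily.items() if total > DAILY_LIMIT)
    return alerts


def cluster_alerts(accounts, txns):
    """Aggregate view: linked accounts that were dormant and then woke together."""
    first = {}
    for acct, day, _, _ in txns:
        first[acct] = min(day, first.get(acct, day))   # first activity per account
    by_cluster = defaultdict(list)
    for acct, (cluster, created) in accounts.items():
        if acct in first and (first[acct] - created).days >= DORMANCY_DAYS:
            by_cluster[cluster].append((first[acct], acct))
    alerts = {}
    for cluster, woke in by_cluster.items():
        woke.sort()
        # Largest group of dormant accounts whose first activity falls in one window.
        best = []
        for i, (start, _) in enumerate(woke):
            group = [a for f, a in woke[i:] if f - start <= ACTIVATION_WINDOW]
            if len(group) > len(best):
                best = group
        if len(best) < MIN_COORDINATED:
            continue
        members = set(best)
        alerts[cluster] = {
            "accounts": sorted(members),
            "aggregate": sum(amt for a, _, amt, _ in txns if a in members),
            "counterparties": sorted({cp for a, _, _, cp in txns if a in members}),
        }
    return alerts


def trust_decisions(accounts, txns):
    """Tie trust to behaviour: a flagged cluster loses the credit its passed checks earned."""
    flagged = {a for alert in cluster_alerts(accounts, txns).values() for a in alert["accounts"]}
    return {acct: ("step-up" if acct in flagged else "ok") for acct in accounts}


if __name__ == "__main__":
    print("per-account alerts:", per_account_alerts(TXNS))
    print("cluster alerts:", cluster_alerts(ACCOUNTS, TXNS))
    print("decisions:", trust_decisions(ACCOUNTS, TXNS))
```

The household cluster C2 is linked just as tightly as C1, but its members start transacting within days of signup and at unrelated counterparties, so the dormancy-then-synchronised-wake test leaves it alone; the decision is driven by behaviour over time, not by the linkage on its own.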

For high-risk payments, customer onboarding, and account recovery flows, the best practice is evolving toward layered proof, continuous scoring, and explicit lifecycle revocation when behaviour no longer fits the profile.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF supply the governance and monitoring vocabulary against which these controls are usually justified; none of the three is a compliance mandate in its own right.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | GV.RM (Risk Management Strategy) | Synthetic identity abuse is a governance and risk-management problem, not only a fraud-operations one. |
| OWASP Non-Human Identity Top 10 | NHI-01 (Improper Offboarding) | Weak identity lifecycle controls let synthetic accounts persist unchecked. |
| NIST AI RMF | MAP | Fraud models need traceable context and ongoing monitoring for synthetic behaviour. |

Apply lifecycle visibility and revocation discipline to identities that outlive initial verification.
