Artificial Intelligence (AI) is now a key player in many industries, including identity verification (IDV).
In IDV, AI has already transformed many backend processes—and its role will only grow. It enhances the accuracy of customer identification, including biometrics and ID document verification. Since this involves sensitive data, companies—Regula’s clients included—are increasingly concerned about the risks and regulatory requirements associated with AI in IDV.
In this article, we’ll take a closer look at AI’s role in IDV, covering its current legal considerations.
How AI is used in IDV: A brief overview
AI processes information using computer algorithms inspired by the structure of the human brain. It can interpret and generate text, create and recognize images, and—most importantly—learn from data to improve performance.
In IDV software, AI typically refers to neural networks (NNs), a subset of machine learning. NNs are designed and trained to handle various tasks, from general functions like image processing to specific applications such as identifying ID document types.
Large language models (LLMs), like those used in ChatGPT, represent AI 2.0. While also based on NNs, they can interpret complex, natural-language queries and remember context. This capability extends beyond text-related tasks, allowing LLMs to contribute to IDV. For instance, ChatGPT can identify document types, extract data from ID scans, and read barcodes.
In practice, using NNs or LLMs resembles a “query-response” dialog, either between a human and a machine or between two machines. A query can be any data input—text, audio, images, or a dataset like a machine-readable zone code or a selfie. Some queries may also involve decision-making, such as evaluating true or false, better or worse, or choosing between A and B. The next steps in AI evolution will definitely involve more “active” versions, where algorithms can not only make decisions but also take action based on these decisions—advancements comparable to the invention of nuclear weapons.
First and foremost, AI powers IDV automation, enabling algorithms to complete various routine tasks in seconds. However, it’s crucial to note that, like any other algorithm, NNs and LLMs can be used and trained differently by vendors. This raises legal concerns and, as a result, prompts authorities to regulate AI use.
A key issue for regulators is that AI, especially more advanced models like LLMs, can’t be used in IDV without restrictions. Unregulated use can lead to:
- AI-generated decisions or outputs that may discriminate against individuals whose data is processed this way.
- Third-party AI-powered tool providers involved in IDV gaining access to citizens’ identification data, which is a matter of national security.
Who regulates AI use for IDV purposes?
AI regulation is still a brand-new concept for regulators worldwide. One major reason for this legal delay is that no one fully understands what we’re facing or the potential consequences of uncontrolled AI use. It’s also challenging to objectively assess the technology’s presence in the public domain, as its capabilities keep evolving, uncovering new, unexplored areas. Just when an idea seems clear, everything shifts the next day. However, no one doubts that regulation needs to be introduced.
As a result, most countries have hardly begun implementing specific requirements. Nevertheless, some regulations have already taken effect.
Importantly, since regulations apply to AI developers (including IDV providers and vendors) and businesses using IDV solutions, all parties share the responsibility for compliance.
Let’s take a look at the requirements concerning most IDV actors across the globe:
The EU AI Act
Coming into force on August 1, 2024, this legislation is one of the first to shape regulations for AI-powered identity verification. Its primary goal is to protect businesses and customers from AI misuse. The law applies to both AI developers and deployers operating within the European Union (EU).
The AI Act categorizes AI use cases into four risk levels: unacceptable, high, limited, and minimal, with separate requirements for each. Many IDV-related applications—such as CV-sorting software and border control management—are classified as high-risk.
To comply, organizations must:
- Implement a risk assessment and security framework, including logging all system activities and preparing detailed documentation for regulatory review.
- Use high-quality datasets to train NNs and minimize biased outcomes.
- Ensure human oversight of AI-driven systems to mitigate security risks.
The AI Act introduces a gradual transition to new rules for affected organizations. It will become generally applicable by August 2026, with intermediate stages providing companies with additional guidelines to prepare their systems for complete compliance by August 2027.
Notably, violations of the regulation carry significant penalties. For instance, fines for using prohibited AI applications can reach €35 million or 7% of global annual turnover, whichever is higher.
California Consumer Privacy Act (CCPA)
Originally a data privacy law, the CCPA is set to be expanded to cover AI regulation. In November 2023, the California Privacy Protection Agency (CPPA) introduced draft regulations applying to businesses in California that meet at least one of these criteria:
- Annual revenue exceeding $25 million.
- Buying, selling, or sharing personal data of 100,000+ California residents.
- Deriving at least 50% of total revenue from selling California residents’ data.
The regulation applies to companies using AI for significant decision-making, customer profiling, or AI tool training. To comply, businesses must:
- Provide customers with a pre-use notice explaining AI usage.
- Offer an opt-out option for customers.
- Conduct risk assessments before deploying AI tools.
General Data Protection Regulation (GDPR)
Enacted in the EU in 2008, the GDPR is a key regulation that intersects with AI, requiring both developers and end users to follow strict data protection measures.
For AI models, such as LLMs, that process EU citizens’ data, compliance includes obtaining user consent, anonymizing or pseudonymizing data to prevent personal identification, and adhering to strict security measures to prevent misuse.
The core principle is to collect only the necessary data that users voluntarily provide, store it securely, and ensure it can be completely erased upon request.
AI regulations across the globe
Of course, there are more attempts to develop public and business sector policies and laws for regulating AI. For instance, in the period from 2023 to 2024, Italy, China, Australia, New Zealand, the Philippines, and US states such as Tennessee and Utah announced their intention to develop national AI strategies, and started work on them.
Currently, there are three major approaches countries pursue when trying to address the AI problem: a market-driven approach, a state-driven approach, and a rights-driven approach.
In the future, companies relying on AI-powered tools in their daily routine will probably have to consider these three silos when complying with requirements.
Regula’s attitude to AI use in its IDV solutions
Regula ensures full compliance with existing regulations, including the GDPR and the AI Act, while adhering to strict rules for AI use in our products—Regula Document Reader SDK and Regula Face SDK.
The primary goal of integrating this technology into Regula solutions is to combat identity fraud by detecting presentation attacks, identifying deepfakes—whether fake selfies or videos—and spotting counterfeit identity documents altered with AI. All of these prevent bad actors—scammers and fraudsters—from penetrating companies’ systems as legitimate and authorized users.
From a technical standpoint, we don’t use LLMs or any third-party AI-based identity verification solutions for data processing and decision-making. All NNs in our SDKs are developed in-house and trained on high-quality datasets, including ID specimens and selfies. Our R&D team continues to enhance these NNs to counter emerging fraud techniques such as deepfakes and presentation attacks, using dedicated datasets and attack-simulation tests involving silicone masks, mannequins, on-screen images, etc.
NN training is always conducted in a secure, closed local environment where we control all data and document every process. Additionally, these NNs are fully autonomous, operate in a fixed and static state, and don’t learn in the field. Our NNs are designed solely to enhance the accuracy of our detection algorithms.
Such systems are not recognized as high-risk AI-powered identity verification tools, unlike LLMs and other generative models that interact directly with end users and use real-world selfies and document scans for self-training.
Looking ahead
Despite its rapid expansion, AI in identity verification is still in its early stages. Future tech developments, such as China’s DeepSeek, will continue to disrupt the market, prompting more refined AI regulations. While global ICAO-like standards are unlikely, regional and state-specific laws will emerge.
Both developers and users must stay compliant, and Regula is here to help navigate current regulations. If you have any questions about AI use in our SDKs, feel free to book a call—we’ll be happy to answer them.