Identity fraud used to be easier to describe: a forged passport, a spoofed face, a fake account. Those threats still exist, but they no longer capture the full problem.
Today, identity verification systems don’t evaluate a single artifact. They evaluate multiple identity signals: document data, biometric matches, device context, session metadata, and more. Each signal helps answer whether this person is real, legitimate, and eligible for the action they want to take.
At the 2026 InCyber Forum, I discussed a growing issue in digital identity: signals can still look legitimate even when their origin can no longer be trusted. That is the problem this article is about.
In brief:
-
Identity verification now depends on multiple signals, not one artifact.
-
An identity signal may look valid and still be unreliable if its origin, capture process, or relationship to other signals is unclear.
-
AI makes identity signals harder to trust because they can be generated, replayed, proxied, injected, or manipulated.
-
Identity signal integrity helps teams evaluate whether identity evidence is strong enough for the decision being made.
-
The goal is not to run every possible check, but to apply the right level of assurance for the risk of the action.
What are identity signals?
Identity signals are data points used by an identity verification system to decide whether a person behind a digital interaction is real, legitimate, and eligible for a specific action.
They can come from identity documents, biometric checks, devices, sessions, databases, user behavior, or previous interactions with the same person. A signal matters because it helps the system answer a decision question: should this person be onboarded, authenticated, allowed to recover an account, approved for a transaction, or escalated for review?
Identity verification systems today are essentially signal-processing systems, but their reliability depends on the integrity of the signals they receive.
Not every data point is an identity signal. A data point becomes a signal when it contributes to an identity decision. A raw timestamp, for example, may be just metadata. But if it helps you bind a selfie to a specific session, detect a replay attempt, or explain a failed verification, it becomes part of the identity evidence.
| Identity signal | Example | What it helps answer |
|---|---|---|
| ID document | Document data from VIZ, MRZ, barcode, RFID chip, as well as the results of their validity and authenticity checks | Is the claimed identity anchored in an official identity artifact? |
| Biometrics | Selfie, face match, liveness result, fingerprint, voice | Can the person be linked to the identity document? |
| Device | Device integrity, rooted/jailbroken status, real camera, live capture | Was the evidence captured on a real, trustworthy device? |
| Session metadata | Session binding, timestamp, IP address, geolocation, VPN/proxy indicators, retry patterns | Does the evidence belong to the right interaction and the surrounding context make sense? |
| Behavior | Movement, typing, navigation patterns, anomaly signals | Does the interaction look human and consistent with the expected user journey? |
| Lifecycle signal | Previous verifications, account recovery history, transaction history | Does the current interaction fit the identity’s previous history? |
Why are identity signals becoming harder to trust?
Identity signals are becoming harder to trust because fraudsters are no longer limited to altering the visible artifact, such as a document image or selfie. They can also interfere with the capture process, device environment, session context, or data stream behind it:
-
A document image can be generated or edited
-
A selfie stream can be replayed or injected
-
A device signal can come from an emulator or rooted phone
-
A session can be routed through a proxy
Each signal may look plausible on its own, while its origin remains uncertain.
Alt: identity signal provenance gap When the origin of signals becomes uncertain, the system can no longer rely on them as proof — only as probabilities.
AI makes this problem worse by lowering the cost and skill barrier. As AI tools become more accessible and affordable, advanced attacks such as deepfakes and injection attacks become easier to attempt, repeat, and scale.
That is why identity verification now can’t stop at checking whether something looks real. It also needs to evaluate the context behind each signal: where it came from, how it was captured or generated, and whether it is strong enough for the decision being made.
Case in point
In February 2026, Commonwealth Bank of Australia flagged roughly A$1 billion of home loans as potentially obtained using AI‑assisted document forgeries.
Criminal networks are combining leaked personal data (names, dates of birth, addresses) with generative AI to produce highly convincing payslips, employment letters and income statements that mimic real formatting, fonts and metadata. As a result, they got plausibly personalized fake identities that pass automated screening and broker review, increasing the risk that fraudulent applications are approved at scale.
Banks are now racing to counter this with stronger provenance checks (direct employer/agency verification), AI‑powered forensic detection of synthetic content, and tighter broker oversight to stop the automated manufacture of “perfect” supporting documents.
Why trust depends on identity signal integrity
Identity signal integrity is the ability to evaluate whether the signals behind an identity decision are trustworthy enough for the action being requested. A signal can pass one check and still be too weak to support the decision. Signal integrity requires a combination of reliable answers to these three questions:
-
Origin: Where did the signal come from?
-
Process: How was it captured or generated?
-
Consistency: Does it make sense in relation to other signals?
The first two questions become concrete at capture. A system should not only receive a document image, selfie, or biometric sample. It should also understand how that evidence entered the workflow: the device, session, and technical controls around the capture.
In the AI era, maintaining identity signal integrity is becoming much harder.
That context changes the weight of the signal. A passport photo uploaded from storage, a document scanned in a guided session, and data read from an RFID chip may all describe the same person. But they don’t carry the same level of credibility. Each path gives the system a different level of confidence in who controlled the signal before it was used.
The third question is consistency. A signal becomes stronger when it aligns with other evidence: document data matches across available sources, the selfie matches the document portrait, and device or session context supports the same interaction. It becomes weaker when signals conflict, disappear, or cannot be explained.
Which identity signals carry the most authority?
Government-issued identity documents remain among the strongest and most structured identity signals. They contain standardized data, security features, machine-readable elements, and often cryptographically protected chips.
But a document becomes a strong anchor only when its integrity is verified. The system needs to check that the document is authentic, that its data is consistent across available sources, and that the person presenting it can be linked to it.
How should businesses apply identity signal integrity in practice?
Identity signal integrity doesn’t mean applying every possible check to every user. That would make the flow harder, slower, and more expensive than many use cases require.
The goal is to reach enough confidence for the decision without adding unnecessary friction. What counts as “enough” depends on the use case, risk appetite, regulation, and potential impact of a wrong decision. A routine login may run mostly on device, session, and behavioral signals. Account recovery may require step-up verification because the cost of trusting the wrong signal is higher.
Here are the core principles for applying identity signal integrity in business workflows:
1. Configure for risk
Businesses need to balance two pressures: fraud and compliance teams want fewer false approvals, while product and growth teams need users to complete the journey. Identity signal integrity works best when checks are configurable by risk level, geography, regulation, transaction value, and user segment.
Opening a bank account may require a stricter setup: document authenticity checks, proof that the document was physically present during capture, active liveness, screening, and sometimes more than one ID document. By contrast, a car-sharing onboarding flow may be lighter. In many cases, a driver’s license and selfie are enough to confirm that the person is a licensed driver and can be linked to the submitted license.
💡Design the flow as a decision route: what evidence is required, which checks must run, what fails the user, what allows a retry, and what goes to review.
2. Weight signals by authority, but evaluate them together
Multiple checks can improve protection, but only when their results are interpreted together. A document authenticity check, biometric match, liveness result, device signal, and session pattern all answer different questions. If they stay disconnected, the business gets more results, but not necessarily a clearer decision.
The value comes from seeing how these signals support or contradict one another in the same identity profile and context.
When signals conflict, the system needs a clear route. A mismatch between document data and biometric data, or between capture context and user behavior, may lead to repeat capture, stronger evidence, step-up verification, manual review, or rejection.
💡Treat signals as connected evidence, not isolated results.
3. Preserve lifecycle evidence
Identity questions don’t stop after onboarding. The same identity may later appear in account recovery, authentication, transaction approval, privilege escalation, or re-verification. Each event can either reinforce trust or expose new risk.
An optimal workflow preserves the context behind identity decisions and keeps audit logs. This helps teams understand not only what decision was made, but why it was made.
Over time, this creates a stronger foundation for identity orchestration. Instead of treating onboarding, re-verification, and high-risk actions as disconnected checks, the business can manage identity confidence across the lifecycle.
💡Store enough decision context to explain why the system trusted or challenged the identity later.
Move from identity verification to identity decision infrastructure
Identity verification is no longer just about checking a document or matching a face. Those checks still matter. But the harder question is what happens when signals need to be weighed together.
Does the biometric sample belong to the document holder? Was the evidence captured in a trustworthy flow? Do the session, device, and context support the same story? Can the decision be explained later if something goes wrong?
That is the work identity teams now need to manage, and Isolated checks with their own scores and logs make that work much harder.
A platform approach helps when it connects those pieces into one workflow: document verification, biometric verification, review logic, and configurable decisions. That is the practical role of Regula’s Identity Verification Platform in signal integrity: helping teams evaluate evidence together instead of treating every check as a separate pass/fail result.
If your identity workflow still relies on disconnected checks, it may be time to look at how those signals come together. Book a demo to see how Regula’s Identity Verification Platform helps build defendable identity decisions from connected identity signals.
