How Identity Threats Are Evolving in 2026: Five Key Findings

Deepfakes have already shown us how quickly an AI threat can turn from a niche topic into a mainstream KYC scenario. And while they are as prominent as ever, now may be the time for a brand new kind of danger to enter the scene.

As per our latest survey, 26% of respondents already cite AI agents acting on behalf of users as an identity threat. That means one in four organizations is already thinking about a question IDV teams have rarely had to answer before: who, or what, is completing the verification flow?

And there is more.

In this article, we break down five key numbers from Regula’s “The New Shape of Identity Threats” report that show how decision-makers across the globe perceive identity threats, and what that implies for the future of ID verification.

This is original data from Regula’s global study of AI-assisted identity activity and identity threats across banking, financial services, crypto, telecom, government, and gaming in the UK, US, Germany, Singapore, the UAE, Brazil, and Mexico.

Hardly a surprising figure in 2026, such a high concern rate gains more weight when viewed against the survey’s respondents.

The sample was not limited to KYC officers or fraud analysts: it included a range of decision-makers such as owners/founders, directors, C-level executives, and general managers. Respondents also differed in how close they were to fraud work: for some, fraud detection/prevention was their main responsibility; for others, it was one of several responsibilities.

This means identity risk is being flagged not only by specialists who work with onboarding fraud, but also by people with other business priorities. This is something that KYC leaders can use to their advantage when talking to leadership: the nearly universal concern figure can help with prioritization and investment in robust controls.

That said, investment needs to be smart. The key focus should not be adding more checks to the workflow, but building a solid IDV ecosystem that can secure full identity signal integrity.

The key finding here is not that deepfakes outrank other threats, but that they now occupy the same concern band as two classic KYC problems: stolen and reused identity data and fake or altered documents.

That is a major finding, as the other two have been familiar problems for decades, whereas deepfakes are taking the KYC world by storm. Synthetic media has officially moved from a specialist fraud topic into mainstream identity-risk planning.

Moving from one AI threat to another, we have an entry that ranked surprisingly high — AI agents. While fewer people see them as a danger than deepfakes, they present a totally new kind of IDV problem: identity systems may need to verify not only the evidence, but the actor behind the session.

Some of that may be legitimate: a real customer may use accessibility software, a browser assistant, translation tools, autofill, or an approved delegate. More broadly, AI assistants are starting to perform ordinary digital tasks on a user’s behalf: filling out forms, comparing offers, booking tickets, contacting companies, or helping users complete multi-step online processes.

Other cases may be abusive: a fraudster using an agent to test many onboarding variations, drive account takeover, submit synthetic evidence, or complete verification steps at scale.

That’s why, if software completes part of the identity flow, teams need to know whether the user authorized it, whether the action is permitted, whether stronger confirmation is needed, and whether the case should be reviewed.

While large portions of respondents indicated suspected or confirmed AI misuse (35% and 32% respectively), an equally sizable group witnessed “automated/scripted behavior”. This is worth looking into because automated behavior doesn’t automatically mean attempted identity fraud, as discussed in the previous section.

Automated-looking behavior may come from fraud scripts, bots, or attack tools, but it may also come from password managers, accessibility tools, managed devices, support-assisted flows, or legitimate user-side automation. And the big risk here lies in treating every such identity signal as either harmless or fraudulent too quickly. 

That’s why KYC teams must make sure their IDV systems and review teams can label the difference between legitimate assistance, suspicious automation, synthetic evidence, and confirmed abuse. 

This also changes vendor evaluation: IDV providers must be asked how they detect AI-generated documents, deepfake media, injection attacks, replayed biometrics, and scripted sessions, but also how those findings are recorded for analyst review and audit.

As we discussed, AI use may include a genuine customer relying on accessibility software, translation tools, autofill, password managers, or other assistance. At the same time, it may also include a script, bot, fraud operator, or AI system helping someone submit synthetic identity evidence.

Given how common AI has become, limited visibility creates practical risk. If visibility is weak, legitimate assistance can be treated as suspicious, while risky automation can look like ordinary user behavior. Analysts may see odd timing, repeated retries, unusual capture behavior, or inconsistent evidence, but still lack enough context to decide whether the case should pass, fail, or go to manual review.

That’s why KYC teams should build a customer-side and external-actor AI-use taxonomy for IDV.

The taxonomy should connect directly to review rules. Some cases may require step-up verification, some may go to manual review, some may be blocked, and some may be allowed with the right evidence.

From the results of our survey, we have identified two compelling correlations that show certain groups as more likely to recognize AI-native identity threats, especially deepfakes, than others.

NOTE: these should not be treated as cause-and-effect claims.

If organizations have low visibility into AI-assisted tool use, they are much less likely to flag deepfakes as threats (18%) and more likely to flag document fraud (45%), compared to those with high visibility. 

If organizations have high visibility, an impressive 41% flag deepfakes and only 32% flag document fraud.

Deepfake concern is higher among respondents whose main responsibility is fraud detection/prevention: 38%, compared with 29% among those for whom fraud is one of several duties.

That is especially important for deepfakes because they rarely arrive as an isolated “fake face” event. They can come with stolen identity data, manipulated documents, replay attempts, injection risk, or scripted behavior. Without dedicated review, those pieces can be treated as unrelated friction instead of one coordinated identity attempt.

The two correlations are united by one hypothesis: AI identity risk becomes clearer when teams can name it, see it, and own it.

They do not prove causation, but they do show where KYC teams can improve. Deepfakes and AI-assisted identity threats are easier to manage when they are not buried under generic labels, scattered between teams, or treated as isolated technical alerts.

The full Regula survey report is publicly available — free, with no strings attached. 

Want to know how Regula can help protect your business from AI-powered identity fraud? Talk to our experts.