en

Language

30 Jun 2026 in Business use cases

Identity Verification Under AI Pressure: 6 Key Stats for 2026

Henry Patishman

Executive VP, Identity Verification solutions

In Part I of our “The New Shape of Identity Threats” report, we looked at how the overall threat configuration is changing: AI agents acting on behalf of users, deepfake impersonation, scripted behavior, and limited visibility into AI-assisted activity. 

In this article, we will look at what happens next: how teams respond when identity checks become harder to trust. For example, we found that 92% of organizations report impact from incorrect identity verification results, including financial loss, regulatory or compliance exposure, reputational damage, operational disruption, and customer churn.

This is why the operational side of ID verification now matters more than ever. When AI-assisted activity enters the flow, teams need to understand whether the biometric was captured live, whether the session showed automation, and who owns the response if something goes wrong.

This is original data from Regula’s global study of AI-assisted identity activity and identity risks in banking, financial services, crypto, telecom, government, and gaming in the UK, US, Germany, Singapore, the UAE, Brazil, and Mexico.

Subscribe

Subscribe to receive a bi-weekly blog digest from Regula

Human presence controls are common, BUT confidence in them is limited

76% of organizations reported having capabilities for verifying human presence. 

However, only 48% consider those capabilities reliable.

Most teams now have some kind of technical control meant to verify that a real person is present during remote identity verification. However, things get slightly more complicated when the interaction may no longer be a normal “human session”. AI-assisted actors can now move through onboarding, login, recovery, support, or transaction flows in ways that look user-like from a product perspective, while the actual actor behind the session is unclear.

The main risk here is not even fraud itself, but misclassification: legitimate assistance can be sent to fraud review, whereas scripted abuse blends into normal user friction if the ID verification system is lacking. That’s why human-presence checks need to preserve enough context to tell whether the interaction was user-controlled, assisted, automated, manipulated, or still uncertain.

Some data points worth tracking for reliable human-presence controls:

  • Capture path: expected camera path, virtual camera signals, emulator use, remote desktop activity, browser injection, malware indicators, altered capture routes.

  • Liveness depth: coverage against photos, masks, screen replays, prerecorded video, face swaps, generated faces, and injection attacks.

  • Session continuity: consistency between person, document, device, timestamp, and verification attempt, including retries, handoffs, device changes, and repeated failures.

  • Automation behavior: scripted timing, copied interaction patterns, unusual retry sequences, bulk attempts, or signs that the user no longer controlled the session directly.

  • Allowed assistance: accessibility tools, translation help, password managers, support-guided flows, and approved delegates separated from automation used to test or bypass controls.

  • Review evidence: rule hits, liveness results, capture-path findings, retry history, reviewer notes, and final rationale for every pass, fail, or manual-review outcome.

The strongest human-presence controls will therefore combine policy and evidence. Policy defines which assisted actions are acceptable and which ones require step-up. Evidence shows whether the biometric was captured live, through a trusted path, during the same session, with enough context to defend the decision after a fraud case, complaint, audit request, or regulator question.

Biometric checks are in place, BUT live capture is still hard to definitively prove

Only 46% of organizations say they can fully verify that biometric data was captured live. 

Another 52% have partial or no verification, while 2% are not sure.

It’s clear that the vast majority of organizations have biometric controls in place, but, at the same time, not everyone can fully prove the integrity of the capture event.

As a result, a biometric match can look persuasive while still resting on weak capture integrity. Recorded media, injection attacks, masks, generated faces, manipulated streams, and compromised capture paths all challenge the assumption that the person was physically present during verification.

The likely missing pieces are: presentation attack detection, signal injection resistance, session binding, quality and retry analysis, and evidence retention.

The team must be fully aware of which attack types are tested, whether camera injection is covered, how live capture is tied to the document and session, what happens after low-confidence results, and what evidence remains for audit. A good control should help the team decide whether the person was present, whether the biometric came through a trusted path, and whether the decision can be defended later.

However, teams should also consider the business impact: stronger liveness controls can reduce false acceptance, but poor configuration can increase user friction or false rejection. That’s why there need to be risk-based rules in place: liveness checks for higher-risk sessions, review triggers for low-confidence capture, and documented rationale for any manual override.

Synthetic-content detection exists, BUT coverage is often partial

58% of organizations say they have established capabilities to detect AI-generated or manipulated content.

41% still report partial or no capability.

This comes as little surprise as IDV teams are constantly dealing with a vast array of AI-related risks — and it’s not always easy to have full protection against every tool at fraudsters’ disposal.

The gaps typically are:

  • Synthetic media detection for AI-generated faces, videos, selfies, and altered images.

  • Document manipulation detection for tampered scans, generated IDs, altered fields, and reused document images.

  • Injection and replay resistance so attackers cannot bypass camera capture or submit pre-recorded media.

  • Liveness checks tied to the session, rather than a generic biometric match without proof of live capture.

  • Session and device intelligence to catch automation patterns, emulator use, suspicious retries, or scripted timing.

  • Case-level evidence retention so analysts can see why a session was flagged and defend the decision later.

The recommendation here is to view AI-content detection not as a standalone feature, but a critical part of the whole identity decision. 

To test your own efficiency, you can take a suspicious onboarding session and ask whether the team can reconstruct why it was allowed, rejected, or escalated. If the answer depends on scattered logs, missing vendor outputs, or analyst notes with no supporting evidence, then the detection capability may be technically present but operationally incomplete.

Most identity decisions can be traced, BUT only half are fully reconstructable

92% of organizations say identity decisions are fully or mostly reconstructable. 

But only 50% can trace the decision chain end to end.

There is a difference between knowing that a decision happened and being able to reconstruct why it happened. Many teams are close to the first part; fewer can fully prove the second.

That gap becomes important in AI-assisted identity cases because the missing details are often the details that explain the risk. If the team cannot see the capture path, retry history, liveness result, device context, reviewer action, active threshold, or reason for override, the case record may be too thin to explain the final decision.

What this means: decision reconstruction should connect the identity evidence, verification results, AI-risk indicators, review actions, and operating context in one case record. Without that, the organization may be able to retrace the route of a case, but not the reasoning behind it.

A mostly reconstructable decision may be enough for routine troubleshooting, but it can fall short when the same decision is challenged by a regulator, auditor, court, customer, partner, or internal fraud team. 

The next question is whether organizations can turn their internal trace into audit-grade evidence.

External scrutiny is common, BUT audit-grade evidence lags behind

82% of organizations have had to justify identity decisions externally.

At the same time, only 56% say they provided audit-grade technical evidence.

It's becoming more and more integral that companies can defend their decisions in case of a regulator inquest. However, the 26-point gap shows that not every company has yet caught up with ever increasing compliance standards.

More specifically, the gap often exists because IDV data is scattered. One vendor may hold capture evidence, another may hold liveness results, a fraud system may hold device or behavior indicators, the case-management tool may hold analyst notes, and a compliance system may hold the final customer-risk decision. 

Even when all checks ran correctly, the organization may struggle to reconstruct the chain later if timestamps, rule hits, model outputs, reviewer notes, and vendor responses were not retained in one defensible case file.

Audit-grade evidence should ideally show:

  • what identity evidence was submitted;

  • whether document, biometric, liveness, sanctions, and fraud checks were run;

  • which warnings, risk rules, or model outputs affected the decision;

  • whether AI-generated content, synthetic evidence, injection, replay, or scripted behavior was suspected;

  • whether the case was auto-approved, auto-rejected, escalated, or manually reviewed;

  • who reviewed or overrode the decision;

  • which vendor tools, thresholds, and policies were active at the time;

  • what final rationale was recorded.

Universal awareness of AI-related identity errors, BUT no clear accountability

Responsibility for incorrect AI-driven identity decisions is divided almost evenly: business leadership, security teams, and risk/compliance teams are each named by 27% of respondents.

Considering the extremely high awareness of identity threats we saw in Part I (98%), it’s alarming that perceived accountability for bad reactions to these threats is so spread out.

It’s worth noting that the 98% figure refers to concern about identity-related threats overall, while the accountability question focuses specifically on AI-driven identity decisions. 

Still, we believe this fact doesn’t undermine the logic: broad awareness of risk does not automatically translate into clear ownership.

On the one hand, the split is fully understandable: AI-related identity decisions involve many actors at once. Business teams focus on conversion and customer experience, risk and compliance teams own KYC policy and audit exposure, security teams track abuse and account takeover, and vendors often provide the checks or data behind the decision. 

On the other hand, the shared concern can easily turn into shared ambiguity.

This creates several risks:

  • Slow response after incidents: teams spend time assigning blame or reconstructing authority instead of fixing thresholds, rules, or vendor settings.

  • Inconsistent decisions: analysts may treat similar AI-related cases differently if escalation rules are vague.

  • Weak vendor control: a provider may supply key detection results, but internal teams may not define who reviews vendor performance or tunes thresholds.

  • Audit exposure: the organization may know which tool made a recommendation, but not who approved the policy behind it.

  • Business friction: growth teams may see false rejections, while risk teams see necessary controls, with no agreed decision forum to resolve trade-offs.

The fix is to separate ownership of policy, ownership of detection, ownership of case decisions, and ownership of remediation. KYC leaders should document who approves risk thresholds, who reviews suspected synthetic evidence or liveness failures, who can override an automated decision, who monitors vendor quality, who handles external requests for decision evidence, and who updates policy after a confirmed AI-assisted attack.

So what separates stronger IDV programs?

Predictably, teams with clear visibility into AI-assisted identity activity report stronger verification, governance, and evidence capabilities than those with limited visibility. What did surprise us, however, is the size of the gap.

This is interesting because visibility is often treated too narrowly, as if it only means detecting whether AI was used in a session. But the data suggests something more: teams that can see AI-assisted activity more clearly also report stronger controls, better liveness assurance, stronger synthetic-content detection, better decision reconstruction, and better audit evidence.

The likely explanation is that clear visibility usually requires connected data: document checks, biometric results, liveness outcomes, device context, session behavior, rules, reviewer actions, and final decisions. Once those pieces are connected, the organization is better positioned to classify what happened and defend the outcome.

More insights on IDV readiness — a few clicks away

The full Regula survey report is publicly available — free, with no strings attached.

Want to know how Regula can help your business strengthen identity verification against AI-assisted threats? Talk to our experts.

Have a Use Case? Let’s Explore.

Speak with our experts to see how you can speed up verification, reduce fraud, and stay compliant.

On our website, we use cookies to collect technical information. In particular, we process the IP address of your location to personalize the content of the site

Cookie Policy rules