In brief: Proof of Personhood confirms that a user is a human — not a bot or someone’s AI agent. As AI-generated actors become more commonplace, it’ll increasingly matter as one additional layer in a broader security stack.
For most of the internet's history, we assumed the person on the other side of a digital interaction was, in fact, a person. That assumption no longer holds. According to the Imperva Bad Bot Report, for the first time in a decade, automated traffic has surpassed human activity in 2024, accounting for 51% of all web traffic.
AI agents can fill out forms, complete onboarding flows, write reviews, and conduct conversations indistinguishably from humans. Deepfakes can impersonate real individuals in video calls. Synthetic accounts can pass basic verification checks. And the tools to build all of this are widely available and improving fast.
Why "prove you're human" became a business problem
Businesses now face automated activity at every stage of the user journey.
Some of it is legitimate. AI agents can help users fill out forms, book appointments, summarize information, or complete repetitive tasks faster. In many workflows, that kind of automation is useful and expected.
The problem starts when a business cannot tell the difference between authorized automation, unwanted bots, and fake human participation. Fake accounts distort platform metrics. Promo abuse drains marketing budgets. Fake reviews manipulate purchasing decisions. Bot-driven ticketing blocks real customers. Synthetic users can pass weak signup checks and later be used for fraud, spam, or other manipulation.
According to Regula's own research, half of all companies have already experienced fraud involving audio or video deepfakes.
The questions businesses have to answer right now are:
- Is there a real person participating in this interaction?
- If automation is involved, is it an authorized bot or AI agent acting with user approval, or abusive automation pretending to be legitimate activity?
- Does this situation require simple bot filtering, proof that each participant is unique, or full identity verification?
Proof of Personhood can support cases where a business needs to know that a participant is human and unique, without necessarily knowing their legal identity. That makes it useful for fighting fake accounts, duplicate participation, review manipulation, promo abuse, and other forms of automated or scaled behavior. But it is not the right answer for every trust problem.
How businesses check for real human activity today
Most businesses already use some controls to detect automation, suspicious behavior, and fake participation. These tools help, but they were not all designed to answer the same question:
| Method | What it helps check | Where it works well | Main limitation |
|---|---|---|---|
| CAPTCHAs | Whether a user can pass a challenge | Basic bot filtering and low-risk forms | Creates friction and can be solved by modern AI agents |
| Email or phone verification | Whether a user controls a communication channel | Signup confirmation and account recovery | Does not prove a user is human or unique. Disposable email services and virtual numbers are trivially easy to obtain |
| Rate limiting and bot management | Whether traffic volume or access patterns look abusive | Network-level and application-level protection | Does not verify the human behind accepted traffic |
| Face matching | Whether a live face (selfie or video) matches a trusted reference image | Identity binding, repeat-user checks, account recovery, and step-up checks | Requires a trusted reference, such as an ID portrait or verified account profile |
| Liveness detection | Whether a real person is present during the session | Remote onboarding, account recovery, and step-up checks | Proves presence, not identity or uniqueness by itself |
| Device fingerprinting | Whether the device or browser looks suspicious | Duplicate-account detection and fraud pattern analysis | Can be spoofed, rotated, or hidden behind emulators and proxies |
| Behavioral analytics | How the user moves, types, clicks, or navigates, and whether that looks human | Background risk scoring and anomaly detection | Works best as a supporting signal, not a final decision |
Each of these tools has value, but individually, each one answers a different slice of the trust problem. And the distinction between wanted and unwanted automation is getting harder to make, especially with low-effort methods like CAPTCHA.
What is Proof of Personhood
Proof of Personhood (PoP) is a mechanism that confirms a user is a unique, real human being. The core idea: if you can prove your humanity once, you should be able to carry that proof across different services without re-submitting personal data each time. That proof can be issued as a verifiable credential — a cryptographically signed claim about you that others can check without accessing your underlying data.
That makes it different from basic bot detection. A bot-detection tool may decide that a session looks automated. Proof of Personhood goes further by trying to establish that each participant corresponds to one real human.
It is also different from identity verification. Proof of Personhood doesn’t necessarily confirm a person’s legal name, nationality, date of birth, or document details. The whole point is to prove humanity and uniqueness without exposing identity.
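The verifiable-credential idea described above, as an added sketch that is not code from World ID, Regula, or any PoP product: an issuer signs a "human and unique" claim with Ed25519, and a relying party checks it with only the issuer's public key, learning nothing about who the person is. The claim names (`human`, `sub`, `aud`, `exp`), the HMAC-derived per-service pseudonym, and the function names are assumptions made for this example.

```javascript
const crypto = require('node:crypto');

// Constructed issuer key pair; relying parties only ever see publicKey.
const issuer = crypto.generateKeyPairSync('ed25519');
// Assumption: issuer-only secret for deriving per-service pseudonyms.
const issuerSecret = crypto.randomBytes(32);

// Issuer side, called after a person passed the humanity/uniqueness check.
// enrollmentId is the issuer's internal handle and never leaves the issuer.
function issueCredential(enrollmentId, audience, ttlSeconds, now = Date.now()) {
  // Same person + same service -> same sub; other services get unlinkable values.
  const sub = crypto.createHmac('sha256', issuerSecret)
    .update(`${audience}:${enrollmentId}`).digest('base64url');
  const claims = { human: true, sub, aud: audience, exp: Math.floor(now / 1000) + ttlSeconds };
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
  const sig = crypto.sign(null, Buffer.from(payload), issuer.privateKey);
  return `${payload}.${sig.toString('base64url')}`;
}

// Relying-party side at signup: checks the signature before parsing anything,
// then audience, expiry, and one-account-per-person via the pseudonymous sub.
function admitSignup(token, publicKey, audience, seenSubjects, now = Date.now()) {
  const [payload, sig] = String(token).split('.');
  if (!payload || !sig) return { ok: false, reason: 'malformed' };
  const sigBytes = Buffer.from(sig, 'base64url');
  if (!crypto.verify(null, Buffer.from(payload), publicKey, sigBytes)) {
    return { ok: false, reason: 'bad_signature' };
  }
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (claims.human !== true) return { ok: false, reason: 'no_human_claim' };
  if (claims.aud !== audience) return { ok: false, reason: 'wrong_audience' };
  if (claims.exp <= Math.floor(now / 1000)) return { ok: false, reason: 'expired' };
  if (seenSubjects.has(claims.sub)) return { ok: false, reason: 'duplicate_person' };
  seenSubjects.add(claims.sub);
  return { ok: true, subject: claims.sub };
}
```

The audience check stops a credential issued for one service from being replayed at another, and the per-service `sub` lets each service enforce uniqueness without two services being able to correlate the same person.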
How World ID pushed the PoP topic into the mainstream
No single project did more to bring Proof of Personhood into mainstream conversation than World ID, co-founded by OpenAI CEO Sam Altman. World ID built a global network around a proprietary iris-scanning device called the Orb, issuing cryptographic World IDs to users who verified their humanity in person.
The project has since announced integrations with major enterprise platforms — Zoom, DocuSign, Shopify, and others — positioning World ID as infrastructure for verifying human presence in the age of AI agents and deepfakes.
Why Proof of Personhood can be hard to implement at enterprise scale
Some Proof of Personhood models require users to complete biometric enrollment through a specific capture method, such as an iris scan with a dedicated device. Iris-based PoP may be technically powerful, but enterprise adoption depends on whether users will accept the capture method and whether the business can carry the privacy risk.
First, the user needs access to the capture point. If verification depends on a proprietary device or in-person enrollment location, it becomes harder to fit into remote onboarding, global customer journeys, or high-volume digital workflows.
Second, the user has to be willing to provide sensitive biometric data. Even when a system uses privacy-preserving architecture and does not store raw biometric images centrally, many users will still see an iris scan as a higher-trust request than a selfie, document scan, or device check.
Finally, businesses usually need something more operational: a verification flow they can control, configure, audit, and adapt to different risk levels. Standalone Proof of Personhood may confirm that a user is human and unique, but it does not automatically tell a business what to do next, when to step up verification, when to reject, or when to send the case to manual review.
PoP regulatory pushback
The regulatory picture adds another layer of risk. World ID has faced restrictions or outright bans across a growing list of markets:
- Spain's data protection authority ordered World ID to halt operations and delete user data after finding GDPR violations, with the country's High Court later upholding a temporary ban.
- Brazil banned the project entirely in January 2025, citing concerns that financial incentives for biometric data undermined the principle of voluntary and informed consent.
- Hong Kong’s privacy office announced the results of its investigation into World ID and found that the iris biometrics project runs afoul of data privacy laws.
- In 2024, Portugal's data regulator banned World ID from collecting biometric data for 90 days due to GDPR violations.
- Kenya's High Court ultimately declared the platform's operations illegal in May 2025.
- Indonesia suspended operations in early May 2025 over concerns about iris data collection.
For any organization with cross-border operations, building on infrastructure with this kind of regulatory footprint is a meaningful compliance risk.
What businesses actually need to decide
Before choosing Proof of Personhood, bot detection, identity verification, or authentication, businesses need to define the question they are actually trying to answer.
When should a business use identity verification instead
Proof of Personhood is a useful signal. As AI-generated actors become harder to detect, having a cryptographic proof of human uniqueness will increasingly matter as one layer in a broader security stack. But many enterprise workflows require a different answer. There may be simple workflows where PoP is sufficient, such as preventing bots from creating multiple accounts to abuse a promotion or manipulate an online poll.
However, a bank, healthcare provider, employer, marketplace, or signing platform usually needs to know who the person is, whether the evidence is genuine, whether the person is present now, and whether the decision can be reviewed later. That is where Proof of Personhood becomes one possible signal, not the whole verification strategy.
Regula's IDV Platform is built for exactly that: verifying not just that someone is human, but who they are — across the full user lifecycle, from onboarding to high-risk actions, without proprietary hardware or blockchain dependencies. It covers:
- Document and identity binding — verify that a real person is behind a real document, backed by 16,000 templates from 254 countries and territories.
- Liveness and facial recognition — confirm the face matches the document and block spoofing attempts: static images, video replays, deepfakes, and masks in real time.
- Compliance and auditability — AML/PEP screening, database validation, session management, and full analytics built into the flow.
The question isn't whether Proof of Personhood matters — it does. The question is whether it's sufficient for what your business actually needs to verify. In most cases, it isn't. But combined with robust identity verification, it can be a meaningful part of a layered, future-ready approach to trust.
