Products
Solutions
Explore
Company
Try Online

en

Language

Regula Global Research Report · 2026

The New Shape of
Identity Threats

From Verifying Users to Verifying Machine Actors

Respondents
850 decision-makers
Markets
UK · US · DE · SG · UAE · BR · MX
Industries
Banking · Crypto · Gov · Telecom · Gaming
Fieldwork
Sapio Research · March 2026
Confidence
±3.4% at 95%

"Identity verification was designed for a world where every interaction involved a real person. That assumption no longer holds. Today, organizations are not only verifying identities — they are determining whether an interaction itself is genuine, and whether the actor behind it is human or machine. This report helps decision-makers understand how identity threats are evolving, where visibility breaks down, and what it takes to maintain trust in systems increasingly exposed to AI-driven activity."

Henry Patishman
Henry Patishman
Executive VP, Identity Verification Solutions

Key Findings

Five signals that define the 2026 threat landscape

Identity risk is now universal

98%

of organizations report concern about identity-related threats

AI-driven activity is already widespread

87%

report AI-assisted or automated actors attempting to pass identity processes in the past 12 months

Visibility is lagging behind exposure

69%

say AI tools are present in identity flows — but many lack clarity on how they are used

Deepfakes are now among top-tier threat

35%

cite AI-generated impersonation as a major concern, nearing document fraud

Identity risk is now universal

98%

of organizations report concern about identity-related threats

Part I

The Shift: Identity Systems
Under Pressure

Identity verification was built to confirm that a real person is behind a transaction. That assumption is now under pressure.

Who — or what — is on the other side of the interaction?

01

Is this interaction genuine?

02

Is the actor human, a bot, or AI-assisted?

03

Can the identity signals — documents, selfies, voice, behavior — be trusted?

Identity fraud is now nearly universal

98%

of organizations are concerned about identity-related threats.

Identity fraud is no longer a banking problem. Telecoms, government services, gaming platforms, and financial institutions are all exposed.

Every sector is in the line of fire. What separates them is how ready they are when attacks hit.

Distribution of top identity-related threats cited by organizations: identity spoofing (38%), document fraud (36%), deepfakes (35%), biometric spoofing (29%), synthetic identities (26%), AI agents (26%), and 2% reporting no concern. WAYS ATTACKERS ATTEMPT TO PASS IDENTITY CHECKS — TOP CONCERN 0% 10% 20% 30% 40% Identity spoofing 38% Document fraud 36% Deepfakes 35% Biometric spoofing 29% Synthetic identities 26% AI agents acting as users 26% Not concerned 2% Identity threats are tightly clustered — spoofing, document fraud, and deepfakes form a top tier. AI-driven threats — including synthetic identities and AI agents — are already part of the core risk landscape.

A New Threat Appears

26%

are concerned about AI agents acting on behalf of users as a threat to their identity flows.

The top three threats — identity spoofing, document fraud, and deepfake impersonation — are now closely aligned in perceived risk.

But another signal stands out: AI bots that behave like real customers — moving through onboarding, login, and transaction flows built for humans.

1 in 4 organizations already recognize this shift. Many others may be experiencing it — without yet identifying it.

Customer identity journey showing stages (signup, document upload, selfie verification, support interaction, transaction) with potential bot intrusion points including scripted signup, automated uploads, synthetic biometric input, bot-driven support escalation, and delegated transactions WHERE AI AGENTS INTERACT WITH IDENTITY SYSTEMS SIGN UP User visits site or app 1 scripted signup SIGN UP User submits ID 2 automated upload LIVENESS CHECK User takes a selfie 3 synthetic selfie CUSTOMER SUPPORT User contacts support 4 support bot escalation ACCOUNT ACTIONS Transactions or updates 5 delegated transaction Bots mimic real users at every stage — appearing legitimate throughout.

Part II

The Visibility Gap:
AI Use Is Rising. Visibility Is Lagging.

69% of organizations say AI-assisted tools are already common in their identity flows. 87% recognize that AI is present. But far fewer can pinpoint where it operates or what it does.

If you can't see where AI operates in your flows, can you control it?

AI use is common — visibility is not

69%

of organizations say AI-assisted tools are already common in their identity or authentication flows.

Awareness is higher: 87% recognize that AI is present in their systems. But far fewer can pinpoint where it operates or what it does.

That gap matters. Systems cannot control what they cannot clearly detect.

Distribution of visibility into AI use in identity flows: 39% report common use with clear visibility, 30% common with limited visibility, 18% occasional use HOW WELL ORGANIZATIONS SEE AI IN THEIR VERIFICATION FLOWS 39% 30% 18% 13% 69% AI tools common in identity flows 39% — Common, with clear visibility 18% — Occurs occasionally 30% — Common, but limited visibility 13% — Rarely / unsure AI is widely present in identity systems, but fewer than half of organizations — have clear visibility into its use. 39%

AI bots are already testing identity systems

87%

of organizations report AI-assisted or automated actors attempting to interact with their identity processes in the past 12 months.

These actors are already present across onboarding, authentication, and account access flows.

Some activity is clearly fraudulent. Some reflects legitimate automation. But much of it sits in between — scripted behavior and synthetic evidence that obscures who or what is actually behind the interaction.

That ambiguity is the core risk. When intent is unclear and attribution is hard, the true scale of exposure rarely shows up in incident reports.

Breakdown of how organizations encounter AI-assisted actors: scripted behavior signals (35%), suspected synthetic identity evidence (35%), confirmed cases (32%), blocked attempts (21%), no signals with monitoring (9%), no signals limited monitoring (2%), not sure (2%) EXPERIENCE WITH AI-ASSISTED OR AUTOMATED ACTORS 35% Signals consistent with automated/scripted behavior (attribution uncertain) 35% Suspected use of synthetic/AI-generated identity evidence 32% Confirmed cases identified through investigation 21% Attempts blocked/contained before passing identity controls 9% No signals detected, monitoring in place 2% No signals detected, monitoring limited 2% Not sure / do not actively measure AI actors are invisible — 13% combined AI-driven activity is widespread — but often indistinguishable from legitimate behavior.

The Blind Spot

The Blind Spot: 87% of organizations experienced AI-assisted intrusion attempts, while only 69% have clear visibility into their identity flows — illustrating the gap between exposure and awareness. 87% experienced AI-assisted intrusion attempts 69% have clear visibility ← GAP →

Taken together, these findings point to a deeper issue.

AI-driven activity is already present — but not fully understood. Organizations are detecting signals they cannot reliably track, attribute, or explain.

Exposure is high.
Visibility is partial.
Understanding is incomplete.

Part III

Core Identity Threats:
How Risks Differ Across Markets

Three threats now form a single risk tier — identity spoofing, document fraud, and deepfakes sit within 3 percentage points of each other.

If you can't see where AI operates in your flows, can you control it?

38%

Identity spoofing — #1 globally

36%

Document fraud — #2 globally

35%

Deepfakes — now top-tier

IDENTITY SPOOFING

GLOBAL FINDING

Identity spoofing — the reuse of stolen photos, videos, or credentials — ranks as the most common identity threat globally. But the gap with document fraud and deepfakes is minimal. All three form a single risk tier.

Identity spoofing concern by country. Brazil reports the highest concern at 45%, followed by the USA (41%) and Mexico (40%), above the 38% global average. Germany reports the lowest level at 32%. BY COUNTRY avg 38% 0% 10% 20% 30% 40% 50% Brazil 45% USA 41% Mexico 40% UK 38% UAE 38% Singapore 36% Germany 32% Above global avg Below global avg Global avg Brazil leads at 45%. Germany lowest at 32% — a pattern across all threat categories. Divergence suggests different exposure levels, or different confidence in existing controls.
Identity spoofing concern by industry. Gaming/Gambling shows the highest concern at 42%, followed by Government at 40%. Financial Services and Telecom both score 39%, while Crypto reports the lowest concern at 35%. BY INDUSTRY 42% Gaming/Gambling ▲ highest 40% Government 39% Financial Services 39% Telecom 37% Banking 35% Crypto ▼ Purple — above global avg Grey — below global avg Gaming/Gambling leads at 42%. Crypto ranks lowest at 35% — a reversal from its #1 position on document fraud. Onboarding-heavy sectors feel identity creation risk most; account-based ecosystems face credential reuse pressure.
Identity spoofing concern by company size. Concern peaks among organizations with 5,000–9,999 employees at 43%, above the 38% global average, suggesting elevated exposure among large but not fully mature organizations. BY COMPANY SIZE PEAK CONCERN 43% 5,000–9,999 employees Purple — above global avg Grey — below global avg Concern peaks among organizations with 5,000– 9,999 employees at 43% — higher than both smaller firms and the largest enterprises. Risk appears to concentrate in organizations with large user volumes but without fully mature, layered defenses. Exposure to identity spoofing varies by context — but the attack remains universally relevant across markets, industries, and organization sizes.

Document Fraud

GLOBAL FINDING

Counterfeit, altered, or stolen IDs remain one of the top identity threats globally.

Document fraud concern by country. Mexico reports the highest concern at 38%, followed by Brazil, the UAE, and the UK at 37%, around or above the 36% global average. Germany reports the lowest concern at 29%.
Document fraud concern by industry. Crypto reports the highest concern at 44%, followed by Government at 43%, both well above the 36% global average. Telecom and Gaming align near the average, while Financial Services reports the lowest concern at 32%.
Document fraud concern by company size. Concern increases with organizational scale, rising from 29% among companies with 250–499 employees to 41% among organizations with more than 10,000 employees, above the 36% global average.

Deepfakes — Country Perspective

Deepfakes are no longer an emerging threat

AI-generated faces and videos used to mimic real users in onboarding and authentication now rank among the top identity concerns globally, just behind identity spoofing.

Deepfake and AI-generated impersonation concern by country. Singapore reports the highest concern at 42%, followed by the UK at 41%, both above the 35% global average. Germany and the UAE align with the global average at 35%, while Brazil reports the lowest concern at 28%. The chart suggests earlier recognition of synthetic media risks in digitally mature, high-volume onboarding markets. avg 35% 0% 10% 20% 30% 40% 50% Singapore 42% UK 41% Germany 35% UAE 35% Mexico 34% USA 32% Brazil 28% Above global avg Below global avg Global avg Singapore and UK lead — mature fraud ecosystems and high-volume digital onboarding drove earlier recognition of synthetic media risks.
SINGAPORE AND THE UK LEAD Mature fraud ecosystems and high-volume digital onboarding have pushed earlier recognition of synthetic media risks. UAE SITS AT THE GLOBAL AVERAGE Notable given its high awareness of AI agents — suggesting different threat prioritization rather than lower exposure. THE US FALLS BELOW AVERAGE Deepfake risk may be absorbed into adjacent categories such as synthetic identity or social engineering. BRAZIL RANKS LOWEST Consistent with a broader pattern of lower concern toward AI-driven identity threats.

Deepfakes — Industry Perspective

Widest variation of any identity threat

Deepfakes show the widest variation across industries of any identity threat — a sign that adoption and awareness are uneven. Some sectors have already operationalized this risk. Others have barely begun.

Deepfake concern by industry. Gaming/Gambling reports the highest concern at 40%, followed by Banking and Crypto at 37%, above the 35% global average. Financial Services aligns near the average at 36%, Telecom reports 35%, and Government shows the lowest concern at 27%. The chart highlights significant variation in deepfake awareness and exposure across industries, with digitally intensive sectors reporting higher concern levels. 40% Gaming/Gambling ▲ highest 37% Banking 37% Crypto 36% Fin. Services 35% Telecom 35% Government ▼ Purple — above global avg Grey — below global avg Gaming leads at 40%; Government lowest at 27% — where in-person verification still dominates, synthetic media is not yet a front-line threat.
Gaming/Gambling leads High-velocity onboarding and video-based interactions make synthetic impersonation a tested attack vector. Banking and Crypto remain above average Both have direct exposure to deepfake-enabled fraud, including account takeover and onboarding bypass. Government sits lowest Where in-person and document-based verification still dominates, synthetic media is not yet perceived as a front-line threat.

Deepfakes — Deeper Cut

What else the data reveals about deepfake awareness

Organizations aware of AI-agent threats are significantly more likely to recognize deepfake risks. Among respondents aware of AI agents, 41% identify deepfakes as a concern, compared with 18% among organizations unaware of AI-agent activity. AWARENESS CLUSTERS AI threat recognition generalizes. 41% aware of AI agents vs 18% unaware of agents Organizations aware of AI-agent risk are 2× more likely to flag deepfakes — detection capability generalizes.
Organizations with more than seven years of identity verification experience report lower deepfake concern at 28%, compared with the 35% global average, suggesting operational maturity does not always translate into faster adaptation to emerging AI-driven threats. EXPERIENCE ≠ ADAPTATION Tenure builds confidence. It doesn't always update it. 28% 7+ years in IDV vs 35% global average Veterans sit 7 points below global average. Confidence doesn't always update.
Organizations with dedicated fraud roles report higher deepfake concern at 38%, compared with 29% among organizations where fraud responsibilities are shared, indicating that clear ownership increases threat visibility and recognition. OWNERSHIP MATTERS Diffused ownership diffuses risk perception. 38% dedicated fraud role vs 29% shared duties 9-point gap between dedicated and shared fraud responsibility.

Part IV

AI Agents as a New Risk Layer:
Machine Actors Enter Identity Systems

AI agents remain a poorly defined threat category. No country reports high concern. The signal is present — the response is absent.

26%

of organizations already identify machine-operated actors acting on behalf of users

AI Agents — Country Perspective

A poorly defined threat category

AI agents remain a poorly defined threat category. No country reports high levels of concern. Across all markets, AI agents rank as the least urgent identity threat.

Concern about AI agents acting on behalf of users by country. The UAE reports the highest concern at 32%, followed by Singapore at 30%, both above the 26% global average. Mexico reports 27%, while the UK and USA both report 25%, slightly below average. Germany reports 23%, and Brazil the lowest level at 21%. The chart suggests digitally advanced markets recognize AI-agent risks earlier than others. avg 26% 0% 10% 20% 30% 40% UAE 32% Singapore 30% Mexico 27% UK 25% USA 25% Germany 23% Brazil 21% Above global avg Below global avg Global avg UAE and Singapore lead — digital-first markets encounter emerging risks earlier. The US falls below average despite high threat awareness: AI-agent activity may not yet be classified as a distinct strategic risk.

AI Agents — Industry Perspective

Recognized — but not yet operationalized as a core threat

Concern is remarkably flat across sectors, with just an 8-point spread between highest and lowest. No industry has clearly "claimed" this risk. Government and Crypto report identical concern levels despite fundamentally different risk profiles. This suggests that AI agents do not yet fit into established threat models — making them harder to categorize, prioritize, and address.

Concern about AI agents acting on behalf of users by industry. Financial Services and Telecom report the highest concern at 29%, above the 26% global average. Crypto and Government both report 27%, near the average, while Banking and Gaming/Gambling report the lowest concern at 21%. The narrow spread across industries suggests AI-agent risk is still emerging and not yet strongly differentiated by sector. avg 26% 0% 10% 20% 30% 40% Financial Services 29% Telecom 29% Crypto 27% Government 27% Banking 21% Gaming/Gambling 21% Above global avg Below global avg Global avg Just 8 points from highest to lowest — no industry has claimed this risk. Government and Crypto report identical concern (27%) despite fundamentally different risk profiles. AI-agent risk is evenly distributed across industries — not because exposure is equal, but because understanding is still limited.
AI-agent concern varies by only 8 percentage points across industries, from 21% in Banking and Gaming/Gambling to 29% in Financial Services and Telecom. 8-POINT SPREAD — NARROWEST OF ANY THREAT 29% Financial Services & Telecom (highest) 21% Banking & Gaming (lowest) No industry has clearly "claimed" this risk. Government and Crypto report identical concern (27%) despite fundamentally different risk profiles.

AI Agents — Company Size Perspective

Exposure does not increase linearly with size

AI-agent risk is most visible where detection exists but control is still incomplete.

Bar chart showing concern about AI agents acting as users by company size, peaking at 31% among organizations with 1,000–4,999 employees. AI AGENTS ACTING AS USERS: CONCERN BY COMPANY SIZE avg 26% 29% 250–499 emp. 28% 500–999 emp. 31% ▲ PEAK 1,000–4,999 emp. 20% ↓ sharp drop 5,000–9,999 emp. 24% ↗ returns 10,000+ emp.
31% — peak concern. Large enough to encounter AI-agent activity at scale, not yet equipped with enterprise-grade detection. Mid-market (1,000–4,999) 20% — sharp drop. Stronger tooling and dedicated teams reduce perceived urgency, even if exposure remains. Large enterprises (5,000–9,999) 24% — returns near average. Scale brings better defenses, but also more channels and regions to defend. Very large (10,000+) 29% / 28% — just above average. Present but not yet a defining concern. Smaller orgs (250–999)

Key Conclusions

What the data means for businesses

"The next challenge is software entering systems that were built to deal with people."

— Regula Global Research Report, 2026

1

Identity risk is now universal across identity verification systems.

Consistent with a broader pattern of lower concern toward AI-driven identity threats.

2

Identity spoofing, document fraud, and deepfakes now form a single risk tier.

No single threat dominates. All three demand equal operational attention within IDV processes.

3

Deepfakes moved into the mainstream faster than defenses adapted.

What was recently an emerging threat is now a top-tier concern in identity verification.

4

AI-driven actors are already inside identity systems.

Automated and AI-assisted activity is no longer theoretical — it is actively interacting with onboarding, authentication, and account access flows.

5

Visibility has not kept pace with exposure.

Most organizations know AI is present in their identity flows, but lack the ability to track, attribute, or respond to it effectively.

6

Risk concentrates where growth outpaces control.

Mid-market organizations and fast-digitizing environments face the highest pressure — where identity verification must scale faster than detection capabilities.

Verify identity with precision — in 2026 and beyond

Explore Regula’s customizable, on-premises, and reliable solutions for document and biometric verification.

On our website, we use cookies to collect technical information. In particular, we process the IP address of your location to personalize the content of the site

Cookie Policy rules