Real Identities, Wrong Person: Why Identity Verification Is Failing

Identity verification has been a foundational investment for enterprises for over a decade. But the frameworks built to support it are no longer holding up. Real personal data is now widely available, generative AI has collapsed the cost of document forgery, and injection attacks bypass the device camera entirely.

The scale of the shift is already measurable. During the discussion, panelists referenced more than 18,000 data breaches over the last decade, including 3,300 in 2025 alone. Attackers now pair stolen PII with AI-generated documents that cost as little as $15 to produce. Roughly 30% of fraudulent verification attempts involve generative AI, and deepfake-related losses have tripled in just twelve months. AI-enabled fraud losses are projected to approach $40 billion within the next year.

These trends point to a structural change in identity fraud. Attackers are using real data, their own faces, and delivery methods built to defeat the camera and liveness checks that many current systems still depend on.

One central theme from our webinar, "Real Identities, Wrong Person: Why Identity Verification Is Failing in 2026," was the growing gap between verifying a document and verifying a person. As authentic credentials become commodity inputs and AI drives the cost of convincing forgery toward zero, identity assurance can no longer rest on the document alone.

So how should fraud, identity, and risk leaders reassess their verification architecture, vendor capabilities, and long-term identity strategy? The conversation explored exactly that.

Key takeaways

  • The threat has shifted from synthetic identity creation to real-identity impersonation. Attackers now pair authentic stolen PII with AI-generated documents and their own faces, defeating many checks traditional IDV systems still rely on.
  • Injection attacks are the delivery mechanism making deepfake fraud operational at scale. Effective defense requires controls across device integrity, session behavior, and media-stream forensics — not just image analysis.
  • Traditional IDV solves three problems but often misses a fourth: does the identity being presented actually match the identity held by the issuing authority? Many existing verification stacks were not designed to answer that question.
  • Source-of-truth verification is emerging as a critical layer. Matching against issuing-agency records produces a far higher-confidence outcome than probabilistic document analysis alone, while preserving privacy because personal data never leaves the agency environment.
  • Higher-assurance identity ownership checks strengthen fraud defenses without the conversion friction created by increasingly aggressive probabilistic controls.
  • Fraud follows the path of least resistance. As attackers adapt to stronger defenses, institutions that lag on injection detection and source-of-truth verification become increasingly attractive targets.

Identity verification was built on a simple assumption: if the document looked real and the face matched, the identity could be trusted. AI has broken that assumption. Attackers now use real stolen data, AI-generated credentials, deepfakes, and injection attacks to bypass verification flows that were never designed for this threat model. Incode closes that gap.

By combining document verification, biometric matching, liveness detection, deepfake and injection attack defense, and source-of-truth verification into a single workflow, organizations verify identity ownership with far higher assurance.

The threat is already here. The technology to address it exists. The only question is whether your verification stack is ready.
