2025 saw the rise of AI-generated digital fraud, from deepfakes to documents. But this is only half the story: Behind ever-more realistic biometric and document fakes, AI has turned fraud into a continuous, dynamic process, says a new report, one where malicious AI agents are learning to pass as human.
By Trevor Butterworth
Last call, writing on the wall, game over. That’s 2025’s parting message to legacy identity verification is that AI has made fraud a continuous, dynamic, adaptive, and automated process.
“Fraud has entered a biological rhythm—attempt, analyze, adjust, repeat—where deception behaves less like code and more like an adaptive organism,” says a new report by AU10TIX, a Dutch company with over 30-years experience in identity intelligence.
This transformation has been driven by access to AI tools that can easily create realistic biometrics — from faces to voices — and documents. These, say AU10TIX, can be plugged into “agentic AI, or self-directed fraud engines, capable of autonomously creating and adapting synthetic identities,”
The result is the growth of “Fraud-as-a-Service (FaaS), a global market where identity forgery, credential spoofing, and document manipulation are packaged and sold on demand.”
AI agents are learning to pass as humans
You may be old enough to remember the 1993 New Yorker cartoon by Peter Steiner of a dog sitting in front of a desktop computer explaining to another dog that “On the Internet, nobody knows you’re a dog.”
The 2026 version (Iwith apologies to Peter Steiner) is this:
Good AI agents are going to need a way to identify fake people. Real people are going to need a way to identify fake AI agents. Everyone is going to need a way to verify real documents.
With the global, annual bill for digital fraud estimated at $534 billion dollars (Infosecurity Magazine), the prospect of it increasing further and eroding trust in our entire digital (and physical) economy calls for more than cybersecurity band aids.
How to stop the world being engulfed by fake people, fake documents
Keep doing identity authentication the same way but use more sophisticated signals intelligence to identify the precursor anomalies to dynamic fraud. This is AU10TIX and many other company’s solution. Essentially: let’s use good AI to defeat bad AI.
Stop doing identity authentication the same way and shift to decentralized identity and Verifiable Credentials for identity and document authentication. This is what Indicio does, and here are five ways it
1. How Verifiable Credentials mitigate injection spoofing
Injection spoofing involves fooling identity authentication workflows by “injecting” altered or fake biometrics, documents, or deepfake video.
One of the key features of a Verifiable Credential is that you can cryptographically prove the origin of the credential in a way that can’t be spoofed by AI.
If you add an authenticated biometric to the credential (as is the case with Digital Travel Credentials containing authenticated passport biometrics either derived from a passport chip or issued directly by a government), you now have a way to authoritatively cross check any liveness or biometric check.
A real person presents their authenticated biometric when they present for a liveness check. The software automatically compares the tamper-proof biometric in the credential against the live image.
The software can prove who issued this biometric credential in a way that can’t be spoofed by AI, stolen, or shared by the credential owner.
And you don’t need to centrally store biometric or any personal data to perform the verification. Verifiable Credential technology radically simplifies authentication infrastructure while making compliance with data privacy simple.
This is how Indicio technology is being used for border management and travel.
2. How Verifiable Credentials can give AI agents verifiable identities
Simple: an organization issues its AI agents and its customers or users with Verifiable Credentials.
They connect by establishing a secure communications channel. Each party can cryptographically prove they control their end of the channel.
Then, they verify each other’s identity by cryptographically proving that the issuer is trusted source for each identity credential and that the information in the credential hasn’t been altered.
This means a person can be sure they’re interacting with a legitimate AI agent before they share their data.
Just as important, AI agents can verify other AI agents before sharing a person’s data with that person’s permission.Machine-readable governance files determine which AI agents are to be trusted within an ecosystem and which information needs to be shared and to which agent.
Verifiable Credentials make automated AI-systems and ecosystems secure and compliant.
3. Verifiable Credentials are a way to mitigate fake documents
There are multiple ways to address this problem. Indicio has partnered with Regula to provide document authentication as part of the credential issuance process. Regula is the leading provider of document identification in the world.
Documents can also be structured as Verifiable Credentials. There is a size limit, but if you want the ultimate in line-by-line verifiability, this is an option. Also, an image of a document can be included in a Verifiable Credential. Documents can also be attached to Verifiable Credential by using a hash link.
4. Verifiable Credentials prevent identity drift
Identity drift is where the metadata associated with an identity — access, device, behavior — subtly change over time, signalling that it has been compromised.
Verifiable Credentials prevent identity drift by virtue of the credential data being digitally signed in a way that’s resistant to alteration — even by AI. The credential is bound to its holder through multiple layers of cryptography and biometric access.
If a person loses their phone, the credential is revoked and reissued following the same original identity assurance process. The old credential is gone. It will be recorded as dead on a revocation list written to a global ledger.
Critically, Verifiable Credentials usage is non-correlatable. The peer-to-peer communications protocol used in presenting and verifying credential data is uniquely encrypted for each verifier.
5. Verifiable Credentials prevent credential replay
A Verifiable Credential is cryptographically bound to a person, an organization, a device, or a person. It’s not something that can be shared or stolen and reused by another party. And because the data is under the owner’s control, it can only be shared by their consent.
2026 — the year of decentralized identity
While we can’t have too many defenses in our anti-fraud armory, prevention is better than remediation.
And what makes decentralized identity so powerful isn’t just that it’s a superior preventive technology: it’s also an implementation technology for better digital interaction, delivering significant practical benefits to people and organizations alike. It allows organizations to implement simpler seamless processes and deliver faster and better user experiences.
Similarly, Verifiable Credentials provides an implementation solution for developing and expanding AI agents and automated systems while meeting compliance and security requirements.
Both of these business value propositions align with where the market is going: The end of 2026 is the deadline for delivering European Digital Identity (EUDI) and the EU digital wallet to all EU citizens, residents, and businesses. This means hundreds of millions of people will start using Verifiable Credentials.
This is the real signal that it’s game on for Verifiable Credentials.
Talk with one of our digital identity experts about how you can gain a competitive edge with Verifiable Credentials and build the internet of tomorrow, today.
