The tools for proving who you are have never been more sophisticated. But these solutions, from multi-factor authentication to biometrics, assume the person logging in is, well, a person.
Generative AI has changed who—and what—shows up at our digital doorsteps. Deepfakes can impersonate people in real time, and agentic AI doesn’t bother with impersonation at all. These autonomous systems act on a human’s behalf, with real credentials and real permissions.
What’s more, agentic AI is being deployed at scale: A 2025 Gartner survey found that 64% of technology executives plan to increase investment in agentic AI over the next 24 months.
It’s no longer enough to ask, “Is this the right person?” The question now is, “Is this a person at all?”
As the assumption of human identity behind every login breaks down, security leaders need tools built to address this new question—not just who is logging in, but what is logging in.
That’s the verification gap: the distance between what the old identity model was built to confirm and what the new one demands.
3 forces widening the verification gap
For the last decade, identity was about mastering the login. But today, traditional methods, like document uploads and SMS codes, are no match for the forces reshaping identity verification, according to the National Institute of Standards and Technology (NIST). Here are three of the most pressing challenges organizations face, and how verifiable digital credentials (VDCs), a cryptographically secured digital representation of identity, offer a direct counter to the verification gap:
1. The deepfake threat: The $40 billion problem
In the US alone, generative AI fraud loss is predicted to hit $40 billion by 2027, according to the Deloitte Center for Financial Services. Deepfakes are already being used to impersonate executives in wire fraud schemes, bypass voice and facial recognition systems at financial institutions, and create synthetic identities that pass initial know-your-customer (KYC) checks.
The world's leading standards bodies are issuing updated guidance on these emerging risks. NIST emphasizes that credentials must be "presented and cryptographically verified" directly from a smartphone to ensure they are tamper-proof.
How VDCs address this: Hardware-bound credentials tied to a specific device help make deepfakes and synthetic identity fraud virtually impossible.
2. The regulatory wave: Compliance is now mandatory
From the EU's eIDAS 2.0 mandate (2026) to the UK Online Safety Act updates, governments are demanding higher standards for identity verification.
By “higher standards,” regulators mean identity assurance mechanisms that can cryptographically prove who a user is—moving beyond simple passwords or SMS codes to stronger, tamper-resistant methods. These aren’t guidelines; they’re legal requirements with material consequences for non-compliance.
How VDCs address this: Organizations can now meet these stringent requirements through cryptographically verified credentials that leave audit trails automatically, creating compliance-ready evidence by design.
3. The data liability trap: Every PII record is a target
Every time a company stores a user's personally identifiable information (PII) to verify them, it creates a "honeypot" for attackers. The cost of this model is staggering: $173 per record lost in a breach, according to IBM's 2024 Cost of a Data Breach Report. Companies must verify users, but the act of doing so currently introduces a massive opportunity for hackers.
This creates an impossible choice: verify users and accumulate liability or stay vulnerable to fraud.
How VDCs address this: Organizations can verify high-assurance claims ("this person is a licensed employee" or "this person is over 18") without ever seeing or storing a birthdate, address, or ID number. Verification without possession helps reduce liability.
From ‘guesswork’ to ‘cryptographic truth’
These challenges are symptoms of the same underlying problem: The old identity model was built for a world where documents were hard to fake and the entity behind them was assumed to be human. That world no longer exists.
VDCs move us from verifier trust (inspecting a document and guessing if it's real) to issuer trust (relying on a cryptographically signed attestation from a trusted source, like a DMV or an employer).
By acting as the neutral orchestrator of this trust triangle, organizations can:
Bind credentials to hardware: All deployed VDCs can be bound to a device, requiring physical possession. Something a deepfake cannot replicate.
Enable privacy through selective disclosure: Verify a user is over 18 or a licensed employee without revealing their actual birthdate or home address.
Enable interoperability: Built on open standards, VDCs work across wallets, platforms, and devices, regardless of vendor or system.
Why this matters now
Enterprises will be defined by their ability to confidently assess both who and what is logging in. By 2028, Gartner predicts that 50% of organizations will implement a Zero Trust posture for data governance due to the flood of unverified AI-generated data.
The organizations that move first—that treat VDCs as the foundation of their identity infrastructure—will be the ones equipped to handle the real-world challenges already emerging. They’ll be able to confidently answer “Who is really logging in?” in this new reality of deepfakes and AI agents. Everyone else will be playing catch-up.
Learn how Okta is building verifiable digital credentials into the identity stack.
