In modern cybersecurity, the traditional perimeter has not just dissolved; it has been replaced by a sprawling lattice of human and machine identities. Two recently released reports—the Intellicheck Identity Verification Threat Report 2026 and the Osterman Research report on Strengthening Identity Security—provide a sobering look at this new reality.
While they approach the problem from different angles—Intellicheck focusing on the point of entry and Osterman on the lifecycle of a credential—their combined message is clear: if cybersecurity professionals cannot confidently verify who (or what) is accessing their systems, existing defenses are essentially decorative.
For CISOs and their teams, these reports signal a mandatory shift from traditional Identity and Access Management (IAM) toward a more robust, "identity-first" security posture that accounts for both sophisticated human fraud and the explosion of non-human entities.
The common ground: a crisis of confidence
Despite their different methodologies, both reports converge on several critical findings that should keep security leaders awake at night.
- The professionalization of fraud: Both reports highlight how AI has become a force multiplier for attackers. The Intellicheck report warns that AI tools can now create synthetic IDs that are virtually indistinguishable from real ones to the human eye. Similarly, the Osterman Research report identifies the use of AI to create highly personalized, machine-speed social engineering attacks as one of the fastest-growing threats.
- The help desk as a high-value target: Both studies identify the help desk as a primary vulnerability. Attackers are increasingly social engineering support staff to reset passwords or MFA factors, with Intellicheck noting a 158% year-over-year increase in transactions related to password resets as IT teams struggle to verify the actual person behind the request.
- The inadequacy of human verification: A shared conclusion is that relying on human judgment to verify identity is no longer a viable security strategy. Whether it is a bartender checking a driver's license or a SOC analyst reviewing a login attempt, the speed and sophistication of modern identity theft require automated, real-time technical validation.
While their shared alarms are loud, the two reports provide distinct lenses through which to view identity risk.
Intellicheck: the front door and physical-digital convergence
Intellicheck's report is uniquely grounded in the analysis of nearly 100 million real-world identity verification transactions. Its focus is primarily on the validity of the underlying identity document. It reveals that identity fraud almost always starts with a fake ID—whether stolen, manufactured, or synthetic.
A key differentiator for Intellicheck is its industry-specific breakdown. For instance, it notes that online-only banks experienced a staggering 5.5% identity fraud attempt rate in 2025, while retail-branded credit cards face high-volume losses due to account takeovers initiated via "card-not-present" lookups. The report emphasizes that effective security begins with proprietary analysis of DMV-issued IDs to ensure the person is who they say they are before a relationship even begins.
Osterman Research: the 'shadow identity' and persistent visibility
In contrast, the Osterman Research report, sponsored by Enzoic, focuses on the internal security posture and the lifecycle of a credential once it exists within an organization. A major theme here is the rise of "Non-Human Identities" (NHIs), such as service accounts and AI agents, which now outnumber human identities by 50 to 1.
Osterman highlights a massive visibility gap: nearly 80% of organizations lack full visibility into the actions and behaviors of their service accounts. While Intellicheck focuses on stopping the fraudster at the gate, Osterman focuses on detecting the "valid" but compromised credential already inside the network. They both advocate for autonomous remediation—systems that can automatically lock an account if its credentials appear on the dark web or if behavioral baselining detects "abnormal usage patterns."
Implications for the modern enterprise
The synergy of these reports suggests a three-pronged mandate for organizations of all sizes.
- Verify the human, not just the credential: As UMMC and other recent victims have discovered, an attacker with a valid password is indistinguishable from an employee unless you verify the biological person. Organizations must move beyond security questions and email links toward DMV-validated or hardware-based identity proofing, especially for high-risk actions like password resets.
- Illuminate the non-human shadow: The explosion of AI agents means your attack surface is growing autonomously—and exponentially. CISOs must implement specialized tools to govern service accounts and non-human identities, ensuring they have a defined owner and are subject to the same behavioral monitoring as human users.
- Bridge the visibility gap with automation: The "time-to-impact" for identity attacks is now measured in minutes. Manual processes for revoking compromised credentials or investigating account takeovers are no longer sufficient. Investing in autonomous remediation—where the system acts instantly to isolate a compromised identity—is no longer a luxury; it is an operational necessity.

