Editorial

Could DNA Become the Next Identity Factor?

With AI and non-human identities reshaping access control, DNA may emerge as the next frontier in identity and accountability, says Alan Radford, global PAM strategist at One Identity.

Posted 15 October 2025 by Christine Horton


Think Digital Partners recently reported that the UK government is considering introducing digital ID to tackle illegal migration. Government supporters of the scheme point out that digital ID would also help UK citizens to prove their identity to prospective employers. 

The Estonian government’s digital identity system, which has been in place for more than two decades, is being studied as a model for providing access to a range of UK government services.

Think Digital Partners followed this up with a report that similar unified digital ID systems have been introduced by the United Arab Emirates, South Africa, and Taiwan as part of their digital transformation programmes.

These recent news reports have brought the issue of proof of identity back to the fore.

KYC – Know Your Citizens

Traditional identity checks for remote workers are being challenged by new technologies.

In August, the BBC reported that 14 North Koreans were indicted by a US court in 2024 for working in IT roles for multiple US firms simultaneously. The group’s salaries reportedly amounted to $88 million, 85 percent of which was sent back to support the North Korean regime. Another four North Koreans were indicted earlier this year for using fraudulent identities to gain remote employment with a US cryptocurrency firm.

The BBC spoke to recruiters who had spotted that deepfake technology was being used to disguise candidates’ faces during video interviews. More worryingly, a North Korean defector reported that some Europeans and British people were renting out their identities to North Korean job applicants.

Several of the North Korean employees were reported to have gone on to misuse their IT access to extort their employers.

The Rise of Non-human Identities

In addition to managing traditional identity and access management risks relating to employees and citizens, public sector organisations also have to govern an increasing number of non-human identities (NHIs) such as devices, applications, IoT devices, containers, service accounts, and RPAs. All of these need access to systems and applications to be able to exchange information and complete automated tasks.

There have been reports that some of these NHIs, or machine identities, still have access to sensitive systems up to two years after a project’s completion. This lack of visibility and governance creates a risk that orphan tokens could be exploited further down the line.

I make the distinction between NHIs and machine identities because One Identity’s software is used by one organization to identify and manage firearms. Another organization uses our software to identify logistics vehicles. However, these non-human identities are not behavioural. Machine identities and agentic AI clients are behavioural.

Do We Need a Non-HR Department?

Given that NHIs can now outnumber human employees by anything from 10:1 to 92:1 in the largest organizations, there have been calls for the establishment of a Non-Human Resources department.

An NHR department would oversee onboarding, auditing, and offboarding of machine identities. It would govern the entire lifecycle of identities that are digital in nature, behavioural, and able to complete tasks much faster than humans. I believe that this will manifest as a business function akin to HR, requiring a software layer that registers, governs, offboards, and audits machine identities.

DNA: The Undeniable Identity Factor

Biometrics such as facial recognition, fingerprint, and iris scanners offer robust access control mechanisms. However, they could prove problematic if someone subsequently suffers an injury or undergoes cosmetic surgery.

DNA is the quanta of identity.

The mechanism for collecting and storing DNA ‘keystrings’ has not yet been established for use in the public or private sector. However, DNA is an undeniable identifier that could be used to rapidly confirm a person’s identity and humanity, particularly as deepfakes become more sophisticated and machine identities continue to proliferate.

As AI continues to gain capabilities, that too will require careful governance. DNA could be used to prove human identity and provide privileged access management that enables NHIs to be overridden by a qualified software engineer in the event that AI goes awry.

Every machine identity, and particularly AI, needs to have an owner to ensure accountability.

DNA holds potential not just for identity verification and application authentication, but also to show where within a chain of events an individual holds accountability.

DNA as the Master Key

Security will continue to be the baseline. If someone can simply copy and paste a DNA sequence as a text file, then it too can be compromised.

However, if DNA is used as the source of generating new encryption keys, and each new key is tied to a blockchain and assigned to an individual, this could provide the required verifiable accountability. Bitcoins have served as a proof of concept that this is a viable way forward.

For sectors such as healthcare and finance, identity and access management is required not only to authenticate access to sensitive data, but also to provide visibility and accountability if data is mishandled.

Having DNA-based identity and access management, added to a blockchain, would provide organisations with an indelible chain of evidence of who did what, when, and where.

Consolidation on the Cards

In recent months we have seen several acquisitions that signal the IT industry’s recognition that identity is the true security perimeter.

At the end of July Palo Alto Networks acquired CyberArk for $25 billion, the second largest cyber security acquisition on record. Palo Alto Networks intends to establish a new core platform that combines privileged access management with its own AI-powered security platform.

The following month Okta acquired Axiom to bolster its privileged access management offering.

In September Accenture acquired IAMConcepts.

Conclusion

While debate continues about the introduction of digital IDs in the UK, it’s clear that identity is recognised as the kernel of security within government bodies and regulated industries.

As organisations in the public and private sector counter a range of new threats, including the proliferation of machine identities, the race to implement agentic AI, and deepfake technology being employed to disguise candidates’ true identities, not to mention invasive AI vs AI immune systems, DNA is the logical future perimeter.
