Digital Fraud in India Up 30%: How DPDP Is Forcing a Rethink of Identity Verification

Ajay Trehan, Founder and CEO, AuthBridge, highlights that digital fraud in India has surged by 30%, with GenAI exposing deep gaps in traditional KYC systems, pushing identity verification from a compliance task to a continuous risk management function.

By Ajay Trehan, Founder and CEO, AuthBridge

India’s digital economy has grown on the strength of scale, speed, and inclusion. But the same conditions that made digital adoption possible have also made fraud easier to industrialise. Shifting from regulations to risk testing captures a much broader notion of AI. This is because AI is more than just a technology with which our actions can be regulated. Rather, it is something that evolves all the time, and we need to learn continuously with it.

Companies that are ready to adapt their approach in this manner, recognizing AI as something alive and evolving that demands constant attention, will create the healthiest and most robust AI environments. They will be able to work effectively, safely, and confidently in an environment characterized by uncertainty.

In light of this increasing trend towards machines making decisions for us, this is not optional; rather, it is crucial.

A recent Forrester study, cited in news reports, found that 74% of Indian organisations had seen a noticeable rise in GenAI-driven fraud attempts, while 69% said their current KYC and identity verification systems were not equipped to detect AI-generated documents. This should compel enterprises to act. It means the weakness is no longer outside the system; it sits within the verification layer itself.



DPDP changes the equation

This is where the Digital Personal Data Protection (DPDP) framework begins to matter in a more operational way. For a long time, identity verification was treated as a compliance checkpoint. A customer or user was verified, the document trail was stored, and the system moved on. That approach assumed fraud could be filtered at entry, but that assumption is weaker now.

With the DPDP Rules 2025 notified, businesses are being asked to think differently about accountability. Data Fiduciaries are expected to maintain reasonable security safeguards, provide clear notices, and respond credibly in the event of a breach. The penalties are substantial: up to ₹250 crore for failure to maintain reasonable security safeguards, and up to ₹200 crore for failures around breach notification. In other words, the law is no longer asking whether data was collected properly. It is forcing organisations to prove that risk was understood and managed responsibly.

That distinction matters. Identity verification is no longer just a front-end onboarding process; it is becoming a governance layer.



Why static KYC is losing relevance

Most traditional KYC systems were built for a world in which identity was comparatively static. A document was submitted, matched against a database, and treated as proof. But a one-time verification model has limited value in a real-time, adversarial environment where faces can be spoofed, voices cloned, and accounts compromised after onboarding.

The issue is not that KYC has lost relevance. It has not. The issue is that static KYC was designed for a slower fraud cycle. Today’s fraud cycle learns, adapts, and returns.

That creates a familiar problem for enterprises. Many respond by adding more checks, more manual reviews, and more process layers. However, data collection alone does not guarantee improved decision-making. On the contrary, in many instances, the reverse is true. More data is collected than can be analyzed effectively, fraud indicators are lost amid the flow of work, and the unusual case becomes routine since the underlying architecture was never intended to make the connections.



From verification to identity intelligence

This is why the market is moving from verification to identity intelligence. The shift is not semantic but architectural. Identity can no longer be evaluated at a single point in time and treated as settled. It has to be assessed continuously, using multiple signals to establish whether a person, device, document, and behaviour pattern still make sense together. That means biometric authentication, liveness detection, device intelligence, metadata checks, behavioural analysis, and real-time risk scoring must work together rather than sit in separate compliance boxes.

The business benefit of this is often misunderstood. Better identity controls are not only about blocking bad actors; they are also about allowing legitimate users to move faster. A system that can distinguish genuine users with greater confidence reduces friction where it is unnecessary and adds scrutiny where it is justified. That improves both security and conversion, and at scale, it becomes a significant operational advantage.



India’s scale raises the stakes further

India recorded more than 181 billion digital transactions in 2024, and official statements in early 2026 noted that every second digital transaction in the world is now happening in India. Scale of that magnitude changes the economics of both growth and misuse. Weak controls do not remain local for long; they replicate across platforms, sectors, and user journeys.

That is why digital trust can no longer be treated as an abstract principle. It has to be built into decision systems. Enterprises will increasingly need identity intelligence layers that combine biometrics, liveness detection, document forensics, behavioural signals, and risk-based orchestration into a single decision-making framework. The objective is straightforward: reduce fraud risk, expedite onboarding, and meet regulatory expectations without making trust more expensive than necessary.

India does not lack digital ambition. What it now needs is stronger digital assurance. In the DPDP era, businesses that continue to treat identity verification as a box to tick will struggle to keep pace with evolving fraud. Those who treat it as a living trust infrastructure will be better placed to protect growth, users, and credibility.

 
