May 11, 2026 | 15 min read
Why Automated Identity Verification Isn’t Enough for High-Stakes Exams
There’s a difference between an algorithm saying “these two images match” and a trained person saying “I reviewed this ID and confirmed it.” One is a data point. The other is evidence. When a result gets challenged, you need evidence.
Here’s something worth knowing about online proctoring vendors: they all say they verify identity. What they don’t all mean is the same thing. And that gap, between capturing an image and actually confirming who someone is, is where a lot of programs are quietly sitting on risk they haven’t fully thought through.
If you’re currently evaluating proctoring platforms, or you’re starting to wonder what your current vendor actually does when a test taker shows up to an exam, this is for you. We’re going to cover what identity verification in online assessment actually looks like, where automated-only systems run into trouble, and what it takes to produce a result that holds up when it counts.
What identity verification actually means in an online exam context
The basics are simple. Identity verification confirms that the person taking your assessment is the person who enrolled for it. Most platforms handle this by asking test takers to hold a government-issued ID up to their camera, capturing a live photo, and comparing the two.
What varies, a lot, is what happens after those images are captured. In a fully automated system, an algorithm makes the comparison and moves on. In Integrity Advocate’s human-reviewed system, a trained reviewer examines the ID and live photo after the session is completed, verifying both that the ID is a genuine match and that the same person was there for the entire assessment. That’s a meaningfully different thing.
The key distinction
Automated identity verification produces a result. Human-reviewed identity verification produces a record. One is a data point. The other is evidence. When outcomes get challenged, you need evidence.
That might sound like a subtle difference right now. It won’t feel subtle when you’re sitting across from an accreditor, or responding to a candidate appeal, or explaining your identity controls to a regulatory body. “Our algorithm flagged it” and “a trained reviewer verified the ID match and confirmed the same person was present for the entire session” don’t carry the same weight in that room.
The actual threats identity verification is meant to stop
Before you evaluate any solution, it’s worth being clear about what you’re actually protecting against. Identity verification in online assessment is mainly a defence against three things.
Candidate impersonation
Someone other than the enrolled candidate sits the exam. Could be a friend, a sibling, or a professional impersonator hired through a contract cheating service. In high-stakes contexts, professional certification, regulatory licensing, safety-critical credentials, the consequences go well beyond academic dishonesty. They touch public trust in the credential itself. That’s a different kind of problem.
Proxy testing and contract cheating services
Proxy testing is impersonation at scale, and it’s growing. The same infrastructure that made remote work possible made organized contract cheating more accessible too. Professional exam-sitters exist. They’ve been around for years and they’ve gotten more sophisticated as online testing has expanded.
What makes proxy testing particularly hard to catch with automation is that the person attempting the ID check is often well-prepared. They may have a convincing fake or borrowed ID. They may have done this before, for other clients, on other platforms. An algorithm looking for obvious facial mismatches isn’t going to catch someone who’s specifically prepared to pass that check.
Years of operation at Integrity Advocate with zero data breaches. That’s not luck, it’s what happens when you’re serious about doing verification properly, not just quickly.
Manipulated or non-standard identity documents
Automated systems compare images. They measure how closely two images match. They’re not built to assess whether a document looks legitimate, whether something about it seems off, or whether the context around the ID presentation is consistent with someone who is genuinely who they say they are.
If you need a recent illustration of just how thin that defense is: a UK nonprofit surveyed around 1,300 children aged 9 to 16 and found that about half believe online age verification checks are easy to bypass. One documented method was drawing a fake mustache on their face with a makeup pencil. A 12-year-old was verified as 15. It worked. Other workarounds included pointing webcams at video game characters and making unusual facial expressions until the software stopped trying. TechCrunch covered it in May 2026.
These are AI systems built specifically for facial verification. A makeup pencil broke them. In an exam context, where a candidate may have a professional credential, a licence, or a career on the line, the motivation to try something is considerably higher; and the workarounds available are more sophisticated than drawn-on facial hair. Automated ID checks in high-stakes assessments face the same fundamental vulnerability, with significantly higher consequences when something slips through.
Beyond outright manipulation, non-standard ID documents from other countries are a real operational headache for automated systems. A document that an algorithm can’t parse correctly – because it looks different from its training data, often gets flagged for the wrong reasons. Not because anything is wrong. Just because it looks unfamiliar. That’s a fairness problem as much as it is a fraud one.
See how human-reviewed ID verification works
A live walkthrough of the full identity check process.
Where automated identity verification falls short
Speed and scale, those are the real advantages of fully automated ID verification. They’re genuine. The problem is that optimising for speed and scale means accepting trade-offs that start to matter the moment your results have any real consequence attached to them.
It produces a log, not a defensible record
When a fully automated system approves an identity check, what it creates is a timestamp and a confidence score. That score tells you how closely two images matched according to the model. It doesn’t tell you that a human looked at the documents and made a judgment call.
The moment an outcome is challenged, that distinction is everything. There’s a big difference between “our algorithm scored the match at 94.3%” and “a trained reviewer examined the ID and the live photo and confirmed the identity match.” One is data. The other is documentation. If you’ve ever had to respond to an accreditor asking about your identity controls, you know which one you want to be holding.
Edge cases aren’t actually that rare
Facial recognition systems are trained on datasets. Those datasets have gaps, and those gaps don’t affect all test takers equally. People with darker skin tones, older candidates, people with facial differences or disabilities, and test takers presenting documents from underrepresented countries, these populations consistently get worse outcomes from automated systems.
In a program serving thousands of test takers across many countries, these aren’t rare edge cases. They’re a predictable share of your assessment cycle. A system that handles them badly is a system that consistently disadvantages specific groups of people. That’s both a fairness problem and a real compliance exposure under frameworks like WCAG and AODA.
Accommodations are invisible to algorithms
A lot of programs serve test takers with documented accommodations. Some of those accommodations affect how a test taker looks at the identity check stage. A test taker with a visual impairment may present their ID differently. Someone with a facial difference may not match their ID photo the way an algorithm expects.
An automated system has no way to know an accommodation exists. A human reviewer can, because that information can be passed to them before the check happens. They apply the context, the check goes smoothly, and the test taker isn’t penalized for something their program already knew about and approved.
What human-reviewed identity verification actually adds
Human review at Integrity Advocate isn’t a fallback for when automation fails. It’s the standard for every single check. That changes what the whole process produces, and what you can do with the results.
Judgment, not just pattern matching
A trained reviewer looking at an ID document and a live photo is doing something different from what a facial recognition model does. They’re not just asking “do these two images match?” They’re assessing whether the identity claim is plausible, taking in the quality of the document, the context of the photo, whether something feels off. That’s judgment. It’s not something you can fully replicate with a model.
It also means programs can explain what happened. Not just cite a score. “A trained reviewer examined the ID and the live photo and confirmed the match” is a sentence a human can understand, investigate, and stand behind.
A record that travels with the session
At Integrity Advocate, every identity check creates a time-stamped record permanently attached to the session. What was verified, when, and by whom. If an outcome from that session ever gets challenged, the identity verification record is already part of the documentation, not sitting in a separate system you have to dig through.
Appeals rarely come with advance warning. Programs that have a complete, human-confirmed record don’t have to reconstruct anything after the fact. The evidence was created at the moment of verification. It hasn’t changed.
Deterrence, not just detection
Here’s something that doesn’t get talked about enough: people behave differently when they know a human is watching. A test taker who knows their government-issued ID will be examined by a trained reviewer before the exam starts isn’t approaching that check the same way as someone who knows it’s algorithmic.
Programs that shift from automated-only to human-reviewed verification consistently see a change in the behaviour of the small slice of candidates who were willing to try something. The check itself becomes a deterrent. You catch less because less gets attempted.
See the full product page for identity verification
How it works, what the process looks like, how it fits the full assessment security lifecycle, and what it means for your program’s defensibility.
What to look for when you’re evaluating
If you’re shopping around, or starting to question what your current vendor actually does, here are the questions that cut through the noise.
Is a human involved in every check, or just the flagged ones?
A lot of platforms say “human review.” What they mean is that a human reviews AI-flagged sessions only, and only when the algorithm decides something is worth escalating. At Integrity Advocate, a trained reviewer looks at every session after it’s completed, verifying the ID match and confirming the same person was present throughout. That’s the question to ask: is every session reviewed, or only the ones the algorithm flags?
What does the record actually contain?
Ask to see a sample identity verification record. If the answer is a confidence score and a timestamp, that’s an automated log. A defensible record includes the ID image, the live photo, the match determination, who made it, and when. If you can’t show an accreditor a complete documentation trail, the check isn’t giving you what you actually need.
How does it handle non-standard IDs and accommodations?
Ask specifically what happens when a test taker shows up with an ID from a country with an unfamiliar format, or when an accommodation affects how they look at the check stage. If the answer is vague or relies heavily on “the algorithm handles it,” that tells you something important about how these scenarios were thought about when the product was designed.
Where does the privacy risk sit?
Identity verification collects sensitive data. Ask specifically what’s collected, how long it’s retained, and whether it’s used for anything beyond the identity check. If you have GDPR, FERPA, or PIPEDA obligations, and most programs doing anything at scale do, you need clear answers here before you commit.
Automated vs human-reviewed: a direct comparison
Here’s how automated-only identity verification, Integrity Advocate’s human-reviewed approach, and in-person proctoring stack up against each other across the things that actually matter to a program issuing real results.
Automated vs human-reviewed: a direct comparison
Here’s how automated-only identity verification, Integrity Advocate’s human-reviewed approach, and in-person proctoring stack up against each other.
| What programs need | AI-only | IA Human-reviewed | In-person |
|---|---|---|---|
| Human judgment on every check | ✗ Algorithm only | ✓ Every session reviewed | ✓ Proctor present |
| Defensible audit record | ✗ Confidence score only | ✓ Full human-confirmed record | ~ Paper-based |
| Handles non-standard IDs | ✗ Fails on unfamiliar formats | ✓ Any government ID accepted | ✓ Proctor applies judgment |
| Accommodation-aware | ✗ No accommodation context | ✓ Reviewer applies context | ✓ Proctor applies context |
| Works on any device, no install | ~ Varies | ✓ Browser-based, zero install | ✗ Physical presence required |
| Proxy testing deterrence | ~ Algorithmic only | ✓ Human raises barrier significantly | ✓ Physical presence |
| Privacy-compliant | ~ Varies by vendor | ✓ GDPR, FERPA, PIPEDA | ~ Depends on policy |
| Scales without overhead | ✓ Scales automatically | ✓ Scales, IA manages review | ✗ Requires staffing |
✓ Fully supported · ~ Partial support · ✗ Not supported
The bottom line
Automated identity verification is better than nothing. That’s true. But if your program issues results that actually mean something, credentials that affect career progression, licences that protect public safety, certifications that carry professional weight, “better than nothing” isn’t where you want to land.
What you need is a check that creates a record you can stand behind. Something that answers not just “did the algorithm approve this?” but “can we show that a qualified person verified this person’s identity before the exam began?” Those are different questions, and they get different responses from the people who ask them.
Identity fraud isn’t a maybe. It’s a risk. A login won’t stop impersonation. Human-reviewed ID verification will.
Integrity AdvocateThe cost of getting identity verification wrong doesn’t show up at the time of the exam. It shows up later, when results are challenged, when accreditors start asking questions, when credential fraud surfaces somewhere down the line. By then, piecing together what happened is hard. Having a complete record from the moment of verification isn’t.
