Unified identity platform.
Originally posted on Instagram: https://www.instagram.com/share/_94gnxtmi
The song is “Unified” by Unified Highway.
Tag Archives: npe
If Your Identity System Only Manages People, It Is Flawed
This is painful, but it has to be done.
I’ve spent 30 years working with the identities of PEOPLE and ensuring that all PEOPLE accessing a system are properly identified.
In other words, leaving a huge GAPING security hole.
Look at what Okta is doing;
“[N]ew Okta Platform capabilities…help businesses secure AI agents and other non-human identities with the same level of visibility, control, governance, and automation as human ones. The Okta Platform will now bring a unified, end-to-end identity security fabric to organizations for managing and securing all types of identities across their ecosystem, from AI agents to API keys to employees.”
I think that “unified” will take the place of “trust” as the identity buzzword. Thankfully.
If you’re only selling biometrics, or maybe biometrics and ID cards, where will your customers go to get the rest of their systems? Or will you just be a commodity supplier to the companies that provide the REAL systems?
(Unified security AI picture from Imagen 3)
NPEs and Emotions
When I introduced emotions as the seventh question in Bredemarket’s seven questions, I was thinking about how a piece of content could invoke a variety of emotions in a human reader.
Oh, John, your thinking is so limited.
In a piece in Freethink, Kevin Kelly discussed emotions…in non-person entities (NPEs).
“Like anything else, I think in some cases robots with emotions will be really good. It’s good in the sense that emotions are one of the best human interfaces. If you want to interface with us humans, we respond to emotions, and so having an emotional component in robots is a very smart, powerful way to help us work with them.”
More here.
Another Take on NPEs and Security
I learned about the following story via the Identity Jedi, which leads me to my early and self-serving call to action:
If you’re interested in identity, The Identity Jedi Newsletter is a must-read. It’s packed with educational and insightful content. And if you would like to subscribe to the newsletter, please use my referral link: https://www.theidentityjedi.com/subscribe?ref=YoUVK0Uos1&_bhlid=7fecfad9eb7fd8bcdb529e945e11346b5897acdc I’m in the running to get an Identity Jedi mug. Thanks.
Enough self-serving content. Let’s get to what I learned about in the newsletter: namely, this article from CSO Online, “The urgent reality of machine identity security in 2025.”
As you know, I’ve been spending more and more time concentrating on identity issues when a person is not present. This is what the attribute-based access control folks refer to as “non-person entities” (NPEs).
In the article, CyberArk’s Scott Carter makes the following points:
- Today there are many more machine identities than human ones.
- They may have a short shelf life. Unlike humans, who usually access your systems for months or years if not decades, machine identities may be “created and discarded dynamically in minutes.” (Incidentally, I just wrote a LinkedIn article that delves into this in more detail.)
- These identities are being breached. “Half of the surveyed organizations experienced security breaches tied to compromised machine identities within the past year.”
What does this mean?
Well, for CyberArk, it means that it endorses technologies such as automating certificate lifecycle management. And by the strangest coincidence, CyberArk offers a solution…
But for us, it means that we don’t only need automation, but we also need governing processes to ensure that ALL the people and NPEs that are accessing our systems are properly managed, quickly commissioned, and quickly decommissioned.
(Image from Imagen 3. Yes, I’m falling into the habit of reusing images for multiple use cases. It’s easier that way.)
You Can’t Prove that an International Mobile Equipment Identity (IMEI) Number is Unique
I’m admittedly fascinated by the parallels between people and non-person entities (NPEs), to the point where I asked at one point whether NPEs can use the factors of authentication. (All six. Long story.)
When I got to the “something you are” factor, which corresponds to biometrics in humans, here is what I wrote:
Something you are. For simplicity’s sake, I’ll stick to physical objects here, ranging from pocket calculators to hand-made ceramic plates. The major reason that we like to use “something you are” as a factor is the promise of uniqueness. We believe that fingerprints are unique (well, most of us), and that irises are unique, and that DNA is unique except for identical twins. But is a pocket calculator truly unique, given that the same assembly line manufactures many pocket calculators? Perhaps ceramic plates exhibit uniqueness, perhaps not.
But I missed one thing in that discussion, so I wanted to revisit it.
Understanding IMEI Numbers
Now this doesn’t apply to ceramic plates or pocket calculators, but there are some NPEs that assert uniqueness.
Our smartphones, each of which has an International Mobile Equipment Identity (IMEI) number.
Let’s start off with the high level explanation.
IMEI stands for International Mobile Equipment Identity. It’s a unique identifier for mobile devices, much like a fingerprint for your phone’s IMEI number.
Now some of you who are familiar with biometrics are saying, “Hold it right there.”
- Have we ever PROVEN that fingerprints are unique?
- And I’m not just talking about Columbia undergrads here.
- Can someone assert that there has NEVER been two people with the same fingerprint in all of human history?
But let’s stick to phones, Johnny.
Each IMEI number is a 15-digit code that’s assigned to every mobile phone during its production. This number helps in uniquely identifying a device regardless of the SIM card used.
This is an important point here. Even Americans understand that SIM cards are transient and can move from one phone to another, and therefore are not valid to uniquely identify phones.
What about IMEIs?
Are IMEIs unique?
I won’t go into the specifics of the 15-digit IMEI number format, which you can read about here. Suffice it to say that the format dictates that the number incorporate the make and model, a serial number, and a check digit.
- Therefore smartphones with different makes and models cannot have the same IMEI number by definition.
- And even within the make and model, by definition no two phones can have the same serial number.
Why not? Because everyone says so.
It’s even part of the law.
Changing an IMEI number is illegal in many countries due to the potential misuse, such as using a stolen phone. Tampering with the IMEI can lead to severe legal consequences, including fines and imprisonment. This regulation helps in maintaining the integrity of mobile device tracking and discourages the theft and illegal resale of devices.
IMEIs in India
To all of the evidence above about the uniqueness of IMEI numbers, I only have two words:
So what?
A dedicated person can create or modify multiple smartphones to have the exact same IMEI number if desired. Here’s a recent example:
The Indore Police Crime Branch has dismantled two major digital arrest fraud rackets operating in different parts of the country, seizing a massive database containing private details of 20,000 pensioners in Indore….
A dark room in the flat functioned as the nerve centre of the cyber fraud operation, which had been active since 2019. The group specialised in IMEI cloning and used thousands of SIM cards from select mobile networks.
IMEIs in Canada
“Oh, but that’s India,” you say. “That couldn’t happen in a First World country.”
A Calgary senior is warning others after he was scammed out of $1,000 after buying what he thought was a new iPhone 15 Pro Max.
“I didn’t have any doubt that it was real,” Boyd told Global News….
The seller even provided him with the “original” receipt showing the phone had been purchased down east back in October 2023. Boyd said he also checked the phone’s serial number and the International Mobile Equipment Identity (IMEI). All checked out fine.
Boyd said the first sign of a problem was when he tried to update the phone with his own information and it wouldn’t update. It was only after he took it to a representative at a local Apple retailer, that he realized he had been duped.
IMEIs in general
Even IMEICheck.net, which notes that the threat of stealing one’s phone information is overrated, admits that it is possible (albeit difficult) to clone an IMEI number.
In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.
The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning. Even if cloning is successful, hackers cannot access personal data such as apps, messages, photos, or passwords. Cloning usually only affects network-related functions, such as making calls or sending messages from the cloned device.
Again, NOTHING provides 100.00000% security. Not even an IMEI number.
What this means for IMEI uniqueness claims
So if you are claiming uniqueness of your smartphone’s IMEI, be aware that there are proven examples to the contrary.
Perhaps the shortcomings of IMEI uniqueness don’t matter in your case, and using IMEIs for individualization is “good enough.”
But I wouldn’t discuss war plans on such a device.
(Imagen 3 image. Oddly enough, Google Gemini was unable, or unwilling, to generate an image of three smartphones displaying the exact same 15-digit string of numbers, or even a 2-digit string. I guess Google thought I was a fraudster.)
Oh, and since I mentioned pocket calculators…excuse me, calcolatrici tascabili…
How Much Does Synthetic Identity Fraud Cost?
Identity firms really hope that prospects understand the threat posed by synthetic identity fraud, or SIF.
I’m here to help.
(Synthetic identity AI image from Imagen 3.)
Estimated SIF costs in 2020
In an early synthetic identity fraud post in 2020, I referenced a Thomson Reuters (not Thomas Reuters) article from that year which quoted synthetic identity fraud figures all over the map.
- My own post referenced the Auriemma Group estimate of a $6 billion cost to U.S. lenders.
- McKinsey preferred to use a percentage estimate of “10–15% of charge offs in a typical unsecured lending portfolio.” However, this may not be restricted to synthetic identity fraud, but may include other types of fraud.
- Thomson Reuters quoted Socure’s Johnny Ayers, who estimated that “20% of credit losses stem from synthetic identity fraud.”
Oh, and a later post that I wrote quoted a $20 billion figure for synthetic identity fraud losses in 2020. Plus this is where I learned the cool acronym “SIF” to refer to synthetic identity fraud. As far as I know, there is no government agency with the acronym SIF, which would of course cause confusion. (There was a Social Innovation Fund, but that may no longer exist in 2025.)
Back to synthetic identity fraud, which reportedly resulted in between $6 billion and $20 billion in losses in 2020.
Estimated SIF costs in 2025
But that was 2020.
What about now? Let’s visit Socure again:
The financial toll of AI-driven fraud is staggering, with projected global losses reaching $40 billion by 2027 up from US12.3 billion in 2023 (CAGR 32%)., driven by sophisticated fraud techniques and automation, such as synthetic identities created with AI tools.
Again this includes non-synthetic fraud, but it’s a good number for the high end. While my FTC fraud post didn’t break out synthetic identity fraud figures, Plaid cited a 2023 $1.8 billion figure for the auto industry alone, and Mastercard cited a $5 billion figure.
But everyone agrees on a figure of billions and billions.
(I had to stop writing this post for a minute because I received a phone call from “JP Morgan Chase,” but the person didn’t know who they were talking to, merely asking for the owner of the phone number. Back to fraud.)
Reducing SIF in 2025
In a 2023 post, I cataloged four ways to fight synthetic identity fraud:
- Private databases.
- Government documents.
- Government databases.
- A “who you are” test with facial recognition and liveness detection (presentation attack detection).
Ideally an identity verification solution should use multiple methods, and not just one. It doesn’t do you any good to forge a driver’s license if AAMVA doesn’t know about the license in any state or provincial database.
And if you need an identity content marketing expert to communicate how your firm fights synthetic identities, Bredemarket can help with its content-proposal-analysis services.
On Marketing Personas
(Imagen 3)
Marketing personas are like NIST biometric tests.
They’re not real.
Use them with caution.
This part isn’t in the video:
Yes, I know that marketing personas are representations of your hungry people (target audience) that wonderfully focus the mind on the people interested in your product or service. But if we’re being honest with ourselves, a software purchase is not greatly influenced by a non-person entity’s go-to coffee shop order.
Or whether the purchasing manager is 28 or 68.
So don’t go overboard in persona development.
That is all.
Except for the Bredemarket content-proposal-analysis promo.
P.S. Dorothy Bullard’s article can be found here.
NPE Comments That Fall Flat
(NPE Image from Imagen 3. It’s like rain…)
Have you ever seen a piece of content that makes you ill?
I just read a week-old comment on a month-old LinkedIn post. The original poster was pursuing a new opportunity, and the commenter responded as follows:
“Incredible achievements! Your journey with GTM teams is truly inspiring. It’s exciting to see you ready to tackle the next challenge. What qualities do you value most when looking for your next venture?”
At least it didn’t have a rocket emoji, but the comment itself had a non-person entity (NPE) feel to it.
Not surprisingly, the comment was not from a person, but from a LinkedIn page.
And not a company page, but an industry-specific showcase page for the tech industry.
Needless to say, I see nothing wrong with that. After all, Bredemarket has its own technology LinkedIn showcase page, Bredemarket Technology Firm Services.
But when Bredemarket’s LinkedIn pages comment on other posts, I write the comments all by myself, and don’t let generative AI draft them for me. So my comments have none of these generic platitudes or fake engagement attempts that don’t work.
I have absolutely no idea why the “incredible achievements” comment was, um, “written” or what its goals were.
Awareness? Consideration? Conversion? Or mere Revulsion?
Have You Been Falsely Accused of NPE Use? You May Be Entitled To Compensation.
(From imgflip)
Yes, I broke a cardinal rule by placing an undefined acronym in the blog post title.
99% of all readers probably concluded that the “NPE” in the title was some kind of dangerous drug.
And there actually is something called Norpseudoephedrine that uses the acronym NPE. It was discussed in a 1998 study shared by the National Library of Medicine within the National Institutes of Health. (TL;DR: NPE “enhances the analgesic and rate decreasing effects of morphine, but inhibits its discriminative properties.”)
But I wasn’t talking about THAT NPE.
I was talking about the NPEs that are non-person entities.
But not in the context of attribute-based access control or rivers or robo-docs.
I was speaking of using generative artificial intelligence to write text.
My feelings on this have been expressed before, including my belief that generative AI should NEVER write the first draft of any published piece.
A false accusation
A particular freelance copywriter holds similar beliefs, so she was shocked when she received a rejection notice from a company that included the following:
“We try to avoid employing people who use AI for their writing.
“Although you answered ‘No’ to our screening question, the text of your proposal is AI-generated.”
There’s only one teeny problem: the copywriter wrote her proposal herself.
(This post doesn’t name the company who made the false accusation, so if you DON’T want to know who the company is, don’t click on this link.)
Face it. (Yes, I used that word intentionally; I’ve got a business to run.) Some experts—well, self-appointed “experts”—who delve into the paragraph you’re reading right now will conclude that its use of proper grammar, em dashes, the word “delve,” and the Oxford comma PROVE that I didn’t write it. Maybe I’ll add a rocket emoji to help them perpetuate their misinformation. 🚀
Heck, I’ve used the word “delve” for years before ChatGPT became a verb. And now I use it on purpose just to irritate the “experts.”
The ramifications of a false accusation
And the company’s claim about the copywriter’s authorship is not only misinformation.
It’s libel.
I have some questions for the company that falsely accused the copywriter of using generative AI to write her proposal.
- How did the company conclude that the copywriter did not write her proposal, but used a generative AI tool to write it?
- What is the measured accuracy of the method employed by the company?
- Has the copywriter been placed on a blocklist by the company based upon this false accusation?
- Has the company shared this false accusation with other companies, thus endangering the copywriter’s ability to make a living?
If this raises to the level of personal injury, perhaps an attorney should get involved.
A final thought
Seriously: if you’re accused of something you didn’t do, push back.
After all, humans who claim to detect AI have not been independently measured regarding their AI detection accuracy.
And AI-powered AI detectors can hallucinate.
So be safe, and take care of yourself, and each other.
Jerry Springer. By Justin Hoch, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=16673259.
Your LMM Pharmacy
On Threads, Dr. Jen Gunter called our attention to the newly-introduced H.R. 238, “To amend the Federal Food, Drug, and Cosmetic Act to clarify that artificial intelligence and machine learning technologies can qualify as a practitioner eligible to prescribe drugs if authorized by the State involved and approved, cleared, or authorized by the Food and Drug Administration, and for other purposes.”
Ultra-modern healthcare?
Presumably these non-person entities would not be your run-of-the-mill consumer generative AI packages, by rather specially trained Large Medical Models (LMMs).
Kinda like my “Dr. Jones, NPE.”
Even so, don’t count on this becoming law in the next two years. For one, Rep. David Schweikert introduced a similar bill in 2023 which never made it out of committee.
Why is Rep. Schweikert so interested in this and related topics? Because medical bills are too damn high:
““How do I make sure we’re embracing technology and using it to bring disruptive cures to market, or other opportunities to market?” Schweikert asked. “And does that also now help lower drug pricing?””
Before you reject this idea entirely, Rep. Schweikert cited one example of technology decision-making:
“Schweikert noted that the FDA last month approved Apple Watch’s atrial fibrillation feature for use in clinical trials — the first such digital health tool approved for inclusion in the agency’s Medical Device Development Tools program.”
But before anything like this will ever happen with prescriptions, the FDA will insist on extremely rigorous testing, including double-blind tests in which some prescriptions are written by currently-authorized medical professionals, while other prescriptions are written by LMMs.
And even when the ethical questions surrounding this are overcome, this won’t happen overnight.
Bredemarket 