The Growing Concern of Insider Risk in Know Your Customer (KYC) Systems
As breaches mount and identity data proves irreversible, confidential A.I. challenges the assumption that verification requires visibility. Unsplash+
Modern Know Your Customer (KYC) systems were designed to enhance trust in financial services by verifying the identity of customers. However, in practice, they have become a significant source of vulnerability. The greatest risk no longer comes from external hackers, but from insiders and vendors who have access to sensitive information. According to recent data, insider-related activity accounted for roughly 40 percent of incidents in 2025, highlighting the need for a more secure approach to KYC.
The Risks of Centralized Identity Data
KYC workflows often require highly sensitive materials, such as identity documents, biometric data, and account credentials, to be shared across multiple parties, including cloud providers, verification vendors, and manual review teams. Each additional person, tool, or system granted access increases the risk of a data breach. Recent breach data shows that misconfiguration and third-party vulnerabilities are two of the most common causes of incidents, with misconfiguration alone accounting for an estimated 15 to 23 percent of all breaches in 2025.
A notable example of the risks associated with centralized identity data is the breach of the “Tea” app, which exposed passports and personal information of its users. The breach occurred when a database was left publicly accessible, highlighting the importance of robust architectural safeguards to protect sensitive identity data.
The Scale of Vulnerability in Centralized Identity Systems
The scale of vulnerability in centralized identity systems is staggering, with over 12,000 confirmed breaches in 2025, resulting in hundreds of millions of records being exposed. Supply-chain breaches were particularly damaging, with nearly one million records lost per incident on average. The permanent nature of identity data makes these breaches especially concerning, as compromised information can have long-lasting consequences for individuals and organizations.
For financial institutions, the damage extends far beyond breach-response costs. Trust erosion directly impacts onboarding, retention, and regulatory scrutiny, turning security failures into long-term commercial liabilities. The Identity Theft Resource Center (ITRC) reports that breach volumes in the financial services sector have been rising, with over 730 incidents in each of the past two years, closely tracking the growing reliance on third-party compliance tools and outsourced review processes.
The Need for Confidential A.I. in KYC
Confidential A.I. offers a solution to the insider risk problem in KYC by executing code inside hardware-isolated environments, known as trusted execution environments (TEEs). This approach ensures that sensitive data remains encrypted not only at rest and in transit but also during processing, even from administrators with root access. Research has demonstrated that technologies such as Intel SGX, AMD SEV-SNP, and remote attestation can provide verifiable isolation at the processor level, applied to KYC, confidential A.I. allows identity checks, biometric matching, and risk analysis to occur without exposing raw documents or personal data to reviewers, vendors, or cloud operators.
By reducing insider visibility, confidential A.I. changes who bears risk and reassures users that submitting identity documents does not require blind trust in unseen employees or subcontractors. Institutions can shrink their liability footprint by minimizing plaintext access to regulated data, and regulators can gain stronger assurances that compliance systems align with data-minimization principles rather than contradict them.
A Necessary Shift in KYC Thinking
KYC will remain a mandatory requirement across financial ecosystems, including crypto markets. However, the architecture used to meet this obligation is not fixed. Continuing to centralize identity data and grant broad internal access normalizes insider risk, an increasingly untenable position given current breach patterns. Confidential A.I. challenges the long-standing assumption that sensitive data must be visible to be verified, offering a more secure approach to KYC.
For an industry struggling to safeguard irreversible personal information while maintaining public trust, this challenge is overdue. The next phase of KYC will not be judged by how much data institutions collect, but by how little they expose. Those that ignore insider risk will continue paying for it, while those that redesign KYC around confidential computing will set a higher standard for compliance, security, and user trust, one that regulators and customers are likely to demand sooner than many expect. Read more about the growing concern of insider risk in KYC systems and the case for confidential A.I. Here
Image Source: observer.com
