Phronia Counsel

Who Owns Your Face?

Identity ownership is the defining battle of 2026 and almost nobody is talking about who actually owns the thing being faked.

By Howard Holton · Phronia Counsel

Someone on your hiring team was probably fooled by a deep fake interview this year.

They didn't tell you. They're embarrassed. But statistically, it's happening. And the person who showed up on day one wasn't the person on the video call.

This is the tip of a much larger iceberg. And almost nobody is talking about who actually owns the thing being faked: your identity.

What this means for the CIO, CTO, and CISO

Deep fake detection will improve in 2026, but detection always lags generation. Don't rely solely on technology to solve this. Build human verification into your processes.

The deeper problem isn't fake content. It's undefined identity ownership. Who owns your likeness? Your voice? Your digital representation? These questions don't have legal answers yet, and that gap is being exploited.

My position is simple. You must own your identity. No one else should have that right. This will be a defining issue of the next decade.

The inside perspective

When I was responsible for security, identity was the hardest problem. Not because the technology was complex, though it was. But because identity is fundamentally a human problem dressed up as a technical one.

I could authenticate credentials. I could verify access rights. I could monitor for anomalous behavior. What I couldn't do was verify that the human on the other end of the connection was actually who they claimed to be. At some point, every authentication system trusts that the identity was established correctly in the first place.

We built elaborate systems on top of that assumption. Multi-factor authentication. Behavioral analytics. Zero trust architectures. All of them improve security within the system. None of them solve the fundamental problem: proving that a digital identity actually corresponds to a real human being.

We built elaborate security systems on one assumption: that we can verify human identity through digital channels. Deep fakes have blown that assumption apart. The foundation we built everything on is crumbling.

The outside observation

Now I watch the industry scramble to address deep fakes as a detection problem.

Every security conference has deep fake detection sessions. Vendors are launching AI-powered fake detection tools. The message is: we can detect the fakes, so deploy our solution and you're protected.

It's the wrong framing entirely.

Detection is an arms race where the defenders are permanently behind. The generation models improve faster than the detection models. Every detection breakthrough gets incorporated into better generation. It's asymmetric warfare where the attackers have structural advantages.

More importantly, the detection focus misses the real problem: we don't have clear ownership of our own identities. My face. My voice. My likeness. My patterns of speech. Who owns these? Who has the right to create synthetic versions? Who has the right to deploy them?

These questions don't have answers. And in the absence of answers, the people with the most to gain from ambiguity are exploiting it.

The uncomfortable truth

Not all deep fakes are created to deceive. This is what makes the problem so complex. Deep fakes exist on a spectrum.

Some are clearly legitimate: entertainment with disclosed AI actors, historical recreations for education, accessibility applications like voice cloning for the disabled, artistic expression clearly marked as synthetic.

Some sit in a gray area: marketing using synthetic spokespersons, customer service avatars, virtual influencers, AI-generated content without explicit disclosure.

Some are concerning: non-consensual synthetic media of real people, identity appropriation without permission, impersonation for access or influence.

And some are clearly malicious: fraud and financial crime, reputation destruction, election interference, harassment and exploitation.

We need clear rules that distinguish these cases. Right now, we have almost none. The ethical use of AI identity technology is undefined, which means both legitimate innovators and malicious actors operate in the same legal vacuum.

The hiring fraud epidemic

Let's talk about the immediate, practical problem that's happening right now.

Deep fake interviews are happening now. Candidates appear on video calls who aren't the people who will show up on day one. The technology is good enough to fool most interviewers. The financial incentive is high enough to justify the effort.

This isn't theoretical. HR teams are dealing with it. They're just not talking about it publicly because it's embarrassing. Nobody wants to admit they hired a deep fake.

The practical solution is almost absurdly simple: meet people in person before making significant commitments.

Anyone fooled by a deep fake interview should have bought a $1,000 plane ticket and met the human in person. When it costs tens of thousands of dollars to make a bad hire, salary, benefits, onboarding, productivity loss, termination costs, spending $1,000 on travel won't break the bank. And it dramatically improves your post-90-day retention because you actually know who you hired.

This isn't scalable for all hiring. But for significant roles, for positions with access to sensitive systems, for anyone who matters, verify in person. It's the only defense that actually works.

The trust problem

Deep fakes are a symptom of a deeper problem: we've built systems that assume digital representations can be trusted. Those assumptions are breaking.

We built an enormous amount of business, social, and political infrastructure on these assumptions. Employment. Banking. Voting. Relationships. All of it assumes we can trust digital representations of identity.

That assumption is now questionable for any high-stakes interaction. And we haven't rebuilt the trust infrastructure for this new reality.

The ownership question

Here's the question no one is adequately addressing: who owns your identity?

Your face. Your voice. Your likeness. Your patterns of speech and behavior. These are you. But legally, the ownership is murky at best.

Can someone create a synthetic version of you without permission? In most jurisdictions, the answer is unclear. Can someone use your likeness commercially without consent? It depends. Sometimes yes. Sometimes no. Usually undefined. Can someone create a digital twin of you and deploy it for purposes you'd object to? Right now, probably yes.

My stake in the ground is this. You must own your identity. No one else should have that right. This seems obvious, but it's not currently protected by law in most places. It's not enforced by technology. It's not even widely discussed as a principle.

There's enormous money to be made by being less than ethical with other people's identities. Synthetic influencers. Fake endorsements. Impersonation scams. Commercial exploitation of likeness. Without clear ownership rules, exploitation is inevitable because exploitation is profitable.

Redefining trust

We need to redefine trust for an era when digital representations can't be automatically believed.

The old trust model said: if I see it, it's real. If it sounds like them, it's them. If the credentials match, the person is verified. The new trust model has to say: I verify independently of what I see. I confirm through multiple channels. I require analog confirmation for anything high-stakes.

Here's a key insight. Trust is an innately human quality. Trust can be returned. Humans can rebuild broken trust through behavior over time. There's reciprocity. There's ethics. There's relationship.

A system cannot trust you. There's no bidirectionality. There's no ethics in the machine. The word "trust" shouldn't mean the same thing when applied to human-machine interactions as it does for human-human interactions.

Maybe the new definition is this. Stop trusting that digital representations are real, true, or accurately associated with the analog world. Assume they might be synthetic until proven otherwise through verification methods that can't be faked.

What will happen in 2026

We'll see meaningful progress on deep fake detection in 2026. The technology will improve. New tools will emerge. Some percentage of fakes will be caught that wouldn't have been caught before. But detection will never be complete. It will always lag generation. And it doesn't address the fundamental problem.

Expect the first serious legislative attempts around deep fakes, likely focused on obvious harms: election interference, fraud, non-consensual intimate imagery. But the legislation will be incomplete, because the underlying question of who owns identity won't be answered.

Identity ownership will become a recognized business and legal issue in 2026. Not solved. Not resolved. But recognized. The conversation will finally start happening at leadership levels.

And a cultural shift will start. Growing awareness that digital doesn't equal real. High-stakes verification becomes more normalized. In-person validation for important commitments becomes expected rather than unusual.

The principles we should be advocating for

These aren't law yet. They need to be.

  1. Consent is required. Creation of synthetic representations requires the explicit consent of the person being represented.
  2. Ownership is inherent. Identity ownership is an inherent human right, not something that can be transferred or sold without explicit, informed agreement.
  3. Commercial use requires permission. Any commercial use of someone's likeness, voice, or digital representation requires their permission and fair compensation.
  4. Verification must be possible. Systems must exist to allow individuals to verify and challenge synthetic representations of themselves.
  5. Accountability is necessary. Creators of synthetic media must be identifiable and accountable for how that media is used.

Signs you're unprepared

Use this diagnostic. If four or more apply, you have critical gaps.

The playbook for identity protection

Five steps to prepare your organization for the identity ownership era.

  1. Add human verification to high-stakes processes. In-person verification for significant hires. Face-to-face confirmation for major transactions. Physical presence for critical access grants. Digital-only verification is no longer sufficient for anything that matters.
  2. Protect executive and high-profile identities. Proactive protection of voices, likenesses, and digital representations for anyone who might be targeted. This includes limiting publicly available recordings and establishing baseline authenticity records.
  3. Create synthetic media policies now. Define acceptable use of synthetic media before you have an incident. Cover creation, use, and incident response. Include guidelines for AI-generated content that represents real people.
  4. Implement multi-channel verification. Never rely on a single channel for important verification. If you receive a request via video, confirm via a different method. If you receive it via email, confirm via phone to a known number. Redundancy defeats single-channel attacks.
  5. Engage in the identity ownership conversation. This will be defined by legislation and industry standards over the next few years. Organizations that engage now will shape the outcome. Organizations that don't will react to rules others created.

What I'd tell my former self

If I had known then what I know now:

I would have built human verification into every high-stakes process. Digital-only verification is no longer sufficient for anything important.

I would have protected executive identities proactively. Voice recordings, video appearances, likeness rights, these need protection before they're exploited.

I would have created policies on synthetic media before needing them. Reactive policy-making after an incident is always worse than proactive framework-building.

I would have started the identity ownership conversation early. This is coming. Organizations that think about it now will shape the conversation. Organizations that don't will react to it.

I would remember that trust is human. Systems don't trust. Machines don't have ethics. The word "trust" needs to mean something different when we're not talking about human relationships.

A note on analyst culture

Most analyst coverage of deep fakes focuses on detection technology. Detection is a vendor market. Vendors sponsor research. Research covers vendor capabilities. The cycle reinforces focus on technological solutions to what is fundamentally a rights and trust problem.

The deeper conversation, who owns identity, what rights people have over their digital representations, how we rebuild trust in an era of synthetic media, gets less attention because it doesn't have a vendor market attached to it.

The detection market matters. But it's not the whole story. Analysts who only cover detection are missing the more important conversation. Identity ownership is a foundational issue that technology alone can't solve, and it deserves principles and frameworks, not just an evaluation of detection tools.

The bottom line

Start treating identity ownership as a strategic issue. This isn't a niche security concern. It's a fundamental shift in how digital trust works. The organizations that recognize this early will build appropriate protections, shape the emerging standards, and avoid the incidents that will embarrass their competitors. The organizations that treat this as someone else's problem will face deep fake fraud, impersonation incidents, and regulatory scrambles when legislation catches up.

You must own your identity. No one else should have that right. This principle seems obvious, but it isn't protected by law. It needs to be.