Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

You've built rigorous identity verification flows. You're running liveness detection, document checks, and behavioral analysis. And when users make it through, you rightfully clear them as trusted. But when users aren’t in a verification flow, you lose insight into the device, network, and behavioral signals that could flag a major risk. Sentinel extends passive signal collection to any moment in the user's life cycle.

When I joined Persona's Marketplace team as the product manager in August 2025, we had around 25 integrations. Our goal was to make Persona a seamless fit in every customer's stack: easy to get started with and even easier to grow with. Less than a year later, we've tripled the size of our marketplace to include more than 75 integrations. Here's how we've approached our Marketplace strategy this year.

Anthropic released a pre-built KYC Screener agent last month. It runs a four-step workflow on onboarding records to extract structured data from KYC documents, evaluate that data against a firm's KYC rules, screen named parties, and escalate exceptions to a compliance file for human review. The Anthropic template is purpose-built for meeting basic KYC compliance requirements during onboarding, and it lowers the cost of getting it right.

We believe trust is earned through demonstration and transparency, not promises. That’s why we worked with Trail of Bits, an independent security firm that has spent years reviewing the code behind widely-used software from cryptography libraries to critical open-source infrastructure. Persona regularly undergoes independent third-party audits across our security, privacy, and product programs.

Across Europe, two major regulatory deadlines are arriving that will reshape the mechanics of identity verification for EU-regulated businesses. By the end of 2026, eIDAS 2.0 will require organizations to accept EUDI Wallets for online services where electronic identification or authentication is necessary. That obligation covers state, regional, and local authorities; bodies governed by public law; and certain private entities that are required to provide public services.

On May 22, Brazil’s National Data Protection Agency (ANPD or Agência Nacional de Proteção de Dados) published new draft guidance on age assurance (aferição de idade) mechanisms. The guidance provides companies with their clearest picture yet of how to comply under the Digital ECA. Part of a broader rollout of Brazil’s Digital ECA framework, the guide emphasizes risk-based proportionality and privacy by design (privacidade desde a concepção).

Identity verification helps prevent fraud by requiring would-be fraudsters to verify that they are real people and who they say they are. But what about a user who opens an account with their legitimate ID and selfie and then hands the keys to a bad actor? That’s exactly what happens with identity muling, and this type of second-party fraud can be difficult to detect.

In April 2026, Mexican President Claudia Sheinbaum announced that individuals will no longer need a Federal Taxpayer Registry (RFC) number to open an N2 or N3 bank account. As the country continues its transition to cashless payments, this move has the potential to bring more than 32 million unbanked, informal workers into the financial system. But it doesn’t come without risk.

For many security teams, the 2023 MGM Resorts cyberattack was a wake-up call. A single vishing attack exploited weak identity assurance in help desk workflows and disrupted casino and hotel operations for days, causing hundreds of millions in losses and reputational damage. The breach revealed a disconcerting new reality: Just one compromised employee account can enable attackers to bypass the entire security perimeter, regardless of an organization’s size or security budget.

Addressing these potentially competing priorities is difficult with today’s technology, and it's an active area of work for government agencies and private organizations alike. But we think there’s a potential path forward if regulations and organizations limit what you have to share, who you have to share data with, and how your data can be used.