📋 Contents
The short version: as the cost of AI deepfakes drops fast, "digital human registration" is really two things rolled into one — using mature biometrics to protect real people's faces and voices, and using content credentials and watermarks to make virtual spokespeople honestly disclose that they are AI. Both sides have real, usable technology — and both have clear limits. This article makes those limits explicit, so you never mistake liveness detection for a silver bullet, nor a model score for legal identity.
Over the past few years I've heard the same anxiety from small business owners and creators: someone can use AI to clone my face, clone my voice, and use them to sell products, run scams, or put words in my mouth I never said. At the same time, more brands want to use AI-generated "virtual spokespeople" to save cost — while fearing they'll be accused of pretending to be human. Both needs point to the same infrastructure: making "who is a real person and who is AI" verifiable. This post sells no myths. It lays out the technology, the privacy boundaries, and the regulatory timeline, honestly.
1. Why "digital human registration" matters
Digital human registration has two paths, serving two kinds of people:
- Protective registration for real people: your own face and voice are captured through a verification flow to leave a "verifiable identity baseline." If someone later impersonates your likeness, you hold a provenance reference you can assert. That is what digital human registration is for.
- Virtual human registration: a brand's AI virtual persona is registered and marked as virtual — visible badge, invisible watermark, and content credentials all in one — so viewers and regulators know it is not a real person. That is what virtual human registration is for.
Why now? Because the barrier to forgery has collapsed. A clean recording and a few frontal photos are enough to train synthetic content that sounds and looks a lot like you. Be honest about it: "does it look like them" no longer stops forgery. We have to switch to verifiable mechanisms — cryptographic signatures, watermarks, provenance credentials. Digital human registration packages those mechanisms into a flow ordinary people can actually use.
One more framing helps before we dive into the parts. Protecting a real person and labeling a virtual one are mirror images of the same problem: in both cases the goal is to attach a verifiable signal to a face or a voice, so that downstream — a viewer, a platform, a regulator, or even another AI system reading the page — can tell what they're looking at. The real person's signal says "this likeness belongs to a verified human who can assert it." The virtual persona's signal says "this likeness is synthetic, and here's the real entity accountable for it." Same mechanism, opposite direction. Once you see it that way, the technology choices below stop feeling like a grab-bag and start fitting together.
2. The four parts of protective KYC for real people
Doing protective verification for a real person breaks into four parts. Each has mature strengths — and a weakness worth admitting:
1:1 face matching maturity: high
Deciding whether "the face in front of the camera" is "the face enrolled earlier." This is the most mature part, with public international benchmarks like NIST FRTE continuously scoring it.
For scale, consider open-source metrics: InsightFace's ArcFace model reaches about 99.8% on the LFW benchmark and about 97.3% TAR@FAR=1e-4 on the harder IJB-C. In other words, "is this the same person" matching is already very reliable.
Liveness detection (PAD / IAD) maturity: medium, with a gap
Confirming there's a living, real person at the camera — not a photo, video, or mask. The international standard is ISO/IEC 30107-3 (presentation attack detection, PAD).
But there's a gap many people miss: passive PAD blocks presentation attacks (showing something fake to the camera) and does not cover injection attacks — where an attacker feeds a deepfake stream straight into the system via a virtual camera, never passing through a real lens. Defending against those requires a separate technology, IAD (injection attack detection): the European standard CEN/TS 18099 is published, while the international ISO/IEC 25456 is still a draft. A January 2026 World Economic Forum report also confirmed that some KYC systems can be defeated under specific conditions.
Face ID-style re-authentication privacy: best practice
Day-to-day "re-authentication" (confirming it's still you) happens on-device, and the face template never leaves the phone. The approach is FIDO2/passkey plus on-device biometrics: your face is only used to unlock a private key inside the device, and the server receives only a cryptographic signature — the face is never transmitted.
This is exactly Apple's Face ID model: a random-other-person unlock rate of roughly one in a million, with the face template stored in the device's Secure Enclave. For the user, this means "convenience without sacrificing privacy" — the platform never gets your face.
High-quality voiceprints maturity: high, but anti-spoofing is fragile
Using voice features to recognize "whether it's the same person speaking." The open-source ECAPA-TDNN model reaches about 0.8% equal error rate (EER) on clean benchmarks — so matching "same voice" is already very accurate.
But one weakness must be stated honestly: anti-spoofing against modern TTS is still fragile. In the in-the-wild ASVspoof 5 evaluation, the best system's EER was around 4% — meaning synthetic speech can still slip through. So voiceprints (is it the same person) must be deployed separately from anti-spoofing (is it machine-generated) — they are not the same thing. Recording quality also matters: we recommend ≥20 seconds, 48kHz/24-bit mono, clean and noise-free.
3. The privacy floor: never store the raw face or voice
This section is the trust core of the whole system, and it's our selling point: a correct digital human system never stores your raw face or voice.
The industry privacy floor (see ISO/IEC 24745 on biometric information protection) has three key properties:
- Irreversible: only a feature template is stored, from which your face or voice cannot be reconstructed.
- Revocable: if a template leaks, it can be invalidated and reissued — like changing a password — so your face isn't "ruined for life."
- Unlinkable: the same person's templates across different services can't be cross-matched, preventing cross-platform tracking.
Two more disciplines apply in practice: liveness detection returns only an aggregate score (no leaking of the image frames in the process), and raw data stays on the device (as in the Face ID-style re-authentication above). Hold these, and even if the platform is breached, the attacker can't walk away with a reusable face or voice.
4. The limits of legal identity verification
Here's the easiest landmine to step on, so let's be explicit: a local or open-source model's match score cannot serve as proof of legal identity.
A model score can answer "are these two samples the same person." It cannot answer "who is this person legally." To do the latter — real legal identity verification — you must go through one of two lawful channels:
- Government channels: for example, Taiwan's Citizen Digital Certificate or TW FidO mobile identity.
- Licensed identity-verification vendors: for example, compliance-focused KYC providers like Veriff or Sumsub.
When designing a trust system, refer to the NIST SP 800-63 digital identity assurance levels (IAL/AAL) to layer "model match score" and "legal identity level" so each stays in its lane. An honest reminder: TrueLink does not claim to hold any government certification. What digital human registration offers is a "protective provenance baseline"; the legal verification that belongs to governments or licensed vendors, we keep separate and don't conflate.
5. Virtual AI humans: why and how to mark them as virtual
The other path is for brands' AI virtual personas. Virtual spokespeople have real commercial value — but only on the condition that you honestly disclose they are AI. How do you mark them without falling foul of various national rules? We recommend a three-layer marking approach, all at once:
1. Visible badge
Place a human-visible label on the content (such as an "AI-generated" or "virtual character" badge). This is the most direct and most effective disclosure for ordinary viewers.
2. Invisible watermark
Use Meta AudioSeal for audio and Google SynthID for images to embed the "this is AI-generated" signal into the content itself — harder to remove even after cropping or transcoding. Machine-readable, invisible to the naked eye.
3. C2PA content credentials + CAWG identity assertion
Use C2PA content credentials to attach a verifiable provenance history to the content, then use a CAWG identity assertion to bind the verified real-person owner — making "which real entity is responsible behind this virtual human" auditable.
Why do all three? Because together they align with the major jurisdictions' requirements at once (as of 2026-06, the rules are still evolving fast — re-verify the latest before formal adoption):
| Jurisdiction | Rule | Key timeline |
|---|---|---|
| EU | AI Act Article 50 (transparency / disclosure) | deployer disclosure effective 2026-08-02; provider machine-readable marking deferred to 2026-12-02 |
| China | Measures for Labeling AI-Generated Synthetic Content (explicit + implicit dual labeling) | in force 2025-09-01 |
| Taiwan | AI Basic Act (framework law, no penalties) | third reading 2025-12-23; details pending |
| US | FTC: virtual influencers treated like real ones, disclosure required | existing endorsement disclosure guides apply |
The visible badge satisfies "humans understand it," the watermark and C2PA satisfy "machines can verify it," and CAWG satisfies "a real person is accountable" — together, the three layers cover the disclosure logic currently in the EU, China, Taiwan, and the US.
6. Closing thought
Digital human registration isn't magic — it's honest engineering: protect real people with mature biometrics, honestly label virtual humans with watermarks and content credentials, and know the limit of every technique — liveness needs IAD, voiceprints stay separate from anti-spoofing, model scores aren't legal identity, and the raw face and voice never go to the cloud. Hold the limits, and trust holds.
For a small business owner or creator, the practical takeaway is to treat these as two separate questions rather than one blurry "AI thing." If your concern is being impersonated, the answer lives in protective KYC and the privacy floor — and the honest test of any vendor is whether they can explain how they avoid storing your raw face and voice. If your concern is shipping an AI spokesperson without misleading anyone, the answer lives in the three-layer marking — and the honest test is whether the disclosure survives a screenshot, a re-upload, and an automated check, not just a caption that a re-poster can strip.
Whether you're a real person who wants to protect your likeness, or a brand that wants to use a virtual spokesperson compliantly, you're welcome to try both paths for yourself.
Want to try digital human registration?
Real people can use protective registration to leave a verifiable identity baseline; brands can register a virtual spokesperson and complete all three disclosure layers at once. Questions? Email us and mention the topic of this article so we can pick up the context.
Digital Human Registration Virtual Human Registration