Fraud is accelerating. Is the government ready?

Federal and state agencies are at a turning point in the fight against fraud. The Government Accountability Office estimates that the federal government loses between $233 billion and $521 billion annually to fraud. The Labor Department’s inspector general estimates over $100 billion in identity-related fraud losses in unemployment programs during the pandemic alone.

The rise of fraud is well known, and agencies have invested significant resources in prevention programs at both the federal and state levels. Yet even with new programs and modernization efforts, fraud continues to rise. The rapid growth and widespread availability of generative AI and other modern tools have opened numerous new attack vectors.

Meanwhile, citizens are caught in the middle. They are asked to scan the same ID, retype their name and date of birth, and answer “secret” questions whose answers were stolen and resold years ago — then repeat the process at another agency, and again at the next. The result isn’t stronger security. It’s slower access, higher abandonment and sprawling warehouses of personal data that become liabilities the moment they’re breached. The paradox is that a system meant to verify identity increasingly undermines both security and public trust.

The government isn’t starting from scratch. Agencies are laying the foundation for a more robust defense and modernized key infrastructure. For example, the National Institute of Standards and Technology’ issued Revision 4 of its digital identity guidelines (SP 800-63-4) provides a comprehensive framework for end-to-end identity programs. And recent FedRAMP changes have streamlined and improved the authorization process for software-as-a-service vendors, making it faster and more scalable for agencies to adopt modern identity tools. Furthermore, 22 states have launched or piloted mobile driver’s licenses (mDLs), offering an extremely high-assurance, secure method for digital identity verification.

But these developments need to be pulled together and leveraged to create a comprehensive government response to fraud. To this end, in order to effectively counter the accelerating fraud threat and modernize identity verification, government agencies must take three additional and essential high-impact steps.

First, government agencies should recognize and take advantage of key FedRAMP program changes that are creating a more competitive and innovative vendor marketplace. More specifically, agencies now have more opportunities to consider and evaluate newer entrants capable of meeting public-sector requirements and that have proven track records preventing fraud in industry. Historically, identity verification has been dominated by a small set of vendors, shaped largely by compliance barriers rather than today’s threat environment. Recent FedRAMP changes have simplified the path for vendors to reach Moderate Ready and Moderate Authorized status — long required to handle sensitive personal information — opening the door to a broader range of capable providers. As new providers’ public-sector footprints grow, agencies have the opportunity to benefit from solutions that deliver consumer-grade experiences without compromising security or mission outcomes.

Second, agencies must shift decisively from check-the-box compliance to risk-based layering. NIST’s SP 800-63-4 provides an excellent, comprehensive framework for identity verification, but treating Identity Assurance Levels (IAL) as a rubber stamp for compliance undermines its intent. Assurance is not determined by a single label; it emerges from how multiple signals work together in context.

Agencies must accordingly heed NIST’s own guidance to promote a risk-based approach over a compliance-oriented one, recognizing that stronger security comes from layering multiple, real-time signals, akin to a Swiss-cheese model of security. In practice, an IAL2 flow using modern technologies — such as a mDL — can easily deliver higher assurance than many alternative IAL3 flows. Stronger security doesn’t require funneling every user through a single IAL2 gate. It requires layering complementary signals based on risk. Modern verification platforms already combine passive signals, such as device reputation, IP and network risk and behavioral patterns, with active signals like document verification and biometrics. When layered and cross-validated, these signals significantly raise the cost of fraud while reducing friction for legitimate users.

Lastly, regulatory bodies and agencies should accelerate adoption of mDLs as a core fraud-fighting tool. An mDL isn’t a JPEG of a plastic card — it’s an issuer-attested, cryptographically signed credential with real-time revocation and selective disclosure. It lets agencies confirm key identity attributes (e.g., Is the license valid? What is this person’s legal name?) without collecting unnecessary personal details. That means less breach risk, less stored data and far stronger privacy for citizens.

Critically, greater selectivity and less data do not mean lower assurance. The issuer-attested, cryptographically signed identity data is virtually impossible to forge, tamper with or spoof. Agencies should implement acceptance of mDLs as quickly as possible to facilitate faster, higher assurance, more secure identity verification that simultaneously protects privacy and builds trust with citizens.

The technology to dramatically reduce fraud and modernize government systems already exists. Citizens want access without endless re-verification. Agencies want the best that technology has to offer, fewer fraud losses and fewer data breaches. Privacy advocates want less personal data circulating. These goals are aligned. What’s missing is not some new, undiscovered technology, but execution. Fraud is accelerating — and the question is whether government systems will move fast enough to counter it.

Bobby Kozyra is public sector lead at Persona and a former U.S. Navy SEAL Officer and U.S. diplomat. 

Copyright © 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.