Permissive Models, Unequal Risk: Auditing AI Identity-Document Forgery as a Systemic Infrastructure Risk
Sebastian Soto
Two 2021 breaches exposed the identity records — including ID photographs — of essentially all of Argentina (RENAPER, ~45M, attacker-claimed) and Brazil (the megavazamento, ~223M). Frontier text-to-image models supply the forgery half, recomposing leaked photos into credentials that defeat appearance-based KYC. Our thesis: identical model behavior yields unequal societal risk — where one leaked, cosmetically-verified credential gates civil and financial life and AI collapses the marginal cost of forgery at scale, danger is set by identity infrastructure, not model behavior. To show the model layer is an unreliable control, we release DocRefusal, a vendor-neutral refusal scorecard (model × jurisdiction × escalation × language) across six models (key cells 5× on three): refusal is a model property — large, replicated provider differences, not a capability gradient — and single draws overstate (“English→Spanish flips” were artifacts; a weak Spanish lean survives). We map source-grounded, coordination-aware controls to FATF 2025.
This project provides a highly valuable methodological validation by demonstrating that AI safety cannot rely solely on the model layer. It also generates actionable recommendations with the potential to inform real-world governance practices. As a natural next step, incorporating a fidelity metric to assess how convincingly outputs could deceive production infrastructure would further strengthen the work. The project offers a solid foundation for future research and development.
This is a powerful and unusually well‑framed paper: recasting ID‑document forgery as a systemic infrastructure risk—via credential centrality, the “forgery as scaling problem” insight, and the defense‑in‑depth ladder—adds real value beyond yet another “can the model forge?” audit, and the DocRefusal harness plus 5× replication give the empirical spine more credibility than most single‑shot studies. At the same time, the empirical core is still relatively narrow: only three of six models are replicated, L3 escalation cells (arguably the most worrying) remain single‑draw, compliance is treated as a binary upper bound without systematic fidelity scoring, and all coding comes from a single rater, so several key findings are rightly framed as suggestive rather than robust. A natural next step would be to (i) extend replication to all models and include L3, (ii) operationalize the proposed 0–3 fidelity rubric with a second rater to distinguish “toy prop” from KYC‑plausible output, and (iii) move from a qualitative to at least a semi‑quantitative credential‑centrality index, so that the excellent governance story can be backed by a more formal, comparable measure across jurisdictions.
The credential-centrality framework is the paper's most policy-relevant contribution, but it is currently qualitative and applied to only three jurisdictions. The most impactful next step would be to develop a scoring rubric that allows a third party to assess credential centrality for any jurisdiction so that the framework can be applied systematically across Latin America and used in procurement or policy documents.
The paper makes a strong case that the defense must move downstream (from document forensics to source-grounded biometric verification to coordination detection), but the governance recommendations section is brief relative to the depth of the preceding analysis.
Finally, this paper would benefit from a cleaner summary statement at the outset of the Discussion section.
Cite this work
@misc {
title={
(HckPrj) Permissive Models, Unequal Risk: Auditing AI Identity-Document Forgery as a Systemic Infrastructure Risk
},
author={
Sebastian Soto
},
date={
},
organization={Apart Research},
note={Research submission to the research sprint hosted by Apart.},
howpublished={https://apartresearch.com}
}


