Deepfakes Are Now a Board-Level Risk & Regulators Are Watching


Corporate Compliance Insights, May 1, 2026

Key Takeaways

  • The UK Economic Crime and Corporate Transparency Act (ECCTA) exposes large firms to unlimited fines if they fail to prevent fraud, including deepfake-enabled fraud, and cannot show reasonable prevention procedures
  • Provision 29 of the UK Corporate Governance Code requires boards to declare on the effectiveness of their material controls, which now includes controls against synthetic media
  • Recent deepfake scams run over video calls cost firms $25 million and $0.5 million respectively
  • Detection tooling has to be wired into conferencing gateways and the SOC rather than deployed as a standalone product
  • Scenario-based drills and a simple checklist such as VOICE raise employee vigilance

Pulse Analysis

The rapid democratization of generative AI has turned deepfakes from a curiosity into a weapon capable of bypassing traditional verification methods. While early incidents were isolated, the past two years have seen high‑profile frauds in which cloned faces and voices convinced senior executives to wire tens of millions on the strength of a single call. This escalation is driven by cheap, open‑source tools and the ability to stream synthetic media in real time, which expands the attack surface beyond email to video conferencing and messaging platforms, channels where a familiar face or voice has historically been treated as proof of identity.

In response, the UK has introduced two pivotal regulatory levers. The Economic Crime and Corporate Transparency Act, whose “failure to prevent fraud” offense came into force in September 2025, exposes large organizations to unlimited fines when an associated person commits fraud intended to benefit the organization, unless the organization can show it had reasonable fraud prevention procedures in place; deepfake‑enabled fraud falls squarely within that scope. Simultaneously, Provision 29 of the UK Corporate Governance Code, applying to financial years beginning in January 2026, requires boards to declare on the effectiveness of their material controls, which covers cyber and fraud channels, including synthetic media. Together these measures shift responsibility upward, making senior managers directly accountable for risk oversight and forcing organizations to embed deepfake mitigation into their compliance programs rather than treat it as a purely technical problem.

Practically, firms must adopt a layered defense. Governance policies should require multi‑person approvals and out‑of‑band callback verification for high‑value transactions or changes to payment details; the callback must go to a number held in a trusted internal directory, never to one supplied in the request itself, since an attacker who controls the request can just as easily control the contact details attached to it. Technical controls need to be embedded in security operations centers and conferencing gateways, employing real‑time detection engines that flag anomalous facial or vocal patterns and route alerts into existing SOC workflows. Regular scenario‑based drills, reinforced by a simple checklist such as VOICE (verify, observe, involve, confirm, escalate), train staff to recognize a deepfake attempt, pause the transaction, and escalate rather than act on urgency. Finally, boards should approve crisis playbooks, ensure cyber‑insurance coverage reflects synthetic media risk, and embed third‑party verification clauses to close supply‑chain gaps. Early adopters that integrate these practices will not only avoid regulatory penalties but also safeguard their reputations in an increasingly AI‑driven threat landscape.

