Identity Without Control: The Emerging Risk—and a Structural Fix

Deepfake technology challenges a foundational legal assumption: that a person controls their identity. That assumption no longer holds. Companies now face exposure where third parties—or their own AI systems—create or use synthetic representations without authorization. This is no longer theoretical. It is a failure of identity governance.

The risk is already operational:

• False attribution of statements by executives or public figures

• Unauthorized use of likeness or voice in marketing or AI training, reflecting gaps in identity and access management (IAM)

• Synthetic impersonation enabling fraud or internal compromise, exposing weaknesses in privileged access management (PAM)

• Model training on identifiable biometric data without consent, evidencing a deficient access control framework

  
  

Existing doctrines—right of publicity, privacy, defamation—are reactive and fragmented. They do not operate as a zero trust identity system. The result is a widening gap between technological capability and enforceable protection.

How the Proposed Twenty-Eighth Amendment Closes the Gap

The proposed Personal Digital Liberty Amendment reframes identity as a protected, enforceable asset and aligns legal rights with modern governance principles:

• Uniform identity right: Establishes a national baseline for name, likeness, voice, and biometric identity, providing a consistent foundation for identity governance

• Consent-first model: Requires prior, knowing, and revocable consent for AI and synthetic use, functioning as a legal analogue to identity and access management (IAM)

• Control of attribution: Prohibits deceptive synthetic use, aligning with privileged access management (PAM)principles that restrict who may act as or represent an individual

• Transparency mandate: Requires disclosure of synthetic content, reinforcing an external access control framework

• Durability of rights: Extends protection beyond death, treating identity as a long-term governed asset

• First Amendment balance: Preserves journalism, commentary, and parody while restricting deceptive or substitutive uses

• Direct enforceability: Self-executing across U.S. jurisdictions and digital platforms, creating a clear compliance baseline

  
  

Practical Implication

The amendment does not eliminate deepfake risk. It reallocates control.

Identity shifts from a reactive legal interest to a governed asset operating within a zero trust identity framework. For companies, this converts deepfake exposure into a defined compliance obligation integrated with IAM, PAM, and access control frameworks.

The current environment rewards speed. This framework imposes accountability.

Craig S. Gilgallon

Attorney at Law

(973)605-8800