Prove It: How the AI Labs Started Checking Who You Are
Four of the six major labs now verify your identity or your age. The checking has narrowed to two companies, and one of them has already had a security exposure.
When Anthropic added identity verification to Claude's privacy policy this summer, effective July 8, 2026, the reaction outran the facts within hours. People said Claude would demand your papers before it answered a question, that a face scan was now required to log in, that this was surveillance under a friendlier name.
Most of that was false. The real change is narrower, and the first job is to read it. But reading Anthropic's page alone misses the larger story. Line up all six frontier labs and something shows up that no single announcement does: the industry is settling on a handful of outside companies to decide whether you are who you say you are.
Requirement is not verification
The headlines tend to blur a distinction that matters.
An age requirement is a line in the terms. You must be 13, or 18, or whatever your country sets. You type a birthday, and nobody checks it. Google's Gemini works this way today. Its own sign-in page asks you to be "13 (or the applicable age in your country) or over," and 18 or over for work accounts, then takes your word for it. No document, no photo, no vendor.
Age verification asks you to prove the claim, with a government ID, a photograph of your face, or a biometric estimate of your age from a selfie. That is a change in kind. It takes a sensitive document, and often your face, out of your hands and into a company's systems.
Sorted by that line, the labs fall into three groups.
Who checks, and how
They make you prove it, through a vendor. OpenAI, Anthropic, and Meta all require documentary or biometric proof under some conditions, and all three hand the checking to an outside firm.
OpenAI runs the most elaborate version. By its own account (announcements in late 2025 and early 2026, plus its help center), ChatGPT uses an age-prediction model that guesses from behavioral signals such as account age, hours of use, and usage patterns whether an account belongs to someone under 18. If it flags you and you disagree, or you are an adult who wants teen restrictions lifted, you verify through Persona by uploading a selfie or a government ID. Where the law requires an age check, OpenAI turns to a second vendor, Yoti. A third Persona flow screens new sign-ups against sanctions lists.
Anthropic's is simpler. Its support page says it "selected Persona Identities as our verification partner," that verification takes a government-issued photo ID plus a live selfie, and that "your ID and selfie are collected and held by Persona, not on Anthropic's systems." It applies to flagged or appealing accounts, and took broader effect on July 8.
Meta uses Yoti's facial age estimation, alongside ID, when someone tries to change a birthday from under 18 to over 18, or is otherwise suspected of misstating age. That relationship goes back to 2022.
They make you prove it in-house. xAI is the outlier. To satisfy the UK's Online Safety Act, X asks users to confirm age with a selfie that, in its own words, is estimated "by our artificial intelligence systems," meaning its own Grok models, or with a government ID. So the estimation is native rather than outsourced. (X's privacy policy still mentions a "verification partner" for handling the ID itself, so a third party is probably somewhere in the chain. The estimate is what runs on Grok.)
They take your word for it. Google's Gemini self-declares, as above. For DeepSeek, we found no evidence of an age- or identity-verification program for its consumer product, which is not the same as confirming there is none. We simply could not source one.
It runs through two companies
Now stack the vendors instead of the labs.
Persona verifies for OpenAI and for Anthropic. Yoti verifies for OpenAI and for Meta. Between them, two companies now sit behind the identity checks of the biggest names in consumer AI. Prove yourself to Claude and later to ChatGPT, and the same firm may take the request both times, holding a government ID from one and a selfie from the other.
That is a single point of failure, and it stopped being hypothetical in February 2026, when security researchers reported that Persona had left part of its verification front-end exposed. A vendor holding identity documents for several AI platforms is a richer target than any one platform on its own, and the incentive to breach it grows with every logo it adds.
The arrangement at both ends
One more fact belongs here, and it needs care, because the framing is contested.
Sam Altman runs OpenAI. He also co-founded World, formerly Worldcoin, which in March 2026 launched AgentKit, a system that lets people whose irises have been scanned by World's "orb" attach that verified identity to AI shopping agents. World reports roughly 18 million people scanned. So the head of a leading maker of AI agents also helps run the biometric identity layer being built to verify the humans behind AI agents. Critics, among them writers at TIME and The Hill, call that a structural conflict of interest. Agree or not, both roles are real, and they sit at opposite ends of the same loop.
In fairness
None of this makes the vendors careless, and leaving out the safeguards would repeat the conspiracy theories' mistake in the opposite direction.
Yoti says it deletes the age-estimation selfie the moment it produces an estimate, shares no facial images with its clients, and has that deletion audited independently by the UK's ICO, KPMG, NCC Group, and the Age Check Certification Scheme. Persona deletes the ID and selfie within seven days for OpenAI's flow, and OpenAI says it never receives the images at all. Those are real safeguards. Whether they hold depends on someone continuing to check.
What we're watching
The Anthropic episode is less about identity verification than about sequence. The loud version of a story lands first. The accurate version takes reading the policy, and then reading the other five.
Do that, and the development in front of you is clear: fewer and fewer companies get to hold proof of your identity for the AI you use, and at least one of them has already slipped. It is worth following. No single change is alarming on its own; the direction is what matters, and it is easy to miss one announcement at a time.
This is the work Frontier Watch does: reading what the labs change, across all six, in plain language, and telling you what moved. The baseline is free, because you should be able to see where the frontier stands without paying for the privilege.
Sources
- OpenAI — "Our approach to age prediction," "Building towards age prediction"; Help Center 12652064, 8411987; Persona customer page (withpersona.com/customers/openai)
- Anthropic / Claude — Help Center, "Identity verification on Claude" (support.claude.com/en/articles/14328960)
- Meta — "New AI-Powered Age Assurance Measures," Meta Newsroom, May 2026
- Yoti — Age Verification Privacy Policy (yoti.com/privacy/age-verification)
- xAI / X — "Age assurance," X Help Center; Social Media Today
- Google — "What you need to sign in to Gemini Apps," Gemini Apps Help 13278668
- Persona exposure — Malwarebytes Labs, February 2026
- World / AgentKit — World announcements, March 2026; eMarketer; TIME; The Hill