Your Admissions Portal Is the Breach. The Receipts Are In.

Your Admissions Portal Is the Breach. The Receipts Are In.

Last month I called a friend who runs admissions at a mid-sized community college. I asked her one question. Between the moment a student is admitted and the moment that student has a working campus account, what happens, and how long does it take?

She laughed. Then she went quiet. Then she said, let me get back to you.

That pause is the column this week.

For two months I've been writing about deprovisioning. The 30-minute Entra sync. The terminated employee who still has Workday access on Friday afternoon. The orphaned account three years past graduation. I stand by every word of it. But I've been writing about the back door while the burglars walked in through the front. The bigger structural failure in higher-ed identity right now is not the account we forget to close. It is the account we open for someone who was never a person to begin with.

The receipts are in. Let me walk you through them.

California Already Ran the Experiment. The Results Are Not Subtle.

The California community college system has been the canary on ghost-student fraud for three years running. In 2021, about one in five applications across the system was flagged as fraudulent. By January 2024 that number was one in four. By early 2025 it peaked near 34%. The Los Rios District, in a single grim quarter, suspected 64% of its January through March 2025 applications were fake. CalMatters has been documenting this in detail.

Between January and March 2025 alone, scammers stole nearly $5.6 million in federal aid and over $900,000 in state aid through California community colleges. That is one quarter, one state, one sector.

Here is the part that should be on every CIO's desk this week. The same quarter, one year later, after the system actually deployed identity verification and bot filtering at the application gate, federal losses dropped to roughly $1.5 million and state losses to about $330,000. A two-thirds reduction in twelve months. Not from a new platform migration. Not from a five-year roadmap. From instrumenting the front door.

EdTech Magazine and ABC7 have both documented how the threat evolved. Ghost students are not Russian teenagers with a credit card generator anymore. They are AI-generated composites with plausible essays, bot-submitted at speed, designed to clear human review because no human is reviewing. Federal investigators are sitting on more than $350 million in ghost-student fraud across roughly 200 open investigations.

I made a prediction last year. At 18 months out, ghost accounts and aid fraud would still be unresolved at community colleges and smaller-budget institutions. That prediction is hardening into receipts, but with a twist I didn't call. California proved the bleed can be cut by two thirds in a single fiscal year, with technology that exists today, when leadership decides to deploy it. Which means the institutions still watching their own losses grow are not facing a hard technical problem. They are facing a leadership problem with a technical disguise.

Congress Just Made Your Onboarding a Federal Audit Target

In early June 2026, the U.S. House passed a bill 249 to 172 requiring the Department of Education to stand up a FAFSA identity fraud detection system. Every FAFSA filed on or after October 1 would be assessed for reasonable suspicion of identity fraud. Mandatory annual audits. Program reviews prioritized for institutions that demonstrate a pattern of disbursing aid to suspected fraudulent applicants. Community College Daily has the breakdown.

That last clause is the one I want you to read twice. A pattern of disbursing aid to suspected fraudulent applicants. The bill does not just create a federal screening system. It creates a federal list of institutions that kept paying out aid after the federal government flagged the application. When that list publishes, your institution's name on it is not a compliance footnote. It is the opening sentence of the next board meeting and the lead paragraph of your local newspaper's higher-ed coverage for the next fiscal year.

This sits on top of work the Federal Student Aid office has already done. APP-25-16, published in June 2025, set NIST IAL2 as the acceptable third-party proofing floor for first-time FAFSA applicants, with in-person or live video verification as alternatives. FSA's real-time fraud detection system went live in spring 2026. The Department of Education's identity verification posture has been clearly telegraphed for over a year.

Here is what most CIOs missed in the noise. The FSA guidance is explicit that the verification record must be retained at the institution, by name, with date. That is identity authority living outside the SIS by federal mandate. If you are an Ellucian, Workday, or Jenzabar shop hoping your student information system vendor's roadmap covers this, read the guidance again. You are responsible for the retention. You are responsible for the audit trail. You own the record.

The structural argument I've been making in this column just became a regulatory one. Identity authority does not live in the SIS. It cannot. The federal government has now said so out loud.

Mohave County Is the Canary. Auditors Are Looking at Onboarding Now.

In May 2026, Arizona published the Mohave County Community College District Single Audit for the fiscal year ending June 30, 2025. Buried in the findings was a callout on Information Technology Security. The auditor flagged the need for effective internal controls over user access rights aligned with credible industry sources. The language was deliberately broad, which is the tell. It signals auditor focus on the full lifecycle of access provisioning, not just the deprovisioning side that everybody has been wringing their hands about.

Single Audits are how state auditors propagate practice. When one auditor in one state writes that finding into a community college report, the language gets templated and copy-pasted into every other audit of the same type across the next two fiscal cycles. This is not paranoia. This is how the audit profession works.

CSO Online framed the underlying question better than I've heard it framed anywhere else. Can you prove, at any moment, that the identities behind your highest-impact actions belong to real, accountable humans? That is the question your next state auditor is going to ask, in some variant, and your answer cannot be a screenshot of the application form.

The median time between SIS admit status and credential issuance is a number almost no institution can produce on demand. EdTech Magazine and Identity Automation have both documented that higher-ed IT teams still rely on scripting to bridge the gap, with lag measured in days rather than minutes. The workflow runs across three departments and two cron jobs that nobody owns. The load-bearing human is a 0.4 FTE in admissions running PowerShell because the connector to the SIS broke in 2023 and nobody had budget to fix it.

She has a name. The auditors are starting to ask about her. They will not stop.

The Vendor Question Underneath All of This

Houston Community College now requires students to verify identity through ID.me as part of enrollment. Government-issued photo ID upload. Video selfie. Consent to data sharing. Then the institutional account activates. An ID.me case study documents a community college preventing over $425,000 in fraud after deploying high-assurance proofing across the applicant pool. The numbers say it works.

Here is what most identity newsletters will miss. The deployment is not just identity proofing. It is the institution outsourcing identity authority to a federally aligned third party. That solves the fraud problem at the front door. It also moves the identity authority off campus, into a vendor whose roadmap, pricing model, and political risk profile the institution does not control.

I am not arguing against ID.me, or Nametag, or Persona, or any of the consumer-identity-proofing vendors moving into this market. The IAL2 mandate is going to push higher ed toward a small set of them whether we like it or not. The fraud math demands it.

I am arguing that CIOs need to be clear-eyed about what they are buying. The proofing event is one moment in a student's life. The identity it creates lives in your directory for the next forty years. Own the layer underneath. Outsource the moment, not the authority. This is the same mistake higher ed made when it let the SIS become the identity authority by accident in the 1990s. We do not need to make that mistake again with a new vendor and a fresh coat of paint.

Ray's Corner

The thing that keeps me up at night is not that ghost students are getting through. It is that California cut its losses by two thirds in one fiscal year by doing the obvious thing, and most of the institutions I talk to are still evaluating vendors.

We are past the part where this is hard to understand. We are in the part where the institutions that move now look responsible to their boards in 2027, and the institutions that wait look negligent. That is not a technology gap. That is a leadership gap.

Here is your homework. Pick up the phone today. Call your registrar. Ask her what happens between an admit decision and a working account. Time it. If the answer is more than 24 hours, or involves the word spreadsheet, or includes the phrase let me get back to you, you have your summer project.

Twenty-eight years ago I built an identity system at a small university in Arizona because the registrar there couldn't tell me how long an account took to provision either. I thought we had solved that problem. We did, locally, for a while. The industry has spent the intervening three decades unsolving it at scale. The front door is open. The receipts are in. The leadership question is whether you close it before the federal list publishes, or after.

Close it before. Your board will thank you. Your auditor will thank you. The 0.4 FTE running PowerShell at midnight will thank you most of all.

Take The Next Step

Primary: Run a QuickLaunch Identity Lifecycle Management assessment on your current onboarding workflow. We will time the gap between SIS admit and credential issuance for you, document it, and show you what the audit trail looks like before your next state auditor walks in. Start at quicklaunch.io

Secondary: Subscribe to the QuickLaunch column. Wednesday morning, every week. The receipts arrive before the audit findings do.

References

• California community colleges crack down on financial aid fraud - CalMatters. https://calmatters.org/education/2026/05/financial-aid-fraud-california/
• What Are Ghost Students and How Do They Operate? - EdTech Magazine. https://edtechmagazine.com/higher/what-are-ghost-students-perfcon
• Ghost student scammers are using AI to steal financial aid, federal investigators warn - ABC7. https://abc7.com/post/ghost-student-scammers-are-using-ai-steal-financial-aid-federal-investigators-warn/18495539/
• U.S. House passes bill to combat ghost federal student aid applicants - Community College Daily. https://www.ccdaily.com/2026/06/us-house-passes-bill-to-combat-ghost-federal-student-aid-applicants/
• Significant Actions to Prevent Fraud through Identity Verification (APP-25-16) - Federal Student Aid. https://fsapartners.ed.gov/knowledge-center/library/electronic-announcements/2025-06-06/significant-actions-prevent-fraud-through-identity-verification
• U.S. Department of Education Identity Verification Requirements - Nametag. https://getnametag.com/newsroom/department-education-identity-verification-colleges-universities
• FAFSA Real-Time Fraud Detection - Federal Student Aid. https://fsapartners.ed.gov/knowledge-center/library/electronic-announcements/2026-04-15/fafsa-real-time-fraud-detection-updated-may-29-2026
• Mohave County Community College District Single Audit (FY 2025) - Arizona Auditor General. https://www.azauditor.gov/sites/default/files/2026-05/MohaveCountyCommunityCollegeDistrictJune30_2025SingleAudit.pdf
• Can you prove the person on the other side is real? - CSO Online. https://www.csoonline.com/article/4146433/can-you-prove-the-person-on-the-other-side-is-real.html
• How IT Teams Can Help Combat Higher Education Application Fraud - EdTech Magazine. https://edtechmagazine.com/higher/article/2026/01/how-it-teams-can-help-combat-higher-education-application-fraud
• How to Apply for Financial Aid - Houston Community College. https://www.hccs.edu/paying-for-college/financial-aid--scholarships/how-to-apply-for-financial-aid/
• How a Community College Transformed Identity Verification - ID.me. https://network.id.me/case-study/how-a-community-college-transformed-identity-verification/

Raymond Todd Blackwood is the President of QuickLaunch and writes about identity, agentic AI, and the messy reality of higher-ed IT. #ItsExistential