---
title: "Identity Graphs and Entity Resolution in Fraud Investigation"
description: "Entity resolution decides which scattered signals belong to the same person; an identity graph is the scored, sourced result. A guide to both, and why confidence on every link is what makes a graph usable as evidence."
canonical: https://defencecore.com/blog/identity-graphs-and-entity-resolution
published: 2026-07-03
modified: 2026-07-03
---

# Identity Graphs and Entity Resolution in Fraud Investigation

When an investigation starts with a scattered set of signals — an email here, a phone there, a wallet, a username — the core problem is not gathering more data. It is deciding which of that data belongs to the same person. That problem is called entity resolution, and its output is an identity graph. This guide explains both, and why they sit at the center of modern fraud and trust & safety work.

---

## What Entity Resolution Is

Entity resolution is the process of deciding whether two pieces of information refer to the same real-world entity. A breach record lists an email and a name. A submitted profile lists a different name. A username appears on four platforms. Are these the same person, three people, or a deliberate attempt to look like more than one?

Resolving that is the difference between a pile of data points and an investigation. Get it wrong in one direction and you merge two unrelated people into a false identity. Get it wrong in the other and you miss that a "new" account is a returning banned user. Entity resolution is where investigations are won or lost.

---

## What an Identity Graph Is

An identity graph is the structured result of entity resolution. Nodes are attributes — an email, a phone, a username, a wallet, a discovered alternate email. Edges are the links between them, and each edge carries a **confidence score** expressing how strongly the two attributes belong to the same identity.

A useful identity graph is not a flat list of "related" data. It shows:

- **Your input signals** — the identifiers you started with.
- **The resolved entity** — the identity everything is being linked to.
- **Discovered attributes** — what the investigation surfaced that you did not provide.
- **Confidence on every edge** — so certain links and circumstantial ones are visibly different.

The graph is what lets a reviewer see the whole identity at once, rather than reconstructing it from a report's prose.

---

## Confidence Is Not Optional

The single most important property of a defensible identity graph is that every link is *scored*, and scored transparently.

Linkage confidence should be computed from **corroboration count and source reliability** — how many independent sources agree on a link, and how much each source is worth — not from a model's guess. A link supported by two independent breach corpora that agree with each other is stronger than one inferred from a single circumstantial match, and the graph should say so numerically.

This is what makes an identity graph usable as evidence. A reviewer can act on the 0.96 links with confidence, treat the 0.74 links as leads to corroborate, and never has to wonder how sure the system was.

---

## Where It Breaks Down Manually

Analysts resolve entities in their heads and in spreadsheets. It works, but it is slow and it does not show its work. The confidence judgment lives in the analyst's memory, not in the artifact. When the case is reviewed — or challenged — the reasoning is hard to reconstruct.

An automated identity graph fixes both problems: it resolves entities across many more pivots than a person would run by hand, and it records the confidence and the source for every link, so the artifact is auditable.

---

## In Practice

In a DefenceCore investigation, entity resolution and the identity graph are the first layer of the report. The agent expands your input signals across open sources, links discovered attributes back to the resolved entity, and scores every connection — then the risk signals in the next layer fire against those resolved findings. The identity graph is not a visualization bolted on at the end; it is the substrate the rest of the case is built on.

See a sample report to view a resolved identity graph, with confidence scores on every link, on a fictional case.
