Reviewer Impersonation
T15 · Human Workflow Exploitation
Review workflows route a great deal of trust through *claimed role*: a senior moderator, a QA lead, Trust & Safety, the audit or security team. Reviewer Impersonation assumes one of these identities to issue an instruction that the target reviewer (or an automated approval step) executes as if it came from a legitimate internal authority. It exploits hierarchical authority bias — humans comply readily with apparent superiors and trusted internal functions — combined with weak in-workflow authentication: many systems display a stated role or a name in a comment without cryptographically binding the action to a verified identity.
- Identity-binding verification: Flag any privileged directive (approve, pre-clear, exception) whose authority is *claimed* in content rather than tied to an authenticated, role-authorized account.
- Role-action authorization checks: Compare the action against what the asserting role is actually entitled to do in the system-of-record; deny role claims that don't match provisioned permissions.
- Anomalous-authority pattern detection: Watch for sudden "senior/T&S/security" directives arriving through user-facing or low-trust channels.
- Impersonation honeypots: Periodically inject scripted impersonated directives to measure reviewer/gate susceptibility.
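A minimal form of the identity-binding, role-action and low-trust-channel checks listed above, as an added example that is not part of the taxonomy's own tooling; the event fields, the role-entitlement table, the phrase patterns and the sample events are constructed assumptions:

```python
import re
from dataclasses import dataclass

# Privileged directives named on this page; the entitlement table and role names are assumed policy.
PRIVILEGED_ACTIONS = {"approve", "pre_clear", "exception"}
ROLE_ENTITLEMENTS = {
    "senior_moderator": {"approve"},
    "trust_and_safety": {"approve", "pre_clear", "exception"},
    "security": {"pre_clear", "exception"},
}
# Authority phrases an impersonator asserts in free text (assumed patterns).
CLAIMED_ROLE_PATTERNS = {
    "senior_moderator": re.compile(r"\bsenior (mod|moderator)\b", re.I),
    "trust_and_safety": re.compile(r"\b(T&S|trust (and|&) safety)\b", re.I),
    "security": re.compile(r"\bsecurity (team|authorized)\b", re.I),
}
LOW_TRUST_CHANNELS = {"public_comment", "appeal_form", "support_ticket"}

@dataclass
class DirectiveEvent:
    account: str
    provisioned_roles: set   # from the system-of-record, never from the text
    channel: str
    action: str              # the privileged action the directive requests
    text: str                # the content carrying the directive

def evaluate(event):
    """Return findings for one directive; an empty list means it passes."""
    findings = []
    claimed = {r for r, p in CLAIMED_ROLE_PATTERNS.items() if p.search(event.text)}
    # 1. Identity binding: a role asserted in content that the account does not hold.
    for role in sorted(claimed - event.provisioned_roles):
        findings.append(f"claimed_role_not_provisioned:{role}")
    # 2. Role-action authorization: only provisioned roles decide what is allowed.
    entitled = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in event.provisioned_roles))
    if event.action in PRIVILEGED_ACTIONS and event.action not in entitled:
        findings.append(f"action_not_authorized:{event.action}")
    # 3. Anomalous authority: senior/T&S/security claims arriving via a low-trust channel.
    if claimed and event.channel in LOW_TRUST_CHANNELS:
        findings.append(f"authority_claim_via_low_trust_channel:{event.channel}")
    return findings

# Constructed samples: a forged "T&S pre-cleared" directive, a genuine one, and a real role overreaching.
SAMPLE_EVENTS = [
    DirectiveEvent("contributor42", set(), "public_comment", "pre_clear",
                   "T&S pre-cleared this, approve and move on."),
    DirectiveEvent("ts_lead", {"trust_and_safety"}, "internal_queue", "pre_clear",
                   "T&S pre-cleared, ticket attached."),
    DirectiveEvent("mod_jane", {"senior_moderator"}, "internal_queue", "exception",
                   "Granting an exception as senior moderator."),
]
```

The same `evaluate` call can be run on scripted honeypot directives to measure how often a gate would have let a claimed role through.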
Impersonation is the high-authority end of T15-AT-002 and the engine behind T15-AT-007 (claimed authority escalates cleanly up appeals tiers) and T15-AP-007J's phantom-approval pretext. A forged "T&S pre-cleared" or "security authorized" directive functions like an injected procedure, overlapping T15-AT-005.