Audience: Marketing Operations, Data Engineers, CMOs.
Your customer searches on mobile, browses on desktop, abandons cart, comes back via email, and finally buys in-store. Five sessions, three devices, two channels, one human. Your data system records five separate records and treats them as five separate people. You buy media against the same person five times in the same week.
The identity graph is the data structure that fixes this. It links scattered identifiers into a single persistent profile. According to LiveRamp's 2026 industry analysis, consumers interact with brands on an average of 21 connected devices per household. Without identity resolution, every household looks like 21 strangers.
This article explains how identity graphs work, the two main matching methods, where each one breaks, and how to evaluate identity quality inside your own stack. Identity resolution is one of the operational areas measured inside KScore under Data Maturity.
What an identity graph is
An identity graph is a database of relationships between identifiers. Each node is an identifier: an email address, a phone number, a hashed user ID, a device ID, a cookie, a customer ID from your CRM. Each edge is a confidence-scored claim that two identifiers belong to the same person.
A customer profile is built by traversing the graph. You start from one known identifier and follow edges to find all the others that match. The system assembles every interaction, transaction, and signal tied to those identifiers into one record. That record is what your marketing tools, your AI agents, and your analytics queries read when they ask "who is this customer?"
Identity graphs are not new. What changed in 2026 is that AI agents now query them millions of times per minute for autonomous decisions. The accuracy of the graph directly determines whether your AI makes correct decisions or expensive wrong ones at scale.
Deterministic matching: how it works
Deterministic matching links two identifiers when they share an exact, verified attribute. The classic example is a user logging in to your website. They provide an email address. That email matches the email in your CRM record from a year ago. The graph creates a verified edge between the website session and the historical CRM profile. Same person, proven.
Deterministic identifiers fall into a small list. Email addresses. Phone numbers. Hashed personally identifiable information. Loyalty IDs. Logged-in user IDs. Each requires the customer to explicitly provide the data or to log in to a known account.
The advantage of deterministic matching is accuracy. When two identifiers share a verified email, the match is essentially certain. False positives are rare. AI agents acting on deterministic data make decisions with high confidence.
The disadvantage is reach. Most customer interactions happen anonymously. A first-time website visitor has no email yet. A mobile app user might never log in. Deterministic-only matching captures roughly 30 to 50 percent of customer interactions in a typical D2C operation, leaving the rest as disconnected records.
Probabilistic matching: how it works
Probabilistic matching links identifiers based on statistical inference. If two browser sessions consistently come from the same IP address, use the same WiFi network, share browser fingerprints, and follow similar usage patterns, the system infers they probably belong to the same person. The edge is assigned a confidence score between 0 and 1.
Common probabilistic signals include IP address, device type, browser, operating system, time-of-day patterns, location signals, and behavioral patterns. None of these alone is conclusive. Combined, they produce confidence scores that range from weak (around 0.4) to strong (above 0.9).
The advantage of probabilistic matching is reach. It extends identity resolution to anonymous traffic, cross-device journeys without login, and pre-purchase research patterns. A well-tuned probabilistic system captures 70 to 85 percent of customer interactions.
The disadvantage is error rate. Probabilistic matches are inferences, not proofs. A typical probabilistic system runs at 85 to 95 percent accuracy depending on signal quality and tuning. According to Treasure Data's 2026 industry guidance, when AI agents trigger thousands of autonomous actions per minute on probabilistic data, even a 5 percent error rate means hundreds of wrong actions every minute.
Where each method breaks
Both methods fail in predictable ways. Understanding the failure modes is critical because each failure produces different downstream problems.
Deterministic failures.
- Customer uses different emails across channels. Work email at checkout, personal email for newsletter. The graph sees two people.
- Customer logs out, browses anonymously, never re-authenticates. The anonymous behavior is invisible to the deterministic graph.
- Customer's identifiers change. Email updated, phone changed. Without rolling updates, the graph fragments into two profiles.
Probabilistic failures.
- Shared devices. Family members on the same iPad get merged into one profile. The household looks like a single bizarre person.
- Privacy tools. VPNs, private browsing, and ad blockers strip the signals probabilistic matching relies on. Coverage drops sharply on privacy-aware users.
- Mobile carrier IP rotation. Mobile devices change IP frequently. A weak probabilistic system splits one person into ten profiles across a day.
The hybrid approach
Mature identity systems do not choose between deterministic and probabilistic. They use both, with explicit policy about when each one applies.
Hightouch, LiveRamp, Experian, and Salesforce Data Cloud all describe similar hybrid architectures in their 2025 and 2026 documentation. The pattern is consistent. Use deterministic matching as the verified backbone. Use probabilistic matching to extend reach. Apply each method to the use cases that match its risk profile.
Three policy decisions define a good hybrid system.
Decision one. Which actions require deterministic-only data? Typically: legal communications, financial transactions, sensitive content delivery, and autonomous AI agent decisions on revenue-affecting workflows. These need verified identity. Probabilistic inference is too risky.
Decision two. Which actions can run on probabilistic data? Typically: audience expansion for advertising, cross-device frequency capping, broad personalization signals, and analytics that tolerate some noise. The cost of an occasional mismatch is low.
Decision three. What confidence threshold separates the two? Most enterprise systems use 0.85 or higher for high-stakes workflows and 0.65 or higher for broad reach. Below 0.65, the inference is too weak to act on.
Why this matters more in 2026
Three shifts in the last 18 months have raised the stakes on identity resolution.
First, AI agents have moved from recommendation to action. When a human marketer reviews a campaign, they spot-check the segment list and catch obvious mismatches. When an AI agent runs thousands of personalized actions per minute, mismatches compound at machine speed with no human in the loop. Identity quality becomes the cap on what AI can be trusted to do autonomously.
Second, privacy infrastructure has tightened. iOS 18, expanded GDPR enforcement, and Chrome's third-party cookie phase-out have reduced the signals probabilistic matching relies on. Teams that depended on cookie-based stitching are losing 20 to 40 percent of their match rate. First-party data and hashed identifiers are now the foundation.
Third, identity resolution has moved from batch to real-time. According to Treasure Data, batch resolution that runs nightly is no longer acceptable for AI-driven workflows. The profile must update at 2:14 PM when the customer visits at 2:14 PM, not at midnight when the next batch runs.
How to audit your own identity quality
You can run a simple identity audit in two days of focused work.
Day one. Sample 1,000 customer profiles from your CDP. For each profile, count the number of identifiers linked. Calculate the average and distribution. A healthy operation shows 4 to 7 identifiers per known customer on average. Below 3 indicates fragmented profiles. Above 12 indicates over-aggressive probabilistic merging.
Day two. Run a known-customer test. Pick 50 customers your team knows personally. Look up each in the CDP. For each, verify that all their interactions are linked to one profile. Count the misses. A healthy operation finds 90 percent of known interactions correctly linked. Below 75 percent indicates serious resolution problems.
If the audit reveals problems, the fix order is consistent. First, implement server-side tracking to recover signal lost to client-side blocking. Second, codify identifier hierarchy so the system knows which identifiers to trust when they conflict. Third, tune probabilistic thresholds based on your false-positive tolerance.
What to ask your CDP vendor
Three questions reveal whether a CDP has serious identity resolution or marketing language wrapped around weak matching.
First, ask for the match rate distribution. Not the average. The distribution. Real systems show clear separation between high-confidence deterministic matches and lower-confidence probabilistic ones. Fake systems show a single peak that looks suspicious.
Second, ask for the false positive rate. Specifically, what percent of merged profiles contain interactions from two or more distinct people? Mature vendors disclose this number. Weak vendors deflect.
Third, ask how the system handles a customer logging in with new credentials. Does it create a new profile, attempt to merge, or stop and ask for confirmation? The right answer depends on your use case, but the vendor should have an explicit answer documented.
What to do this week
Pull your CDP profile count. Compare to your customer count from finance. The gap tells you how fragmented your identity resolution is. A healthy ratio is 1.1 to 1.3 profiles per customer. Higher ratios indicate fragmentation that is hurting personalization, attribution, and AI decision quality.
Then run the two-day audit above on a sample. Identity resolution is the foundation of every other marketing capability. Fix it before you scale anything else. If you want to see how identity resolution fits inside an integrated operating system, talk to the KlindrOS team or review pricing for the CDP module.
References and further reading
LiveRamp, Identity Resolution: What It Is, How It Works, Why It Matters. Average household uses 21 connected devices. Hybrid identity strategy guidance. Published March 2026. Read the LiveRamp article.
Treasure Data, What Is Identity Resolution? From Unified Profiles to AI Agent Action. Real-time resolution is non-negotiable for AI workflows. Published March 2026. Read the analysis.
Hightouch, What Is Identity Resolution and How Does It Work? Adaptive resolution and hybrid deterministic-probabilistic patterns. Published March 2025. Read the guide.
Experian Marketing Services, AI-Powered Identity Resolution. Match rate impact on ROAS and personalization. Published February 2026. Read the post.
KlindrOS Complete Compendium V7. Module 8: Customer Data Platform, identity resolution architecture, deterministic and probabilistic matching specifications. Available under NDA.