DSAR automation under GDPR Art. 15 — how to handle complex identity verification
Our team handles DSARs for a SaaS platform with ~50K EU users. The 30-day clock starts ticking the moment we receive a request, but identity verification often takes 10-15 days when users provide ambiguous proof (screenshot of account settings, expired ID, wrong email address). GDPR Art. 15 gives us the right to request additional information for identity verification, but the EDPB guidelines are vague on what constitutes "reasonable" verification.

We've been using a tiered approach:

Tier 1 (email verification): For basic data export requests — automated, instant
Tier 2 (ID upload): For rectification or deletion requests — manual review, 3-5 days
Tier 3 (notarized): For disputes involving third-party data sharing — legal team review

The bottleneck is Tier 2. We're seeing 30% of requests fail initial verification and require follow-up. Some DPA guidance suggests we should not over-verify — but under-verification risks disclosing personal data to the wrong person.

How did your team operationalize DSAR identity verification at scale? Did you find a defensible middle ground between speed and security?
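One way to operationalize the tiered scheme described in the post is a small deadline-aware tracker: each request is routed to a verification tier by its type, every verification attempt is logged, and a request is flagged for escalation once the days left on the statutory clock fall below the tier's expected review time. This is an added example, not code from the original post or from any poster's system; the request types, the `EXPECTED_REVIEW_DAYS` values (Tier 2 uses the post's 3-5 day upper bound, the others are constructed) and the sample requests are assumptions.

```python
"""Deadline-aware DSAR verification tracker (added example, assumptions noted inline)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Tier(Enum):
    EMAIL = 1       # automated email verification
    ID_UPLOAD = 2   # manual review of an uploaded ID
    NOTARIZED = 3   # legal-team review of notarized proof


# Request type -> required verification tier, following the post's scheme.
# The request-type strings themselves are an assumption of this example.
TIER_FOR_REQUEST = {
    "export": Tier.EMAIL,
    "rectification": Tier.ID_UPLOAD,
    "deletion": Tier.ID_UPLOAD,
    "third_party_dispute": Tier.NOTARIZED,
}

# Expected review time per tier in days (constructed values; Tier 2 uses the
# upper bound of the post's 3-5 days).
EXPECTED_REVIEW_DAYS = {Tier.EMAIL: 0, Tier.ID_UPLOAD: 5, Tier.NOTARIZED: 10}

STATUTORY_DAYS = 30  # the clock the post describes, counted from receipt


@dataclass
class VerificationAttempt:
    on: date
    passed: bool
    reason: str = ""  # e.g. "expired ID", never the proof itself


@dataclass
class DsarRequest:
    request_id: str
    request_type: str
    received: date
    attempts: list = field(default_factory=list)

    @property
    def tier(self) -> Tier:
        return TIER_FOR_REQUEST[self.request_type]

    @property
    def deadline(self) -> date:
        return self.received + timedelta(days=STATUTORY_DAYS)

    def record_attempt(self, on: date, passed: bool, reason: str = "") -> None:
        self.attempts.append(VerificationAttempt(on, passed, reason))

    def verified(self) -> bool:
        return any(a.passed for a in self.attempts)

    def days_remaining(self, today: date) -> int:
        return (self.deadline - today).days

    def at_risk(self, today: date) -> bool:
        """Unverified and the remaining clock no longer covers the tier's review time."""
        if self.verified():
            return False
        return self.days_remaining(today) <= EXPECTED_REVIEW_DAYS[self.tier]


def triage(requests: list, today: date) -> list:
    """Return ids of at-risk requests, most urgent (earliest deadline) first."""
    risky = [r for r in requests if r.at_risk(today)]
    return [r.request_id for r in sorted(risky, key=lambda r: r.deadline)]


def first_attempt_failure_rate(requests: list, tier: Tier) -> float:
    """Share of requests in a tier whose first verification attempt failed (the post's 30% metric)."""
    attempted = [r for r in requests if r.tier == tier and r.attempts]
    if not attempted:
        return 0.0
    failed = sum(1 for r in attempted if not r.attempts[0].passed)
    return failed / len(attempted)


def sample_requests() -> list:
    """Constructed sample data for a stand-alone run."""
    a = DsarRequest("DSAR-001", "deletion", date(2024, 1, 1))
    a.record_attempt(date(2024, 1, 4), False, "expired ID")
    b = DsarRequest("DSAR-002", "rectification", date(2024, 1, 10))
    b.record_attempt(date(2024, 1, 12), True)
    c = DsarRequest("DSAR-003", "export", date(2024, 1, 20))
    c.record_attempt(date(2024, 1, 20), True)
    return [a, b, c]


if __name__ == "__main__":
    reqs = sample_requests()
    today = date(2024, 1, 27)
    print("at risk:", triage(reqs, today))
    print("tier 2 first-attempt failure rate:",
          first_attempt_failure_rate(reqs, Tier.ID_UPLOAD))
```

The escalation rule is deliberately conservative: a request is flagged while the follow-up can still complete before the deadline, so the operator sees the Tier 2 backlog with time to act rather than after the clock has expired. Only the outcome and a short reason are stored per attempt; the uploaded proof itself stays in whatever controlled store handles it.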