Part of the process is that new node providers must upload a self-declaration document and an identity document to the IC Wiki (not a personal wiki) and provide the hashes of these documents for verification. In my review process, I’ve maintained an expectation that the hashes should be included in the text of the NNS proposal for adding the new NP. This, however, does not necessarily prove the authenticity of these documents. In some jurisdictions (e.g. Delaware) it is very easy to verify the authenticity of a company document whereas in some other jurisdictions it is very difficult or impossible. I note that even this kind of check does not necessarily prove the identity of the individual(s) behind the business entity concerned.
Some while back I queried whether some sort of KYC process could be involved here but it was felt that this might not be in keeping with the goal of having a decentralised and trustless network, as well as having its own technical challenges.
So the community has decided to place a limit of 42 on the number of nodes that can be controlled by a single individual or entity, but enforcing this is very difficult and I’m not aware of anything yet in place that can achieve this with a high degree of rigour. I appreciate that you have some suggestions as to how this could be solved. A couple of years ago I took part in a project to address the Sybil attack issue in another network. The approach might not be relevant to the issue here—I’ve just included it as an example—but it might be possible for some other technical methods to be developed that could help to address this.