To be an HID, it must announce itself as one (called "driver" even when it just announces itself and requests the default OS driver). To do so, it must authenticate with the host OS. If not, the HID functionality will be disabled.
What? USB devices in general, and HIDs in particular, do not authenticate with the OS when plugged in.
You plug it in, and it negotiates with the host controller automatically. The host controller notifies the OS that the device is there, and then the OS queries the device for its properties. The device is perfectly capable of lying about what it is and what it does.
If the device identifies as a keyboard, mouse, Smart Card reader, or removable storage, by default the OS will load its native drivers and handle the device seamlessly. The device could have nefarious functionality, but the OS has no way of knowing about that.
Various OS security tools and third-party utilities can attempt to restrict the use of USB devices. None of them are pleasant to use, from the standpoint of either the administrator or the end user.
I've been told the problem is when the USB drive is actually a storage device, but leeches power (but no connectivity to the host computer) to broadcast the contents of the device on WiFi to a listening attack machine outside (but in WiFi range).
Not terribly practical or interesting. This idea probably came from someone who watches too many "hacker" movies. Anyone who is concerned about restricting USB devices probably already has a solution for detecting rogue WiFi clients and APs. If not, they can buy one off the shelf. This is something I would expect to see in a Hollywood movie.
Rogue USB devices are not something a hacker is going to use against some random citizen in hopes of scoring access to their checking account. This is something enterprises and governments are going to be worried about, and they have options for mitigating the threat.
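The enumeration behaviour described in this post (the OS binds drivers to whatever interface classes the device declares) can be inspected by walking a configuration descriptor. This is an added example, not part of the original post: the descriptor bytes are constructed, and `policy_violations` with its allow-list is a hypothetical policy check. It only compares what the device claims, which is all the host has to go on.

```python
import struct

# USB-IF interface class codes for the device types named in the post.
CLASS_NAMES = {0x03: "HID", 0x08: "Mass Storage", 0x0B: "Smart Card"}
DT_CONFIG, DT_INTERFACE = 0x02, 0x04


def declared_interfaces(blob: bytes):
    """Return (class, subclass, protocol) for each interface descriptor."""
    if len(blob) < 9 or blob[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]  # wTotalLength
    if total > len(blob):
        raise ValueError("truncated descriptor set")
    found, pos = [], 0
    while pos + 2 <= total:
        length, dtype = blob[pos], blob[pos + 1]  # bLength, bDescriptorType
        if length < 2 or pos + length > total:
            raise ValueError(f"bad bLength at offset {pos}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at {pos}")
            # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol
            found.append(tuple(blob[pos + 5:pos + 8]))
        pos += length  # endpoint and class-specific descriptors are skipped
    return found


def policy_violations(blob: bytes, allowed_classes: set):
    """Names of declared classes outside the (hypothetical) allow-list."""
    return sorted({CLASS_NAMES.get(c, f"0x{c:02x}")
                   for c, _, _ in declared_interfaces(blob)
                   if c not in allowed_classes})


# Constructed sample: a "flash drive" that also declares a boot keyboard.
SAMPLE = bytes.fromhex(
    "09 02 39 00 02 01 00 80 32 "  # configuration, wTotalLength = 57
    "09 04 00 00 02 08 06 50 00 "  # interface 0: mass storage, SCSI, BOT
    "07 05 81 02 00 02 00 07 05 02 02 00 02 00 "  # bulk IN / OUT endpoints
    "09 04 01 00 01 03 01 01 00 "  # interface 1: HID, boot, keyboard
    "09 21 11 01 00 01 22 3f 00 "  # HID class descriptor
    "07 05 83 03 08 00 0a")        # interrupt IN endpoint

if __name__ == "__main__":
    print(declared_interfaces(SAMPLE))
    print(policy_violations(SAMPLE, {0x08}))  # port meant for storage only
```
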