Subscribe to the Non-Human & AI Identity Journal

How should security teams stop bot fraud without hurting onboarding conversion?

Use layered identity signals and risk-based challenge steps instead of forcing every user through the same verification path. The best control pattern is adaptive: low-risk users move quickly, while suspicious automation receives stronger checks or blocking. Pair fraud loss metrics with abandonment data so you can see whether the control is actually working.

Why This Matters for Security Teams

Bot fraud is not just a conversion problem. It is a trust problem that distorts risk scoring, pollutes analytics, and can quietly create exposure across onboarding, account creation, and recovery flows. When teams overcorrect with rigid verification, legitimate users drop out. When they undercorrect, automated abuse can scale quickly and become expensive to unwind. Security, product, and fraud teams need a control path that is adaptive rather than uniform.

This is also where identity governance and NHI risk start to overlap. Fraud crews increasingly use scripted workflows, rotating proxies, and compromised credentials that behave like non-human identities in practice. NHIMG research shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, a reminder that machine-to-machine trust can be weak even before a user completes onboarding. For broader control design, NIST SP 800-53 Rev 5 Security and Privacy Controls remains a useful baseline for access, monitoring, and incident response alignment.

In practice, many security teams encounter fraud only after conversion has already fallen or account abuse has already scaled, rather than through intentional feedback between risk signals and user experience design.

How It Works in Practice

The strongest pattern is risk-based onboarding: collect low-friction signals first, then escalate only when the session or identity profile looks suspicious. That means combining device intelligence, velocity checks, behavioral signals, IP reputation, email and phone reputation, and known abuse patterns into a decision engine. High-confidence users pass through quickly. Low-confidence users may receive step-up verification, document checks, or delayed approval. The key is to tune thresholds against both fraud loss and abandonment, not just one metric.

For identity-heavy flows, current guidance suggests pairing these controls with strong assurance principles from FATF Recommendations and KYC guidance where regulated onboarding applies. If the flow includes automated agents, scripts, or backend service interactions, that becomes an NHI governance issue as well. NHI Management Group’s research on the Ultimate Guide to NHIs is especially relevant when fraud tooling, login automation, or third-party integrations can mimic legitimate system actors.

  • Start with friction-light screening, then escalate only on abnormal risk.
  • Use adaptive challenge steps instead of one fixed verification gate.
  • Feed blocked attempts back into fraud intelligence and SOC detection pipelines.
  • Review false positives by segment, channel, geography, and device class.
  • Set explicit thresholds for when product conversion loss outweighs fraud reduction.

Operationally, this works best when engineering can separate signup risk, login risk, and account recovery risk instead of applying one control to all three. These controls tend to break down when attackers can replay trusted device profiles, farm disposable identities at scale, or exploit overly permissive third-party onboarding APIs because the risk engine loses signal quality.

Common Variations and Edge Cases

Tighter verification often increases abandonment and support overhead, so organisations have to balance fraud suppression against growth targets. There is no universal standard for the exact mix of checks yet, because optimal friction depends on the market, the threat model, and the value of the account being created.

One common edge case is high-growth consumer onboarding, where forcing document checks too early can suppress legitimate signups. Another is enterprise or marketplace onboarding, where fraud may arrive through synthetic identities, reseller abuse, or automated account farms. In those environments, step-up controls should be segmented by use case rather than applied globally. If the flow touches payments, the anti-fraud design should also be reviewed alongside KYC and AML obligations, not just general cyber controls.

NHIMG’s Schneider Electric credentials breach illustrates a broader lesson: once trusted access paths are abused, remediation is much harder than prevention. Teams should therefore treat onboarding as a security control surface, not only a marketing funnel. The practical rule is simple: if the challenge step cannot be explained, measured, and tuned, it will eventually either block too much good traffic or let too much abuse through.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and MITRE ATLAS address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 DE.CM-1 Fraud detection depends on continuous monitoring of suspicious onboarding activity.
NIST SP 800-63 IAL2 Risk-based identity proofing helps right-size verification without over-friction.
NIST AI RMF GOVERN Adaptive fraud scoring needs accountable AI governance and model oversight.
OWASP Agentic AI Top 10 A1 Automated agents can be abused to scale onboarding fraud and evade checks.
MITRE ATLAS AML.TA0002 Fraud automation can use evasion and proxying patterns similar to adversarial AI abuse.

Track adversary tactics that degrade model-based fraud detection and identity scoring.