Subscribe to the Non-Human & AI Identity Journal

Why do deepfakes and agentic AI make onboarding risk harder to control?

Deepfakes supply convincing content, while agentic AI supplies speed and persistence. Together they let attackers scale impersonation, adapt to challenge-response steps, and create fraudulent accounts faster than manual review can keep up. That turns onboarding into a machine-speed adversarial workflow.

Why This Matters for Security Teams

Onboarding is often treated as a single verification event, but deepfakes and agentic ai turn it into a layered attack surface. A synthetic face, voice, or document can defeat casual checks, while an agent can keep retrying, changing tactics, and harvesting signals from each failure. That combination undermines manual review, weak challenge-response steps, and any onboarding flow that assumes a human attacker behaves like a human. Guidance from the NIST AI Risk Management Framework is useful here because it frames AI risk as a lifecycle issue, not a one-time gate.

The real risk is not only identity fraud at the front door. Once a fake account is established, it can be used for account takeover, payment abuse, mule activity, spam, or insider-like access paths that appear legitimate to downstream systems. Security teams often miss this because onboarding controls are owned by operations, fraud, and compliance in separate workflows. That fragmentation gives attackers room to chain weak signals into a passing case. In practice, many security teams encounter this only after fraudulent accounts have already been issued and linked to trusted business processes, rather than through intentional abuse testing.

How It Works in Practice

Deepfakes raise the quality of the input, and agentic AI raises the volume and adaptability of the attack. In a typical onboarding flow, an attacker may use synthetic media to satisfy liveness, video interview, or document review steps, then use an agent to iterate through retries, vary metadata, alter device fingerprints, or respond to follow-up prompts in real time. That means the control objective shifts from “can this person appear believable?” to “can the workflow detect coordinated deception across multiple signals?”

Current guidance suggests treating onboarding as a risk-scored decision pipeline rather than a binary approval queue. That usually means combining:

  • document authenticity checks with device and network reputation signals;
  • liveness testing with behavioral anomaly detection and velocity limits;
  • manual review for exceptions, especially where identity assurance is material to fraud or AML exposure;
  • step-up verification when signals conflict or when the request pattern looks automated.

Frameworks such as the OWASP Top 10 for Agentic Applications 2026 and the MITRE ATLAS adversarial AI threat matrix are helpful because they remind defenders that automated systems can be manipulated through prompt injection, tool abuse, and iterative adaptation, not just by bypassing a single control. For identity-heavy use cases, the FATF Recommendations also matter because onboarding failures can become KYC and AML failures as soon as a fraudulent identity is accepted into a regulated workflow.

Operationally, teams should log the full decision path, preserve evidence of challenged steps, and watch for clusters of similar applications, repeated device patterns, or identical media characteristics. These controls tend to break down when onboarding is outsourced across multiple vendors because risk signals become fragmented, review standards diverge, and no single team owns the end-to-end fraud decision.

Common Variations and Edge Cases

Tighter onboarding controls often increase friction and false rejects, requiring organisations to balance fraud prevention against conversion, customer experience, and support load. That tradeoff is especially sharp when the business serves remote users, low-bandwidth regions, or people who cannot easily complete video-based checks. Best practice is evolving, and there is no universal standard for how much friction is acceptable in every onboarding flow.

Some environments also create edge cases that simple policies do not handle well. A high-value B2B onboarding process may justify stronger review than a low-risk consumer signup, while regulated sectors may need more evidence before account activation. In some cases, synthetic media is only one part of the attack, with stolen personal data used to make the fake identity pass static checks. In others, the attacker does not seek immediate access at all and instead aims to create aged accounts for later abuse.

That is why control design should align to the threat model, not just the channel. The CSA MAESTRO agentic AI threat modeling framework is useful for understanding how autonomous workflows change the attack surface, while NIST Cybersecurity Framework 2.0 helps teams map identity assurance into broader detect, respond, and recover activities. Where onboarding feeds privileged access, financial access, or delegated AI actions, the identity control plane should be reviewed as seriously as the fraud screen itself.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and MITRE ATLAS address the attack and risk surface, while NIST CSF 2.0, NIST AI RMF and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-1 Onboarding fraud is an access assurance problem before it becomes an incident.
NIST AI RMF AI risk management is needed for synthetic media and automated abuse in onboarding.
OWASP Agentic AI Top 10 Agentic systems can adapt, retry, and manipulate onboarding workflows.
MITRE ATLAS AML.TA0001 Adversarial AI tactics explain how attackers scale deception and evasion.
NIST SP 800-63 IAL2 Identity assurance levels are central when onboarding must resist deepfakes.

Use access governance to verify identities before granting any trusted system entry.