Subscribe to the Non-Human & AI Identity Journal

Why do identity and fraud teams need shared controls?

Because the same attacker journey often starts with identity abuse and ends with fraud. Account creation, login, and transaction controls all consume overlapping signals, so separate teams can create gaps or duplicate friction. Shared governance helps ensure trust decisions remain consistent across the customer lifecycle.

Why This Matters for Security Teams

Identity and fraud operations are often treated as separate disciplines, but attackers do not respect that boundary. A credential stuffing campaign can become account takeover, then payment abuse, then synthetic identity activity. When teams use different thresholds, different evidence sources, or different escalation paths, the organisation ends up with inconsistent trust decisions and avoidable customer friction. NIST’s control guidance in NIST SP 800-53 Rev 5 Security and Privacy Controls is useful here because it reinforces that identity assurance, monitoring, and response are not isolated functions.

The real issue is not only false positives or false negatives. It is the loss of a shared operating picture. Identity teams may optimise for login success and account recovery, while fraud teams focus on loss prevention and chargeback risk. Without common control objectives, both can be “right” locally and wrong globally. Shared controls create a single logic for trust, so the same signal can support step-up authentication, transaction review, or case creation without contradiction. In practice, many security teams encounter fraud patterns only after account compromise has already been normalised by an unrelated identity workflow.

How It Works in Practice

Shared controls usually start with agreed decision points across the customer lifecycle: registration, enrolment, authentication, recovery, device binding, payment initiation, and high-risk change events. The objective is to reuse the same core signals where possible, then apply different actions based on context. That might include device reputation, behavioural anomalies, velocity checks, proofing results, session risk, and prior abuse history. Good control design ensures the signals are comparable even if the action differs.

Operationally, this requires a shared data model and a common vocabulary. Identity teams need to understand what fraud teams consider suspicious patterns, and fraud teams need to know which authentication events are strong or weak evidence. The most effective programmes align on:

  • shared event logging and case tagging so both teams see the same sequence of actions
  • consistent risk scoring inputs, even if thresholds differ by workflow
  • clear ownership for step-up challenges, lockouts, and recovery overrides
  • joint tuning for exceptions such as travel, device changes, and failed proofing

Control mapping can also help. Security teams often map shared decisioning to CISA Zero Trust Maturity Model principles and to monitoring practices that support detection across the full journey. For identity-heavy environments, that also means preserving evidence quality so a fraud analyst can trust what the identity stack recorded. If the same customer event triggers both authentication and fraud workflows, the handoff must be designed, not improvised. These controls tend to break down in high-volume consumer platforms with legacy recovery flows because duplicated decision engines create conflicting outcomes and no single team owns the full trust policy.

Common Variations and Edge Cases

Tighter shared controls often increase review overhead and can add friction to legitimate users, requiring organisations to balance stronger abuse prevention against conversion and support burden. That tradeoff is especially visible in mobile banking, marketplaces, and fintech platforms where identity proofing, authentication, and transaction monitoring overlap heavily. Best practice is evolving, and there is no universal standard for exactly where identity control ends and fraud control begins.

Some environments need stronger separation. For example, regulated payment workflows may require distinct approvals, while privacy-sensitive jurisdictions may limit how much identity data can be reused across fraud models. In those cases, the shared-control principle still applies, but the sharing may be at the signal or score level rather than raw data level. Another edge case is agentic AI, where automated support or onboarding agents can become part of the identity journey. That creates new governance needs around tool access, recovery triggers, and abuse detection, especially when the agent can initiate actions on behalf of a user. Guidance from OWASP guidance for LLM applications and emerging AI risk practices can help teams think about trust boundaries, but current guidance suggests those controls should complement, not replace, identity and fraud governance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OV-01 Shared controls need joint governance and oversight across identity and fraud teams.
NIST SP 800-53 Rev 5 IA-2 Identity assurance depends on strong authentication at shared trust points.
NIST Zero Trust (SP 800-207) AC-6 Least privilege limits what compromised identities can do across systems.
OWASP Agentic AI Top 10 Agentic workflows can influence onboarding, recovery, or customer trust decisions.
NIST AI RMF GOVERN Shared control design needs governance, accountability, and risk ownership.

Harden authentication and recovery so fraud controls build on trustworthy identity events.