Agentic AI fraud breaks identity-first defenses at the interaction layer

At a glance

What this is: This is an analysis of agentic AI fraud that shows attacks now behave like autonomous factories operating across account creation, login, payment, and API flows.

Why it matters: It matters because IAM, fraud, and identity governance teams need controls that measure behaviour and delegation, not just account identity or static policy.

By the numbers:

• 73% of respondents were personally affected by cyber-enabled fraud in 2025.
• AI agents have already performed actions beyond their intended scope in 80% of organisations.

👉 Read Arkose Labs' analysis of agentic AI fraud and interaction-layer attack patterns

Context

Agentic AI fraud is fraud that is partially or fully executed by systems that can plan, adapt, and complete tasks without a human approving each step. The primary IAM question is no longer whether an identity exists, but whether a system can safely govern behaviour at machine speed across the interaction layer.

The article argues that current response models are lagging because they focus on identity verification while the attack itself evolves through account creation, login, payment, and API flows. That mismatch matters for NHI governance, because compromised credentials and service account abuse are now part of the same fraud chain as synthetic identity generation.

The starting position described here is not typical of legacy bot traffic. It is a more advanced, continuously learning attack pattern that mixes automation, identity spoofing, and autonomous decision-making across sessions.

Key questions

Q: How should security teams stop agentic AI fraud without blocking real users?

A: Security teams should focus on behaviour inside the flow, not only on whether the account is real. That means combining onboarding risk, session telemetry, retry patterns, and transaction intent checks so legitimate users can move quickly while machine-paced campaigns are isolated for step-up review or blocking.

Q: Why do synthetic identities make traditional fraud controls less effective?

A: Synthetic identities reduce the value of controls that rely on spotting obviously fake profiles at signup. AI can create convincing identities quickly, so the stronger control is whether the downstream behaviour remains plausible, consistent, and bounded across sessions, devices, and payment activity.

Q: What do teams get wrong about agent identity and agent behaviour?

A: Teams often assume that proving who the agent is also proves what the agent will do. In practice, identity attestation only answers origin and authorization claims. Behavioural governance must still confirm that the system does not drift into unexpected actions once the session starts.

Q: Who should own response when an AI-driven fraud campaign uses compromised credentials?

A: Ownership should sit across fraud operations, IAM, and NHI governance, because the campaign is using both identity abuse and behavioural manipulation. The right response model assigns responsibility for credential containment, session analysis, and account outcome review rather than treating the event as a single-team issue.

Technical breakdown

Synthetic identity generation as the entry layer for agentic fraud

Synthetic identity generation is the use of AI to create realistic but fraudulent identities at scale. In this model, the first stage is not credential theft but account seeding: the attacker manufactures the personas, documents, and profile details needed to pass onboarding controls. Because generation is cheap and fast, the volume of attempts can overwhelm review processes that assume humans create accounts slowly and imperfectly. That shifts fraud prevention from spotting obvious fake profiles to detecting coordinated generation patterns across attributes, devices, and flow timing.

Practical implication: review onboarding controls for signals of mass-created identities, not just individual high-risk registrations.

Interaction-layer abuse across login, payment, and API flows

Agentic fraud often succeeds at the interaction layer because it behaves like a real user inside normal workflows. The system fills forms, retries failures, handles MFA prompts, and moves through account creation, checkout, and API calls in the same sequence a legitimate user would follow. Network-layer inspection is weak here because the traffic itself may look ordinary. The real differentiation is behavioural, including pacing, retry logic, cross-session memory, and the ability to adapt after friction is introduced. That is why identity checks alone do not stop the campaign.

Practical implication: instrument interaction telemetry so fraud controls can evaluate behaviour inside the flow, not just at the perimeter.

Agent identity is not agent behaviour

Agent identity refers to proving who or what the system claims to be. Agent behaviour refers to what it actually does once access is granted. The article’s key technical distinction is that a cryptographic or declarative identity check can succeed while the system still abuses flows, escalates activity, or changes tactics across sessions. This creates a governance gap for AI agents and NHI-style credentials alike: validation at login does not equal containment during execution. Behavioural trust must be tested after authentication, not assumed from it.

Practical implication: separate identity attestation from runtime behaviour controls in your fraud and IAM architecture.

Threat narrative

Attacker objective: The attacker aims to create, maintain, and monetize fraudulent accounts at scale while minimizing human effort per transaction.

1. Entry occurs through synthetic identity generation or compromised credentials that make the first account interaction look legitimate.
2. Escalation happens when the agent navigates login, MFA, API, or checkout flows while adapting to friction and learning from prior sessions.
3. Impact follows when the attack coordinates account management or cashout at scale, turning one human operator into many autonomous fraud actions.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Agentic AI fraud is an identity governance problem, not just a fraud problem. Once an actor can adapt, retry, and coordinate across sessions, classic bot detection stops being the primary control boundary. The field has to treat fraud as a delegated identity behaviour problem across human, NHI, and autonomous actors. Practitioners should align fraud telemetry, access governance, and session controls around behaviour, not only account proofing.

Identity verification fails when the attack objective is execution, not entry. The article shows that synthetic identities, legitimate credentials, and interaction-layer navigation can all coexist in the same campaign. That means the control gap is not simply missing MFA or weak onboarding, but a governance model that assumes authenticated identity is a stable proxy for intent. Practitioners need to reassess where authentication ends and behavioural accountability begins.

Interaction-layer visibility is now a named concept worth tracking: identity-to-action drift. This is the gap between proving an account exists and proving the actions behind that account remain within expected scope. Agentic systems can keep the identity constant while the behaviour changes session by session. That creates a failure mode where governance reports look clean until the actual abuse has already been executed. Practitioners should treat drift between identity and action as a first-class risk signal.

Autonomous fraud collapses the assumption that a human operator is the durable source of intent. The model in the article depends on one operator setting strategy once while agents execute the rest, which means accountability, review, and intervention points are no longer anchored to a single decision-maker per action. The implication is that conventional review cadences and case workflows are built for human-paced fraud, not machine-paced delegation.

AI agent governance, NHI governance, and fraud prevention are converging on the same control question. If an agent can use compromised credentials, spoof a legitimate user, and self-adjust across sessions, then identity controls, lifecycle controls, and behavioural controls all have to be read together. Practitioners should stop treating this as a niche fraud pattern and start treating it as a broader identity security model shift.

From our research:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
• 52% of companies can track and audit the data their AI agents access, leaving 48% without full visibility into agent behaviour.
• That visibility gap is why the OWASP Agentic AI Top 10 matters for practitioners who need behaviour-level control, not only identity attestation.

What this signals

Agentic fraud forces programmes to move from identity proofing to identity-to-action monitoring. The practical shift is toward controls that see how a session behaves after authentication, especially where AI agents or compromised credentials can complete tasks without human pacing.

Identity-to-action drift: this is the emerging control gap where a trusted identity continues to operate while the behaviour behind it changes materially. With 80% of organisations already reporting out-of-scope agent actions, the issue is no longer theoretical, and teams should map where delegated execution escapes existing review and fraud workflows.

The governance response will increasingly align with behavioural zero trust principles and agent-specific risk models. Practitioners should be watching for stronger convergence between IAM, fraud, and agent governance, including references to the OWASP Agentic AI Top 10 and NIST AI Risk Management Framework.

For practitioners

• Instrument interaction-layer behaviour signals Capture field-by-field completion patterns, retry cadence, device changes, and session progression across signup, login, checkout, and API flows so controls can detect machine-paced adaptation.
• Separate identity proof from runtime trust Require a second decision layer after authentication that evaluates session behaviour, transaction intent, and cross-session consistency before allowing high-value actions.
• Treat compromised credentials as fraud accelerants Add service account abuse and delegated credential use to fraud models so legitimate-looking access paths are scored for behavioural drift and unusual escalation.
• Map governance ownership across fraud, IAM, and NHI teams Define which team owns synthetic identity prevention, delegated access review, and response when a legitimate identity is used for fraudulent execution.

Key takeaways

• Agentic AI fraud turns identity into a runtime problem, because the attack can adapt inside legitimate user flows after authentication.
• The evidence points to scale and speed, with autonomous campaigns able to combine synthetic identities, session learning, and credential abuse into one fraud chain.
• Practitioners should shift from account-centric controls to behaviour-centric governance across fraud, IAM, and NHI programmes.

Key terms

• Agentic Fraud: Fraud executed by systems that can plan, adapt, and complete tasks with limited or no human intervention during the session. The control problem is not only account creation, but whether the system can continue to behave within approved bounds after access is granted.
• Identity-To-Action Drift: The gap between an identity that appears legitimate and the actual actions performed under that identity. In agentic environments, drift can happen within a single session, which means authentication alone does not prove safe execution or bounded intent.
• Interaction Layer: The part of a digital journey where a user or agent actually completes forms, handles challenges, submits data, and triggers business actions. For fraud defence, this is where behaviour becomes visible, and where static perimeter controls often lose effectiveness.
• Synthetic Identity: A fabricated identity built from invented or mixed personal data to pass onboarding and build trust over time. In fraud operations, synthetic identities are less about one fake record and more about a scalable entry point for downstream abuse.

Deepen your knowledge

Agentic AI fraud defence is covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is responsible for delegated access, session trust, or identity-led fraud controls, this course is a practical starting point.

This post draws on content published by Arkose Labs: AI The Attack Runs Itself, what agentic AI fraud actually looks like. Read the original.