Agentic AI fraud exposes the limits of bot detection

At a glance

What this is: This is Arkose Labs’ analysis of how agentic AI fraud changes the economics and detection model of online fraud.

Why it matters: It matters because identity, access, and fraud teams now have to govern automated actors that can look legitimate while acting adversarially across human, NHI, and emerging agentic workflows.

By the numbers:

• Consumers lost over $12.5 billion to fraud in 2024, according to FTC data cited by Arkose Labs.
• U.S. fraud losses are projected to reach $40 billion by 2027, driven by generative AI, according to Deloitte figures cited by Arkose Labs.
• Arkose Labs’ November 2025 study found that 8 in 10 enterprises report improved cybersecurity posture from AI adoption, even though only 44% feel very well prepared for AI-powered volumetric attacks.

👉 Read Arkose Labs' analysis of agentic AI fraud and Know Your Agent controls

Context

Agentic AI fraud is the use of autonomous or semi-autonomous systems to adapt, decide, and execute fraud steps in real time. The governance problem is that many current controls still assume a fixed bot pattern or a human operator behind the attack, which breaks when the actor can change tactics mid-session.

For IAM and fraud teams, the important shift is not just more automation. It is the emergence of adversarial agents that can blend into legitimate machine traffic, making authentication strength, session assurance, and behavioural signals part of the same control surface.

The article frames this as a readiness gap rather than a future theory. That starting position is now typical across high-value digital channels, where defenders are already facing automated abuse that outpaces point-in-time detection.

Key questions

Q: What fails when fraud controls are built only for bots and not agentic attackers?

A: Static bot controls fail because agentic attackers do not behave like fixed scripts. They can vary rate, path, and timing, then pivot after a challenge or rejection. That makes simple velocity checks and one-time blocking insufficient. Teams need continuous session risk analysis that can evaluate whether the actor is legitimate automation or adversarial behaviour.

Q: Why do legitimate AI agents complicate fraud and access decisions?

A: Legitimate AI agents complicate decisions because they can share the same technical signals as malicious automation while still being authorized to act. Security teams therefore need to verify provenance, ownership, and scope, not just traffic type. The practical goal is to know whether the agent is expected to transact on behalf of a user or workload.

Q: How do teams know whether machine traffic is becoming a fraud risk?

A: Look for growing use of shared login patterns, repeated challenge failures, unusual transaction sequencing, and machine activity that changes behaviour after friction is introduced. Those are signs that adversarial automation is adapting. The key indicator is not volume alone but whether the traffic can still complete actions that were meant to be protected by authentication.

Q: Who is accountable when an automated agent causes financial fraud?

A: Accountability should sit with the programme that authorized the automation, the team that owns the transaction, and the control owners who accepted the residual risk. If the organisation cannot prove the agent’s origin, purpose, and scope, it cannot credibly defend the decision after loss or regulatory review. That is now a governance issue, not only an incident issue.

Technical breakdown

Why credential stuffing becomes agentic fraud

Credential stuffing is the baseline attack pattern the article uses because it shows how little sophistication is needed when password reuse and weak friction already exist. Agentic AI does not invent a new entry vector so much as it improves decision-making around targeting, timing, and evasion. Instead of hammering a login page at a fixed rate, an agent can vary attempts, rotate infrastructure, and choose the next best account or channel after each rejection. That changes the operational meaning of authentication telemetry, because velocity alone is no longer a reliable signal of abuse.

Practical implication: treat login telemetry as a decision-support input, not a standalone detector.

Know your agent and machine identity assurance

Know Your Agent, or KYA, is the article’s central control idea. It extends the identity question from 'is this a bot?' to 'is this automated actor authorized, attributable, and operating within its intended scope?' That matters because legitimate machine-to-machine activity, consumer agents, and adversarial agents can all share similar technical footprints. In practice, this pushes teams toward provenance, origin, and intent checks, plus tighter linkage between the agent, the user it represents, and the transaction it is trying to complete.

Practical implication: bind automation to accountable identity and session provenance before trusting the transaction.

Why point-in-time fraud controls fail against adaptive agents

Point-in-time checks assume the threat will look the same long enough for a control to catch it. Adaptive agents invalidate that assumption because they can test, retreat, and re-engage inside the same campaign without losing state. That means blocking one attempt often just teaches the attacker what to change on the next. The architecture problem is not merely detection latency. It is that the control model is built around static patterns while the attacker is operating as a learning system.

Practical implication: shift from single-event blocking to continuous prevention and session-level risk management.

Threat narrative

Attacker objective: The attacker objective is to gain unauthorized account access and convert that access into direct financial loss before fraud controls or identity checks can intervene.

1. Entry begins with stolen credentials and large-scale credential stuffing against consumer and financial login pages, using automated scripts to test leaked username-password pairs at volume.
2. Escalation occurs when automation adapts to friction, varies traffic patterns, and pivots into legitimate-looking sessions or account takeover flows before defenders can reliably distinguish the actor.
3. Impact is fraudulent access to retirement and financial accounts, monetary loss, and an expanding attack economy that lowers the cost of abuse while increasing the scale of harm.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Agentic fraud turns identity assurance into a provenance problem: once automated traffic can reason, adapt, and transact, the security question is no longer only whether a session is authenticated. The real question is whether the actor behind the session is authorized to act with that degree of independence. That shifts governance from coarse bot blocking toward binding automation to origin, ownership, and acceptable scope. Practitioners should treat this as a change in identity semantics, not just a fraud-control update.

Know Your Agent is the right control concept because it names the missing decision layer: traditional fraud tooling asks whether traffic is human or machine, but agentic environments need a judgment about whether the machine is legitimate, attributable, and acting within mandate. That distinction matters across consumer identity, payment flows, and NHI-style delegated automation. The field needs controls that can explain who the agent represents and why the transaction should be trusted.

Session persistence is now the attacker’s advantage, not the defender’s: point-in-time fraud prevention assumes the attacker can be interrupted between attempts. Adaptive agents can keep state, learn from rejection, and return with a different tactic almost immediately. That means the governance model itself is changing from single-event authentication to continuous confidence in the actor and the action. Practitioners should re-evaluate any control that only works at login.

Machine-to-machine fraud is collapsing the line between fraud operations and identity governance: the same programme now has to understand user authentication, NHI assurance, and automated decision rights in one view. The article shows why fraud teams cannot isolate themselves from IAM and why IAM teams can no longer assume all automation is benign. The implication is a shared governance model across identity, risk, and fraud operations.

Regulatory pressure will increasingly target the traceability of automated decisions: the article’s FinCEN and EU AI Act discussion points to a future where attribution, logging, and oversight become compliance issues, not just control preferences. That broadens the requirement from stopping abuse to being able to demonstrate how an automated actor was authorized and monitored. Practitioners should expect auditability to become part of the fraud-control baseline.

From our research:

• Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
• Our research also found that 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, sharing sensitive data, and revealing access credentials.
• For the governance angle, see OWASP Agentic AI Top 10 for the control patterns that address agent misuse and scope drift.

What this signals

Agentic fraud will force IAM and fraud teams onto a shared control plane: the next stage of maturity is not better bot blocking alone, but a governance model that can classify authorised automation, consumer agents, and hostile scripts differently. With 33% of organisations already reporting AI agents accessing inappropriate or sensitive data beyond their intended scope, per the AI Agents: The New Attack Surface report, the problem is already operational, not hypothetical.

The practical signal for practitioners is that authentication strength, session monitoring, and transaction authorisation can no longer be owned in separate silos. If fraud operations cannot explain agent provenance, IAM cannot explain delegated access, and compliance cannot audit the decision trail, the programme is behind the threat. That is especially true where machine-to-machine activity is scaling faster than human review cycles.

Identity provenance gap: this is the gap between an authenticated machine action and a defensible machine action. It will become a board-level question because regulators will expect evidence of ownership, logging, and oversight across automated decision paths. Teams that can already separate trusted automation from adversarial traffic will have a material advantage in incident response and audit readiness.

For practitioners

• Define a Know Your Agent policy Create identity requirements for every automated actor that touches customer or payment flows. Record origin, owner, authorization basis, and allowed transaction scope so the security team can distinguish legitimate automation from adversarial automation.
• Move from point-in-time blocking to continuous prevention Use controls that evaluate behaviour across the full session, not just at login, because adaptive agents can change tactics after every denial. Feed challenge decisions, device signals, and transaction context into one risk decision.
• Tighten authentication defaults for high-value channels Make MFA mandatory where it is still optional, especially for financial and retirement accounts. Pair authentication with session monitoring so credential reuse does not become immediate account takeover.
• Separate legitimate automation from suspicious machine traffic Build policies that classify trusted service automation, consumer-facing agents, and unauthorised scripts differently. If every automated request is treated the same, defenders lose the ability to prioritise real abuse.

Key takeaways

• Agentic fraud is different from traditional bot abuse because the attacker can reason, adapt, and re-enter the transaction path.
• The evidence points to a material scale problem, with billions in fraud losses already reported and far larger losses projected as AI-enabled abuse grows.
• The practical response is not just stronger blocking, but provenance, continuous session control, and a defensible model for who or what the agent is allowed to do.

Key terms

• Agentic Fraud: Fraud carried out by systems that can choose actions, adapt to feedback, and continue a campaign without step-by-step human control. In identity terms, it moves abuse from scripted volume to decision-driven execution, which makes static bot checks less reliable and increases the need for provenance and continuous verification.
• Know Your Agent: A control concept for verifying whether an automated actor is authorized, attributable, and operating within its intended scope. It extends identity assurance beyond user or device checks to include origin, ownership, mandate, and the transaction the agent is trying to complete.
• Session-Level Risk Management: A control approach that evaluates behaviour across the life of a session rather than only at login or first authentication. It matters for adaptive automation because the attacker can change tactics after each challenge, so the risk decision has to move with the session.
• Machine-to-Machine Traffic: Automated traffic generated by systems, services, or agents rather than human users. For fraud and identity teams, the issue is not whether the traffic is machine-originated, but whether it is trusted, traceable, and aligned to the scope that was actually approved.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Arkose Labs: AI The Financial Cost of Agentic AI Fraud. Read the original.