By NHI Mgmt Group Editorial Team
Published 2026-05-11
Domain: Agentic AI & NHIs
Source: Arkose Labs

TL;DR: Agentic AI is lowering the cost of fraud while increasing attacker speed; Deloitte’s Center for Financial Services projects that US AI-facilitated fraud losses will reach $40 billion by 2027, up from $12.3 billion in 2023. The security problem is no longer only detection, but whether fraud controls can make attacking economically irrational before scale becomes unmanageable.


At a glance

What this is: This is an analysis of how agentic AI is changing fraud economics, with attacker cost, scale, and adaptability now outpacing detection-only defenses.

Why it matters: It matters because IAM, fraud, and access teams now have to govern human, bot, and agent traffic together, or risk treating legitimate automation and malicious agentic abuse as the same problem.



Context

Agentic AI changes fraud because it compresses the attacker’s cost of entry. What once required tooling, labor, and time can now be assembled quickly enough that even low-skill operators can run sophisticated abuse campaigns against registration, login, payment, and API flows.

The governance problem is not simply that more automation exists. It is that platforms now have to distinguish legitimate AI agents from malicious ones without blocking accessibility use cases, enterprise workflow automation, or customer-facing assistance. That makes fraud prevention a control problem across identity, intent, and session behaviour, not just a detection problem.


Key questions

Q: How should security teams classify AI agent traffic in fraud prevention flows?

A: Security teams should classify AI agent traffic by intent and behaviour, not by whether automation is present. A useful model separates self-disclosing good agents, non-disclosing good agents, and malicious agents. That approach preserves legitimate automation while giving fraud controls a way to target abuse without blanket blocking.

Q: Why do agentic AI systems make fraud harder to stop with static rules?

A: Agentic AI systems can adapt their tactics faster than manual policy updates or fixed rules can respond. They can change proxies, timing, and interaction patterns within the same session, which means defenders are often reacting after the bypass has already been learned. Adaptive session intelligence is therefore essential.

Q: What do security teams get wrong about blocking bots and automation?

A: The common mistake is treating all automation as the same risk. Some agents are legitimate and user-serving, while others are built to evade controls and scale abuse. If teams block everything, they harm valid users. If they allow everything, they invite fraud. The policy has to be intent-aware.

Q: What should organisations measure if they want to know fraud controls are working?

A: Organisations should measure whether controls are increasing attacker cost, reducing campaign success rates, and forcing repeated abuse to become uneconomic. A control can reduce one attempt and still fail strategically if attackers can immediately retry at low cost. The right metric is not only detection, but deterrence.


Technical breakdown

Agentic AI fraud economics and attacker ROI

Fraud economics are built on a simple ratio: if attack cost stays lower than expected gain, abuse continues. Agentic AI lowers that cost by reducing the effort needed to build, adapt, and run campaigns at scale. That shifts the defender’s task from stopping every attempt to changing the attacker’s return on investment. In practice, the most effective systems add friction, intelligence, and challenge at the points where attackers spend time and compute. The objective is not perfect blocking. It is to make repeated abuse too expensive to sustain.

Practical implication: design controls that increase attacker time, cost, and operational uncertainty rather than relying on detection alone.

Three-tier agent classification for web traffic

A useful fraud model now has to separate self-disclosing good agents, non-disclosing good agents, and malicious agents. Self-disclosing agents operate within declared parameters. Non-disclosing agents may be legitimate but ambiguous. Malicious agents mimic normal use while executing fraud at machine speed. The point of classification is not identity purity, but policy precision. If every automated session is treated the same, security teams either overblock legitimate use or underblock abuse. Behavioural context across the full session becomes the deciding signal.

Practical implication: classify agent traffic by intent and behaviour before applying enforcement, challenge, or access policy.

Session intelligence and adaptive enforcement

Static rules decay because attackers iterate faster than manual policy updates. Agentic attackers can test, adapt, and re-run campaigns without waiting for human approval loops. That means enforcement has to learn from every session and carry that learning forward. The deeper architectural shift is from isolated blocking actions to cumulative intelligence that improves the next decision. This is where classification, device intelligence, and challenge mechanisms work together. Without adaptive feedback, even strong controls become a lagging indicator of abuse.

Practical implication: connect session telemetry to adaptive enforcement so new fraud patterns are learned before they spread.
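As an added illustration of the three-tier classification and the adaptive enforcement described in the two sections above (example code, not from Arkose Labs or the original article), the following Python sketch classifies constructed session telemetry into self-disclosing good, non-disclosing good and malicious agents, maps each tier to allow, challenge or block, and feeds challenge outcomes back so the next decision for the same device is stricter. The telemetry fields, the thresholds and the assumption that a self-disclosure token has been verified out of band are all hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass
# Constructed per-session telemetry; the field names are an assumption, not a real schema.
@dataclass
class Session:
    device: str                     # fingerprint id used to carry learning across sessions
    declared_agent: str | None      # self-disclosure header value, if the agent sent one
    declared_scope: frozenset[str]  # flows the agent declared it would touch
    verified: bool                  # assumption: disclosure token validated out of band
    req_per_min: float
    ip_changes: int                 # proxy rotations observed within one session
    flows: frozenset[str]           # flows touched: login, register, payment, api
    failed_logins: int

ABUSE_THRESHOLDS = {"req_per_min": 60, "ip_changes": 3, "failed_logins": 5}
class AdaptiveEnforcer:
    """Three-tier agent classification plus a feedback loop from challenge outcomes."""
    def __init__(self) -> None:
        self.failed_challenges: dict[str, int] = {}  # device -> prior challenge failures

    def abuse_score(self, s: Session) -> int:
        score = sum(getattr(s, k) >= v for k, v in ABUSE_THRESHOLDS.items())
        # Working login, registration and payment in one session means optimising across flows.
        score += {"login", "register", "payment"} <= s.flows
        return score + self.failed_challenges.get(s.device, 0)  # cumulative intelligence

    def classify(self, s: Session) -> tuple[str, str]:
        """Return (tier, policy) where policy is allow, challenge or block."""
        score = self.abuse_score(s)
        if s.declared_agent and s.verified and s.flows <= s.declared_scope and score == 0:
            return "self_disclosing_good", "allow"  # operating within declared parameters
        if score >= 2:
            return "malicious", "block"
        if s.req_per_min >= 20 or s.declared_agent:
            # Automation without abuse: keep it, step up on payment or with one warning sign.
            policy = "challenge" if "payment" in s.flows or score == 1 else "allow"
            return "non_disclosing_good", policy
        return "human", "challenge" if score == 1 else "allow"

    def record_challenge(self, device: str, passed: bool) -> None:
        """Feed the outcome back so the next decision for this device is stricter."""
        if not passed:
            self.failed_challenges[device] = self.failed_challenges.get(device, 0) + 1

if __name__ == "__main__":
    enf = AdaptiveEnforcer()
    crawler = Session("d2", None, frozenset(), False, 25, 0, frozenset({"api"}), 0)
    print(enf.classify(crawler))              # ('non_disclosing_good', 'allow')
    enf.record_challenge("d2", passed=False)  # the same device later fails a challenge
    print(enf.classify(crawler))              # ('non_disclosing_good', 'challenge')
```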


Threat narrative

Attacker objective: The attacker aims to scale fraud cheaply enough that the value extracted from each campaign exceeds the cost of running it.

  1. Entry occurs when an attacker uses low-cost agentic tooling to automate credential stuffing, fake account creation, or payment abuse across target flows.
  2. Escalation follows when the agent iterates on bypass strategies in real time, shifting proxies, timing, and session behaviour to defeat static controls.
  3. Impact arrives when repeated abuse becomes economically viable at scale, increasing fraud losses while legitimate automation remains difficult to separate from malicious traffic.



NHI Mgmt Group analysis

Agentic AI turns fraud prevention into an economics problem, not just a detection problem. When the cost of launching abuse falls faster than the cost of defending against it, the security model breaks at the incentive layer. Static blocking can still stop individual attempts, but it does not change the attacker’s business case. Practitioners should treat attacker ROI as a control objective, not a side effect.

Three-tier agent classification is the right governance lens because not all automation is malicious. The field has moved beyond the binary of bot or not. Security programmes now need to distinguish self-disclosing good agents, non-disclosing good agents, and malicious agents if they want to preserve legitimate automation while constraining abuse. The implication is that enforcement policy must be intent-aware, not automation-hostile.

Identity controls built for human-paced sessions do not hold when agents adapt continuously. Fraud operations now iterate within the same session and across many parallel sessions, which means human review cadences and static rule updates arrive too late. The governance gap is not just weak enforcement, but a control model that assumes attackers behave slowly enough to be observed before they change. Practitioners should assume the attacker loop is now shorter than the defender loop.

Economic deterrence is becoming a core identity and fraud governance pattern. The named concept here is attacker ROI compression: the deliberate use of friction, challenge, and adaptive intelligence to make abuse unprofitable. That concept matters because it reframes fraud controls as business logic for adversaries, not just technical safeguards. Teams should measure whether controls actually raise attacker cost across the whole session, not merely whether they block a point attempt.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • That confidence gap is why identity programmes should pair NHI governance with fraud and agent controls, as explored in the 52 NHI breaches Report.

What this signals

Attacker ROI compression: fraud teams will increasingly be judged on whether they make abuse economically irrational, not merely whether they detect it. That shift pushes identity, fraud, and access teams to share telemetry and policy intent across the same decision loop, because the attacker now optimises across login, registration, payment, and API paths at once.

With 85,500-plus GitHub stars behind toolchains that advertise anti-detect and CAPTCHA-solving capabilities, the market has already normalised commodity agentic abuse. The next maturity step is not stronger blocking alone, but more precise separation of legitimate automation from adversarial automation, especially where accessibility and enterprise workflows depend on AI agents.

Teams that still treat bot management as a perimeter problem will miss the deeper issue: agentic traffic is now an identity and intent problem. The programme signal to watch is whether challenge, classification, and session learning are converging into one governance layer, or remaining fragmented across tools and teams.


For practitioners

  • Classify agent traffic before enforcing policy: Separate self-disclosing good agents, non-disclosing good agents, and malicious agents using behavioural and session context. Do not rely on IP reputation or fingerprinting alone when legitimate AI assistants, bots, and autonomous abuse can look similar at the network layer.
  • Add friction where attackers spend time and compute: Apply challenge and step-up controls at registration, login, payment, and API edges so repeated abuse becomes expensive. The goal is to increase attacker cost consistently enough that low-value campaigns stop being profitable.
  • Build adaptive learning into enforcement: Feed every session outcome into the detection model so new bypass patterns are incorporated quickly. Static rules decay as attackers iterate, so fraud controls need learning loops that are faster than manual policy updates.
  • Measure attacker ROI compression: Track whether challenge, device intelligence, and policy decisions reduce campaign success rates while raising attacker effort. If controls only move traffic around but do not increase cost, they are not changing the fraud economics.
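As an added worked example of the cost-to-gain ratio from the technical breakdown and of the "measure attacker ROI compression" item above (example code, not from Arkose Labs or the original article), this Python snippet computes attacker cost, gain, break-even success rate and ROI for one campaign window before and after a control change, and reports whether the change actually raised cost per success rather than just moving traffic. All unit costs and campaign figures are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class CampaignWindow:
    """Outcomes of one abuse campaign over a measurement window (constructed figures)."""
    attempts: int
    successes: int
    challenges_served: int
    # Assumed unit costs: constructed placeholders, not market prices.
    cost_per_attempt: float    # compute and proxy cost of one attempt
    cost_per_challenge: float  # what a solving service charges per challenge
    value_per_success: float   # expected gain from one successful abuse event

def attacker_economics(w: CampaignWindow) -> dict:
    """Attacker-side ratio of cost to expected gain, the quantity controls must move."""
    cost = w.attempts * w.cost_per_attempt + w.challenges_served * w.cost_per_challenge
    gain = w.successes * w.value_per_success
    success_rate = w.successes / w.attempts if w.attempts else 0.0
    # Success rate below which the campaign loses money at its current cost per attempt.
    break_even = (cost / w.attempts) / w.value_per_success if w.attempts else 0.0
    return {
        "success_rate": success_rate,
        "cost_per_success": cost / w.successes if w.successes else float("inf"),
        "roi": (gain - cost) / cost if cost else float("inf"),
        "break_even_success_rate": break_even,
        "economic": gain > cost,
    }

def roi_compression(before: CampaignWindow, after: CampaignWindow) -> dict:
    """Did a control change raise attacker cost and cut success enough to make abuse uneconomic?"""
    b, a = attacker_economics(before), attacker_economics(after)
    return {
        "roi_before": b["roi"],
        "roi_after": a["roi"],
        "cost_per_success_multiplier": a["cost_per_success"] / b["cost_per_success"],
        "success_rate_drop": b["success_rate"] - a["success_rate"],
        "made_uneconomic": b["economic"] and not a["economic"],
        # A control that only shifts traffic without raising cost per success changes nothing.
        "raised_cost": a["cost_per_success"] > b["cost_per_success"],
    }

if __name__ == "__main__":
    # Constructed: the same credential-stuffing campaign before and after step-up challenges.
    before = CampaignWindow(100_000, 2_000, 0, 0.002, 0.003, 5.0)
    after = CampaignWindow(100_000, 60, 80_000, 0.002, 0.003, 5.0)
    print(roi_compression(before, after))
```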

Key takeaways

  • Agentic AI lowers the cost of fraud, which means the defender’s real problem is economics as much as detection.
  • The biggest governance mistake is treating every automated session as either trusted or hostile, when the real task is separating legitimate agents from malicious ones.
  • Fraud controls now need to raise attacker cost across the full session, or they will be outpaced by autonomous adaptation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while the NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework               | Control / Reference | Relevance
OWASP Agentic AI Top 10 |                     | Agentic traffic classification and tool misuse are central to the article.
NIST AI RMF             |                     | The article focuses on governance, measurement, and accountability for AI-driven risk.
NIST CSF 2.0            | PR.AA-1             | Identity and access assurance is needed to distinguish legitimate from malicious automation. Apply access assurance controls that separate authorized sessions from abuse patterns.


Key terms

  • Agentic Traffic: Traffic generated by software that can act on behalf of a user or process with some degree of independent decision-making. In fraud prevention, it includes both legitimate assistants and malicious automation, so the control question becomes intent and behaviour, not automation alone.
  • Economic Deterrence: A control strategy that makes abuse too costly to sustain. Rather than relying only on detection and blocking, it increases attacker time, effort, and compute until the expected return from targeting a system becomes unattractive.
  • Attacker ROI Compression: The deliberate reduction of an attacker’s return on investment by raising cost and lowering success probability. In practice, it means designing controls that make repeated fraud attempts slower, harder, and less profitable across the whole session.
  • Three-tier Agent Classification: A governance model that separates self-disclosing good agents, non-disclosing good agents, and malicious agents. It helps teams apply policy more precisely so legitimate automation is preserved while adversarial automation is constrained.

Deepen your knowledge

Agentic AI fraud economics and three-tier agent classification are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for a mixed human, bot, and agent traffic environment, it is worth exploring.

This post draws on content published by Arkose Labs: Fraud Prevention, The Economics of Fraud Have Changed. Here’s Why.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org