By NHI Mgmt Group Editorial Team | Published 2026-06-19 | Domain: Events | Source: SumSub

TL;DR: Banking leaders at Money20/20 Europe argued that invisible banking, selective disclosure, and agentic commerce will make fraud signals less obvious while increasing pressure on cross-border trust, regulatory harmonisation, and shared fraud intelligence, according to SumSub. The practical issue is not just reducing friction, but redesigning identity and fraud controls for systems that increasingly behave like normal traffic until they do not.


At a glance

What this is: This SumSub discussion says invisible banking and agentic commerce are pushing fraud and trust decisions deeper into background systems, where normal-looking activity can hide abnormal intent.

Why it matters: It matters because IAM, NHI, and fraud teams will need controls that work for users, workloads, and agentic systems without relying on obvious session cues or visible step-up moments.



Context

Invisible banking is the shift where users experience services without seeing the underlying identity, payment, or fraud controls in the foreground. In that model, the real governance problem is not whether transactions are fast, but whether the trust decisions behind them are still intelligible, reviewable, and enforceable across digital identity, payments, and agentic commerce.

The article frames a broader financial-services question: as more activity is delegated to systems that act quietly on behalf of people and businesses, fraud prevention must recognise intent without creating needless friction. That brings NHI-style governance, human identity assurance, and emerging agentic workflows into the same control conversation. For background on the machine identity side of that problem, see the Ultimate Guide to NHIs.


Key questions

Q: How should financial institutions govern fraud controls for invisible banking flows?

A: They should treat invisible banking as a traceability problem, not only a user-experience problem. Every hidden trust decision needs a clear owner, evidence retention, and an audit path that shows why the transaction was accepted or challenged. Without that, fraud teams can detect outcomes but cannot reliably explain decisions.

Q: Why does agentic commerce change fraud detection so much?

A: Because the decision-maker is no longer always a person interacting directly with the system. Software intermediaries can search, compare, and transact at runtime, which weakens traditional behavioural signals and shifts the focus to authorisation scope, delegation, and transaction intent.

Q: What do security and fraud teams get wrong about selective disclosure?

A: They often assume reducing shared identity data preserves the old assurance model. In reality, selective disclosure changes which signals are available for verification, dispute handling, and anomaly detection, so teams must redesign policy, cryptographic assurance, and escalation paths together.

Q: How do cross-border payments complicate identity and fraud governance?

A: Different jurisdictions can require different trust evidence, different verification thresholds, and different accountability models for the same transaction type. That fragmentation makes it harder to operate one consistent control plane, so teams need governance patterns that can be explained and audited across markets.


Background and context

Invisible banking changes where identity assurance happens

Invisible banking moves the assurance layer away from a visible login or checkout step and into the background of product flows. That matters because the identity decision is no longer a one-time gate, but a series of micro-decisions about trust, consent, and transaction context. In payments and digital banking, that usually means stronger linkage between device signals, behavioural cues, account history, and policy logic. The architectural challenge is that the more seamless the experience, the less obvious the control boundary becomes, which makes monitoring and auditability harder.

Practical implication: map every hidden trust decision to a control owner and an audit trail before you simplify the user experience.

Selective disclosure is a fraud control, not just a privacy feature

Selective disclosure limits which identity attributes are revealed during verification, so the relying party sees only what is necessary. That can reduce over-collection, but it also changes the fraud model because defenders lose some of the raw data they traditionally used to correlate risk. The key design question is whether the remaining signals are strong enough to support step-up decisions, dispute handling, and replay detection. In practice, selective disclosure works best when paired with strong cryptographic assurance and clear policy about when additional attributes can be requested.

Practical implication: define which attributes are mandatory, which are optional, and which cannot be deferred when fraud review is triggered.
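The attribute policy described above, as an added example that is not code from SumSub or NHI Mgmt Group. It assumes a simplified salted-digest disclosure scheme, with an HMAC and a constructed key standing in for the issuer's signature; the attribute names and the mandatory / fraud-review sets are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"constructed-demo-key"      # stand-in for the issuer's signing key
MANDATORY = {"age_over_18", "country"}    # assumed policy: always required
ON_FRAUD_REVIEW = {"full_name", "document_number"}  # assumed: not deferrable on review
# Constructed sample identity attributes.
SAMPLE_ATTRS = {"age_over_18": True, "country": "DE",
                "full_name": "A. Example", "document_number": "X0000000"}

def _digest(salt, name, value):
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _sign(digests):
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(attrs):
    """Issuer: commit to each attribute with a salted digest, sign the digest list."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in attrs.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
    return {"digests": digests, "sig": _sign(digests)}, disclosures

def verify(credential, presented, nonce, seen_nonces, fraud_review=False):
    """Relying party: return (decision, reasons) for a set of presented disclosures."""
    if not hmac.compare_digest(_sign(credential["digests"]), credential["sig"]):
        return "reject", ["issuer signature invalid"]
    if nonce in seen_nonces:  # holder key binding over the nonce is omitted here
        return "reject", ["presentation nonce replayed"]
    seen_nonces.add(nonce)
    for name, (salt, value) in presented.items():
        # An undisclosed attribute stays hidden; a disclosed one must match a signed digest.
        if _digest(salt, name, value) not in credential["digests"]:
            return "reject", [f"{name}: disclosure matches no signed digest"]
    required = MANDATORY | (ON_FRAUD_REVIEW if fraud_review else set())
    missing = sorted(required - set(presented))
    if missing:
        return "step_up", [f"missing attribute: {m}" for m in missing]
    return "accept", []
```

The same minimal presentation that is accepted in a routine flow returns `step_up` once `fraud_review` is set, which is the point at which the policy has to say which attributes may then be requested.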

Agentic commerce will weaken static fraud signals

Agentic commerce introduces software intermediaries that can browse, compare, and transact on behalf of a user or business. That breaks many legacy fraud models because classic behavioural indicators such as mouse movement, device continuity, and predictable checkout timing may no longer describe the real decision-maker. In this environment, the relevant identity question is whether the system acting is authorised, constrained, and attributable at runtime. This is where identity governance starts to overlap with workload identity and non-human decision paths, even when the end customer is a person.

Practical implication: build detection around authorisation scope and transaction intent, not just around human interaction patterns.
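A runtime check on authorisation scope that also emits the audit record called for under invisible banking above, as an added example that is not code from SumSub or NHI Mgmt Group. The mandate fields, the control owner name, the sample transaction and the deny/challenge split are all assumptions made for illustration.

```python
from datetime import datetime, timezone

CONTROL_OWNER = "payments-fraud-team"  # hypothetical owner of this decision point
# Constructed delegation mandate: what the customer authorised the agent to do.
MANDATE = {
    "mandate_id": "m-001", "agent_id": "agent-shopper-7", "customer_id": "cust-42",
    "scopes": {"purchase"}, "merchant_categories": {"groceries", "travel"},
    "currency": "EUR", "max_amount_minor": 20000, "max_total_minor": 50000,
    "expires": datetime(2026, 12, 31, tzinfo=timezone.utc),
}
# Constructed agent-initiated transaction (amounts in minor units, i.e. cents).
SAMPLE_TXN = {"txn_id": "t-1001", "agent_id": "agent-shopper-7", "action": "purchase",
              "merchant_category": "groceries", "currency": "EUR", "amount_minor": 4500}

def authorise(txn, mandate, now, spent_so_far_minor=0):
    """Check an agent transaction against its mandate and return the audit record."""
    hard = {  # a failure here means the agent is acting outside its delegation
        "agent_matches_mandate": txn["agent_id"] == mandate["agent_id"],
        "mandate_not_expired": now < mandate["expires"],
        "action_in_scope": txn["action"] in mandate["scopes"],
        "merchant_category_allowed":
            txn["merchant_category"] in mandate["merchant_categories"],
        "currency_matches": txn["currency"] == mandate["currency"],
    }
    soft = {  # a failure here is referred back to the customer as a challenge
        "amount_within_limit": txn["amount_minor"] <= mandate["max_amount_minor"],
        "total_within_budget":
            spent_so_far_minor + txn["amount_minor"] <= mandate["max_total_minor"],
    }
    checks = {**hard, **soft}
    failed = [name for name, ok in checks.items() if not ok]
    if not all(hard.values()):
        decision = "deny"
    elif failed:
        decision = "challenge"
    else:
        decision = "allow"
    # Every outcome, including "allow", records who owns the control and why it decided.
    return {
        "decided_at": now.isoformat(), "control_owner": CONTROL_OWNER,
        "mandate_id": mandate["mandate_id"], "customer_id": mandate["customer_id"],
        "agent_id": txn["agent_id"], "txn_id": txn["txn_id"],
        "decision": decision, "failed_checks": failed, "checks": checks,
    }
```

No input to the decision is a human interaction signal, and the returned record is what lets a reviewer reconstruct why a background transaction was allowed or challenged.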


NHI Mgmt Group analysis

Invisible banking creates a trust opacity problem: the more financial activity disappears into background flows, the harder it becomes to prove which control made the decision and why. That is not the same as automation risk. It is a governance problem where the trust boundary is no longer visible to the user, the operator, or the auditor. Practitioners should treat this as a control traceability issue across identity, payments, and fraud operations.

Agentic commerce sharpens the failure of human-centric fraud heuristics: traditional signals assume a person is interacting directly with the system in a predictable session. That assumption weakens when software intermediaries can initiate, combine, and complete actions on the user’s behalf. The implication is that fraud teams need to understand not just whether an action happened, but whether the acting system had the right identity and scope at the time.

Selective disclosure exposes an identity signal trade-off: reducing visible attributes can improve privacy and reduce data hoarding, but it also removes some of the weak signals fraud teams relied on for cross-checking. That makes assurance more dependent on policy design, cryptographic integrity, and shared trust frameworks. The practitioner takeaway is that privacy-preserving identity cannot be bolted on after fraud controls are designed.

Cross-border payment trust is now a regulatory architecture problem: harmonisation matters because fragmented rules force firms to maintain multiple trust models for the same transaction class. That slows controls, complicates evidence, and increases friction for legitimate users. The broader lesson is that payment governance, identity proofing, and fraud analytics increasingly need a common policy language rather than separate local interpretations.

Normal traffic is becoming the primary fraud disguise: when automation, invisible banking, and background identity checks converge, the strongest attack pattern is to look ordinary long enough to pass routine controls. That changes the defender’s job from spotting obvious anomalies to proving that the control plane still understands the actor and the intent behind each transaction. Practitioners should build for explainable trust decisions, not just for faster approvals.

From our research:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • As payment ecosystems and delegated workflows expand, use 52 NHI Breaches Analysis to examine how third-party exposure and lifecycle failures turn background access into operational risk.

What this signals

Invisible trust debt: as banking becomes quieter, organisations accumulate control decisions that users never see and auditors often cannot easily reconstruct. That makes evidence retention and policy traceability a first-class requirement, not a documentation afterthought.

With 92% of organisations exposing NHIs to third parties in our research, any payment flow that relies on delegated systems now inherits a wider trust chain than the customer ever sees. The practical implication is that fraud controls have to cover every background identity in the path, not just the visible user session.

The next phase of payments governance will be judged less by how little friction it adds and more by whether it can explain decisions across identity, delegation, and jurisdiction. Teams that cannot line up those three elements will struggle to scale agent-assisted commerce safely.


For practitioners

  • Map hidden trust decisions to control owners: Inventory every background identity, payment, and fraud decision point in invisible banking flows. Assign a named control owner, define what evidence is retained, and make sure reviewers can reconstruct why a transaction was allowed.
  • Separate privacy from fraud assurance design: Decide which identity attributes are essential for dispute handling, replay detection, and step-up review before you implement selective disclosure. Do not assume a smaller attribute set will still support the same fraud outcomes.
  • Rebuild fraud analytics for non-human decision paths: Update detection models so they look at authorisation scope, delegation, and transaction intent, not only at human interaction patterns. This is critical when software intermediaries act on behalf of customers or business users.
  • Test cross-border policies against audit evidence needs: Compare how the same transaction is evidenced across jurisdictions, especially where local regulatory expectations differ. If a reviewer cannot explain the decision in one consistent language, the policy is too fragmented to scale.

Key takeaways

  • Invisible banking shifts fraud defence into the background, where control decisions must still be explainable and auditable.
  • Agentic commerce weakens human-centric fraud signals and forces teams to focus on authorisation scope, delegation, and intent.
  • Cross-border payment governance now depends on identity controls, evidence standards, and regulatory harmonisation working together.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST Zero Trust (SP 800-207) | PR.AC-1 | Hidden trust decisions and delegated access map to continuous verification in payment flows.
NIST CSF 2.0 | PR.AA-01 | Identity assurance and accountability are central when controls move into background flows.
OWASP Agentic AI Top 10 | AGENT-03 | Agentic commerce introduces runtime action by software intermediaries and scope drift risks.

Constrain agent actions to explicit policy and review runtime authorisation before each transaction.


Key terms

  • Invisible Banking: A banking model where core identity, payment, and fraud decisions happen behind the user interface rather than in visible steps. It improves convenience, but it also hides control boundaries, so teams need stronger traceability, evidence retention, and policy ownership to prove why a transaction was trusted.
  • Selective Disclosure: A verification approach that reveals only the minimum identity attributes needed for a relying party to make a decision. It reduces unnecessary data sharing, but it also changes the fraud model because fewer attributes may be available for cross-checking, dispute handling, and anomaly detection.
  • Agentic Commerce: Commercial activity where software acts on behalf of a person or organisation to search, compare, and complete transactions. In governance terms, the acting entity may no longer be the human customer, so authorisation scope, delegation, and runtime intent become more important than visible user interaction.
  • Trust Traceability: The ability to reconstruct which identity, policy, and control decision allowed an action to proceed. In background financial flows, traceability is what turns a silent approval into an auditable security decision, and without it, fraud teams lose the ability to explain or defend outcomes.

This post draws on content published by SumSub: Part 2 of special coverage from Money20/20 Europe on AI, trust, and fraud. Read the original.
