By NHI Mgmt Group Editorial TeamPublished 2026-06-25Domain: AnnouncementsSource: Arkose Labs

TL;DR: 71% of organisations are concerned about generative AI threats to business apps, while 62% report decreased customer acquisition due to cyberattacks, underscoring how fraud, bots, and AI-driven abuse are now hitting revenue and trust at the same time, according to Arkose Labs. The governance problem is no longer detection alone, but whether platform identity and abuse controls can keep pace with adversarial automation.


At a glance

What this is: This is an Arkose Labs industry page arguing that bots, fraud, and AI-driven abuse are now core platform risk issues, with real-time detection and adaptive mitigation presented as the operational response.

Why it matters: It matters because IAM, fraud, and platform security teams increasingly need to govern machine-driven abuse patterns alongside customer identity, account takeover, and access abuse.

By the numbers:

👉 Read Arkose Labs' analysis of bot abuse, AI threats, and platform trust


Context

Platform abuse is what happens when automated actors, bots, and AI-assisted fraud attempts overwhelm the trust layer of a digital service. For identity teams, that means the problem sits at the intersection of customer access, account security, abuse detection, and the operational controls used to decide whether a session, device, or transaction should be trusted.

Arkose Labs frames this as a revenue and trust issue as much as a security one. The practical challenge is that traditional IAM and fraud controls were not designed for adversarial automation that can change pace, volume, and interaction patterns faster than manual review or static policy can respond. That makes the problem especially relevant to platform teams managing consumer identity and abuse resistance.


Key questions

Q: How should platform teams reduce bot abuse without blocking legitimate users?

A: Use adaptive challenges and multi-signal risk scoring so friction increases only when behaviour looks adversarial. The goal is to slow automation, not create a universal barrier. Teams should tune the decisioning model against real attack patterns, then monitor whether legitimate users are being pushed into unnecessary verification steps.

Q: Why do bots and account takeover often need the same control stack?

A: Because they usually share the same abuse infrastructure, telemetry gaps, and decision points. Registration, login, password reset, and transaction flows can all be manipulated by the same actor set. A shared control stack lets teams correlate behaviour, reduce duplication, and respond to abuse as one lifecycle rather than separate incidents.

Q: What signals should security teams measure to spot platform abuse early?

A: Look for velocity anomalies, device inconsistency, repeated failed interactions, unusual geographic patterns, and mismatches between behavioural and technical fingerprints. No single signal is decisive on its own. The strongest programmes combine several weak indicators into one trust decision and review how often attackers learn to evade the model.

Q: Who should own bot management when it affects customer trust and revenue?

A: Ownership should sit with a cross-functional team that can act across IAM, fraud, and platform security, because bot abuse affects all three. If one team owns only the tooling, the organisation can still fail on response, tuning, or business impact. Shared accountability is what turns detection into a measurable control.


How it works in practice

How adaptive challenges reduce bot-driven abuse

Adaptive challenges are friction controls that change based on observed risk, rather than presenting the same test to every user. In practice, they combine signals such as device reputation, behavioural anomalies, request patterns, and velocity to decide when to step up verification. That makes them useful against scripted abuse because the attacker cannot reliably predict the challenge path or reuse the same automation logic across sessions. The value is not that they stop all abuse, but that they raise the cost of large-scale fraud and fake-account creation while preserving a lower-friction path for legitimate users.

Practical implication: tune challenge policy to risk signals, not fixed thresholds, so high-volume abuse is slowed without punishing normal users.

What 225+ signals can tell you about suspicious activity

A signal-based decision engine works by aggregating many weak indicators into a stronger trust decision. Single signals, such as IP reputation or device fingerprint, are easy for attackers to evade in isolation. When the platform combines hundreds of indicators, the abuse decision becomes harder to spoof because the adversary has to mimic an entire behavioural profile, not just one control point. This is why multi-signal risk scoring is more resilient than isolated checks. It also explains why the quality of telemetry matters as much as the mitigation step itself.

Practical implication: inventory your risk signals and test whether they are independently useful or only meaningful when combined into a scoring model.

Why account takeover and fake accounts often travel together

Account takeover and fake-account creation are different attack goals, but they often share the same underlying infrastructure, tooling, and abuse actors. Fraud groups reuse device farms, proxies, and automation frameworks to probe login flows, registration pages, password reset paths, and SMS-based verification. Once one path is exposed, the same actor can pivot into adjacent abuse, including credential stuffing, referral fraud, and spam amplification. That is why platform defenders should treat identity abuse as a chain of related behaviours rather than a single event type.

Practical implication: correlate registration, login, reset, and transaction telemetry so one abuse pattern does not get managed as four separate problems.


NHI Mgmt Group analysis

Platform abuse is now an identity problem, not just a fraud problem. The article shows that fake accounts, account takeover, and AI-assisted abuse all converge on the same trust surface: whether a platform can reliably distinguish legitimate from adversarial automation. That puts consumer IAM, bot management, and fraud operations into the same decision chain. The implication is that identity programmes for digital platforms need to treat abuse resistance as part of access governance, not as an adjacent web-security function.

Session-level trust decisions matter more as adversarial automation scales. Arkose Labs' emphasis on real-time detection and adaptive mitigation reflects a broader shift away from static allow-or-block thinking. Attackers do not need to defeat every control, only enough of the trust path to create accounts, take over sessions, or siphon revenue. That means platform teams should care less about single-point checks and more about whether risk decisions can be updated continuously across the session lifecycle.

Signal density is becoming the new boundary for abuse defence. The 225-plus signal model described in the article reflects an industry reality: weak signals are cheap to imitate, but dense behavioural models are harder to game. That does not make the control perfect, but it does raise the bar for bot operators and fraud rings. For practitioners, the lesson is that trust decisions should be based on layered evidence, not on one isolated indicator of legitimacy.

Customer identity and revenue protection are now inseparable. The article's customer stories and impact claims point to a simple truth: when abuse increases, acquisition, conversion, and trust all decline together. That is why platform security leaders should not frame bot management as a narrow operational tool. It is part of the identity stack that protects customer experience, revenue, and the credibility of every downstream access decision.

From our research:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
  • Only 44% of organisations have implemented policies to govern AI agents, even though 92% say governance is critical to enterprise security.
  • For a broader view of the identity risk surface, see OWASP Agentic AI Top 10 for the controls teams are using to manage agent behaviour.

What this signals

AI-assisted abuse is widening the gap between detection and governance. The more automation is used to probe sign-up, login, and transaction flows, the more platform teams need evidence-based trust decisions rather than static blocking rules. That is why identity and abuse operations should be connected to the same behavioural telemetry, with clear escalation paths when risk moves from nuisance to revenue loss.

Platform teams should expect more overlap between fraud controls and identity controls. As adversarial automation improves, signals that once belonged to bot management will increasingly inform IAM, risk-based authentication, and customer account protection. The organisations that respond fastest will be the ones that treat abuse telemetry as part of identity infrastructure, not as a separate dashboard.

Signal density becomes a governance advantage when it is linked to policy. The practical challenge is not collecting more data for its own sake, but turning that data into consistent decisions across registration, recovery, and transactional access. Teams that can do that will reduce manual review load while preserving a defensible trust model.


For practitioners

  • Instrument abuse decisions across the full customer journey Correlate registration, login, reset, and transaction telemetry so bot activity is measured as a chain of behaviours, not four unrelated alerts.
  • Use adaptive friction for high-risk sessions Apply step-up verification only when combined signals indicate suspicious activity, and keep low-risk paths as seamless as possible for legitimate users.
  • Review your signal model for evasion resistance Test whether a small change in device, network, or behaviour can bypass the current decisioning model, then strengthen the weakest inputs first.
  • Align fraud, IAM, and platform security ownership Assign one accountable team for bot abuse outcomes so account takeover, fake-account creation, and revenue loss are managed under a shared operating model.

Key takeaways

  • Bot abuse, account takeover, and AI-assisted fraud now operate against the same platform trust surface, so identity and fraud teams need shared governance.
  • Arkose Labs' own numbers show both market pressure and operational friction, with 71% concerned about generative AI threats and 53% saying AI tools are hard to integrate.
  • The practical response is not universal blocking but adaptive, signal-driven friction that can distinguish legitimate users from adversarial automation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Identity and access decisions need to account for suspicious automation and abuse.
NIST Zero Trust (SP 800-207)GV.OC-01Zero trust principles support continuous verification of sessions and trust signals.
OWASP Agentic AI Top 10AI-driven abuse patterns overlap with agentic tooling and automated decision paths.

Use agent-risk thinking to examine where automation can amplify abuse or bypass challenge controls.


Key terms

  • Adaptive Challenge: A challenge mechanism that changes based on observed risk rather than applying the same test to every user. It is used to slow suspicious automation while preserving a low-friction path for legitimate activity. In platform security, it becomes a trust decision, not just a bot deterrent.
  • Account Takeover: A condition where an attacker gains control of a user account and can act as that user inside the platform. It often follows credential stuffing, phishing, or recovery abuse. For identity teams, the risk is not only unauthorised access, but also downstream fraud and trust loss.
  • Signal-Based Decisioning: A trust model that combines multiple weak indicators such as device, network, behaviour, and velocity into one action. It is more resilient than single-factor checks because attackers must imitate an entire profile, not just one control. The quality of the model depends on the quality of the signals.

What's in the full announcement

Arkose Labs' full page covers the operational detail this post intentionally leaves for the source:

  • Product-specific breakdown of how Arkose Titan combines detection and mitigation across abuse scenarios
  • Customer story examples that show how the platform was applied to account takeover, fake accounts, and SMS fraud
  • The vendor's own explanation of its 225-plus signal decisioning model and adaptive challenge flow
  • Commercial details, customer proof points, and platform packaging that implementation teams would need before evaluating a deployment

👉 Arkose Labs' full page includes the platform details, customer examples, and mitigation model behind the abuse-control approach.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org