By NHI Mgmt Group Editorial Team
Published 2026-01-16
Domain: Governance & Risk
Source: Transmit Security

TL;DR: Generative AI, multi-session fraud detection, facial biometrics and CUA visibility are changing how identity platforms are built, according to Transmit Security’s 2025 Mosaic Rewind. The deeper shift is that identity security is moving from static flows to continuously adapting controls, which raises governance demands across human IAM, fraud and non-human identity programmes.


At a glance

What this is: Transmit Security’s 2025 Mosaic Rewind argues that identity security is shifting toward AI-assisted, adaptive flows, with new capabilities spanning fraud detection, biometrics, integrations and CUA visibility.

Why it matters: IAM teams now have to govern identity journeys that blend human authentication, automated behaviour and fraud signals in one operating model.

👉 Read Transmit Security's 2025 Mosaic Rewind on AI-assisted identity and fraud


Context

Identity security is no longer just about login and authorization. It now includes AI-assisted journey design, fraud detection across multiple sessions, biometric assurance, and visibility into automated actors that can look human at the point of access but behave very differently once inside.

Transmit Security’s 2025 Mosaic Rewind presents that shift as a platform evolution, but the governance problem is broader: teams are being asked to manage changing identity flows without losing control of assurance, auditability or policy consistency. That is relevant across human IAM, fraud prevention and non-human identity programmes.

For practitioners, the issue is not whether identity systems can become more adaptive. The question is whether governance can keep pace when the same platform is shaping user journeys, fraud decisions and machine-driven activity in the same control plane.


Key questions

Q: How should teams govern AI-assisted identity journeys without losing control?

A: Teams should treat AI-assisted journey design as change management, not self-service automation. Define which flow elements can be generated, which require approval, and which must be tested against policy, audit and fraud thresholds before release. The goal is to keep adaptive behaviour inside a governed boundary, not to freeze innovation.

Q: Why is cross-session fraud detection more effective than single-event scoring?

A: Single-event scoring only sees one interaction, which is often enough to look legitimate. Cross-session detection finds repetition, reuse and behavioural consistency that appear across multiple verifications, making synthetic identities and manipulated media easier to spot. It improves confidence because fraud patterns usually emerge over time, not in one transaction.

Q: How can security teams spot automated behaviour inside human-looking sessions?

A: Use behavioural timing, interaction patterns and system-level cues to identify automation that is operating through a normal login or application session. The important distinction is not whether a session began with a human credential, but whether the actions inside it match human behaviour. That is where misuse often hides.

Q: What should organisations check before relying on adaptive identity platforms in regulated environments?

A: They should verify that the platform’s authentication model, policy controls and audit trail meet the standards expected for the sector. For regulated use cases, protocol alignment and traceability matter as much as feature breadth. If the system cannot prove how decisions were made, governance will be weak regardless of automation quality.


Technical breakdown

AI-assisted identity journey design and policy drift

The article describes Spark as an assistant that helps teams define objectives, generate journeys, analyse performance and optimise identity and fraud flows using natural language and live data. Technically, that means policy expression is moving closer to intent capture, while execution remains distributed across authentication, orchestration and fraud telemetry layers. The risk is policy drift: if teams treat generated flows as equivalent to governed controls, the system can evolve faster than review, approval and testing cycles. Adaptive systems need explicit boundaries for what can be changed automatically and what must remain human-approved.

Practical implication: govern AI-assisted journey changes as policy artefacts, not just configuration output.

Multi-session fraud detection and behavioural correlation

Multi-session detection shifts fraud analysis from isolated events to pattern recognition across repeated interactions. Instead of judging a selfie, document or login in a single transaction, the system compares biometric similarity, behavioural signals and document traits over time to identify reuse patterns, synthetic identities and manipulated media. This matters because fraud often appears legitimate within one session but becomes obvious when correlated across journeys. The technical move here is to link identity evidence across sessions without overfitting to a single signal. That requires good data quality, consistent session stitching and clearly defined escalation thresholds.

Practical implication: tune fraud controls around cross-session correlation, not just single-event scoring.
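The correlation step described above, as an added example that is not code from the article or from Transmit Security's platform: sessions are stitched by shared evidence values (a constructed biometric template fingerprint, document number and device id), scored by how many other accounts share each value, and escalated only when at least two independent signal types agree, so a single signal cannot drive the decision on its own. All session data, weights and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed verification sessions (hypothetical data, not from the article).
# face_fp stands in for a biometric template fingerprint, doc_id for a document number.
SESSIONS = [
    {"session": "s1", "account": "acct-A", "face_fp": "fp-01", "doc_id": "doc-111", "device": "dev-x"},
    {"session": "s2", "account": "acct-B", "face_fp": "fp-01", "doc_id": "doc-222", "device": "dev-x"},
    {"session": "s3", "account": "acct-C", "face_fp": "fp-01", "doc_id": "doc-333", "device": "dev-y"},
    {"session": "s4", "account": "acct-D", "face_fp": "fp-02", "doc_id": "doc-444", "device": "dev-z"},
    {"session": "s5", "account": "acct-D", "face_fp": "fp-02", "doc_id": "doc-444", "device": "dev-z"},
    {"session": "s6", "account": "acct-E", "face_fp": "fp-03", "doc_id": "doc-555", "device": "dev-x"},
]

SIGNALS = ("face_fp", "doc_id", "device")
WEIGHTS = {"face_fp": 3, "doc_id": 3, "device": 1}   # constructed weights
ESCALATE_AT = 4    # weighted score needed before any tiering applies
MIN_SIGNALS = 2    # independent signal types that must agree to escalate


def stitch(sessions):
    """Session stitching: map each (signal, value) to the distinct accounts that presented it."""
    accounts_by_value = defaultdict(set)
    for s in sessions:
        for sig in SIGNALS:
            accounts_by_value[(sig, s[sig])].add(s["account"])
    return accounts_by_value


def score_session(session, accounts_by_value):
    """Weighted count of evidence values this session shares with *other* accounts.
    Repeat verifications by the same account do not count as reuse."""
    score, hits = 0, []
    for sig in SIGNALS:
        others = accounts_by_value[(sig, session[sig])] - {session["account"]}
        if others:
            score += WEIGHTS[sig] * len(others)
            hits.append(sig)
    return score, hits


def escalations(sessions):
    """Return session -> (tier, score, signals) for sessions over the threshold.
    'escalate' needs two agreeing signal types; one strong signal only earns 'review'."""
    linked = stitch(sessions)
    out = {}
    for s in sessions:
        score, hits = score_session(s, linked)
        if score >= ESCALATE_AT:
            tier = "escalate" if len(hits) >= MIN_SIGNALS else "review"
            out[s["session"]] = (tier, score, hits)
    return out
```

Running `escalations(SESSIONS)` flags s1 and s2 (shared biometric and shared device across accounts) for escalation, puts s3 in review because only the biometric signal repeats, and leaves the legitimate repeat verification by acct-D untouched.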

Computer-using agent visibility and non-human behaviour

The CUA reference is important because it shows identity systems are now expected to distinguish human interaction from automated runtime behaviour. A computer-using agent can operate through interfaces that look like normal user activity, which makes traditional human-centric detection weaker. Visibility here depends on interaction patterns, timing regularity, input generation and system-level cues that differ from human behaviour. Once CUAs are in scope, identity teams are effectively monitoring a new class of actor whose access may originate through a human session but whose actions are machine-driven.

Practical implication: extend monitoring and policy logic to detect automated behaviour inside apparently human sessions.
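A minimal version of that in-session check, as an added example and not code from the article or Transmit Security: it derives two behavioural cues from a session's event stream, the regularity of inter-event timing (coefficient of variation of the gaps) and whether any pointer movement precedes clicks, and only labels a session automated when both cues agree, so a keyboard-only human is downgraded to "suspect" rather than misclassified. Event streams, thresholds and event type names are constructed for illustration.

```python
import statistics

# Constructed session event streams (hypothetical): (timestamp_ms, event_type).
HUMAN = [(0, "pointer_move"), (180, "pointer_move"), (430, "click"), (1210, "key"),
         (1390, "key"), (1650, "key"), (2400, "click"), (3900, "submit")]
AGENT = [(0, "click"), (100, "key"), (200, "key"), (300, "key"), (400, "click"), (500, "submit")]
KEYBOARD_ONLY = [(0, "key"), (140, "key"), (520, "key"), (610, "key"), (1300, "key"), (1450, "submit")]


def timing_features(events):
    """Timing regularity and interaction-pattern cues for one session."""
    gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
    mean_gap = statistics.mean(gaps)
    # Coefficient of variation: near 0 means metronomic, machine-like spacing.
    cv = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
    pointer_ratio = sum(1 for _, kind in events if kind == "pointer_move") / len(events)
    return {"cv": cv, "pointer_ratio": pointer_ratio, "min_gap_ms": min(gaps)}


def classify(events, cv_floor=0.25, min_pointer_ratio=0.1):
    """Return (label, reasons). Two agreeing cues -> 'automated'; one -> 'suspect'."""
    f = timing_features(events)
    reasons = []
    if f["cv"] < cv_floor:
        reasons.append("metronomic inter-event timing")
    if f["pointer_ratio"] < min_pointer_ratio:
        reasons.append("no pointer movement before clicks")
    if len(reasons) >= 2:
        return "automated", reasons
    if reasons:
        return "suspect", reasons
    return "human-like", reasons
```

In a real deployment these cues would be joined with system-level signals (client attestation, input device provenance) before any policy action, since timing alone is easy to perturb and pointer absence alone is common for accessibility tooling.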


Threat narrative

Attacker objective: The objective is to pass identity checks repeatedly and convert trusted onboarding or authentication flows into a scalable fraud channel.

  1. Entry occurs when AI-driven automation or synthetic identity activity enters through normal identity channels that are still optimised for human users.
  2. Escalation happens when repeated sessions, biometric reuse or behavioural consistency allow the attacker or fraud actor to blend into trusted flows.
  3. Impact follows when the platform misclassifies automation or synthetic identity as legitimate, enabling account compromise, fraudulent enrolment or abuse at scale.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Adaptive identity flows create a governance problem before they create a user experience benefit. When the system can generate journeys, tune rules and optimise outcomes from live signals, the control question shifts from configuration accuracy to policy drift. That is a different governance burden from traditional IAM, where rules are expected to remain stable long enough for review. Practitioners should treat AI-assisted flow design as a controlled change process, not a convenience feature.

Cross-session fraud correlation is the real control shift here, not biometric novelty. The article’s multi-session detection capability reflects a broader industry move away from single-event trust decisions toward behavioural accumulation across sessions. That matters because synthetic identities and media manipulation are rarely provable from one signal alone. The field should stop asking whether one factor is strong enough and start asking whether enough evidence is being retained to prove pattern repetition.

Computer-using agents force identity teams to govern automated behaviour inside human-looking sessions. That is where the traditional assumption breaks: session activity no longer implies a human actor. The implication is not just better fraud detection but a redefinition of where assurance ends and machine action begins. Practitioners need to separate identity proof from execution proof, or automated abuse will continue to hide inside legitimate authentication flows.

Identity platforms are converging fraud prevention and access management into one operational layer. That convergence is useful, but it also raises the cost of poor governance because a weakness in one control domain now affects the others. If identity journeys, fraud signals and automation visibility are not coordinated, teams will keep optimising local controls while missing system-level abuse. The practical conclusion is that IAM, fraud and NHI governance can no longer be run as isolated programmes.

FAPI 2.0 certification and standards alignment matter because regulated identity flows need verifiable trust boundaries. In sectors such as open banking, the issue is not only whether a platform can authenticate users, but whether its interaction model aligns with stronger protocol expectations and auditability. Practitioners should use standards alignment as a gating criterion for integrating adaptive identity flows into regulated environments.

From our research:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • For a broader control baseline, see Top 10 NHI Issues for the governance gaps most teams still miss when identity expands beyond humans.

What this signals

Adaptive identity platforms are becoming control planes for both humans and machines, which means governance has to move from static policy design to continuous assurance. Teams that only review identity flows at release time will miss the drift introduced by AI-assisted configuration, especially when fraud and access decisions are sharing the same orchestration layer.

Identity programmes should expect more evidence requirements, not fewer, as automated behaviour becomes harder to separate from human interaction. The practical signal is that auditability, session lineage and behavioural traceability will matter more than single-point authentication strength.

Cross-domain governance is the next constraint: once fraud intelligence, access management and automation detection converge, a weakness in one area can pollute the others. That is why NHI, IAM and fraud teams need shared control language and shared escalation criteria rather than separate programme dashboards.


For practitioners

  • Define approval boundaries for AI-assisted journey changes: Treat generated identity and fraud flows as governed changes, with explicit review points for policy, step-up logic and exception handling before they reach production.
  • Correlate fraud evidence across sessions: Retain session lineage for biometric, behavioural and document signals so repeated patterns can be detected instead of treating each verification as a standalone event.
  • Separate human proof from automated execution: Add detection logic for computer-using agents and other automated actors that can operate inside apparently normal user sessions, especially where access decisions are session based.
  • Apply standards checks to regulated identity flows: Validate that open banking or similar high-assurance journeys meet protocol and audit expectations before connecting adaptive orchestration to production authentication paths.

Key takeaways

  • Transmit Security’s 2025 update shows identity security moving toward AI-assisted, adaptive orchestration that changes the governance burden as much as the technology stack.
  • Multi-session fraud detection and CUA visibility matter because modern abuse is increasingly pattern-based and machine-mediated rather than isolated and obvious.
  • Practitioners should govern identity flow generation, cross-session evidence and automated behaviour as connected controls, not as separate feature decisions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework                 | Control / Reference | Relevance
OWASP Agentic AI Top 10   |                     | Spark and CUA visibility raise agentic AI governance concerns.
NIST AI RMF               |                     | Adaptive identity flows need governance and traceability.
NIST CSF 2.0              | PR.AC-1             | Identity flows and access decisions depend on controlled authentication and authorisation.

Map identity journey changes to access-control governance and review them continuously.


Key terms

  • Identity Journey Orchestration: The coordinated design of authentication, fraud, step-up and exception flows across a user’s path through a digital service. In practice, it determines how policy, assurance and usability interact, and it must be governed as a controlled process when AI systems can help generate or modify flows.
  • Multi-Session Fraud Detection: A fraud control that evaluates patterns across repeated interactions rather than judging each login or verification in isolation. It helps expose synthetic identities, reused biometrics and coordinated abuse that only becomes visible when session data is linked over time.
  • Computer-Using Agent: An automated software actor that interacts with applications through user-like interfaces and can perform actions that resemble normal human activity. For identity teams, the important issue is not whether the session starts with a human login, but whether machine-driven actions are occurring inside it.
  • Policy Drift: The gradual divergence between an intended control policy and the behaviour actually produced by a live system. In adaptive identity environments, drift can happen when generated flows, exception handling or fraud rules evolve faster than review, making governance weaker even when the platform appears to be functioning normally.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Transmit Security: 2025 Mosaic Rewind Release Notes and platform update overview. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org