By NHI Mgmt Group Editorial TeamDomain: Agentic AI & NHIsSource: StytchPublished August 13, 2025

TL;DR: AI has not defeated modern authentication so much as exposed the weakness of single-factor login, according to Stytch. The practical response is to combine phishing-resistant passkeys, device-bound biometrics, and pre-session risk scoring, with the same trust layer extended to AI agents and delegated integrations.


At a glance

What this is: This is an analysis of why AI amplifies fraud only when authentication still relies on single factors, and why layered, device-bound identity controls change the equation.

Why it matters: It matters because IAM, fraud, and identity teams now need one trust model that covers human logins, delegated agent access, and risk-based step-up without overrelying on brittle signals.

By the numbers:

👉 Read Stytch's analysis of AI-era authentication and delegated agent access


Context

AI-generated voice and face fraud increases pressure on authentication programmes, but the core weakness is older than generative AI: systems still trust single signals that are easy to copy, replay, or coerce. In identity terms, the problem is not that authentication has stopped working, but that too many programmes still treat one factor as sufficient proof of identity.

For IAM teams, the stronger model is layered verification. Device-bound credentials, contextual risk scoring, and continuous session signals reduce dependence on any single proof point, while also giving organisations a way to govern both human access and delegated AI agent access under the same assurance model.

The same pattern appears across non-human identity governance as well. When an agent, integration, or workload acts on behalf of a user, the trust chain must still be scoped, auditable, and revocable, which is why the Ultimate Guide to NHIs remains relevant to teams trying to unify human and machine identity controls.


Key questions

Q: How should security teams reduce AI-driven account takeover without adding user friction?

A: Use phishing-resistant primary authentication, then add risk scoring only when session context looks unusual. Passkeys and device-bound biometrics remove the weakest reuse paths, while contextual checks let good users pass quickly. The goal is not more prompts, but fewer prompts tied to stronger proof.

Q: Why do single-factor logins fail faster in the AI era?

A: Because AI lowers the cost of impersonation while single-factor systems still trust one easy-to-copy signal. Passwords, voiceprints, and basic biometrics are no longer durable proof on their own. Organisations need layered assurance that includes device binding, context, and session risk.

Q: How do organisations know if their authentication controls are actually working?

A: Look for fewer successful phishing and replay attempts, lower fallback-to-password usage, and more decisions based on device and network risk rather than static credentials. If users still bypass strong factors often, the control is present but not governing real access paths.

Q: What should teams do when AI agents act on behalf of real users?

A: Treat the agent as a scoped identity with explicit permissions, audit trails, and revocation rules. The human owner should be verified strongly, but the agent still needs its own access boundaries. That prevents delegated activity from becoming invisible shadow access.


Technical breakdown

Why single-factor authentication breaks under AI-assisted fraud

Single-factor authentication assumes one credential or one biometric is enough to establish identity. That assumption fails when attackers can cheaply clone voices, mimic facial signals, or reuse stolen passwords at scale. In practice, the authentication decision becomes too dependent on a static token or a weak human signal, while the real risk sits in session context, device integrity, and behavioral anomalies that the lone factor cannot represent.

Practical implication: move away from single signals as primary proof and require phishing-resistant, device-bound authentication for high-risk access.

How passkeys and hardware-bound biometrics change the auth model

Passkeys use public-key cryptography so the private key stays on the user’s device and is unlocked locally. That shifts the security boundary from something the user remembers to something the device can prove. When biometrics are tied to a secure enclave rather than treated as a cloud-stored identity secret, they become an unlock mechanism, not a standalone authenticator, which materially reduces replay and phishing risk.

Practical implication: make device-bound passkeys the default for primary authentication and reserve weaker fallback paths for tightly controlled recovery.

Why pre-session risk scoring matters for human and delegated AI access

Risk scoring works best before the session is established, because it can combine device fingerprinting, network reputation, client integrity, and historical access patterns into one decision. That matters for delegated AI access too, because an AI client may legitimately call tools on behalf of a person while still requiring scoped, verifiable trust. The control plane should evaluate the session, not just the login event.

Practical implication: score the client and environment before granting access, then apply step-up only when the session context falls outside expected bounds.


NHI Mgmt Group analysis

Single-factor authentication is the real broken assumption, not authentication itself: the article is correct that AI has not defeated identity assurance, it has exposed the fragility of programmes that still rely on one proof point. That model was designed for a world where a password or biometric was hard to copy at scale. The implication is that identity teams must stop treating single-factor login as a meaningful assurance baseline.

Device-bound proof is now the minimum viable trust anchor for both humans and delegated access: passkeys and hardware-tethered biometrics reduce the value of cloned voices, replayed credentials, and synthetic impersonation. This aligns with phishing-resistant authentication patterns in modern IAM, but it also changes how programmes think about evidence of presence and possession. Practitioners should treat the device as part of the identity signal chain, not an implementation detail.

Contextual auth now has to absorb fraud, identity, and delegation risk together: pre-session scoring is no longer just a fraud-prevention feature when AI clients can act on behalf of users through tool access and APIs. The same control plane has to decide whether a human, a bot, or a delegated agent should be trusted at all. Identity governance therefore becomes a unified trust problem across human IAM and NHI access, not a set of separate control silos.

AI agent access should be governed as scoped identity, not exception handling: the article’s delegation model shows why machine-mediated actions need first-class identity, least privilege, and auditability. That is where human IAM and NHI governance converge. The implication for practitioners is to design for revocation, scoping, and session-level visibility before delegated AI use becomes operationally normal.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means many access paths remain outside governance and review.
  • For the broader governance model, see 52 NHI Breaches Analysis, which shows how exposed identities translate into real-world incident patterns.

What this signals

Session trust is becoming the organising principle for identity programmes. The practical shift is from treating login as a one-time gate to treating access as a continuously evaluated state. That means security teams need policies that combine device trust, behavioural signals, and delegated identity scope into one decision path, especially where human users and AI clients share the same applications.

AI delegation forces IAM and NHI governance to converge. A delegated agent is not just a new frontend for the user, it is a new identity subject with its own scoping and revocation requirements. Teams that already manage service accounts, secrets, and workload identity can reuse governance patterns here, but only if they stop treating agent access as an exception.

With 97% of NHIs carrying excessive privileges, the governance lesson is clear: if privilege is overbroad in machine identity, it will be overbroad in delegated AI access unless the access model changes first.


For practitioners

  • Default to phishing-resistant authentication Make passkeys the preferred primary factor for workforce and customer journeys where account takeover risk matters. Keep passwords only as tightly controlled fallback, and remove silent downgrade paths that let weak authentication survive in the background.
  • Bind biometrics to trusted devices Use biometric prompts as local unlock signals for keys stored on trusted hardware, not as standalone identity proof. That keeps the biometric out of the role of portable secret and reduces the chance that a replayed face or voice becomes enough to grant access.
  • Score sessions before access is granted Combine device integrity, browser and OS signals, IP reputation, and prior device-to-account history before the session starts. Use that score to decide whether to allow the request, require step-up, or block access outright.
  • Extend the same trust layer to delegated AI clients Treat AI clients and integrations as scoped identities that must be authenticated, authorised, and monitored under the same rules as users. Their permissions should be narrow, auditable, and revocable when the delegation relationship changes.

Key takeaways

  • AI has exposed the weakness of single-factor authentication, not the failure of authentication as a discipline.
  • Device-bound passkeys, hardware-tethered biometrics, and pre-session risk scoring form the practical baseline for stronger identity assurance.
  • Delegated AI access should be governed as scoped identity, with the same revocation and audit expectations used for non-human identities.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207), NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01The article extends trust decisions into delegated non-human access.
NIST Zero Trust (SP 800-207)3.4Continuous verification aligns with pre-session and contextual risk scoring.
NIST CSF 2.0PR.AC-7Phishing-resistant auth and contextual access fit identity proofing and access control outcomes.
NIST SP 800-53 Rev 5IA-2Phishing-resistant authentication maps directly to strong identification and authentication controls.

Prioritise phishing-resistant authentication and adaptive access controls in PR.AC-7 programmes.


Key terms

  • Passkey: A passkey is a phishing-resistant credential pair that uses public-key cryptography and keeps the private key on the user’s device. In practice, it replaces password reuse with device-bound proof and changes authentication from secret recall to cryptographic possession and local unlock.
  • Device-bound authentication: Device-bound authentication ties the strongest proof of identity to a trusted device or secure enclave rather than to a reusable secret. It matters because the device becomes part of the assurance model, which reduces replay, cloning, and remote theft risk across human and delegated access.
  • Session risk scoring: Session risk scoring evaluates the likelihood that an access attempt is legitimate by combining device, network, and behavioural signals before or during login. It is most effective when used to decide step-up, block, or approve access rather than as a passive fraud metric.
  • Delegated AI client: A delegated AI client is a software actor that performs actions on behalf of a human user under scoped authority. It should be treated as a governed identity subject, because its permissions, audit trail, and revocation state determine how much damage delegation can create.

What's in the full article

Stytch's full post covers the implementation detail this analysis intentionally leaves at the control-design level:

  • Passkey rollout guidance for consumer and workforce authentication flows
  • Device fingerprinting and active risk assessment patterns for session scoring
  • How to bias recovery flows away from password fallback without breaking access
  • Practical handling of AI clients and delegated access in the auth stack

👉 Stytch's full post covers passkey design, biometric binding, session scoring, and AI client trust patterns in more operational detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org