By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: Smile IDPublished May 29, 2026

TL;DR: AI-enhanced fraud is now 4.5 times more profitable than traditional methods, with INTERPOL citing 651 arrests and more than $45 million in losses across 16 African nations in early 2026, according to Smile ID’s analysis. The identity control problem is shifting from one-time KYC gates to continuous proof of personhood at transaction time, where static verification no longer matches machine-scale deception.


At a glance

What this is: This is Smile ID’s view that AI is industrialising fraud faster than many markets are adapting, and that identity checks must move from onboarding to continuous verification.

Why it matters: It matters because IAM, KYC, and fraud teams now have to treat identity assurance as an ongoing control problem, not a one-time checkpoint, especially where synthetic identities and deepfakes can drive transaction abuse.

By the numbers:

👉 Read Smile ID's analysis of AI-driven fraud and continuous identity verification


Context

AI is compressing the time between fraud invention and fraud at scale, which is why identity teams cannot rely on static onboarding checks alone. In markets where mobile financial services are growing faster than legacy banking infrastructure, the control question becomes whether the person at the moment of action is real, unique, and present.

The article argues that fraudsters are adopting AI faster than most enterprises are adapting their controls, and that the next wave of identity risk will blend synthetic identities, face swaps, device abuse, and poisoned identity data. For practitioners, this is a shift from compliance-led identity verification to runtime assurance across the transaction lifecycle.

This is typical of emerging-market identity programmes under pressure from mobile-first growth and fraud industrialisation, but the pattern is increasingly relevant wherever digital onboarding and high-value actions happen at scale.


Key questions

Q: How should security teams govern non-employee identities across onboarding and offboarding?

A: Security teams should treat non-employee access as a lifecycle process with named ownership, approved scope, and a clear end state. That means onboarding, entitlement changes, reviews, and deprovisioning all need the same sponsor accountability. If the relationship changes, the access record must change with it, otherwise orphaned access will accumulate.

Q: Why do AI-driven fraud attacks bypass traditional KYC controls?

A: Traditional KYC controls are designed to verify a person once, not to prove that the same person is still present later. AI-driven fraud exploits that gap with synthetic identities, face swaps, and adaptive social engineering. The control failure is not identity collection, but the lack of runtime revalidation when risk changes.

Q: What do identity teams get wrong about biometrics and phishing resistance?

A: They often assume stronger authentication alone solves identity risk. In reality, proofing quality, device trust, recovery paths, and exception handling all influence whether biometric or phishing-resistant methods are trustworthy. A weak lifecycle can undermine even a strong authentication factor.

Q: Who is accountable when AI-driven fraud bypasses identity controls?

A: Accountability usually sits across IAM, fraud operations, and product security, because the failure spans authentication, session trust, and abuse response. If the organisation cannot explain why an automated actor was treated as trustworthy, the gap is governance, not just detection. That is the level leaders should review.


Technical breakdown

Why continuous identity verification matters more than KYC gates

KYC answers whether an account should be opened, but it does not prove that the person behind a later transaction is still the same human. Continuous identity verification extends assurance into login, payment, and account-change moments, combining biometrics, liveness detection, device intelligence, and fraud signals. That matters because AI-generated faces, synthetic identities, and credential sharing can bypass one-time checks while still looking legitimate at onboarding. The deeper issue is that identity confidence decays after enrollment unless it is revalidated where risk changes.

Practical implication: treat onboarding as the start of identity assurance, not the end, and apply stronger checks to high-risk actions.

How biometrics and fraud signals work together against synthetic identity abuse

Biometrics alone are not enough if the attacker can replay, spoof, or inject generated content. Fraud signals add context by assessing device posture, behavioural anomalies, geolocation inconsistency, and velocity patterns around the transaction. Together, they make it harder for a synthetic identity to survive repeated challenge points. This is especially important in mobile-first environments, where low-friction customer journeys can be exploited if assurance is not layered. The key architecture point is that assurance should be cumulative, not binary.

Practical implication: combine biometric checks with device and behaviour telemetry for any action that changes money, access, or account state.

What AI changes in the fraud lifecycle

AI reduces the cost of generating convincing content, scaling outreach, and adapting fraud scripts in real time. That shifts fraud from manual, campaign-based abuse to adaptive, industrialised operations that can personalize lures, switch channels, and evade simple pattern matching. The result is that traditional controls focused only on known signatures fall behind quickly. Identity and fraud programmes therefore need controls that evaluate the session, the device, the human signal, and the transaction context together. In practice, this is a detection and decisioning problem, not just a verification problem.

Practical implication: design fraud controls to inspect behaviour and context at decision time, not just detect known bad indicators after the fact.



NHI Mgmt Group analysis

Continuous proof of personhood is becoming the real identity control. The article is right to separate KYC from continuous authentication, because AI fraud breaks the assumption that a checked identity remains trustworthy throughout the session. In practice, the control gap is not missing onboarding checks but the absence of runtime assurance at the moment value moves. Practitioners should treat post-enrolment identity as a separate trust decision, not a continuation of the original one.

AI-enhanced fraud collapses the gap between synthetic identity and behavioural abuse. Deepfakes, face swaps, poisoned identity records, and device manipulation are no longer isolated attack types. They now combine into a single fraud chain that can defeat narrow controls one by one. That means identity teams need to think in terms of assurance layers rather than single-point verification, especially where mobile financial services dominate.

Runtime identity risk is a lifecycle problem, not just a fraud problem. The same programme that verifies a customer at onboarding must also govern re-authentication, high-value approval, and account recovery. If those moments are governed separately, attackers simply move to the weakest one. The implication is that IAM, fraud, and customer identity teams need shared ownership of the post-login trust boundary.

Emerging markets are becoming the proving ground for post-AI identity controls. The article shows that fraud pressure is already forcing markets such as the Philippines and several African countries toward stronger biometric and fraud-signal requirements. That is likely to accelerate governance expectations elsewhere, because the operational lessons are arriving before formal policy does. Practitioners should expect continuous verification to move from niche control to baseline expectation.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • For the broader control model behind this shift, see the Ultimate Guide to NHIs and align identity assurance with lifecycle governance.

What this signals

Proof of personhood is moving into the same governance category as access control. Once AI fraud becomes cheap to generate and hard to distinguish from a real user, the programme boundary moves from identity proof at enrolment to continuous assurance across the session. That means teams should expect stronger links between customer identity, fraud analytics, and step-up authentication in digital channels.

Continuous assurance will become a competitive requirement, not just a fraud control. Markets with mobile-first banking and fast digital onboarding will feel this first, but the governance lesson is broader: the more value moves digitally, the more identity must be revalidated at the point of action. Identity programmes that cannot connect onboarding, runtime checks, and account recovery will expose the weakest link.

With 79% of organisations already reporting secrets leaks and 77% of those incidents causing tangible damage, per our Ultimate Guide to NHIs, the lesson is that trust boundaries fail when identity signals are easy to copy or reuse. That same pattern now appears in human fraud flows, where static checks are increasingly insufficient.


For practitioners

  • Move from onboarding-only assurance to transaction-time verification Rework customer identity flows so that high-risk actions such as fund transfers, profile changes, and account recovery trigger fresh assurance checks. Make the decision point explicit and separate from initial KYC approval.
  • Layer biometrics with device and behaviour telemetry Use liveness detection, device intelligence, velocity checks, and anomaly scoring together rather than as isolated controls. The goal is to make synthetic identities harder to reuse across multiple actions.

Key takeaways

  • AI-enhanced fraud turns identity verification into a runtime assurance problem, not a one-time onboarding problem.
  • The scale signal is already clear: INTERPOL-linked enforcement actions and Smile ID’s own volume figures show the issue is operational, not theoretical.
  • The practical response is layered assurance, with biometrics, fraud signals, and transaction-time checks tied to high-risk actions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Identity proof and access decisions are central to continuous verification.
NIST SP 800-63SP 800-63BThe article’s focus on authenticating real humans aligns with digital authenticator guidance.
NIST Zero Trust (SP 800-207)4.0Continuous verification mirrors zero-trust assumptions about never trusting a single check.
GDPRArt.32Biometric and identity data handling raises security and protection obligations.

Assess biometric processing and fraud telemetry under Art.32 security controls and minimise unnecessary retention.


Key terms

  • Continuous identity validation: A governance model that checks identity trust throughout execution rather than only at login or periodic review. For AI and machine identities, this means verifying access, scope, and behaviour in real time so actions can be constrained while they are happening.
  • Proof of Personhood: Proof of personhood is evidence that a real human is present behind an interaction, not a bot, synthetic identity, or automated proxy. In modern identity programmes it is a runtime assurance concept, not a one-time signup check, and it becomes more important as AI makes fake human behaviour cheaper to produce.
  • Fraud signal: A fraud signal is any observable clue that suggests suspicious behaviour, such as failed verification, unusual access, transaction anomalies, or mismatched identity attributes. Good programmes do not rely on one signal alone. They correlate multiple signals before escalating a case.

What's in the full article

Smile ID's full article covers the operational detail this post intentionally leaves for the source:

  • The specific biometrics and fraud-signal methods used to authenticate identity at transaction time.
  • The Philippines policy shift away from SMS OTPs and what it means for digital identity design.
  • The company’s field observations from Africa and Asia on how AI fraud is changing customer trust decisions.
  • The operational distinction between KYC onboarding and continuous authentication in mobile financial services.

👉 Smile ID's full article covers the shift from KYC to continuous proof of personhood across mobile-first markets.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org