By NHI Mgmt Group Editorial Team | Published 2025-07-21 | Domain: Governance & Risk | Source: Fingerprint

TL;DR: AI-powered phishing, synthetic identities, and account takeover are pushing banks toward device intelligence, behavioural analytics, and real-time risk decisions, according to Fingerprint’s summary of Gartner’s 2025 Fraud and Financial Crime Prevention Hype Cycle. Static controls are losing ground; fraud programmes now need adaptive identity signals that protect both compliance and customer experience.


At a glance

What this is: Fingerprint’s summary of Gartner’s 2025 fraud and financial crime outlook, which argues that AI-driven fraud is outpacing static controls and making device intelligence central to modern banking defences.

Why it matters: For IAM practitioners, the same shift toward adaptive, signal-driven decisioning is reshaping how identity, fraud, and access programmes handle NHI, autonomous, and human risk at runtime.



Context

AI-assisted fraud is no longer limited to obvious bot activity or crude phishing. In banking and financial services, attackers are combining synthetic identities, device spoofing, and social engineering to create fraud attempts that blend into normal customer journeys and strain legacy identity checks.

For IAM and fraud teams, the issue is not only detection but decision quality. Controls that rely on static trust markers, fixed rules, or one-time authentication are increasingly poor fits for environments where risk changes with every session, device, and transaction.


Key questions

Q: How should banks reduce false positives without weakening fraud controls?

A: Banks should combine device intelligence with behavioural analytics so a suspicious session is challenged only when the evidence supports it. That means using contextual signals such as tampering, network changes, and velocity anomalies to distinguish fraud from ordinary customer variance. The goal is selective friction, not blanket tightening, because broad controls create churn and still miss adaptive attacks.

Q: Why do AI-driven fraud attacks create problems for static identity checks?

A: Static checks fail because they capture a point in time, while fraud can evolve during the same session. An attacker may pass onboarding or login and then shift devices, networks, or behaviour to complete abuse. Banks need runtime risk decisions that update as the session unfolds, rather than assuming trust is fixed after the first verification step.

Q: How do security teams know whether device intelligence is working?

A: Device intelligence is working when it improves detection without creating excessive manual review or blocking legitimate customers. Look for better identification of tampering, emulator use, VPN masking, and unusual velocity, along with lower false-positive rates in onboarding and transaction flows. If teams cannot explain why a risk score changed, the signal model is too opaque to govern well.

Q: What is the difference between fraud detection and identity assurance in banking?

A: Fraud detection looks for abusive behaviour and suspicious context, while identity assurance asks whether the subject is who they claim to be. In modern banking, the two overlap because attackers often use valid-looking identities on compromised or manipulated devices. Strong programmes treat them as linked but separate decision layers, with shared signals and different intervention thresholds.


Technical breakdown

Device intelligence and persistent visitor IDs

Device intelligence combines device, network, and behavioral signals to build a persistent visitor ID that remains stable even when cookies are cleared or network paths change. That gives fraud systems a durable way to recognize repeat activity across sessions and surface anomalies such as spoofing, emulator use, or browser tampering. The value is not simple fingerprinting, but contextual recognition that supports real-time risk scoring when identity evidence is incomplete or intentionally obscured.

Practical implication: use persistent device identity as one input to step-up decisions, not as a standalone trust signal.

How behavioral analytics improves fraud detection

Behavioural analytics looks at patterns such as keystrokes, gestures, session timing, and navigation flow to detect when activity diverges from normal human or device behaviour. In this article’s context, those signals help distinguish a legitimate customer from an AI-assisted fraud attempt that mimics a real session but leaves subtle timing and interaction anomalies. This is especially useful when fraudsters rotate infrastructure or hide behind VPNs, because the session behaviour itself becomes part of the risk model.

Practical implication: combine behavioral telemetry with device context so suspicious activity can be challenged without blocking ordinary customers.
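
An added example (not from Fingerprint or the original post) of a runtime step-up decision that treats the persistent visitor ID as one input alongside behavioural and network signals, and returns the reasons behind every score so a change can be explained. The weights, thresholds, field names and sample session are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed weights and thresholds for illustration; a real programme tunes these.
WEIGHTS = {"tampering": 40, "emulator": 40, "unknown_device": 30,
           "behaviour_drift": 30, "velocity": 25, "network_change": 15}
STEP_UP, DENY = 30, 70

@dataclass
class Event:
    kind: str                 # "login", "transfer", ...
    visitor_id: str           # persistent device identifier (hypothetical field)
    network: str              # e.g. ASN or VPN exit label
    typing_ms: float          # mean inter-key interval observed for this event
    tampering: bool = False
    emulator: bool = False

class Session:
    def __init__(self, trusted_devices, baseline_typing_ms):
        self.trusted = set(trusted_devices)
        self.baseline = baseline_typing_ms
        self.events = []      # (timestamp_seconds, Event)

    def evaluate(self, ev, now):
        """Re-score on every event; return (action, score, reasons)."""
        self.events.append((now, ev))
        first = self.events[0][1]
        recent = [t for t, _ in self.events if now - t <= 60]
        ratio = ev.typing_ms / self.baseline
        checks = {
            "tampering": ev.tampering,
            "emulator": ev.emulator,
            # A recognised device only avoids this penalty; it never cancels other signals.
            "unknown_device": ev.visitor_id not in self.trusted,
            "behaviour_drift": not (0.5 <= ratio <= 2.0),
            "velocity": len(recent) > 5,
            "network_change": ev.network != first.network,
        }
        reasons = [name for name, hit in checks.items() if hit]
        score = sum(WEIGHTS[name] for name in reasons)
        action = "deny" if score >= DENY else "step_up" if score >= STEP_UP else "allow"
        return action, score, reasons

def demo():
    """Constructed session: clean login, then a transfer whose signals drift."""
    s = Session({"dev-A"}, baseline_typing_ms=120.0)
    return [
        s.evaluate(Event("login", "dev-A", "AS-home", 110.0), now=0),
        s.evaluate(Event("transfer", "dev-A", "vpn-exit", 20.0), now=30),
    ]
```

In the constructed session the login is allowed and the later transfer is challenged, while a network change on its own stays below the step-up threshold.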

Why ML models need fresh real-world signals

Fraud models decay when they are trained on stale patterns. Continuous device and session telemetry gives self-supervised, supervised, and unsupervised models the live data they need to detect emerging attack patterns, recalibrate thresholds, and reduce false positives. In practice, this matters because fraud tactics evolve faster than manual rules and review queues can keep up. The architectural point is that model quality depends on signal freshness as much as on model sophistication.

Practical implication: feed current device and session data into retraining cycles so fraud controls do not freeze around last quarter’s attack patterns.


Threat narrative

Attacker objective: The attacker wants to complete fraudulent onboarding, take over legitimate accounts, or move money while avoiding detection.

  1. Entry occurs when an attacker uses AI-assisted phishing, synthetic identities, or spoofed devices to begin a fraudulent banking interaction.
  2. Escalation follows as the attacker rotates IPs, tampers with the browser, or uses emulators and VPNs to evade static checks and progress through onboarding or account access.
  3. Impact is account takeover, abusive transaction activity, or money-mule style fraud that slips past legacy controls and creates compliance and customer-experience damage.



NHI Mgmt Group analysis

AI-driven fraud has turned identity verification into a continuous risk decision, not a point-in-time gate. Static checks assume a user remains stable across the session, but this article describes an environment where device, network, and behaviour all change under active attack. For banks, the governance question is no longer whether identity was confirmed once, but whether the signal set remains trustworthy throughout the interaction. The practitioner conclusion is that fraud controls now need runtime context, not just onboarding assurance.

Device intelligence is becoming the control plane for fraud decisions because fraudsters increasingly attack the device, not just the account. When emulators, VPNs, tampering, and velocity abuse are part of the attack path, identity proofing alone cannot explain the risk. The stronger model is to treat device behaviour as an identity signal that supports KYC, AML, and account takeover prevention together. Practitioners should align fraud, IAM, and risk teams around shared signal governance rather than separate control silos.

Behavioural drift is the named concept banks need to watch. The same customer journey can look legitimate at login and malicious by transaction time, which means trust drift occurs within a single session. That is why fixed rules produce both misses and false positives. The implication is that practitioners must design controls around movement in risk, not a one-time trust verdict.

AI is compressing the attacker advantage faster than traditional fraud operations can absorb. Fraudsters use generative tools to scale synthetic identities and phishing, while defenders must ingest more signals, retrain models, and preserve customer experience at the same time. Gartner’s framing points to a structural shift in financial crime prevention, not a temporary tuning problem. The practitioner conclusion is that teams need adaptive governance and model operations, not just stronger thresholds.

Privacy and fraud detection now have to be designed together, not traded off after the fact. The article’s emphasis on transparency, device context, and real-time decisioning reflects a broader governance reality: banks cannot afford controls that are either too blunt for customers or too thin for regulators. The right answer is not maximal collection but disciplined signal use. Practitioners should treat data governance as part of fraud architecture, not a downstream compliance task.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
  • If you are extending fraud telemetry into identity governance, The 52 NHI breaches Report shows how weak secret discipline becomes an abuse path when access spans systems and sessions.

What this signals

Behavioural drift is now a governance problem, not just a detection problem. Banks that rely on static identity checkpoints will miss the way AI-assisted fraud changes shape mid-session. The control challenge is to keep authentication, fraud scoring, and transaction monitoring aligned as the risk signal changes, rather than treating each as a separate queue.

With 43% of security professionals concerned that AI systems may learn and reproduce sensitive information patterns from codebases, the broader identity lesson is that machine-assisted abuse now has memory, speed, and repeatability. For banking teams, that means device intelligence and model governance need to be managed together, not in parallel silos. Practitioners should prepare for more adaptive adversaries and fewer stable indicators of compromise.

Risk-based banking depends on signal quality. When organisations operate across an average of 6 distinct secrets manager instances, control fragmentation becomes part of the fraud surface as well as the IAM surface. The practical move is to narrow the number of trust sources and make each one explainable, auditable, and usable across KYC, AML, and account takeover workflows.


For practitioners

  • Instrument device-level risk telemetry: Collect device, network, and behavioural signals at login, onboarding, and transaction time so fraud teams can compare current sessions against prior trusted behaviour.
  • Use step-up authentication only on risky sessions: Trigger additional verification when tampering, emulator use, VPN switching, or unusual velocity appears, instead of applying the same friction to every customer.
  • Feed fraud signals into model retraining: Use current session data to refresh supervised and unsupervised models regularly so detection logic keeps pace with synthetic identity and AI-assisted attack patterns.
  • Align KYC, AML, and account takeover monitoring: Review onboarding, transaction monitoring, and fraud response as one workflow so a suspicious device or geography can influence all three decision points consistently.

Key takeaways

  • AI-driven fraud is forcing banks to replace one-time identity checks with continuous, signal-rich decisioning.
  • Device intelligence matters because attackers now hide behind spoofed devices, VPNs, tampering, and synthetic identities.
  • Fraud, IAM, and compliance teams need shared runtime signals or they will keep fighting the same attack with disconnected controls.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Dynamic fraud decisions rely on identity and access context across sessions. |
| NIST SP 800-63 | | Continuous authentication and assurance are central to the banking use case. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Device and secret abuse patterns overlap with non-human identity misuse. |

Use assurance signals to strengthen step-up decisions without adding excessive friction to routine customer activity.


Key terms

  • Device Intelligence: Device intelligence is the practice of using device, network, and behavioural signals to assess whether a session is likely legitimate or abusive. In financial crime prevention, it helps detect spoofing, tampering, and reuse patterns that are invisible to simple account checks.
  • Persistent Visitor ID: A persistent visitor ID is a stable identifier generated from combined telemetry so a returning device or browser can be recognised across sessions. It is useful when cookies are cleared or networks change, but it must be treated as one risk input, not as proof of identity.
  • Behavioural Analytics: Behavioural analytics examines how a user interacts with a system, including timing, navigation, typing, and gesture patterns. It adds context to fraud and identity decisions by identifying when a session behaves differently from normal human use, even if the login credentials appear valid.
  • Synthetic Identity Fraud: Synthetic identity fraud uses fabricated or blended identity data to create a person or account that looks plausible enough to pass weak checks. The risk increases when onboarding controls are static and when downstream monitoring cannot distinguish a genuine customer from a manufactured profile.


This post draws on content published by Fingerprint: Financial crime is evolving fast. Read the original.
