By NHI Mgmt Group Editorial TeamDomain: Identity Beyond IAMSource: RiskifiedPublished November 10, 2025

TL;DR: AI is now embedded in shopping behaviour, with 73% of consumers using it in some part of the journey and 58% planning to use it for holiday gift shopping, according to Riskified. That shift creates a new peak-season fraud surface across identity verification, account integrity, payment flows, and post-purchase claims.


At a glance

What this is: This is a Riskified analysis of how AI-assisted shopping changes holiday fraud dynamics, especially around identity verification, account integrity, and chargebacks.

Why it matters: It matters because merchants need to treat AI-assisted traffic as a governance problem as well as a fraud problem, with direct implications for customer identity checks and account protection.

By the numbers:

👉 Read Riskified's analysis of AI-driven holiday fraud and merchant exposure


Context

AI-assisted shopping is changing the fraud environment because it alters how customers discover products, compare options, and complete transactions. That matters for merchants because identity verification, account protection, and payment trust now have to cope with traffic that may be generated, filtered, or even acted on by AI.

The seasonal problem is not just higher volume. It is the combination of peak demand, return abuse, and automated assistance that creates ambiguity in customer intent and makes traditional fraud heuristics less reliable. For identity and fraud teams, this is where consumer convenience intersects with account takeover risk, claim abuse, and verification friction.

Riskified’s baseline is broadly typical for ecommerce: holiday periods already attract opportunistic abuse, and AI intensifies that pattern rather than replacing it.


Key questions

Q: How should merchants handle fraud risk when shoppers use AI to assist purchases?

A: Merchants should treat AI-assisted shopping as a trust classification problem, not a binary fraud flag. The right approach is to combine behavioural, account, device, and payment signals so fast, AI-shaped journeys do not automatically inherit full trust. Step-up verification should focus on high-risk moments such as account recovery, shipping changes, and disputed claims.

Q: Why does AI-assisted shopping complicate identity verification for ecommerce teams?

A: AI-assisted shopping compresses the customer journey, reduces visible browsing signals, and can make legitimate and fraudulent behaviour look more similar. That means identity verification has less context to work with, especially when a shopper uses AI to compare products, select items, or initiate purchases quickly across multiple sessions.

Q: What do security teams get wrong about holiday fraud prevention?

A: They often focus too heavily on payment authorization and not enough on the full customer lifecycle. Fraud also happens in account recovery, returns, customer support, and dispute handling, which is where peak-season pressure and AI-assisted behaviour can create the most opportunity for abuse.

Q: How do merchants balance convenience with stronger fraud controls?

A: Merchants should use risk-based controls that add friction only where evidence warrants it. That means preserving low-friction checkout for trusted customers while escalating verification for unusual device signals, abnormal fulfilment changes, repeated support contacts, and high-risk claim patterns.


Technical breakdown

AI-assisted shopping and merchant trust signals

AI-assisted shopping changes the signals merchants rely on to distinguish legitimate customers from fraudulent automation. Product research, price comparison, and purchase initiation can now be mediated by tools that compress browsing behaviour and mask intent, which makes behavioural scoring less stable. In practice, identity confidence has to be built from stronger signals across device, account history, payment consistency, and transaction context rather than page-view patterns alone.

Practical implication: merchants should re-tune trust models for AI-shaped shopping journeys instead of relying on legacy browsing heuristics.

Holiday fraud patterns, account integrity, and claims abuse

Peak-season fraud is not only about carding. Fraudsters exploit high return rates, stretched service teams, and customer expectation pressure to abuse claims, manipulate disputes, and test weak account recovery paths. When AI-assisted shoppers move faster and submit cleaner-looking requests, the distinction between convenience and manipulation becomes harder to enforce, especially where manual review capacity is limited.

Practical implication: teams need controls that cover account recovery, returns, and claims, not just checkout fraud.

Identity verification in an AI-mediated ecommerce flow

Identity verification now has to support both humans and AI-mediated actions. That means knowing when a transaction should be challenged, when friction should be added, and when existing trust can be reused safely across the customer lifecycle. The security issue is not that AI makes all purchases risky, but that it can accelerate patterns that bypass thin verification and create downstream liability for the merchant.

Practical implication: set explicit step-up rules for risky flows and align them to customer lifecycle events, not just order value.


Threat narrative

Attacker objective: The attacker objective is to exploit AI-shaped shopping behaviour and seasonal overload to convert fraudulent activity into approved transactions, successful claims, or unrecovered losses.

  1. Entry occurs when AI-assisted shopping compresses research and purchase behaviour, creating more transaction-like activity in a shorter time window.
  2. Escalation follows when fraudsters use peak-season volume, returns pressure, and customer service ambiguity to push claims, disputes, or account abuse through weak controls.
  3. Impact is expressed as chargebacks, fraud losses, and operational strain on merchant review and support teams.

NHI Mgmt Group analysis

AI-assisted shopping is becoming an identity and fraud governance problem, not just a commerce feature. The article shows that consumer AI use changes how intent is expressed, how transactions are initiated, and how merchants interpret trust. That creates a governance boundary between convenience and verification that fraud teams, IAM leads, and identity verification teams need to manage together. The practitioner conclusion is that AI-mediated commerce must be treated as a distinct trust tier.

Seasonal fraud exposure now extends beyond checkout into the full customer lifecycle. The article points to returns abuse, disputes, and stretched support operations, which means the attack surface is no longer limited to payment authorization. Identity teams should read this as a lifecycle issue: account creation, recovery, purchase, post-purchase claims, and support interactions all become fraud choke points. The practitioner conclusion is that fraud controls need lifecycle coverage, not a single transaction checkpoint.

Consumer comfort with AI purchasing does not equal merchant trust. That distinction matters because business pressure to reduce friction can lead teams to overestimate the safety of automation-heavy shopping flows. Verification trust gap: when an AI-assisted interaction is treated as equivalent to a stable human session, merchants may lose the ability to distinguish legitimate automation from abuse. The practitioner conclusion is that trust policies must be explicit about which AI-mediated actions inherit customer trust and which do not.

Holiday volume amplifies weak policy boundaries in the same way that identity sprawl amplifies access risk. In both cases, the issue is not the presence of automation but the absence of clear controls around who or what is allowed to act, when, and with what evidence. For teams that already manage non-human identities in operational systems, this is a useful reminder that policy clarity, not just detection, determines whether automation stays governable. The practitioner conclusion is that governance rules should be defined before peak season begins.

What this signals

Verification trust gap: merchants are moving into a phase where customer behaviour is increasingly mediated by AI, yet the policy layer still assumes a human-only shopping rhythm. That mismatch creates room for both fraud and over-friction, so teams should re-evaluate where identity verification decisions are anchored and how much lifecycle context they use.

The practical lesson for security and fraud programmes is that peak-season controls should be planned as a trust architecture, not as a blacklist exercise. When customer support, payment authorization, and post-purchase claims all consume the same evidence differently, the weakest policy boundary becomes the easiest abuse path.


For practitioners

  • Tighten identity checks on high-risk shopping paths Apply step-up verification to account recovery, first-time checkout, unusual shipping changes, and high-value post-purchase claims. Use stronger verification where the customer journey shows compressed or AI-shaped behaviour rather than only when order value crosses a threshold.
  • Separate fraud controls for checkout, returns, and disputes Build different decision rules for payment authorization, return abuse, and customer service claims so one weak point does not expose the entire lifecycle. Add review logic for repeated support contacts, abnormal return patterns, and inconsistent account signals.
  • Re-tune trust models for AI-assisted traffic Review behavioural scoring to account for faster product discovery, shorter sessions, and reduced browsing depth. Combine device reputation, account age, payment consistency, and fulfilment history so AI-driven efficiency does not look identical to fraud.
  • Prepare support teams for fraud-driven claims pressure Train customer service and operations teams to recognise impersonation, dispute farming, and return manipulation during peak season. Align support workflows with fraud escalation rules so manual concessions do not become the easiest attack path.
  • Map merchant trust decisions to lifecycle events Document when an AI-assisted action should inherit existing trust and when it should trigger re-verification. Use lifecycle checkpoints for account creation, recovery, checkout, and post-fulfilment claims to keep policy decisions consistent.

Key takeaways

  • AI-assisted shopping changes fraud prevention because it reshapes the trust signals merchants use to decide who is legitimate.
  • The risk extends beyond checkout into account recovery, returns, and customer service claims, where seasonal pressure makes controls easier to bypass.
  • Merchants need lifecycle-aware verification and risk-based friction before peak season, not after abuse patterns emerge.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63BAuthentication and verification controls matter where AI-assisted shopping changes trust signals.
GDPRArt.32Identity and transaction data used in fraud scoring must still be protected appropriately.
NIST CSF 2.0PR.AC-4Least-privilege access to customer and fraud systems reduces abuse in peak-season operations.

Use assurance levels and step-up checks to match verification strength to the risk of the transaction.


Key terms

  • AI-assisted shopping: Shopping behaviour where consumers use AI tools to research, compare, or initiate purchases. The security issue is that AI changes the shape of normal customer activity, which can reduce the reliability of behavioural signals used for fraud detection and identity verification.
  • Verification trust gap: The difference between what a system assumes about a customer interaction and what the evidence actually supports. In fraud and identity programmes, this gap appears when automated or accelerated journeys are treated as trusted without enough context, allowing abuse to look legitimate.
  • Claims abuse: The misuse of post-purchase processes such as returns, refunds, chargebacks, or support escalations to obtain value unfairly. It often thrives when merchants focus only on checkout controls and ignore the identity and behaviour signals present after the transaction completes.

What's in the full article

Riskified's full analysis covers the operational detail this post intentionally leaves for the source:

  • Survey breakdown of how consumers use AI across product discovery, review evaluation, and purchase behaviour.
  • Seasonal abuse patterns seen in dark web discussion leading into Black Friday and Cyber Monday.
  • Practical considerations for merchants balancing conversion, fraud review, and customer experience.
  • Holiday preparedness framing from checkout through post-fulfilment claims and disputes.

👉 Riskified's full post covers AI shopping trends, fraud pressure points, and holiday preparedness considerations.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, IAM, and workload identity for practitioners who need to govern access across human and non-human systems. It helps security teams connect identity controls to the operational decisions that shape real-world risk.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org