By NHI Mgmt Group Editorial TeamPublished 2026-05-10Domain: Agentic AI & NHIsSource: Incode

TL;DR: AI-driven KYC workflows can turn uploaded documents into untrusted execution surfaces once OCR output reaches an agent with tool access, according to Incode’s analysis of the [un]prompted 2026 demo and Trend Micro’s recap. The governance problem is no longer just document fraud; it is separation between extraction, orchestration, and autonomous writes.


At a glance

What this is: AI-assisted KYC can let hidden document content influence extraction agents and connected systems, turning files into an execution surface rather than a passive input.

Why it matters: IAM and fraud teams need to treat document ingestion, tool permissions, and agent scope as one control plane, because identity trust can collapse between OCR and downstream action.

By the numbers:

👉 Read Incode's analysis of AI-driven KYC document fraud and agentic risk


Context

AI-driven KYC now has a trust boundary problem, not just a fraud problem. Once OCR or text extraction feeds an agent that can call tools, the document is no longer only evidence of identity. It becomes part of the control flow that can influence database writes, verification decisions, and downstream actions.

That shift matters because most identity programmes still separate document checks, workflow orchestration, and access control. The article’s core point is that those layers now overlap. For KYC, fraud prevention, and agent governance teams, the question is whether the pipeline treats uploaded content as untrusted input or as something that can safely steer execution.


Key questions

Q: What breaks when AI-driven KYC agents can act on OCR output directly?

A: The pipeline becomes vulnerable to indirect prompt injection and trust inversion. A document that should only supply identity evidence can instead influence tool calls, record updates, or verification closure. The result is that content, workflow, and authorisation are no longer separable in practice.

Q: Why do hidden instructions in identity documents matter so much?

A: Hidden instructions matter because LLMs and extraction agents can process them as context, not as attack content. If the same agent also has tool access, the malicious payload can move from interpretation into action. That turns a document fraud problem into a system integrity problem.

Q: How can security teams reduce risk in AI-assisted document verification?

A: They should isolate extraction from orchestration, strip write permissions from first-pass agents, and validate documents before any content reaches model context. The best signal is whether an uploaded file can still influence a system action after preprocessing.

Q: Who is accountable when an AI KYC workflow acts on a poisoned document?

A: Accountability sits with the organisation operating the workflow, not the document or the model. Teams need explicit ownership for the agent, defined revocation authority, and controls that make the agent’s scope auditable. Without that, the verification chain can act without clear human or system accountability.


Technical breakdown

Why OCR-to-agent handoff creates an execution surface

OCR output is often treated as cleaned text, but in an agentic workflow it can become active context. If hidden instructions, metadata tricks, or embedded payloads survive extraction, the model may ingest them alongside legitimate identity data. Once that context is coupled with tool access, the agent can be induced to read, write, or route records in ways the workflow owner did not intend. The control failure is architectural: the system assumes extracted text is inert when it is now operationally meaningful.

Practical implication: isolate extraction from orchestration so document content cannot directly influence tool-enabled agent steps.

Prompt injection in KYC documents and AI agent tool use

Indirect prompt injection works when malicious instructions are placed inside untrusted content that an LLM later processes. In KYC, that content can be a passport image, a scanned form, or OCR text. The risk rises sharply when the agent can call APIs, update records, or trigger verification actions without a separate approval boundary. OWASP’s warning on excessive agency applies here because the same payload that alters model interpretation can also alter system behaviour through connected tools.

Practical implication: constrain tool permissions and require explicit trust boundaries before any write-capable action is available to the agent.

Why document verification is no longer enough on its own

Traditional document verification focuses on authenticity, liveness, and template fraud. That matters, but it does not address the agentic layer where the document steers a workflow. In this model, the security question is not only whether the ID is fake, but whether the file can alter a broader identity decision chain. That is why document integrity, device signals, behavioural telemetry, and session correlation now need to work together rather than as isolated checks.

Practical implication: evaluate document fraud controls as part of a broader identity verification stack, not as a standalone check.


Threat narrative

Attacker objective: The attacker wants to use a forged or weaponised document to influence identity verification outcomes and trigger unauthorised downstream actions.

  1. Entry occurs when an attacker submits a crafted identity document containing hidden instructions or malformed content into an AI-driven KYC pipeline.
  2. Escalation occurs when OCR output is passed into an agent with tool access, allowing the embedded payload to steer database reads, writes, or verification steps.
  3. Impact occurs when the agent acts on poisoned context and the attacker gains fraudulent verification, record manipulation, or broader workflow abuse.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Document ingestion is now an execution boundary, not a capture step. The article shows why AI-driven KYC cannot treat OCR output as inert text once it reaches an agent with tool access. That assumption was designed for static review pipelines, where the document informed a human or a fixed decision engine. It fails when the content can steer action inside the same session. The implication is that identity teams must rethink where trust begins and ends in the verification chain.

Hidden instructions inside identity documents create an identity trust collapse. This is not only document fraud and not only prompt injection. It is a merged failure mode in which attacker-controlled content influences identity decisions and system operations at the same time. OWASP-NHI and OWASP agentic application guidance both point toward this boundary problem. Practitioners should recognise it as a control-plane issue, not a cosmetic accuracy issue.

Tool access is the real multiplier in AI-driven KYC risk. An OCR model without downstream privileges is inconvenient; an OCR model with write access to customer records becomes materially dangerous. The article’s architecture example shows why excessive agency amplifies the blast radius of poisoned content. Security teams need to assess not just the quality of extraction, but whether the extraction stage has any path to mutate records or trigger verification completion.

Agentic identity must extend into KYC, or accountability fragments. The article correctly extends the trust problem from documents to the agents themselves. If an AI system can be influenced by untrusted input and then act, teams need a way to bind the agent to a verified owner, a bounded scope, and a revocation model. The broader lesson is that identity assurance is no longer finished at customer onboarding; it now includes the runtime behaviour of the systems that perform that onboarding.

Cross-session fraud intelligence becomes essential once one document can seed many actions. A successful document attack rarely ends at the first verification event. The same identity artefact can support account creation, mule onboarding, or repeat abuse across related flows. That makes session-level controls necessary but insufficient on their own. Practitioners should connect document signals to cross-session detection and fraud analytics so one poisoned interaction does not become a reusable trust foothold.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to our Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
  • That same lifecycle gap is why teams should also review 52 NHI Breaches Analysis for the failure modes that turn exposure into impact.

What this signals

Document trust is becoming a runtime governance problem. As AI-assisted verification spreads, teams should expect more controls to move from static authenticity checks to runtime containment, where the question is not just whether a document is real, but whether it can alter system behaviour. That change should be reflected in architecture reviews and red-team exercises, not left to fraud teams alone.

With 96% of organisations still storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, per our Ultimate Guide to NHIs, the broader lesson is that identity programmes already struggle to keep untrusted material away from execution paths. KYC workflows now face the same separation problem in a new form.


For practitioners

  • Separate extraction from execution Keep OCR, text normalisation, and agent orchestration in different trust zones so extracted content cannot directly trigger tool calls or record mutations.
  • Remove write privilege from the first-pass agent Design the initial extraction agent as read-only, with no database writes, approval closure, or external side effects until a separate policy gate is passed.
  • Harden document handling against indirect prompt injection Scan for hidden text, invisible characters, metadata anomalies, and multimodal payloads before any document enters an LLM context.
  • Correlate document signals with session risk Combine device integrity, behavioural indicators, and document authenticity checks so one suspicious upload can suppress or step up the rest of the flow.
  • Define revocation paths for agentic identity in KYC If an agent can act on behalf of a verifier or analyst, define who owns that agent, how scope is limited, and how its access is revoked after use.

Key takeaways

  • AI-driven KYC changes the trust boundary by letting document content influence execution, not just verification.
  • Hidden instructions inside uploaded documents can turn OCR output into a control-path risk when agents have tool access.
  • Security teams need isolation, write restrictions, and cross-session signal correlation to keep verification from becoming an execution layer.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10The article centers on indirect prompt injection and excessive agency in an AI-driven workflow.
OWASP Non-Human Identity Top 10NHI-01AI verification agents are NHIs with scoped privileges that must be bounded and reviewed.
NIST AI RMFMANAGEAgentic verification requires ongoing risk controls, ownership, and monitoring.
NIST CSF 2.0PR.AC-4The article is about access boundaries between document input and system action.
NIST Zero Trust (SP 800-207)The trust boundary between OCR output and orchestration maps cleanly to zero trust thinking.

Use agentic AI threat patterns to separate untrusted inputs from any write-capable agent action.


Key terms

  • Indirect Prompt Injection: Indirect prompt injection is an attack where malicious instructions are placed inside content the model later processes. In AI-driven KYC, that content can be a document, image, or OCR text, and the goal is to influence model behaviour without changing the model itself.
  • Execution Surface: An execution surface is any input path where untrusted content can affect system behaviour. In agentic identity workflows, a document becomes an execution surface when its extracted text can steer tool calls, writes, or verification decisions rather than remaining passive evidence.
  • Agentic Identity: Agentic identity is the governance layer for software systems that act on behalf of people or organisations. It binds the agent to an owner, scope, and revocation path, because runtime behaviour, not just authentication, determines who is accountable for the action.
  • Trust Boundary: A trust boundary is the point where data changes from controlled input to something that can influence privileged action. For AI-assisted KYC, the boundary should sit before orchestration and tool use, not after OCR has already placed content inside the model context.

What's in the full article

Incode's full post covers the operational detail this post intentionally leaves for the source:

  • The Deepsight for Documents rollout context and how the detection layers are positioned inside existing identity verification flows.
  • The reported performance claims, including the 9.7x increase in GenAI-driven fraud attempts and the 100% detection result on the controlled dataset.
  • The Agentic Identity framing, including verified human owner binding, scoped consent, tokenization, and continuous monitoring.
  • The pipeline examples showing how the OCR-to-agent handoff creates risk between extraction and execution.

👉 Incode's full post covers the OCR-to-agent attack path, detection claims, and agentic identity framing in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org