TL;DR: Fraud teams are being forced to redesign around AI-driven abuse, account compromise, and social engineering as transaction volume rose 18% in 2025 while payment fraud attempts held near 3.25%, according to Sift. The operational issue is no longer only detection speed, but whether the team structure, metrics, and escalation model can absorb synthetic abuse at scale.
At a glance
What this is: This is a fraud and trust and safety operations analysis arguing that modern abuse has outgrown purely payment-focused fraud teams and now requires broader organisational design.
Why it matters: It matters to identity and security practitioners because fraud increasingly targets accounts, identities, and internal users, which means IAM, verification, and access governance now sit inside the fraud operating model.
By the numbers:
- Transaction volume on the Sift Global Data Network grew 18% in 2025, while payment fraud attempt rates held steady at around 3.25%.
- Dispute rates rose 78% year-over-year in Q3 2024.
👉 Read Sift's operational blueprint for modern fraud team design
Context
Fraud operations have shifted from a narrow transaction-checking function into a broader trust governance problem. AI-assisted abuse now moves faster than manual review can keep up, and the same pressure that affects consumer fraud teams also reaches identity systems, internal users, and the access paths that support them.
The key organisational question is no longer whether fraud exists, but whether the company is structured to see account abuse, synthetic identity activity, and social engineering as one connected risk surface. That is especially relevant where fraud, IAM, and verification controls overlap, because weak identity assurance becomes an operational fraud problem very quickly.
Key questions
Q: What breaks when fraud teams stay focused only on payment loss reduction?
A: They miss account takeover, onboarding abuse, synthetic identities, and social engineering that damage trust without always producing an immediate chargeback. A loss-only model can look healthy while the abuse surface expands. Teams need metrics that include identity confidence, customer friction, and escalation quality, not just fraud dollars prevented.
Q: How do fraud and IAM teams work together on AI-driven abuse?
A: They should share the same decision points. Fraud teams bring anomaly detection, rate patterns, and device intelligence. IAM teams bring identity proofing, authentication policy, and step-up enforcement. When those signals are combined, the organisation can treat suspicious automation as an access decision rather than a standalone fraud alert.
Q: What do security teams get wrong about trust and safety org design?
A: They often treat it as a staffing choice instead of a control model. The structure has to match the abuse surface. If fraud spans product, identity, and support, a narrow queue will fragment visibility and slow escalation. A trust and safety model works when governance, data, and response are designed together.
Q: What should organisations measure if they want to know fraud controls are working?
A: Organisations should measure whether controls are increasing attacker cost, reducing campaign success rates, and forcing repeated abuse to become uneconomic. A control can reduce one attempt and still fail strategically if attackers can immediately retry at low cost. The right metric is not only detection, but deterrence.
Technical breakdown
Why payment fraud metrics no longer describe the full abuse surface
Payment fraud metrics capture only one slice of modern abuse. Account takeover, synthetic identities, policy abuse, and socially engineered access attempts often create more damage than a blocked transaction because they compromise trust, not just revenue. When AI tools increase attacker speed and variation, a team can show stable loss rates while the actual risk surface expands underneath it. The operational model has to reflect the full abuse graph, not just the checkout flow.
Practical implication: Use a broader abuse taxonomy so IAM, fraud, and trust signals are measured together, not in separate dashboards.
How trust and safety differs from a pure fraud queue
A pure fraud team usually optimises for fast, accurate transaction decisions. A trust and safety function is built for platforms where abuse spans onboarding, identity, content, account behavior, and user trust. That difference changes everything from staffing to escalation to metrics. If customer trust is mission-critical, the team needs cross-functional reach into product, security, and verification rather than a narrow review queue.
Practical implication: Define the operating model around the abuse types you face, then align ownership across product, security, and identity teams.
Why AI changes fraud operations, not just fraud tooling
AI does not only help defenders score events faster. It also helps attackers generate more convincing social engineering, synthetic identities, and prompt injection paths that can reach humans and internal workflows. That means the control problem expands from pattern detection to governance of who can influence identity decisions, when manual review is required, and how exceptions are handled across systems.
Practical implication: Treat AI as a force multiplier on both sides and add governance around identity decision points, not only model outputs.
Threat narrative
Attacker objective: The attacker wants to scale abuse faster than manual operations can detect it, while making malicious activity look like normal customer or employee behaviour.
- Entry begins when attackers use AI-assisted social engineering or synthetic identities to interact with onboarding, support, or internal workflows.
- Escalation follows when the attacker gains trust through repeated low-friction interactions, policy abuse, or compromised user accounts.
- Impact occurs when the platform records fraudulent transactions, account takeover, or trust erosion that causes legitimate users to churn.
NHI Mgmt Group analysis
AI-scaled fraud has become an identity governance problem, not just a loss problem. The article shows that fraudsters are now targeting accounts, people, and internal decision points with AI-assisted speed. That shifts the centre of gravity from blocking bad transactions to governing identity assurance, review authority, and exception handling across the business. For identity teams, the fraud function now depends on the same assurance controls that IAM and verification programmes manage every day.
Trust and safety is the right organisational pattern where abuse crosses identity, product, and support boundaries. A pure fraud queue cannot keep pace when the abuse surface includes onboarding fraud, ATO, policy abuse, and synthetic identities. The more a business relies on identity to mediate customer trust, the more its fraud model resembles a governance function. Practitioners should treat team design as a control decision, not just an org chart exercise.
Metrics that stop at loss rate create governance blind spots. Loss reduction matters, but it does not tell leaders whether legitimate customers are being rejected, whether identity assurance is weakening, or whether manual review is absorbing AI-scaled abuse. That is a measurement failure as much as an operational one. Practitioners need outcome metrics that connect fraud, identity confidence, and customer experience.
Fraud programmes now sit inside the same control universe as IAM and verification. When attackers use social engineering or synthetic identities to reach internal workflows, the boundary between fraud prevention and identity security becomes artificial. That means access governance, step-up checks, and exception management all become part of fraud resilience. Teams that keep these disciplines separate will miss the attack path that links them.
Trust infrastructure is the named concept this article sharpens. Fraud teams are no longer defending a single transaction point. They are defending the operational fabric that decides whether users, devices, and internal actors are trusted at all. The practical conclusion is simple: if the trust layer fails, the fraud layer cannot recover the business outcome on its own.
What this signals
Fraud organisations should expect continued convergence between identity assurance, abuse detection, and access governance. The practical implication is that fraud leadership will need to speak the language of IAM, verification, and internal control design more often, because attack paths are no longer confined to payment rails.
trust-layer fragmentation: when customer trust, employee trust, and identity verification are handled in separate workflows, AI-assisted abuse exploits the seams. That creates a governance problem as much as a detection problem, and the strongest programmes will be the ones that close the handoff gaps between fraud, IAM, and support operations.
Where identity assurance is weak, fraud teams will be forced to compensate with more review, more friction, and more false positives. Practitioners should prepare for a programme shift toward shared control ownership, especially around step-up authentication, account recovery, and exception handling.
For practitioners
- Reclassify abuse by attack surface Map your fraud cases across payments, account takeover, onboarding abuse, synthetic identity, support fraud, and internal social engineering before you rework staffing or tooling. That mapping should show where IAM and verification controls are part of the fraud path.
- Align fraud and IAM escalation paths Create a shared escalation model for account compromise, step-up failures, suspicious identity proofing, and privileged internal requests so security and fraud teams are not operating separate triage queues.
- Replace loss-only reporting with outcome metrics Track approval rates, false positives, customer churn after fraud events, and manual-review throughput alongside loss rate so leadership sees the business cost of overblocking and underblocking.
- Audit internal trust boundaries for social engineering exposure Review which employees, queues, and exceptions can be influenced by external actors using AI-generated persuasion, then tighten approval chains and identity verification for high-risk requests.
Key takeaways
- Modern fraud is increasingly an identity and trust governance problem, not only a payment-loss problem.
- AI-assisted abuse pushes fraud teams to measure customer impact, review quality, and identity confidence alongside loss rate.
- Organisations that align fraud, IAM, and verification controls will be better positioned to absorb synthetic abuse at scale.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST SP 800-63 and NIST AI RMF set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Identity assurance and access control are central to fraud and trust workflows. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege matters where internal approvers and support workflows can be abused. |
| GDPR | Art.32 | Fraud and verification workflows process personal data and need security controls. |
| NIST SP 800-63 | SP 800-63A | Identity proofing and recovery are directly implicated by synthetic identity abuse. |
| NIST AI RMF | GOVERN | AI-assisted abuse makes governance of decision rights and accountability essential. |
Limit exception and recovery paths with AC-6 so no single queue can override identity controls.
Key terms
- Trust And Safety: Trust and safety is the combined discipline of preventing abuse, reducing harm, and preserving legitimate participation in a digital community. In identity programmes, it links verification, moderation, and lifecycle governance so account confidence and user experience are managed together.
- Account Takeover: Account takeover occurs when an attacker gains control of a legitimate user account and uses that trust to commit fraud, steal data, or move into other systems. It is especially damaging because the attacker operates through valid identity pathways, which makes detection and response slower.
- Synthetic Identity: A synthetic identity is a fabricated or blended identity created from real and fake attributes to pass checks and establish trust over time. In fraud operations, it can look legitimate during onboarding and only reveal itself once the attacker starts abusing account privileges or payment flows.
What's in the full article
Sift's full post covers the operational detail this post intentionally leaves for the source:
- How Kevin Lee structures fraud, trust, and safety organisations across centralised, embedded, and CoE models
- The full metric shift discussion on approval rates, false positives, churn, and business-outcome reporting
- Career and hiring heuristics for fraud analysts, including how to evaluate inquisitiveness and proactive investigation
- The operational roadmap for the next session in the series, including detection, response workflows, and review design
👉 The full Sift post covers team structure, hiring signals, and the metric shift in more detail
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect identity control design to the broader security operating model.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org