By NHI Mgmt Group Editorial TeamDomain: Identity Beyond IAMSource: RiskifiedPublished June 30, 2026

TL;DR: A global survey of 4,060 consumers found that 81% now use digital platforms for travel planning, 26% already rely on AI tools, and 53% say identity verification steps sometimes or often cause booking abandonment, according to Riskified. The trust gap between discovery and purchase now shapes fraud controls, checkout design, and identity verification choices.


At a glance

What this is: Riskified’s survey shows that AI and digital travel planning are rising quickly, but checkout trust, payment security, and identity verification friction still constrain conversion.

Why it matters: For IAM and fraud teams, the finding matters because identity checks that reduce fraud can also suppress completion rates, forcing tighter coordination between access, verification, and customer experience.

By the numbers:

👉 Read Riskified's survey findings on AI, trust, and travel checkout friction


Context

Travel booking is now a trust-and-friction problem as much as it is a pricing problem. Consumers will plan with digital tools and AI, but they hesitate when they are asked to share payment details, passport data, or complete layered verification steps that interrupt checkout. That tension is familiar to identity teams because the same controls that reduce fraud can also create abandonment if they are too blunt or poorly timed.

The identity verification angle is broader than travel alone. Any programme that uses step-up checks, risk-based authentication, or fraud screening has to balance assurance with completion, especially when the user is a customer rather than an employee. In this survey, the starting position is typical of modern digital commerce: users embrace convenience early, then demand stronger proof only when the transaction becomes sensitive.


Key questions

Q: How should retailers reduce fraud without making checkout too slow?

A: Use progressive verification. Keep low-risk browsing and sign-up flows fast, then increase assurance only when users request account recovery, payment enrolment, or other high-value actions. That approach preserves conversion while still creating a real control point where fraud risk is highest. Measure both fraud loss and abandonment so you can see whether the balance is working.

Q: Why do identity verification steps cause customers to abandon bookings?

A: Customers abandon when verification is poorly timed, repetitive, or unexplained. In consumer journeys, any extra step can feel like suspicion rather than protection, especially when the user is trying to complete a time-sensitive purchase. Clear trust signals and proportionate controls reduce that drop-off.

Q: How can security teams decide where AI is allowed to act in a customer journey?

A: Define AI as advisory unless the transaction has been explicitly governed for automation. AI can assist with discovery and comparison, but payment, passport data, and booking commitments should require controlled authorisation, auditability, and a clear human override path.

Q: What should organisations measure if they want to know fraud controls are working?

A: Organisations should measure whether controls are increasing attacker cost, reducing campaign success rates, and forcing repeated abuse to become uneconomic. A control can reduce one attempt and still fail strategically if attackers can immediately retry at low cost. The right metric is not only detection, but deterrence.


Technical breakdown

Checkout friction and identity verification in travel commerce

Travel checkout often combines payment authorisation, device and behavioural risk signals, and identity verification in one flow. That makes it easy to overcorrect. If verification is inserted too early, too often, or without clear risk scoring, legitimate customers abandon the booking. If it is too light, fraudsters exploit discounts, stolen cards, and ticket resale abuse. The technical problem is orchestration: deciding when to step up assurance, when to defer it, and how to preserve continuity across devices, sessions, and channels.

Practical implication: tune verification triggers to transaction risk instead of applying the same control path to every booking.

AI travel assistants and trust boundaries for sensitive data

AI tools now influence discovery, comparison, and itinerary creation, but they are not automatically trusted to handle payments or passport details. That boundary matters because the system that recommends a trip is not necessarily the system that should complete or authorise it. From a governance perspective, the question is where to separate advisory AI from transactional authority, especially when customer identity, payment data, and booking commitments are involved.

Practical implication: separate AI planning functions from payment and identity decisions unless explicit, audited controls exist.

Fraud pressure, scam velocity, and the conversion trade-off

Fraudsters exploit urgency, discounts, and consumer expectations of seamless digital service. In travel, that means fake ticket listings, payment abuse, account takeover, and social engineering all compete with legitimate merchants for user attention. The operational challenge is to reduce scam exposure without forcing every user through a high-friction path. That requires dynamic risk scoring, clearer trust signals, and post-authentication controls that match the transaction’s value and sensitivity.

Practical implication: build layered fraud controls that adapt to risk signals instead of relying on one rigid checkout gate.


Threat narrative

Attacker objective: The attacker aims to monetise urgency and trust by extracting payments, selling fake bookings, or diverting customers into fraudulent travel transactions.

  1. Entry occurs when fraudsters attract travellers through fake discounts, invalid ticket offers, or manipulated booking flows that appear legitimate at first contact.
  2. Escalation follows when attackers exploit low-friction checkout paths, weak verification logic, or rushed purchasing behaviour to capture payment details or complete fraudulent bookings.
  3. Impact is conversion loss, ticket fraud, payment abuse, and customer trust erosion for merchants that cannot distinguish legitimate demand from scam-driven transactions.

NHI Mgmt Group analysis

Checkout trust is now an identity problem, not just a UX problem. The survey shows that verification friction can directly suppress completion, which means identity controls are shaping revenue outcomes as well as fraud outcomes. In practice, IAM-adjacent decisions in consumer commerce now sit inside conversion engineering, not beside it. Teams need to treat step-up logic as a controlled business policy, not a static security default.

AI travel planners create a new boundary between advice and authority. Consumers are comfortable using AI to explore options, but far less willing to let it handle payment or passport data. That distinction matters because AI systems can influence intent without being the system of record for identity or authorisation. Practitioners should define where AI can assist, where human confirmation is mandatory, and where transactional privilege must never be delegated.

Risk-based verification orchestration: the central design problem is deciding when identity checks should reduce fraud and when they simply interrupt legitimate demand. The survey’s findings show that blunt verification creates the wrong failure mode, especially in high-velocity travel checkout. The more effective model is context-aware assurance, where risk signals, device confidence, and transaction value determine the depth of control. That is the governance pattern merchants should be using.

Trust signals are becoming a competitive control surface. Payment security, ticket authenticity, and verification transparency are now part of the customer decision set. Merchants that cannot explain why a control exists will feel it as abandonment. The broader lesson for identity programmes is that assurance must be legible to users, or it will be bypassed psychologically even when it works technically.

Fraud and identity teams need a shared operating model for consumer journeys. This survey shows why isolated ownership is no longer enough: fraud prevention can degrade conversion, while conversion optimisation can weaken assurance. The field should move toward joint governance of customer identity, transaction risk, and checkout design. Practitioners should align on one measurable outcome: fewer scams without avoidable booking loss.

What this signals

Verification friction is becoming a governance metric. Teams that only measure fraud loss will miss the fact that identity controls can suppress legitimate revenue when they are too broad or poorly placed. The better programme design is to treat conversion impact, customer trust, and assurance depth as one control system, not separate workstreams. For consumer identity journeys, that means calibrating controls to transaction value and user context, then reviewing them as a business risk measure rather than a purely technical one.

The AI boundary in consumer journeys is likely to harden further as users become comfortable with AI for planning but not for payment. That creates a practical governance split between assisted decision-making and delegated action. Where that split is unclear, merchants will face both fraud risk and trust erosion. Practitioners should define the boundary explicitly and document which decisions an AI system can influence versus which ones it may never execute.

As this pattern spreads, identity teams will need stronger alignment with fraud, product, and revenue owners. The control objective is no longer simply prevention, but proportionate prevention. Programme leaders should prepare for more debate about when to challenge the customer, how to explain the challenge, and what evidence proves the control is doing more good than harm.


For practitioners

  • Rebalance verification timing Move identity checks later in the booking path when risk is low, and reserve stronger verification for high-value or anomalous transactions. Use step-up only when fraud signals justify the additional friction.
  • Separate AI-assisted planning from transaction authority Allow AI tools to help customers search, compare, and plan, but require explicit human confirmation before any payment, passport, or booking commitment is finalised.
  • Instrument abandonment around verification steps Track where customers drop out after payment security prompts, identity verification, or ticket-authentication checks, then compare abandonment by channel, device, and transaction risk score.
  • Strengthen scam detection at the offer layer Detect suspicious discounting, invalid ticket patterns, and booking-page manipulation before checkout begins, so fraud controls are not left to compensate for weak upstream trust signals.

Key takeaways

  • Travel commerce now exposes a classic identity trade-off: stronger verification reduces fraud but can also reduce bookings.
  • Consumer trust is highest in planning and lowest at payment, which makes transaction authority the real governance boundary for AI-assisted journeys.
  • Merchants need risk-based verification, not blanket friction, if they want to keep scam losses down without pushing legitimate customers away.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST SP 800-63 and NIST AI RMF set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Identity verification friction and customer access decisions map to access control outcomes.
NIST SP 800-53 Rev 5IA-5IA-5 applies where customer authentication and verification controls affect transaction trust.
NIST SP 800-63SP 800-63BThe survey centres on authentication and verification experience in digital journeys.
GDPRArt.32Passport and payment data handling raises security of processing concerns.
NIST AI RMFGOVERNAI-assisted travel planning needs clear accountability for delegated decision boundaries.

Ensure verification flows protect personal data and limit exposure during checkout and AI-assisted planning.


Key terms

  • Risk-Based Verification: A control approach that adjusts assurance strength to the context of the transaction, such as jurisdiction, wallet type, and value at stake. It avoids one-size-fits-all checks and lets firms apply stronger proof where the compliance and fraud risk is higher.
  • Checkout abandonment: The point at which a legitimate customer leaves a purchase flow before completion. In identity-heavy commerce, abandonment is often caused by friction, repeated prompts, unclear trust signals, or authentication steps that feel disproportionate to the transaction.
  • Trust Boundary: A trust boundary is the point where one system’s authority should stop and another system’s authority should begin. For internal automation, weak trust boundaries let monitoring, remediation, and execution share privileges that should have remained separate.
  • Transactional authority: The ability to finalise a payment, booking, or other binding action. In AI-assisted commerce, this authority should be tightly separated from advisory functions so that recommendation engines do not become ungoverned decision-makers.

What's in the full report

Riskified's full article covers the survey detail this post intentionally leaves for the source:

  • Country-by-country survey breakdown across the United States, United Kingdom, China, Japan, Mexico, Brazil, and Colombia.
  • Consumer behaviour splits between travel planning, booking friction, and trust in AI-assisted trip purchase flows.
  • The exact wording of the questions behind payment security, fake ticket concerns, and booking abandonment.
  • Riskified's interpretation of how merchants should balance fraud prevention with checkout completion.

👉 The full Riskified article includes the survey methodology and the complete consumer response set.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, agentic AI identity, machine identity security, IAM, identity lifecycle, and secrets management. It helps security and identity practitioners apply governance patterns to programmes that now span people, systems, and delegated automation.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org