By NHI Mgmt Group Editorial TeamPublished 2026-06-25Domain: AnnouncementsSource: Arkose Labs

TL;DR: 90% of banks are concerned about account takeover and credential stuffing, while only 19% feel very well prepared to fight AI attacks and 48% lack personnel skilled in both AI and cybersecurity, according to Arkose Labs. The gap is no longer awareness, but operational readiness across fraud, IAM, and AI threat response.


At a glance

What this is: This is a banking-focused fraud and AI attack analysis that shows concern is high, but preparedness and cross-skilled staffing remain low.

Why it matters: It matters because identity teams now have to align fraud controls, human IAM, and machine-led attack detection before automated abuse outruns current response models.

By the numbers:

👉 Read Arkose Labs' analysis of AI-driven banking fraud and account takeover risk


Context

Banks are facing a widening gap between fraud pressure and operational readiness. Account takeover, credential stuffing, fake accounts, phishing, and AI-assisted abuse all depend on identity weaknesses, but the defenders who need to coordinate fraud, IAM, and security often do not share the same skills or telemetry.

The practical issue is not only attack volume. It is that many programmes still treat bot mitigation, customer identity protection, and identity governance as separate concerns, even though the attack chain now moves across them quickly and repeatedly.


Key questions

Q: How should banks reduce account takeover risk without creating excessive customer friction?

A: Banks should combine device intelligence, behavioural signals, and adaptive challenge flows so that friction appears only when risk rises. The key is to protect login, recovery, and payment flows as one sequence. If teams tune those controls separately, attackers can move to the weakest handoff while genuine users face unnecessary barriers.

Q: Why do AI-assisted attacks make credential stuffing more dangerous for banks?

A: AI-assisted attacks make credential stuffing more dangerous because they help attackers vary timing, targeting, and follow-up behaviour at scale. That increases the chance that automated attempts look normal long enough to reach recovery or transaction stages. Banks need detection that reads identity context, not just login failure volume.

Q: What do security teams get wrong about bot mitigation in banking?

A: Security teams often treat bot mitigation as a point solution instead of a trust decision. That creates blind spots between authentication, account recovery, and fraud response. Effective mitigation depends on shared telemetry and consistent risk scoring across those stages, otherwise one control can be bypassed by the next.

Q: Who should be accountable when AI-driven fraud crosses IAM and fraud operations?

A: Accountability should sit with a shared identity risk owner who can coordinate IAM, fraud, and security response. When the same abuse path touches customer login, recovery, and transaction controls, no single team sees the full picture. The accountable function must be able to change policy, not only investigate incidents.


How it works in practice

How AI-assisted account takeover turns identity controls into attack surfaces

Account takeover in banking usually starts with credential stuffing, phishing, or reused passwords, then moves into session abuse and transaction fraud. AI changes the tempo by helping attackers scale targeting, adapt lures, and rotate tactics faster than manual review queues can respond. The control problem is not one gate. It is the chain from authentication to risk scoring to step-up decisions and account recovery. When those controls are siloed, a bot can look like a normal customer long enough to create an account, reset access, or drain value before intervention.

Practical implication: tie authentication, recovery, and bot signals into one decision path.

Why volumetric bot traffic defeats isolated fraud tooling

Volumetric attacks work because they are not trying to be clever in one request. They are trying to be cheap at scale until enough sessions slip through. Dynamic challenges and real-time scoring can help, but only when the underlying identity and device signals are strong enough to separate genuine users from scripted behaviour. If challenge logic, device telemetry, and fraud review are disconnected, attackers can keep probing weak points until they find a path that looks legitimate to one control but not to the rest.

Practical implication: treat bot defence as a decisioning system, not a single detection layer.

How staffing gaps become an identity security control failure

A lack of people who understand both AI and cybersecurity is not just a talent issue. It means the organisation may not recognise which signals matter, which incidents need escalation, or how AI-driven abuse changes fraud thresholds. In banking, the real risk is that teams optimise one part of the problem, such as customer friction or false positives, while missing cross-domain abuse patterns that spread from onboarding to login to payment execution. That is a governance gap as much as a resourcing gap.

Practical implication: build shared operating models across fraud, IAM, and security response.


NHI Mgmt Group analysis

Fraud teams and identity teams are now managing the same attack surface. Arkose Labs is effectively describing a world where account takeover, bot abuse, and AI-assisted fraud cannot be governed as separate disciplines. The bank that treats customer authentication as one problem and fraud mitigation as another will miss the handoff points attackers exploit. The implication is that programme boundaries, not just tool gaps, are part of the exposure.

AI attack readiness is a governance problem before it is a detection problem. If only 19% of banks feel very well prepared, the issue is not simply more alerts or better models. It is whether the organisation has a shared operating model for identity risk, customer abuse, and automated adversary behaviour. That means the decision-making chain must span IAM, fraud operations, and security leadership, not sit inside one team. Practitioners should treat preparedness as an operating discipline, not a dashboard metric.

Cross-skilled staffing has become an identity control requirement, not a nice-to-have. When 48% of banks lack personnel skilled in both AI and cybersecurity, the likely failure mode is misclassification of behaviour, slower escalation, and weak tuning of controls that sit between users and abuse. The control gap is not only technical. It is the inability to interpret AI-shaped abuse through an identity lens. The practical conclusion is that identity governance now depends on shared fraud, AI, and security literacy.

Bot mitigation and identity assurance must be evaluated as one system. The article’s use of 225 plus signals points to a layered decision model, but layered only works when the layers are coherent. A bank can have strong device data, strong challenge flows, and strong fraud rules, yet still fail if those signals are not tied to a single trust decision. Practitioners should re-evaluate whether their current controls make one decision or several disconnected guesses.

From our research:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • For a broader identity lens, see OWASP NHI Top 10 for the agentic risk patterns that security teams should map to controls.

What this signals

Identity programmes that separate fraud and IAM will struggle to keep pace. Bank attackers now move across login, recovery, and transaction stages quickly enough that a single-team operating model becomes a control gap. The practical shift is toward shared decisioning, shared telemetry, and common escalation paths that treat account trust as an enterprise concern rather than a channel-specific one.

Cross-skilled teams will matter more than isolated tooling purchases. When 48% of banks lack personnel skilled in both AI and cybersecurity, the organisation may misread AI-shaped abuse as ordinary fraud noise. The programme response should be to build joint expertise across identity, fraud, and security operations, then align that to policy tuning and incident response. For supporting research, see 52 NHI Breaches Analysis.

Banking controls will increasingly be judged by how well they handle adaptive abuse. Static checks are not enough when attackers can change tactics midstream. Identity assurance, bot defence, and recovery governance need to be measured as one system, or the attacker simply shifts to the next weakest decision point.


For practitioners

  • Unify fraud and identity decisioning Map the points where authentication, device intelligence, bot detection, recovery, and fraud review all influence the same account decision. The goal is one risk path, not separate teams making conflicting calls.
  • Reassess account recovery controls Review password reset, MFA reset, and support-assisted recovery for steps that can be socially engineered or scripted at scale. Recovery is often where account takeover becomes durable.
  • Build shared AI and cybersecurity escalation playbooks Define when a fraud analyst, IAM lead, or SOC analyst owns the next step when behaviour is ambiguous. Shared escalation cuts the delay attackers rely on when they test weak points across teams.
  • Use customer-facing friction selectively Apply step-up checks and challenges only where risk signals justify them, so you do not create avoidable abandonment while still disrupting scripted abuse. Measure false positives and recovery fraud together.

Key takeaways

  • The article shows that banking fraud is now an identity governance problem as much as a security problem.
  • The evidence is stark: 90% of banks are worried about account takeover, but only 19% feel very well prepared to handle AI attacks.
  • Teams should align IAM, fraud, and security controls into one trust decision path before AI-assisted abuse exploits the gaps between them.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Identity access control is central to stopping account takeover and fraud abuse.
NIST SP 800-63Digital identity assurance matters when attackers abuse login and recovery paths.
NIST Zero Trust (SP 800-207)PR.AC-4Continuous verification fits the layered decisioning needed for bot and ATO defence.

Tie authentication and recovery flows to PR.AC-1 so risky sessions get stepped up consistently.


Key terms

  • Account Takeover: Account takeover is the unauthorised capture of a legitimate user account for fraud, abuse, or data access. In banking, it often follows credential stuffing or phishing and becomes more damaging when recovery, session, and transaction controls are not governed as one trust chain.
  • Credential Stuffing: Credential stuffing is the automated testing of stolen username and password combinations across many sites. It succeeds when organisations rely on password reuse, weak rate limits, or disconnected detection signals that do not recognise repeated identity abuse across sessions and channels.
  • Adaptive Challenge: An adaptive challenge is a dynamic verification step that changes based on risk signals such as device trust, behaviour, or session context. It reduces fraud only when the logic is tied to a broader identity decision model rather than used as an isolated friction control.

What's in the full announcement

Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:

  • Specific banking use cases for account takeover, credential stuffing, fake account creation, SMS toll fraud, API security, and MFA compromise.
  • The platform's 225 plus risk signals and how those signals are used in decisioning and mitigation flows.
  • Examples of customer stories showing how attacks were interrupted across phishing, ATO, and volumetric abuse scenarios.
  • The article's framing of how dynamic challenges and cross-vertical intelligence are applied in practice.

👉 Arkose Labs' full article covers detection signals, mitigation mechanics, and banking use cases in more operational detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org