TL;DR: A reported 180% rise in sophisticated multi-step attacks across 2024 to 2025 underscores how identity signals, device intelligence, and behaviour monitoring are converging in enterprise fraud controls, according to Sumsub. Fraud governance is no longer separate from identity governance, because the same trust decisions now span user onboarding, transaction monitoring, and real-time risk response.
At a glance
What this is: Sumsub’s latest Chartis recognition highlights how enterprise fraud controls are increasingly centered on identity signals, device intelligence, and real-time behavioural monitoring.
Why it matters: IAM teams should read this as a sign that fraud, identity verification, and compliance are becoming one operating model, which affects NHI, autonomous, and human identity governance alike.
By the numbers:
- The share of sophisticated multi-step attacks increased by 180% over 2024 to 2025.
Context
Fraud control is now an identity governance problem because the trust decision is no longer limited to login. Enterprises have to evaluate who or what is acting, whether the signal is human, machine, or agent-derived, and whether that identity can be trusted across the full session or transaction.
This matters because modern fraud programs sit on top of identity, device, and behavioural evidence at the same time. The article is really about how security teams are being pushed toward unified identity risk controls rather than separate fraud and IAM workflows.
For IAM practitioners, the practical issue is not vendor recognition but category drift. The fraud stack is absorbing more identity work, and that changes how teams think about assurance, monitoring, escalation, and the boundary between access governance and transaction risk.
Key questions
Q: How should security teams connect fraud monitoring with identity governance?
A: Security teams should treat fraud monitoring as part of the identity control plane, not a separate workflow. That means linking identity proofing, device intelligence, behavioural signals, and case management so the same evidence can support authentication, transaction review, and audit. When those functions stay split, attackers can move between controls faster than teams can correlate the risk.
Q: When do static fraud rules stop being enough?
A: Static fraud rules stop being enough when abuse unfolds in stages rather than in one obvious event. If an attacker can establish trust, change behaviour, and then complete the fraud chain through multiple interactions, single-point rules will miss the pattern. Teams need streaming detection, behavioural drift analysis, and escalation logic that can react before the final loss occurs.
Q: What do teams get wrong about identity-based fraud detection?
A: Teams often assume identity verification at onboarding is the main trust decision. In practice, the trust posture has to be reassessed during the session or transaction because fraud can emerge after the first check passes. The mistake is treating identity as a gate instead of a continuously scored signal that changes with context.
Q: How do you know if fraud controls are actually improving?
A: Fraud controls are improving when teams see fewer false handoffs, faster escalation, and better detection of staged attacks across the full user journey. The best signal is not the volume of alerts, but whether the organisation can connect identity, device, and behaviour evidence to a defensible decision. If investigations still rely on manual stitching, the model is not mature.
Technical breakdown
Identity signals in fraud detection
Fraud platforms increasingly combine identity verification signals with device intelligence and behavioural monitoring because no single indicator is reliable enough on its own. Identity signals tell you whether a person or account is plausible, device signals show whether the endpoint looks familiar or anomalous, and behaviour signals help distinguish normal use from scripted or coordinated abuse. The technical shift is toward continuous risk scoring across the full user journey rather than a one-time onboarding check. That architecture matters because many fraud patterns only become visible when weak signals are correlated over time.
Practical implication: teams should map which trust signals are available at onboarding, authentication, and transaction time, then close the gaps between them.
Real-time behavioural monitoring and multi-step attacks
Multi-step fraud attacks are harder to stop because the attacker does not need to win in a single request. They may establish a legitimate-looking foothold, then move through account takeover, payment abuse, or synthetic identity progression in stages. Real-time behavioural monitoring is designed to catch changes in cadence, sequence, device use, and interaction pattern before the full fraud chain completes. The architecture is closer to streaming detection than periodic review, which is why rule-only controls often lag behind coordinated attacks. When attack chains become adaptive, detection has to look for drift, not just known bad signatures.
Practical implication: teams should tune detection to behavioural drift and chained activity, not just static fraud indicators or individual rule hits.
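Putting the two sections above together, here is an added example (not Sumsub's or Chartis's code) of continuous trust scoring over a constructed session: identity assurance is the starting point, an unfamiliar device and a cadence change count as drift, and a high-risk action chained shortly after the device change drives a step-up, where a per-request identity check alone would have allowed every event.

```python
# Added illustration, not Sumsub's or Chartis's code: continuous trust scoring over one
# session's events. Event data, penalty weights and the threshold are constructed.
from dataclasses import dataclass, field
from statistics import median
from typing import List, Optional, Set, Tuple
HIGH_RISK_ACTIONS = {"add_payee", "transfer", "change_email"}  # constructed
STEP_UP_THRESHOLD = 0.5  # below this, re-verify instead of allowing the action
@dataclass
class Event:
    t: float               # seconds since session start
    action: str
    device_id: str         # device fingerprint seen on this request
    identity_score: float  # 0..1 assurance carried from proofing/authentication
@dataclass
class SessionState:
    known_devices: Set[str] = field(default_factory=set)
    gaps: List[float] = field(default_factory=list)  # inter-event gaps = cadence baseline
    last_t: Optional[float] = None
    since_device_change: int = 10**6  # events since a new device appeared (large = never)
def score_event(state: SessionState, ev: Event) -> Tuple[float, List[str]]:
    """Fold one event into the session; return (trust, reasons for penalties)."""
    trust, reasons = ev.identity_score, []  # identity signal is the starting point
    # Device signal: an unfamiliar endpoint appearing mid-session is drift.
    if state.known_devices and ev.device_id not in state.known_devices:
        trust -= 0.3; reasons.append("device_change"); state.since_device_change = -1
    state.since_device_change += 1  # becomes 0 on the changing event itself
    state.known_devices.add(ev.device_id)
    # Behaviour signal: cadence far faster than this session's own baseline.
    if state.last_t is not None:
        gap = ev.t - state.last_t
        if len(state.gaps) >= 2 and gap < 0.25 * median(state.gaps):
            trust -= 0.2; reasons.append("cadence_drift")
        state.gaps.append(gap)
    state.last_t = ev.t
    # Sequence signal: high-risk action within two events of a device change.
    if ev.action in HIGH_RISK_ACTIONS and state.since_device_change <= 2:
        trust -= 0.3; reasons.append("risky_action_after_device_change")
    return max(0.0, round(trust, 2)), reasons

def run_session(events: List[Event]) -> List[Tuple[str, float, str, List[str]]]:
    state, rows = SessionState(), []  # each row: (action, trust, decision, reasons)
    for ev in events:
        trust, reasons = score_event(state, ev)
        rows.append((ev.action, trust, "step_up" if trust < STEP_UP_THRESHOLD else "allow", reasons))
    return rows

# Constructed session: normal browsing, then a new device and a fast add_payee/transfer chain.
# Every event carries identity_score 0.9, so a static per-request identity check would allow all.
SAMPLE = [Event(0, "login", "dev-A", 0.9), Event(60, "view_balance", "dev-A", 0.9),
          Event(130, "view_statement", "dev-A", 0.9), Event(140, "add_payee", "dev-B", 0.9),
          Event(145, "transfer", "dev-B", 0.9)]
```

Running `run_session(SAMPLE)` allows the first three events and steps up the last two, with the reasons list recording which signals drove each decision so the outcome is auditable.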
Why identity and compliance now share the same control plane
Identity verification, fraud prevention, and compliance are converging because the same evidence supports all three decisions. A platform that can explain who is interacting, how the interaction changes over time, and whether the transaction fits expected patterns reduces handoffs between risk teams. That does not mean every problem is solved in one console, but it does mean the control plane increasingly has to serve multiple governance outcomes. For enterprises, the technical question is how to preserve auditability while retaining enough signal fidelity to make timely intervention possible.
Practical implication: teams should evaluate whether their fraud, IAM, and compliance evidence can be audited together without losing traceability.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Fraud identity controls are becoming the front line of identity governance. The article shows that enterprises are buying and benchmarking platforms on how well they combine identity signals, device intelligence, and behavioural monitoring. That is no longer just a fraud problem, because the same evidence increasingly governs who is trusted to complete a transaction, open an account, or progress through a workflow. Practitioners should treat fraud tooling as part of the identity control surface, not a separate security lane.
Identity-centric fraud governance: the category is shifting from point detection to continuous trust scoring. The Chartis recognition reflects a market preference for systems that can assess trust across the full user journey instead of only at entry. That shift matters because modern abuse patterns unfold over multiple steps and identities can change risk posture mid-session. The implication is that access governance, fraud prevention, and compliance review are converging on the same evidence model.
The 180% rise in sophisticated multi-step attacks shows why static assurance assumptions are breaking. Fraud programs built around single-event verification assume the risky event is visible at the point of entry. That assumption fails when attackers stage abuse across several interactions, channels, or identities before triggering loss. Practitioners should read this as a sign that control design has to follow the attack sequence, not just the initial authentication event.
Vendor recognition is becoming a proxy for maturity in identity-adjacent risk operations. Chartis is effectively rewarding completeness of offering, market direction, and operational coverage across fraud, identity, and compliance use cases. That tells practitioners the buying centre is moving toward platforms that can support cross-functional governance rather than isolated point solutions. The practical conclusion is that teams should re-evaluate whether their current tooling architecture can support shared evidence, shared escalation, and shared auditability.
The market is signalling that AI-driven fraud will force stronger linkage between identity proofing and runtime monitoring. As attack patterns become more automated and multi-step, the old split between onboarding assurance and post-login monitoring becomes harder to defend. Teams that keep those functions separate will struggle to explain how trust is maintained after the first decision point. The practitioner takeaway is that identity assurance must now extend beyond proofing into continuous monitoring.
From our research:
- The share of sophisticated multi-step attacks increased by 180% over 2024 to 2025, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- For a broader view of the root causes behind hidden identity risk, see 52 NHI Breaches Analysis.
What this signals
Identity-centric fraud governance: the market is moving toward evidence models that join proofing, device context, and behaviour into one decision surface. That makes fraud operations look more like identity governance, especially where trust has to persist after the initial access event.
For practitioners, the real question is whether their current programme can explain a risk decision from end to end. If identity proofing, case management, and runtime monitoring live in separate systems, the organisation may have control coverage but still lack decision coherence.
The implication is broader than fraud alone. As AI-driven abuse becomes more adaptive, teams will need governance models that can follow identity across onboarding, session use, and escalation without losing audit traceability.
For practitioners
- Map fraud signals to the identity control plane: Inventory which identity, device, and behaviour signals feed onboarding, transaction approval, and escalation decisions. Then identify where the same person or account is being assessed by different teams with no shared evidence model.
- Test controls against multi-step attack chains: Run scenarios that simulate staged fraud rather than single-event abuse. Focus on how detection behaves when an actor alternates devices, changes cadence, or moves across channels before the final loss event.
- Review auditability across fraud and IAM teams: Check whether identity proofing decisions, behavioural alerts, and case outcomes can be traced in one record set. If not, separate logs may be slowing investigations and obscuring accountability.
- Align escalation logic with runtime risk drift: Set thresholds for when a trusted identity should be re-evaluated during a session or transaction. Use behavioural changes, not just initial assurance, to decide when to intervene.
Key takeaways
- Enterprise fraud tooling is converging with identity governance because trust now has to be measured continuously, not just at onboarding.
- The 180% rise in sophisticated multi-step attacks shows why single-event rules and isolated reviews are too narrow for current fraud patterns.
- Practitioners should evaluate whether their fraud, IAM, and compliance controls share the same evidence and escalation logic before the next attack chain does.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Identity assurance must support fraud decisions across the full user journey. |
| NIST Zero Trust (SP 800-207) | Continuous verification tenet | Aligns with real-time behavioural monitoring and runtime trust reassessment. |
| NIST SP 800-63 | Identity proofing and authentication assurance | Underpin the fraud and access decisions discussed here. |
Map fraud and identity evidence to PR.AA-01 so trust decisions are consistent from onboarding to transaction review.
Key terms
- Identity-Centric Fraud Governance: An operating model that treats fraud detection, identity proofing, and access decisions as one connected control problem. It uses identity evidence, device context, and behavioural signals to decide whether a person or account should be trusted at each stage of a journey.
- Behavioural Drift: A meaningful change in how a user, account, or session behaves over time compared with its normal pattern. In fraud operations, behavioural drift is often more useful than a single suspicious event because it reveals coordinated or staged abuse before the final loss occurs.
- Continuous Trust Scoring: A method of reassessing trust throughout a session, transaction, or workflow instead of relying on one initial authentication or verification step. It combines multiple signals over time so teams can react when risk changes after entry.
Deepen your knowledge
Identity-centric fraud governance and behavioural monitoring are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is dealing with overlapping fraud, access, and compliance risk, it is worth exploring.
This post draws on content published by Sumsub: Chartis recognition for Enterprise Fraud Solutions 2026. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org