TL;DR: Banking leaders at Money20/20 Europe described how AI-driven fraud, embedded finance, cloud infrastructure, and evolving compliance demands are changing the way institutions balance trust with speed, according to SumSub. The identity lesson is that modern financial services now need governance built for continuous risk decisions across human, machine, and platform access.
At a glance
What this is: This episode brings together banking, payments, and risk leaders to explain how AI fraud, embedded finance, and cloud-native operations are changing trust controls.
Why it matters: It matters because IAM, PAM, and governance teams must align identity controls with faster decision cycles, higher fraud pressure, and more complex access relationships across human and non-human actors.
👉 Read SumSub's episode on banking leaders, AI fraud, and embedded finance
Context
Financial services teams are trying to preserve trust while making credit, payments, and onboarding faster. That creates a governance problem, because identity controls are now expected to support real-time risk decisions instead of slowing the business down.
The article frames that tension through banking and compliance leaders discussing fraud-resilient lending, cloud-native banking, and payments strategy. For IAM practitioners, the relevant question is not whether innovation should continue, but how access, assurance, and monitoring keep pace with the speed of financial operations.
Key questions
Q: How should banks connect fraud detection to access control decisions?
A: Banks should feed fraud and behavioural signals into conditional access and transaction controls so identity assurance is not frozen at login. If a session shows unusual device, velocity, or destination patterns, the system should step up verification or pause the action before value moves. This keeps fraud response inside the identity plane rather than treating it as a separate monitoring function.
Q: Why does embedded finance make identity governance harder?
A: Embedded finance introduces delegated access across partner systems, APIs, and service identities, so the institution no longer controls every identity in the trust chain. That increases the need for entitlement mapping, supplier recertification, and clear accountability for approved actions. Without those controls, a bank can be secure internally and still exposed through third-party access paths.
Q: What breaks when cloud banking teams treat compliance as a post-deployment task?
A: When compliance is checked after deployment, access shortcuts and privileged paths are already embedded in the platform. At that point, remediation is slower and more disruptive, especially in cloud-native banking where services change frequently. Governance has to be built into design reviews, delivery pipelines, and operational monitoring so new access does not outpace oversight.
Q: How do IAM teams support faster lending or payments without weakening trust?
A: IAM teams should align authentication, authorization, and fraud controls with the business action being taken. A low-risk lookup may need minimal friction, while a loan approval, payment release, or privilege change should trigger stronger checks. The goal is not to slow every journey, but to make higher-risk actions carry proportionately stronger assurance.
Technical breakdown
AI-driven fraud changes the timing of identity decisions
AI-driven fraud compresses the time available for identity checks, because attackers can adapt quickly across onboarding, payments, and support channels. In financial services, the issue is not only whether a user is authenticated, but whether the access request, transaction, or workflow is consistent with the current risk context. That pushes banks toward continuous evaluation rather than one-time assurance. Traditional IAM boundaries were built around discrete sign-in events, while fraud-aware identity decisions now need to observe behaviour across the session and transaction lifecycle.
Practical implication: align fraud signals with access policy so high-risk actions can trigger step-up checks or transaction holds.
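An added example (not code from the page or from SumSub) of the risk-adaptive decision this section and the earlier Q&A describe: the action's risk tier and the session's device, velocity and destination signals are scored together and compared against the assurance actually backing the session, so a lookup passes while a payment release on an unknown device is held before value moves. The action tiers, score weights and thresholds are assumed policy values, not figures from the page.

```python
from dataclasses import dataclass

# Action risk tiers follow the page's ordering: a lookup is low-risk, while
# payment release, loan approval and privilege change carry more risk.
# The numeric values are an assumed policy, not figures from the page.
ACTION_RISK = {
    "balance_lookup": 1,
    "payment_release": 3,
    "loan_approval": 3,
    "privilege_change": 4,
}

@dataclass
class SessionContext:
    device_known: bool             # device previously bound to this identity
    actions_last_minute: int       # velocity signal
    destination_seen_before: bool  # payee / account already in history
    auth_strength: int             # 1 = password, 2 = MFA, 3 = hardware-backed

def session_risk(ctx: SessionContext) -> int:
    """Score the post-login signals the text names: device, velocity, destination."""
    score = 0
    if not ctx.device_known:
        score += 2
    if ctx.actions_last_minute > 5:
        score += 2
    if not ctx.destination_seen_before:
        score += 1
    return score

def decide(action: str, ctx: SessionContext) -> str:
    """Return 'allow', 'step_up' or 'hold' for an action in the current session.

    Assurance is re-evaluated per action rather than fixed at login: the
    combined risk is compared with the strength of the authentication that
    actually backs this session.
    """
    risk = ACTION_RISK.get(action, 4) + session_risk(ctx)  # unknown action = high risk
    if risk <= ctx.auth_strength + 1:
        return "allow"
    if risk <= ctx.auth_strength + 3:
        return "step_up"   # challenge, then re-run decide() with the new strength
    return "hold"          # pause before value moves; route to review

def after_step_up(action: str, ctx: SessionContext, new_strength: int) -> str:
    """Re-evaluate the same action once a stronger challenge has been completed."""
    return decide(action, SessionContext(ctx.device_known, ctx.actions_last_minute,
                                         ctx.destination_seen_before, new_strength))
```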
Cloud-native banking depends on identity governance at design time
Cloud-native banking changes the identity control surface because service boundaries, API calls, and operational roles are more dynamic than in traditional core systems. When banking platforms are built to be agile, identity must be treated as part of the architecture, not as a downstream compliance layer. That means entitlements, privileged operations, and service-to-service trust all need governance from the start. The risk is that speed-oriented delivery teams create access paths that are technically convenient but difficult to review later.
Practical implication: build access design reviews into platform engineering so new services do not ship with unmanaged privilege.
Embedded finance expands the trust chain beyond the institution
Embedded finance adds third-party touchpoints that blur the line between the bank, the platform, and the end customer. Identity and access governance becomes more complex because assurance is no longer confined to one organisation's perimeter. The bank must understand which partner systems initiate actions, which identities hold delegated rights, and where accountability sits when something goes wrong. This is as much a governance problem as it is a technical integration problem, because trust now depends on the quality of delegated access and monitoring across the chain.
Practical implication: map delegated access paths end to end and review partner entitlements as part of supplier governance.
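An added example (not code from the page or from SumSub) of mapping a delegated access path end to end, as this section and the later analysis ask for: each link of the chain from the executing service identity back to the accountable customer must have a grant for the action, with sufficient assurance and a recent recertification, so an audit can state which identity acted, on whose authority, and with what assurance. The identities, dates, assurance levels and 90-day recertification window are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

# Minimum assurance an action requires at every link of the chain and the
# recertification cadence are assumed policy values, not figures from the page.
MIN_ASSURANCE = {"balance_lookup": 1, "payment_release": 2, "loan_approval": 2}
MAX_RECERT_AGE_DAYS = 90

@dataclass(frozen=True)
class Grant:
    grantee: str       # identity exercising the right (service, partner, staff)
    grantor: str       # identity on whose authority it is exercised
    action: str
    assurance: int     # 1 = shared secret, 2 = MFA / mTLS, 3 = hardware-backed
    recertified: date  # last time the grantor re-approved this right

@dataclass
class ActionRecord:
    action: str
    chain: list        # executing identity first, accountable principal last
    occurred: date

def verify_path(record: ActionRecord, grants: list) -> list:
    """Walk the identity path and return findings; an empty list means every
    link is explained: who acted, for whom, and with what assurance."""
    index = {(g.grantee, g.grantor, g.action): g for g in grants}
    findings = []
    for actor, principal in zip(record.chain, record.chain[1:]):
        grant = index.get((actor, principal, record.action))
        if grant is None:
            findings.append(f"no grant: {actor} acted for {principal}")
            continue
        if grant.assurance < MIN_ASSURANCE.get(record.action, 3):
            findings.append(f"weak assurance: {actor} -> {principal} ({grant.assurance})")
        if (record.occurred - grant.recertified).days > MAX_RECERT_AGE_DAYS:
            findings.append(f"stale recertification: {actor} -> {principal}")
    return findings

# Constructed sample: a partner lending app reaches the bank through a
# gateway service identity to act for a customer.
SAMPLE_GRANTS = [
    Grant("svc-partner-gateway", "partner-lendingapp", "loan_approval", 2, date(2026, 5, 1)),
    Grant("partner-lendingapp", "customer-4711", "loan_approval", 2, date(2025, 12, 1)),
    Grant("svc-partner-gateway", "partner-lendingapp", "payment_release", 3, date(2026, 5, 1)),
    Grant("partner-lendingapp", "customer-4711", "payment_release", 2, date(2026, 5, 15)),
]

def audit_samples() -> dict:
    when = date(2026, 6, 8)
    chain = ["svc-partner-gateway", "partner-lendingapp", "customer-4711"]
    return {
        "loan": verify_path(ActionRecord("loan_approval", chain, when), SAMPLE_GRANTS),
        "payment": verify_path(ActionRecord("payment_release", chain, when), SAMPLE_GRANTS),
        "direct": verify_path(ActionRecord("loan_approval", chain[::2], when), SAMPLE_GRANTS),
    }
```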
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Zacks Investment Research breach — Zacks breach exposed 12M customer records including credentials.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI fraud is forcing banking identity controls to become continuous rather than event-based. The old model assumed that a successful login or approved workflow was enough to establish trust for the session. That assumption is breaking because fraud actors adapt after authentication, not before it. Practitioners need to treat post-authentication behaviour as part of identity assurance, not just a separate fraud problem.
Embedded finance creates delegated identity exposure that most IAM programmes still under-model. When a customer journey runs through partners, the institution is not just governing its own users. It is governing access paths, approvals, and risk decisions that may originate outside the bank's direct control. That makes entitlement visibility and delegated accountability central to resilience, not optional reporting.
Cloud-native agility does not remove the compliance burden; it moves it into the build process. The leaders in this discussion all point toward faster delivery under regulatory pressure, which means governance cannot sit after deployment. Access design, privileged operations, and monitoring need to be treated as engineering constraints from the start. The practical takeaway is that security teams must be present where platforms are designed, not only where they are audited.
Financial trust is becoming a multi-actor identity problem, not a single-user problem. Modern banking now spans customers, staff, service identities, APIs, and external platforms in the same transaction chain. That means the control question is no longer simply who authenticated, but which identities were involved in creating, approving, and executing the action. Practitioners should reframe trust around the whole identity path.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- For the governance model behind this pattern, see Ultimate Guide to NHIs, Key Challenges and Risks for the controls that reduce sprawl, over-privilege, and unmanaged credentials.
What this signals
Identity governance in banking is moving toward risk-adaptive control planes. Teams that still separate fraud monitoring, access management, and compliance evidence will struggle to keep up with banking products that change in real time. The control model now has to absorb transaction context, partner delegation, and privilege changes as part of the same decision fabric.
With 72% of organisations already reporting or suspecting an NHI breach in our research, the underlying lesson is broader than fraud alone. Financial institutions need inventory, recertification, and delegated-access visibility that can survive rapid product change, especially where cloud services and embedded finance expand the number of identities in play.
The next maturity jump is not another dashboard. It is a governance model that can explain which identity acted, on whose authority, and with what level of assurance across the full journey.
For practitioners
- Tie fraud signals to access decisions: Feed behavioural and transaction-risk signals into conditional access policies so high-risk actions can trigger stronger verification before value moves or credit decisions complete.
- Review delegated access in embedded finance journeys: Map which partner systems, APIs, and service identities can initiate or approve actions on behalf of the institution, then recertify those rights alongside supplier reviews.
- Shift cloud governance left: Require identity and privilege review during platform design, not after deployment, so new banking services do not inherit unmanaged service access or operational shortcuts.
- Separate customer assurance from operational trust: Do not assume that a verified customer session proves the safety of every downstream action. Apply stronger checks where a request changes funds movement, lending outcomes, or privileged configuration.
Key takeaways
- The core risk is no longer just fraudulent access, but identity systems that cannot adapt fast enough to evaluate changing transaction context.
- The evidence from this discussion points to banking operations, cloud infrastructure, and embedded finance all expanding the trust chain at the same time.
- Practitioners should embed identity governance into fraud, platform, and supplier controls so speed gains do not create invisible privilege paths.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Access control and identity proofing matter where fraud and delegation overlap. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous verification fits cloud-native banking and partner-driven trust paths. |
| NIST CSF 2.0 | GV.RM-01 | Risk management governance is central when compliance is embedded in delivery. |
Link banking fraud signals to access policy so higher-risk actions trigger stronger verification.
Key terms
- Embedded Finance: Financial services delivered inside another product or customer journey rather than through a standalone banking channel. The governance challenge is that identity, risk, and accountability spread across multiple organisations, making delegated access and assurance controls just as important as the customer experience itself.
- Fraud-Resilient Identity Control: An identity control model that keeps checking risk after the user or service has authenticated. It combines access policy, behavioural signals, and transaction context so higher-risk actions can be slowed, challenged, or blocked when the session no longer looks trustworthy.
- Delegated Access: Access that one party can exercise on behalf of another, often through an API, partner platform, or service identity. In financial services, delegated access is a governance issue because the authority to act may originate outside the organisation that ultimately bears the risk.
- Cloud-Native Banking: Banking platforms built on cloud services, APIs, and modular delivery patterns rather than fixed monolithic systems. Identity governance must be designed into this model because access paths, operational roles, and service trust relationships change more quickly than traditional audit cycles.
Deepen your knowledge
AI-driven fraud, embedded finance, and cloud-native identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are designing controls for fast-moving financial services environments, it is worth exploring.
This post draws on content published by SumSub: an episode of What the Fraud? recorded at Money20/20 Europe in Amsterdam. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org