By NHI Mgmt Group Editorial Team | Published 2026-06-08 | Domain: Breaches & Incidents | Source: Sumsub

TL;DR: Identity fraud grew 180% year over year and multi-step attacks rose from 10% to 28% of all cases, according to Sumsub's Identity Fraud Report 2025-2026, showing that one-time verification is no longer enough across the customer lifecycle. Continuous, real-time identity controls now matter more than static checks when AI-powered fraud adapts mid-flow.


At a glance

What this is: A Sumsub analysis of rising AI-driven identity fraud and why static onboarding checks no longer contain multi-step attacks across the customer lifecycle.

Why it matters: IAM teams now have to govern identity risk as a continuous process across human, NHI, and AI-assisted interactions, not as a single authentication event.



Context

Identity fraud is no longer a single check that either passes or fails. It is now a sequence of probes, impersonation attempts, and escalation steps that can continue across onboarding, account recovery, and ongoing use. For IAM teams, that means the control problem has moved from point-in-time assurance to lifecycle assurance, with continuous verification becoming the practical baseline.

Sumsub's framing matters because the attack surface now spans both human identity workflows and AI-enabled deception. Deepfakes, synthetic identities, and coordinated fraud operations can defeat controls that were designed for one-off document review or isolated authentication events. The right response is to treat identity assurance as a moving target, not a gate at the front door.

For identity programmes already stretched across customer IAM, fraud operations, and access governance, this is a typical failure pattern rather than an edge case. The operational question is no longer whether fraud can mimic legitimate users, but how quickly the programme can detect progression when the fraud chain changes shape mid-session.


Key questions

Q: How should IAM teams respond to multi-step identity fraud?

A: They should move from single-point verification to continuous trust evaluation across onboarding, recovery, and downstream activity. Multi-step fraud succeeds when each step looks harmless in isolation, so the defence must correlate identity, device, and session signals over time. The practical aim is to detect progression early enough to narrow trust before abuse completes.

Q: Why do AI-powered fraud campaigns weaken one-time verification?

A: Because the attacker can use AI to adapt artefacts and tactics after the first check, then keep exploiting the account or session later. One-time verification only tells you that a user looked acceptable at one moment. It does not prove the identity will remain trustworthy when behaviour changes.

Q: How do security teams know if continuous identity verification is working?

A: Look for a reduction in fraud that progresses beyond first-touch checks, plus faster escalation of risk scores when behaviour changes. Good signals include fewer successful account takeovers after onboarding, better detection of unusual session transitions, and more accurate risk decisions during recovery flows.

Q: What is the difference between static onboarding checks and lifecycle identity assurance?

A: Static onboarding checks validate identity at a single entry point. Lifecycle identity assurance keeps evaluating trust after the user is admitted, using session, device, and transaction evidence. That difference matters because modern fraud often appears after the initial check, not before it.


Technical breakdown

Multi-step identity fraud across the customer lifecycle

Multi-step identity fraud combines several small actions into one coordinated attack chain. An attacker may begin with synthetic or stolen identity data, then use AI-generated artefacts such as deepfakes or altered documents to satisfy an initial check, and later pivot into account takeover, money movement, or mule-network activity. The key mechanism is persistence across stages, not a single successful bypass. Controls that only validate the first touchpoint miss the fact that fraud can emerge after onboarding when trust is already granted.

Practical implication: design controls that inspect identity behaviour after onboarding, not just during registration.

AI-powered fraud agents and coordinated abuse

AI fraud agents are software-driven adversaries that can generate content, adapt messages, and coordinate actions at scale with limited human supervision. They are not the same as simple automation because they can vary their tactics, timing, and presentation based on feedback. In identity operations, that means a fraud campaign can test multiple verification paths, imitate legitimate user behaviour, and adjust in near real time. The defensive challenge is less about blocking one artifact and more about detecting pattern shifts across repeated interactions.

Practical implication: look for behavioural correlation across sessions, devices, and identity events rather than trusting any one successful check.

Continuous verification versus one-time checks

One-time verification assumes that identity risk is front-loaded and that a successful initial check materially reduces future exposure. Continuous verification rejects that assumption. It treats identity trust as conditional and revisable, so signals from device reputation, session behaviour, document consistency, and transaction context can all be re-evaluated as risk changes. In fraud environments shaped by AI-generated impersonation, this model is more resilient because the attacker's success at entry does not guarantee durable trust.

Practical implication: replace static pass or fail logic with staged trust decisions that can narrow privileges when risk increases.
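
A minimal sketch of the staged trust decision described above, added here as an illustration (it is not Sumsub's or NHI Mgmt Group's code). The event names, weights, thresholds, half-life and sample stream are constructed assumptions; the point is that every event passes a check made in isolation, while the time-decayed, correlated score narrows trust as the chain progresses.

```python
from dataclasses import dataclass, field

# Constructed weights and thresholds: assumptions for illustration,
# not values from the Sumsub report.
WEIGHTS = {"kyc_pass": 0, "login": 0, "new_device": 25,
           "recovery": 30, "payee_added": 20, "transfer": 15}
HALF_LIFE_S = 24 * 3600        # a signal's weight halves every 24 hours
STEP_UP, RESTRICT = 40, 70     # staged trust tiers instead of pass/fail

@dataclass
class Account:
    events: list = field(default_factory=list)   # (timestamp, kind)
    devices: set = field(default_factory=set)

def risk(acct, now):
    """Time-decayed sum of every signal seen on the account so far."""
    return sum(WEIGHTS[k] * 0.5 ** ((now - t) / HALF_LIFE_S)
               for t, k in acct.events)

def observe(acct, ts, kind, device):
    """Record one lifecycle event and return the staged trust decision."""
    if acct.devices and device not in acct.devices:
        acct.events.append((ts, "new_device"))    # derived correlation signal
    acct.devices.add(device)
    acct.events.append((ts, kind))
    score = risk(acct, ts)
    if score >= RESTRICT:
        return "restrict"    # narrow privileges, e.g. hold money movement
    if score >= STEP_UP:
        return "step_up"     # re-verify before the flow continues
    return "allow"

def isolated(kind):
    """Static logic: judge each event alone, with no memory of earlier ones."""
    return "allow" if WEIGHTS[kind] < STEP_UP else "step_up"

def replay(stream):
    acct = Account()
    return [observe(acct, ts, kind, dev) for ts, kind, dev in stream]

# Constructed event stream: (seconds since onboarding, event, device id).
CHAIN = [(0, "kyc_pass", "dev-A"), (172800, "login", "dev-A"),
         (173400, "recovery", "dev-B"), (174600, "payee_added", "dev-B"),
         (175200, "transfer", "dev-B")]

if __name__ == "__main__":
    for (ts, kind, dev), decision in zip(CHAIN, replay(CHAIN)):
        print(f"{ts:>7}s {kind:<12} {dev}  isolated={isolated(kind)}  correlated={decision}")
```

The same payee and transfer events on the original device, spread a day apart, stay at "allow", which is the exclusion-risk side of the trade-off: the weights decide how much legitimate friction the programme accepts.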




NHI Mgmt Group analysis

Identity fraud has become a lifecycle problem, not a verification problem. The article shows why one-time onboarding checks fail once attackers can move from initial impersonation to later-stage abuse. That shift matters because the control boundary is no longer the application login screen; it is the full customer journey. Practitioners should treat fraud as a continuing governance issue across identity, session, and transaction layers.

Multi-step identity fraud is the right named concept for this shift. The 10% to 28% increase in multi-step attacks shows that attackers are chaining actions instead of trying a single bypass. That makes static assurance models brittle because they only measure the first event, not the progression of trust erosion. For identity programmes, the implication is clear: the attack is evolving through stages, so the defence model must observe stages as well.

AI-driven impersonation now exploits the gap between proof and persistence. Deepfakes and synthetic identities can help an attacker get through a check, but the real risk is that the resulting account or session remains trusted after the initial proof has already gone stale. That is a governance failure in any programme built on isolated validation events. Security and fraud teams should view persistence of trust as the real control objective.

Digital inclusion and fraud prevention are now coupled governance decisions. The article's emphasis on non-document verification and reusable identity reflects a broader truth: stricter checks can reduce fraud while also creating exclusion risk for legitimate users. That tension cannot be solved by either security or product teams alone. Practitioners should treat onboarding design as a policy choice with measurable access and abuse trade-offs.

AI anti-fraud will increasingly overlap with identity security governance. The article points to a category shift where fraud detection, verification, and identity lifecycle controls are converging. That convergence matters because the same identity evidence must support both access decisions and abuse detection. Practitioners should expect fraud tooling, IAM controls, and customer trust policies to be managed as one programme rather than separate stacks.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means many teams cannot even prove where identity risk is concentrated.
  • That visibility gap is why the Top 10 NHI Issues remains relevant for teams trying to separate inventory problems from control failures.

What this signals

Identity trust is becoming event-driven rather than checkpoint-driven. With fraud now evolving across the full user journey, IAM and fraud teams need shared telemetry that can reassess trust after onboarding, during recovery, and at transaction time. The programme question is no longer whether a user passed verification, but whether the trust decision still holds two or three steps later.

Lifecycle assurance is the better control lens for AI-enabled impersonation. The practical gap is not a lack of verification methods; it is the absence of governance for when trust should be reduced, re-evaluated, or withdrawn. For practitioners, that means aligning fraud operations, customer IAM, and security policy around the same lifecycle checkpoints rather than running them as separate control planes.

As identity deception gets more sophisticated, the operational advantage goes to teams that can correlate signals, not merely collect them. The broader market signal is that fraud prevention is converging with identity governance, and the organisations that recognise that convergence early will be better placed to manage both abuse and exclusion risk.


For practitioners

  • Add post-onboarding risk evaluation: Monitor identity behaviour after initial verification so account recovery, transaction changes, and device shifts can trigger re-assessment. Treat trust as conditional across the lifecycle, not permanent after first approval.
  • Correlate fraud signals across sessions: Link device reputation, document anomalies, behavioural telemetry, and transaction patterns into a single review path. Correlation is what exposes multi-step attacks that look normal when each event is reviewed alone.
  • Stress-test for AI-generated impersonation: Exercise customer verification flows against deepfake-style media, synthetic identity artefacts, and fast retry patterns. The goal is to find where controls still assume human-paced attacker behaviour.
  • Separate exclusion risk from fraud tolerance: Measure where tighter verification blocks legitimate users, especially in markets with poor document quality. Use those findings to decide where reusable identity or non-document checks are justified.

Key takeaways

  • AI-driven identity fraud is shifting from single-event abuse to multi-step progression across the customer lifecycle.
  • Sumsub reports 180% year-over-year growth in sophisticated fraud and a rise in multi-step attacks from 10% to 28% of all identity fraud.
  • The control answer is continuous trust evaluation, because static onboarding checks do not hold up when attackers adapt after entry.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | PR.AA-01 | Identity assurance must extend beyond first verification in fraud-prone journeys. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Continuous verification aligns with zero trust's ongoing validation model. |
| NIST SP 800-63 | | Identity proofing and federation decisions are central to the onboarding risk discussed here. |

Review proofing and identity assurance steps for lifecycle monitoring beyond initial registration.


Key terms

  • Multi-step identity fraud: An attack pattern where the adversary succeeds through a sequence of smaller actions rather than one obvious bypass. The first step may be identity proofing abuse, while later steps use the trusted account or session for takeover, mule activity, or transaction fraud.
  • Continuous verification: A governance model that keeps reassessing identity trust after initial admission. Instead of relying on a single approval at onboarding, it uses ongoing signals from behaviour, device context, and session changes to reduce or revoke trust when risk increases.
  • Lifecycle identity assurance: A control approach that treats identity trust as something managed across the full user journey. It combines onboarding, recovery, session monitoring, and downstream activity into one assurance model so fraud cannot hide behind a successful first check.
  • AI-powered impersonation: The use of generative or adaptive AI techniques to mimic legitimate users, documents, or behaviours. In identity operations, this raises the quality and speed of deception, making static rules and isolated checks less reliable as primary controls.


This post draws on content published by Sumsub: its analysis of the World Economic Forum Unicorn Community and AI-driven identity fraud. Read the original.
