By NHI Mgmt Group Editorial TeamDomain: Identity Beyond IAMSource: SignifydPublished November 20, 2025

TL;DR: Manual review still has a role in ecommerce fraud detection, but Signifyd cites Merchant Risk Council data showing 35% of fraud teams want to reduce or eliminate it, and says merchants now screen twice as many orders digitally as manually. Human review remains useful for edge cases, but machine-led decisioning is becoming the operational default.


At a glance

What this is: This is a Signifyd analysis arguing that manual fraud review should be reserved for edge cases while machine learning handles most ecommerce decisions.

Why it matters: It matters to fraud, IAM, and identity verification teams because the same governance problem appears wherever humans are asked to adjudicate high-volume trust decisions that systems could score continuously.

By the numbers:

👉 Read Signifyd's analysis of manual fraud review versus AI


Context

Manual fraud review is a control process, not a strategy. It works when the volume of suspicious transactions is low enough for humans to add context, but it breaks down when teams use people as the primary decision engine for every ambiguous order. In ecommerce, that creates friction, cost, and inconsistent outcomes. The primary keyword here is manual fraud review, and the governance question is how much trust should be left to a human judgment loop versus a machine-scored decision.

For identity and fraud programmes, the relevance is broader than checkout abuse. Any environment that relies on manual adjudication for access, verification, or transaction trust eventually hits the same scaling limit: humans are slower, more expensive, and harder to standardise than well-governed decision systems. That makes the article useful not because it proves AI is magic, but because it shows where operational governance shifts from review to policy.


Key questions

Q: How should merchants reduce manual fraud review without increasing fraud risk?

A: Merchants should first segment transactions into stable, low-risk decisions and true exceptions. Then they should automate the routine cases, keep human review for ambiguous orders, and monitor decline rates, override rates, and false positives. The goal is not zero review. It is to make manual review an exception-control function rather than a default operating model.

Q: Why does manual fraud review become expensive at scale?

A: Manual fraud review becomes expensive because each case consumes analyst time, adds delay to order fulfilment, and increases the chance of inconsistent decisions. Even a well-run team cannot match the throughput of automated scoring when volumes rise. The hidden cost is not only payroll. It is abandonment, lost conversions, and the operational drag of routing too many normal decisions to people.

Q: What do teams get wrong about hybrid fraud controls?

A: Teams often assume that adding more human review automatically improves accuracy. In practice, a hybrid model works only when automation handles the bulk of routine decisions and humans focus on genuine edge cases. If review queues are full of obvious approvals, the hybrid model is hiding weak policy rather than improving fraud protection.

Q: How do merchants know if automation is ready to replace most manual review?

A: Merchants should look for a low review-to-decline rate, stable model performance, and a small number of well-defined exception types. If most reviewed orders would have been approved anyway, the manual layer is not adding much value. Readiness means the system can make consistent decisions with measurable oversight, not that every case is fully automated.


Technical breakdown

How manual fraud review actually works in practice

Manual fraud review is a case-handling workflow built around exception management. A trigger such as address mismatch, unusual order value, or risky geography sends a transaction into human analysis, where reviewers inspect customer data, history, and supporting evidence before deciding to approve or decline. The problem is not that human judgment has no value. The problem is that manual review depends on subjective interpretation, inconsistent thresholds, and limited throughput. Once the queue grows, the process becomes a bottleneck rather than a control. In governance terms, it is a compensating control for uncertainty, not a scalable decision framework.

Practical implication: treat manual review as an exception path with defined thresholds, not the default decision layer.

Why machine learning changes fraud decisioning economics

Machine learning changes fraud prevention because it shifts the decision from a person reading a case file to a model evaluating a large feature set in near real time. That improves throughput, consistency, and the ability to learn from network-scale signals that a single merchant cannot see alone. In fraud and identity contexts, this matters because the operational cost of delay is often higher than the cost of a wrong decision. A model can also be tuned to risk appetite, which means automation does not have to be binary. The governance challenge is ensuring the model is monitored, retrained, and constrained rather than treated as an opaque authority.

Practical implication: define model thresholds, review triggers, and monitoring controls before expanding automation.

Review thresholds are a governance lever, not a tuning afterthought

The article's review-then-decline metric is really a governance signal. If most manually reviewed orders would have been approved automatically, then the review queue is absorbing work that policy could have handled. That means the organisation is paying people to confirm low-risk decisions while the real risk sits in the small set of truly ambiguous cases. This is analogous to identity programmes where broad review processes are used to compensate for weak decision policy. Better governance starts with clear risk segmentation, because thresholds determine where humans add value and where they simply slow the business down.

Practical implication: measure the percentage of manual reviews that change the final decision and raise automation thresholds where the rate is low.


Threat narrative

Attacker objective: The attacker aims to complete fraudulent transactions while bypassing detection long enough to convert stolen value into shipped goods or authorised payments.

  1. Entry occurs when a suspicious order or account signals possible fraud and enters a review queue rather than being auto-decisioned. Escalation follows when slow handling, inconsistent judgment, or poor thresholds allow fraudulent activity to continue through the checkout path. Impact is financial loss, customer friction, and operational drag from high-cost manual handling.

NHI Mgmt Group analysis

Manual fraud review is a control for exceptions, not a sustainable trust model. Once review volume becomes routine, human judgment turns into queue management and loses the contextual advantage it was meant to provide. The article shows that the operational question is no longer whether manual review can work, but where it still adds unique value. For practitioners, that means reserving humans for genuinely ambiguous cases.

AI-assisted decisioning creates a governance problem that looks familiar to identity teams. Organisations that centralise trust decisions in people often do so because policy, thresholds, or evidence models are incomplete. Fraud review, identity proofing, and access approval all fail in the same way when humans are forced to act as the primary control. The lesson is to move judgement closer to policy and telemetry, not to add more review layers.

Review-to-decline rates expose where process has become inefficient control theatre. If most manual reviews end in approval, the organisation is paying for redundancy rather than risk reduction. That mirrors broader identity governance failures where access reviews produce activity but not materially better decisions. Practitioners should treat low decline rates as a sign that decision logic needs redesign, not that reviewers need more time.

Machine learning does not remove governance, it changes the control surface. The real issue is no longer whether a person approved an order, but whether the model, thresholds, and exception handling are governed with the same discipline as any other decision system. That makes fraud operations increasingly similar to IAM programme management: policy, evidence, and accountability matter more than the approval event itself. Practitioners should manage the model as a governed trust engine.

Manual fraud review and identity governance are converging around the same operating principle. High-volume trust decisions should be automated when the decision logic is stable, and escalated only when evidence is incomplete or unusual. That does not eliminate human oversight. It moves it to policy design, drift detection, and exception management, which is where security teams should focus their attention.

What this signals

Manual decisioning only works when the trust signal is rare, the queue is small, and the organisation can accept inconsistency as part of the control. Once that balance tips, the control ceases to be a control and becomes operational drag. Teams should treat this as a programme-design issue, not a staffing issue.

Decision-threshold debt: when review teams compensate for weak policy by manually resolving cases that should be machine-scored, the programme accumulates cost and inconsistency. That pattern is familiar in identity governance, where review activity can mask poor entitlement design. The fix is to redesign the decision boundary, not just add more reviewers.

For identity-adjacent programmes, the relevant lesson is that automation governance matters as much as automation capability. Identity proofing, fraud scoring, and access approval all need measurable thresholds, exception handling, and audit trails. The control objective is not to eliminate humans, but to move them to the points where their judgement changes outcomes.


For practitioners

  • Define explicit manual-review thresholds Set objective triggers for when an order moves to human review, such as risk score, transaction value, geography, or mismatch conditions, and document when analysts may override automation.
  • Measure review-to-decline conversion Track how often manual reviews end in decline versus approval, then use that ratio to determine whether the team is spending time on decisions that policy could automate.
  • Move reviewers into exception management roles Redesign fraud teams so they validate edge cases, tune thresholds, and investigate drift instead of handling every suspicious transaction from first review to final decision.
  • Govern machine-learning decision engines like identity controls Assign ownership for model changes, data quality, and escalation logic so the fraud engine has clear accountability, auditability, and rollback paths.

Key takeaways

  • Manual fraud review is still useful, but only as an exception control for edge cases that automation cannot resolve cleanly.
  • The evidence in the article points to a costly operating model, with manual handling adding delay, inconsistency, and avoidable review volume.
  • Practitioners should redesign thresholds, model governance, and exception handling so humans manage ambiguity instead of routine decisions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Review thresholds govern which decisions require human intervention and which are automated.
NIST SP 800-53 Rev 5SI-4Model monitoring and anomaly detection support fraud decision integrity.
GDPRWhere fraud review uses personal data, governance must cover lawful processing and minimisation.

Apply GDPR data minimisation and transparency controls where customer data is used in review decisions.


Key terms

  • Manual Fraud Review: A manual fraud review is a human-led assessment of a transaction or account to decide whether it should be approved, rejected, or escalated. It is typically used for edge cases that automated scoring cannot resolve with enough confidence, but it becomes inefficient when used for routine decisions.
  • Review-to-Decline Rate: Review-to-decline rate measures how many manually reviewed transactions are ultimately declined. A low rate usually means the review queue is catching too many cases that automation could have handled, while a higher rate can indicate that human review is finding meaningful exceptions.
  • Machine Learning Fraud Decisioning: Machine learning fraud decisioning uses statistical models and transaction signals to approve, decline, or route cases for review. It improves speed and consistency by evaluating many signals at once, but it still requires governance over thresholds, retraining, and exception handling.

What's in the full article

Signifyd's full blog covers the operational detail this post intentionally leaves for the source:

  • The four-step manual review workflow, including initial assessment, customer verification, historical context, and final determination.
  • The cost and customer-experience impact of manual review, including the reported $3.47 average cost per transaction.
  • The review-then-decline calculation used to decide whether automation thresholds should be raised.
  • The merchant-facing explanation of how machine learning changes decision speed, accuracy, and scale.

👉 Signifyd's full post covers the review workflow, cost model, and automation threshold logic.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and identity lifecycle fundamentals. It gives identity and security practitioners a practical way to connect access control, lifecycle discipline, and governed automation.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org