TL;DR: Account takeover is accelerating, with 83% of organisations seeing at least one incident in 2025 and projected losses reaching $17 billion, according to Sift. Static authentication and periodic tuning are no longer enough when attackers can continuously optimise behaviour, while agentic AI is helping fraudsters imitate users and adapt in real time.
NHIMG editorial — based on content published by Sift: Account Takeover Inside the Rise of ATO: How Agentic AI Is Rewriting the Rules of Digital Trust
By the numbers:
- In 2025, 83% of organizations experienced at least one account takeover incident.
- Sift’s Q3 2025 Digital Trust Index shows ATO attempts rose 4% year-over-year.
- Projected losses are climbing to $17 billion, up from $13 billion last year.
Questions worth separating out
Q: How should security teams reduce account takeover risk in customer-facing applications?
A: Security teams should combine behavioural detection, device intelligence, and adaptive challenges around login, recovery, and payment flows.
Q: Why do static authentication controls fail against modern account takeover?
A: Static controls fail because they assume the attack is visible at login and stays predictable.
Q: What do IAM teams get wrong about post-login trust?
A: They often treat successful sign-in as a durable trust decision instead of a temporary one.
Practitioner guidance
- Instrument behavioural trust signals across the full session Measure device movement, timing, transaction patterns, and step sequences after login so fraud models can detect account misuse before value is extracted.
- Add step-up controls to high-value account actions Require additional verification before payouts, loyalty transfers, profile changes, and other actions that materially increase fraud impact.
- Separate login success from trust approval Treat authentication as one signal, not the decision itself, and make sensitive workflows depend on contextual risk scoring and policy checks.
What's in the full article
Sift's full article covers the operational detail this post intentionally leaves for the source:
- The full breakdown of Sift’s behavioural and device-signal approach for distinguishing legitimate users from automated fraud.
- Examples of how post-login monitoring is applied to purchases, account edits, and loyalty activity in real customer journeys.
- The source article’s discussion of how agentic AI changes fraud velocity, scale, and adaptation patterns.
- The vendor’s commentary on using generative AI to summarise user actions across sessions for investigation workflows.
👉 Read Sift’s analysis of how agentic AI is reshaping account takeover →
Agentic AI and account takeover: are your controls keeping up?
Explore further
Account takeover is becoming an identity governance problem, not only a fraud problem. The article shows that attackers are now using automation and AI to imitate legitimate users, which means the control challenge extends beyond blocking bad credentials. IAM and fraud teams must treat behavioural trust as part of identity assurance, because a valid login no longer proves legitimate intent. The implication is that account governance now has to cover the full session, not just authentication.
A few things that frame the scale:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments.
A question worth separating out:
Q: Who should own fraud controls when IAM and fraud teams overlap?
A: Ownership should sit with the team accountable for the decision point, while IAM, fraud, and compliance all contribute the signals and policy. If one group owns alerts and another owns action, attackers exploit the gap. Shared governance matters more than shared tooling.
👉 Read our full editorial: Account takeover is being reshaped by agentic AI and adaptive fraud