Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Agentic AI and deepfake fraud: what identity teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Agentic AI breaks the identity verification assumptions behind human-centric fraud controls, while banks are already blocking 300 to 500 deepfake attempts per day and human reviewers perform roughly 8x worse than machine learning models in IDV, according to Incode. The operational gap is no longer theoretical: identity programmes built around people, documents, and review queues now face sessions with no stable human subject to verify.

NHIMG editorial — based on content published by Incode: 10 Insights on Deepfake Fraud and Identity Security From Money 20/20 Europe

By the numbers:

Questions worth separating out

Q: How should security teams handle account recovery when synthetic identities are in play?

A: Treat recovery as a privileged re-entry path, not a support convenience.

Q: Why do deepfake attacks create problems for IAM and fraud teams at the same time?

A: Because the same identity journey is being used to prove legitimacy, grant access, and recover access later.

Q: What breaks when identity verification assumes there is always a human behind the session?

A: The model breaks when the subject is an AI agent or a synthetic identity that cannot be verified through conventional human attributes.

Practitioner guidance

  • Map the recovery flow as an attack path Walk through password reset, MFA reset, help-desk verification, and recovery escalation as if you were the attacker.
  • Separate verification signals into independent layers Require device, session, document, biometric, and network evidence to fail independently rather than collapsing into a single score.
  • Reclassify account recovery as privileged access Apply stronger review, logging, and challenge controls to recovery than to ordinary support requests.

What's in the full article

Incode's full article covers the operational detail this post intentionally leaves for the source:

  • The Money 20/20 Europe session context and the operator perspectives behind each of the ten insights.
  • The fraud-versus-conversion tradeoff discussion, including how teams should think about blocked users and drop-off.
  • The practical breakdown of layered deepfake defence across device, biometric, document, and network signals.
  • The article's view on how agentic AI changes verification assumptions for financial services and regulated identity flows.

👉 Read Incode's 10 insights on deepfake fraud and identity security →

Agentic AI and deepfake fraud: what identity teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Agentic identity is forcing identity verification to move from person-centric trust to scope-centric trust. Traditional IDV assumes the subject can be verified through a face, document, or personal attribute. That assumption fails when the actor is an agent that may operate without a stable human-facing identity at runtime. The implication is that identity teams must rethink what they are certifying: not just who the subject is, but what the session is allowed to do and who is accountable for it.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, including 38% with no or low visibility and 47% with only partial visibility.

A question worth separating out:

Q: Who is accountable when agentic workflows use identity checks that were built for people?

A: Accountability should sit with the organisation that deploys and authorises the agent, not with the model itself. Security, IAM, and product teams need explicit ownership for scope, logging, and termination conditions. That prevents agentic behaviour from becoming an unowned trust gap inside the identity programme.

👉 Read our full editorial: Agentic AI breaks identity verification stacks built for humans



   
ReplyQuote
Share: