TL;DR: Credential stuffing and AI-enabled fraud are already driving major losses, with consumers losing over $12.5 billion in 2024 and U.S. fraud losses projected to reach $40 billion by 2027, according to FTC and Deloitte figures cited by Arkose Labs. The real issue is not bot volume but the inability to tell legitimate automation from adversarial agents, which makes static detection and point-in-time controls structurally inadequate.
NHIMG editorial — based on content published by Arkose Labs: AI The Financial Cost of Agentic AI Fraud
By the numbers:
- Consumers lost over $12.5 billion to fraud in 2024, according to FTC data cited by Arkose Labs.
- U.S. fraud losses are projected to reach $40 billion by 2027, driven by generative AI, according to Deloitte figures cited by Arkose Labs.
- Arkose Labs’ November 2025 study found that 8 in 10 enterprises report improved cybersecurity posture from AI adoption, even though only 44% feel very well prepared for AI-powered volumetric attacks.
Questions worth separating out
Q: What fails when fraud controls are built only for bots and not agentic attackers?
A: Static bot controls fail because agentic attackers do not behave like fixed scripts.
Q: Why do legitimate AI agents complicate fraud and access decisions?
A: Legitimate AI agents complicate decisions because they can share the same technical signals as malicious automation while still being authorized to act.
Q: How do teams know whether machine traffic is becoming a fraud risk?
A: Look for growing use of shared login patterns, repeated challenge failures, unusual transaction sequencing, and machine activity that changes behaviour after friction is introduced.
Practitioner guidance
- Define a Know Your Agent policy: Create identity requirements for every automated actor that touches customer or payment flows.
- Move from point-in-time blocking to continuous prevention: Use controls that evaluate behaviour across the full session, not just at login, because adaptive agents can change tactics after every denial.
- Tighten authentication defaults for high-value channels: Make MFA mandatory where it is still optional, especially for financial and retirement accounts.
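The four signals named in the Q&A above, evaluated over whole sessions rather than at login as the second guidance item recommends, shown as an added Python example (not code from Arkose Labs or NHIMG). The event names, tuple fields and thresholds are assumptions chosen for illustration, and the events are constructed.

```python
from collections import defaultdict
from statistics import mean

# Constructed events, not real telemetry: (session, account, fingerprint, t_sec, event)
EVENTS = [
    ("s1", "alice", "fp-A", 0, "login_ok"), ("s1", "alice", "fp-A", 42, "view_balance"),
    ("s1", "alice", "fp-A", 90, "transfer"),
    ("s2", "bob", "fp-B", 0, "login_ok"), ("s2", "bob", "fp-B", 1, "challenge_fail"),
    ("s2", "bob", "fp-B", 2, "challenge_fail"), ("s2", "bob", "fp-B", 3, "challenge_fail"),
    ("s2", "bob", "fp-B", 33, "challenge_pass"), ("s2", "bob", "fp-B", 63, "add_payee"),
    ("s2", "bob", "fp-B", 65, "transfer"),
    ("s3", "carol", "fp-B", 0, "login_ok"), ("s3", "carol", "fp-B", 50, "view_balance"),
    ("s4", "dave", "fp-B", 0, "login_ok"), ("s4", "dave", "fp-B", 45, "view_balance"),
]

def passed_login(events):
    """Point-in-time view: every session that authenticated looks fine."""
    return {sid for sid, _, _, _, ev in events if ev == "login_ok"}

def evaluate_sessions(events, fp_accounts=3, fails=3, fast_gap=5, shift=5.0):
    """Return {session: set of signal names}; thresholds are illustrative assumptions."""
    accounts_per_fp, sessions = defaultdict(set), defaultdict(list)
    for sid, acct, fp, t, ev in events:
        accounts_per_fp[fp].add(acct)
        sessions[sid].append((t, ev, fp))
    findings = {}
    for sid, rows in sessions.items():
        rows.sort()
        times = [t for t, _, _ in rows]
        names = [ev for _, ev, _ in rows]
        hits = set()
        if len(accounts_per_fp[rows[0][2]]) >= fp_accounts:  # one client, many accounts
            hits.add("shared_login_pattern")
        if names.count("challenge_fail") >= fails:
            hits.add("repeated_challenge_failures")
        for (t1, e1, _), (t2, e2, _) in zip(rows, rows[1:]):
            if e1 == "add_payee" and e2 == "transfer" and t2 - t1 < fast_gap:
                hits.add("unusual_sequencing")  # new payee paid within seconds
        if "challenge_fail" in names:  # compare pacing before and after first friction
            i = names.index("challenge_fail")
            before = [b - a for a, b in zip(times[:i + 1], times[1:i + 1])]
            after = [b - a for a, b in zip(times[i:], times[i + 1:])]
            if before and after and mean(before) > 0:
                ratio = mean(after) / mean(before)
                if ratio >= shift or ratio <= 1 / shift:
                    hits.add("behaviour_change_after_friction")
        findings[sid] = hits
    return findings
```

All four constructed sessions pass the login-only view, while the session-wide evaluation attaches every signal to `s2` and only the shared-fingerprint signal to `s3` and `s4`.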
What's in the full article
Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:
- The article breaks down the attack economics behind credential stuffing, AI-assisted fraud, and why attacker ROI changes when the actor becomes agentic.
- It includes the regulatory context around FinCEN deepfake fraud guidance and the EU AI Act, which matters if you need compliance language for executive reporting.
- It discusses the Know Your Agent (KYA) concept in more detail, including what provenance and authorization checks need to prove before automation can be trusted.
- It adds vendor-specific framing on continuous prevention versus point-in-time detection that implementation teams may want to evaluate against existing controls.
Explore further
Agentic fraud turns identity assurance into a provenance problem: once automated traffic can reason, adapt, and transact, the security question is no longer only whether a session is authenticated. The real question is whether the actor behind the session is authorized to act with that degree of independence. That shifts governance from coarse bot blocking toward binding automation to origin, ownership, and acceptable scope. Practitioners should treat this as a change in identity semantics, not just a fraud-control update.
A few things that frame the scale:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the AI Agents: The New Attack Surface report.
- Our research also found that 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, sharing sensitive data, and revealing access credentials.
A question worth separating out:
Q: Who is accountable when an automated agent causes financial fraud?
A: Accountability should sit with the programme that authorized the automation, the team that owns the transaction, and the control owners who accepted the residual risk. If the organisation cannot prove the agent’s origin, purpose, and scope, it cannot credibly defend the decision after loss or regulatory review. That is now a governance issue, not only an incident issue.