TL;DR: Consumer-ready AI agents are driving more non-human traffic into customer journeys, exposing gaps in device fingerprinting, bot detection, and auditability as identity and fraud controls converge, according to Transmit Security. Traditional stacks assume stable human-driven sessions, but agent-mediated actions now require policies that distinguish trusted delegation from hijacked automation.
NHIMG editorial — based on content published by Transmit Security: Identity and Fraud in the Age of AI
By the numbers:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Questions worth separating out
Q: How should teams govern AI agents that act on behalf of customers?
A: Treat the agent as a delegated executor with bounded authority, not as a full customer identity.
Q: Why do classic fraud controls miss malicious or hijacked AI agents?
A: Because classic controls were built to separate humans from scripted bots, not to distinguish a legitimate-looking agent from a hijacked one.
Q: What breaks when identity and fraud teams stay in separate stacks?
A: The organisation loses a single view of who acted, why the action was authorised, and whether the outcome should be trusted.
Practitioner guidance
- Define agent-specific authorization boundaries: write policies that distinguish human action from delegated agent action, including explicit conditions for when the human must be looped back in before a purchase, booking, or payment completes.
- Replace fingerprint-only trust decisions: combine device, session, behavioral, and task-context signals before granting agent-mediated access, so a trusted interface does not automatically inherit customer-level privilege.
- Shorten the privilege window for agent sessions: use ephemeral, scoped tokens that expire as soon as the task changes, the risk score changes, or the session deviates from the expected customer journey.
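As an added illustration of the three guidance points above (example code, not from Transmit Security or NHIMG), a minimal policy check in Python: a delegation token scoped to one task, a decision that combines device, risk-score and task-context signals, and a human-in-the-loop step before a purchase completes. Token fields, thresholds and the sample journey are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
HUMAN_CONFIRM = frozenset({"purchase", "booking", "payment"})  # agent prepares, customer completes

@dataclass(frozen=True)
class AgentToken:                # ephemeral delegation token, scoped to one task (constructed)
    customer_id: str             # the human on whose behalf the agent acts
    agent_id: str                # the agent holding the token (not a customer identity)
    task_id: str                 # bound to a single task, not the whole journey
    allowed_actions: frozenset   # bounded authority granted for that task
    device_hash: str             # device/session the delegation was established on
    issued_at: datetime
    ttl: timedelta = timedelta(minutes=10)
    max_risk: float = 0.4        # token is no longer honoured above this risk score

@dataclass(frozen=True)
class ActionRequest:
    action: str
    task_id: str
    device_hash: str
    risk_score: float            # from the fraud stack (device + behavioural signals)
    now: datetime

def evaluate(token: AgentToken, req: ActionRequest) -> str:
    """Return 'allow', 'require_human' or 'deny:<reason>' for one agent action."""
    if req.now - token.issued_at > token.ttl:
        return "deny:token_expired"
    if req.task_id != token.task_id:
        return "deny:task_changed"        # task changed: the token must be re-minted
    if req.device_hash != token.device_hash:
        return "deny:session_deviation"   # session left the expected customer journey
    if req.risk_score > token.max_risk:
        return "deny:risk_exceeded"       # risk score moved: the privilege window closes
    if req.action not in token.allowed_actions:
        return "deny:out_of_scope"
    if req.action in HUMAN_CONFIRM:
        return "require_human"            # delegated, but completion needs the customer
    return "allow"

def run_demo() -> list:          # constructed journey: valid delegation, then hijack signs
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    tok = AgentToken("cust-1", "agent-7", "task-A",
                     frozenset({"search", "add_to_cart", "purchase"}), "dev-abc", t0)
    t1 = t0 + timedelta(minutes=2)
    cases = [("search", "task-A", "dev-abc", 0.1, t1),                   # allow
             ("purchase", "task-A", "dev-abc", 0.1, t1),                 # require_human
             ("purchase", "task-A", "dev-zzz", 0.1, t1),                 # deny:session_deviation
             ("search", "task-A", "dev-abc", 0.8, t1),                   # deny:risk_exceeded
             ("search", "task-A", "dev-abc", 0.1, t0 + timedelta(minutes=12))]  # deny:token_expired
    return [evaluate(tok, ActionRequest(*c)) for c in cases]
```

Every decision string is audit-ready: it records who acted (agent on behalf of customer), which task authorised it, and why the outcome was allowed, escalated, or refused.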
What's in the full article
Transmit Security's full product analysis covers the operational detail this post intentionally leaves for the source:
- How Mosaic applies Predictive AI signals to classify agent-driven sessions in real time.
- How just-in-time authorization is expressed for ephemeral agent tokens across customer journeys.
- How Google Cloud AI, Threat Intelligence, and Security Operations are combined in the product architecture.
- How the platform positions discovery, verification, and fraud prevention inside one workflow for implementation teams.
Read Transmit Security's analysis of AI agent identity and fraud controls: "AI agent fraud detection and identity: are your controls keeping up?"