
Agentic commerce and authentication risk: what IAM teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Authentication, fraud prevention, and application security are converging around stronger trust, verification, and layered controls as OneSpan’s January 2026 newsletter ties together its Build38 acquisition, 2025 fraud trends, PSD3 and PSR updates, and emerging risks from agentic commerce.

NHIMG editorial — based on content published by OneSpan: The Authentication Newsletter for January 2026

By the numbers:

  • In 2025, reported losses in Japan from account takeover fraud reached approximately ¥690 billion, or US$4.44 billion.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging (37%) and over-privileged accounts (37%).
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

Questions worth separating out

Q: How should security teams handle delegated access when AI agents act on behalf of customers?

A: Security teams should treat delegated access as a separate governance layer, not as a normal login session.

Q: Why do passkeys and phishing-resistant MFA not solve fraud on their own?

A: They reduce credential theft, but they do not stop a compromised device, a manipulated session, or social engineering that exploits a legitimate user after authentication.

Q: How can banks tell whether transaction risk is higher than sign-in risk?

A: Banks need to compare the context of the transaction against normal user behavior, device posture, and previous session activity.

Practitioner guidance

  • Map delegated authority for agentic commerce: define what an AI agent may do on a user’s behalf, which transaction types are allowed, and how consent is revoked before the agent can complete a purchase or payment.
  • Extend fraud controls beyond login: correlate authentication events with device posture, behavioral analytics, and transaction context so that a valid login does not automatically equal a trusted payment.
  • Treat mobile app security as an identity control: review whether app hardening, integrity checks, and runtime protection are feeding identity and fraud decisions in regulated mobile journeys.

What's in the full analysis

OneSpan's full newsletter covers the operational detail this post intentionally leaves for the source:

  • The acquisition context around Build38 and how mobile app protection fits OneSpan's broader authentication and fraud direction.
  • The specific 2025 fraud trends cited by ThreatFabric, including investment fraud, carding, biometric abuse, genAI, and intelligence sharing.
  • The regulatory notes on PSR, PSD3, and CBUAE consumer protection requirements that shape banking control choices.
  • The webinar and resource references on fraud kill chains, passkeys, and mobile banking controls.

👉 Read OneSpan's January 2026 Authentication Newsletter on fraud, regulation and agentic commerce →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

Authentication is becoming a transaction control, not just a login control. The newsletter reflects a market shift that IAM teams can no longer ignore. Once fraud moves into the transaction layer, classic sign-in assurance is only the first checkpoint. Practitioners should treat authentication, device risk, and payment integrity as one operating model, not three separate teams.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why governance teams struggle to verify where non-human access is actually active.

A question worth separating out:

Q: Who is accountable when an AI agent or mobile app enables authorized fraud?

A: Accountability sits with the organisation that delegated the access and defined the control boundaries, not with the authentication method alone. In regulated environments, teams should align fraud controls, approval paths, and audit evidence with the relevant payment and consumer protection rules. If the delegation model is unclear, accountability will be unclear too.

👉 Read our full editorial: Authentication, fraud and agentic commerce are converging in 2026
