TL;DR: AI-driven fraud is getting harder to distinguish from legitimate automation, with Sumsub citing a 180% year-on-year increase in multi-step, coordinated attacks in 2025 and a model that binds agent activity to verified human identity for accountability. The real shift is that identity teams must govern automation as a trust and attribution problem, not just a bot-detection problem.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- According to Sumsub’s Identity Fraud Report 2025–2026, there was a 180% year-on-year increase in multi-step, coordinated attacks globally in 2025.
- AI agents outnumbered by 25x to 50x in modern enterprises is not a future-state issue but an operational governance problem now.
Questions worth separating out
Q: What breaks when AI agents can act without a verified human behind them?
A: Fraud and IAM controls lose attribution.
Q: Why do AI agents complicate identity and access management programmes?
A: They complicate IAM because they sit between user intent and machine execution.
Q: How do security teams decide when to challenge automated activity?
A: They should challenge automation when the action is high risk, state changing, or hard to reverse.
Practitioner guidance
- Map automation paths to accountable humans: Inventory every workflow where AI or browser automation can create accounts, move funds, change controls, or trigger payouts, then require a named human owner for each path.
- Apply step-up checks at high-risk moments: Use liveness or equivalent identity assurance only where the action changes state materially, such as onboarding, account control changes, or high-value payouts.
- Separate bot detection from authorisation policy: Treat device intelligence and bot detection as signals, not final decisions.
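One way to combine the three points above in a single authorisation check, as an added example that is not code from Sumsub or from this editorial. The path names, owner registry, `Request` fields and `authorise` function are hypothetical, and the data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed data: each automation path has one named human owner.
PATH_OWNERS = {"onboarding": "alice", "account_control_change": "bob",
               "high_value_payout": "carol", "balance_lookup": "dave"}
# State-changing paths named in the guidance above.
HIGH_RISK = {"onboarding", "account_control_change", "high_value_payout"}
# Constructed: carol has changed role, so she is no longer an active sponsor.
ACTIVE_HUMANS = {"alice", "bob", "dave"}


@dataclass
class Request:
    path: str
    automated: bool              # bot-detection / device signal, not a verdict
    bound_human: Optional[str]   # verified human the session or agent acts for
    recent_liveness: bool        # step-up already passed in this session


def authorise(req: Request) -> tuple:
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    owner = PATH_OWNERS.get(req.path)
    if owner is None:
        return "deny", "path has no named owner"
    if owner not in ACTIVE_HUMANS:
        return "deny", "path owner inactive, authority needs review"
    if req.bound_human is not None and req.bound_human not in ACTIVE_HUMANS:
        return "deny", "sponsor inactive, delegation needs review"
    if req.path not in HIGH_RISK:
        # Automation alone is never a reason to block a low-risk action.
        return "allow", "low-risk path"
    if req.bound_human is None:
        # The bot signal only matters in combination with risk and attribution.
        if req.automated:
            return "deny", "high-risk automation with no verified human"
        return "step_up", "verify the human before a state-changing action"
    if not req.recent_liveness:
        return "step_up", "liveness required for state-changing action"
    return "allow", "attributed to " + req.bound_human


if __name__ == "__main__":
    for r in [Request("balance_lookup", True, None, False),
              Request("onboarding", True, "alice", False),
              Request("high_value_payout", True, "alice", True)]:
        print(r.path, authorise(r))
```

The last sample request is denied even though the agent is bound to an active human, because the path's owner has left the role that justified it.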
What's in the full announcement
Sumsub's full blog post covers the operational detail this post intentionally leaves for the source:
- How AI Agent Verification is wired into Device Intelligence, Bot Detection, and Risk Scoring workflows
- Where liveness verification is used in onboarding, account control changes, and high-value payout flows
- How Mule Network Prevention looks for coordinated behaviour across devices, accounts, and sessions
- The article's framing of Know Your Agent as a practical control model for human-backed automation
AI agent verification and KYA: what changes for IAM teams?
Explore further
AI agent verification is really an accountability control, not a bot control. The article frames automation as manageable when it can be tied to a verified human, which places the control problem squarely in identity governance rather than perimeter filtering. That matters because fraud teams often over-index on machine detection while missing the attribution layer that decides who is answerable for the action. The practitioner takeaway is that automation policy and identity assurance now need to be designed together.
A few things that frame the scale:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
A question worth separating out:
Q: What should organisations do when delegated automation changes role or leaves service?
A: They should treat delegated automation like a governed identity with lifecycle events, not a one-time setup. When the human sponsor changes role or exits, the automation’s authority, approvals, and exception paths must be reviewed so accountability does not outlive the business relationship that justified it.