TL;DR: 64% of organisations report decreased customer acquisition due to cyberattacks, while 78% are concerned about AI-powered threats to critical business apps and 44% are focused on ATO and credential stuffing, according to Arkose Labs. The practical shift is that customer trust, bot pressure, and account abuse now have to be governed together, not as separate problems.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- 64% Report decreased customer acquisition due to cyberattacks
- 78% Are concerned about AI-powered threats to critical business apps
- 44% Are concerned about ATO/credential stuffing threats
Questions worth separating out
Q: How should security teams reduce account takeover risk in customer-facing applications?
A: Security teams should combine behavioural detection, device intelligence, and adaptive challenges around login, recovery, and payment flows.
Q: Why do bots and credential stuffing matter to IAM programmes?
A: Bots and credential stuffing matter because they turn identity controls into a business-risk problem.
Q: What breaks when adaptive challenges are too blunt?
A: When challenges are too blunt, legitimate users encounter unnecessary friction while attackers adapt around static controls.
Practitioner guidance
- Instrument customer journeys for abuse, not just authentication Map signup, login, password reset, and payment flows for credential stuffing, fake account creation, and scripted abuse.
- Calibrate challenge strength by risk tier Use adaptive challenges so low-risk users move through quickly while high-risk sessions face stronger verification.
- Tie fraud telemetry to identity and revenue metrics Track takeover rates, fake onboarding volume, and subscription abuse alongside conversion and churn so leadership sees the business cost of abuse.
What's in the full announcement
Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:
- Specific platform messaging around streaming revenue protection and customer transaction risk
- Product-oriented explanation of how 225-plus signals are combined into real-time decisioning
- Use-case examples for account takeover, fake onboarding, and SMS toll fraud
- The vendor's own framing of adaptive challenges and intelligence sharing
👉 Read Arkose Labs' analysis of AI-powered fraud risks in streaming and media →
AI-powered fraud in streaming apps: are your controls keeping up?
Explore further
Identity and fraud have converged into one governance problem: media and streaming platforms can no longer treat customer authentication, bot mitigation, and revenue protection as separate controls. The article shows that attack pressure now runs through the full customer journey, from fake onboarding to account takeover and subscription abuse. For practitioners, the implication is that identity governance must be measured by abuse resistance as much as by login success.
A few things that frame the scale:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
A question worth separating out:
Q: Who should own account abuse governance in streaming and media?
A: Account abuse governance should be shared by IAM, fraud operations, and product security, with clear decision ownership for challenge policy, recovery flows, and customer friction thresholds. If those responsibilities are split without coordination, attackers exploit the gaps between teams and users experience inconsistent protection.
👉 Read our full editorial: AI-powered fraud pressure is reshaping streaming account security