TL;DR: 90% of banks are concerned about account takeover and credential stuffing, while only 19% feel very well prepared to fight AI attacks and 48% lack personnel skilled in both AI and cybersecurity, according to Arkose Labs. The gap is no longer awareness, but operational readiness across fraud, IAM, and AI threat response.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- 90% of banks are concerned about ATO and credential stuffing.
- 19% of banks are very well prepared to combat AI attacks.
- 48% of banks lack personnel skilled in both AI and cybersecurity.
Questions worth separating out
Q: How should banks reduce account takeover risk without creating excessive customer friction?
A: Banks should combine device intelligence, behavioural signals, and adaptive challenge flows so that friction appears only when risk rises.
Q: Why do AI-assisted attacks make credential stuffing more dangerous for banks?
A: AI-assisted attacks make credential stuffing more dangerous because they help attackers vary timing, targeting, and follow-up behaviour at scale.
Q: What do security teams get wrong about bot mitigation in banking?
A: Security teams often treat bot mitigation as a point solution instead of a trust decision.
Practitioner guidance
- Unify fraud and identity decisioning Map the points where authentication, device intelligence, bot detection, recovery, and fraud review all influence the same account decision.
- Reassess account recovery controls Review password reset, MFA reset, and support-assisted recovery for steps that can be socially engineered or scripted at scale.
- Build shared AI and cybersecurity escalation playbooks Define when a fraud analyst, IAM lead, or SOC analyst owns the next step when behaviour is ambiguous.
What's in the full announcement
Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:
- Specific banking use cases for account takeover, credential stuffing, fake account creation, SMS toll fraud, API security, and MFA compromise.
- The platform's 225 plus risk signals and how those signals are used in decisioning and mitigation flows.
- Examples of customer stories showing how attacks were interrupted across phishing, ATO, and volumetric abuse scenarios.
- The article's framing of how dynamic challenges and cross-vertical intelligence are applied in practice.
👉 Read Arkose Labs' analysis of AI-driven banking fraud and account takeover risk →
Bank fraud, AI attacks, and the governance gap teams are missing?
Explore further
Fraud teams and identity teams are now managing the same attack surface. Arkose Labs is effectively describing a world where account takeover, bot abuse, and AI-assisted fraud cannot be governed as separate disciplines. The bank that treats customer authentication as one problem and fraud mitigation as another will miss the handoff points attackers exploit. The implication is that programme boundaries, not just tool gaps, are part of the exposure.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who should be accountable when AI-driven fraud crosses IAM and fraud operations?
A: Accountability should sit with a shared identity risk owner who can coordinate IAM, fraud, and security response. When the same abuse path touches customer login, recovery, and transaction controls, no single team sees the full picture. The accountable function must be able to change policy, not only investigate incidents.
👉 Read our full editorial: Arkose Labs' banking fraud data exposes AI attack readiness gaps