TL;DR: Generative AI, multi-session fraud detection, facial biometrics and computer-using agent (CUA) visibility are changing how identity platforms are built, according to Transmit Security’s 2025 Mosaic Rewind. The deeper shift is that identity security is moving from static flows to continuously adapting controls, which raises governance demands across human IAM, fraud and non-human identity programmes.
NHIMG editorial — based on content published by Transmit Security: 2025 Mosaic Rewind Release Notes and platform update overview
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: How should teams govern AI-assisted identity journeys without losing control?
A: Teams should treat AI-assisted journey design as change management, not self-service automation.
Q: Why is cross-session fraud detection more effective than single-event scoring?
A: Single-event scoring sees only one interaction, and one interaction on its own can often look legitimate.
Q: How can security teams spot automated behaviour inside human-looking sessions?
A: Use behavioural timing, interaction patterns and system-level cues to identify automation that is operating through a normal login or application session.
Practitioner guidance
- Define approval boundaries for AI-assisted journey changes: Treat generated identity and fraud flows as governed changes, with explicit review points for policy, step-up logic and exception handling before they reach production.
- Correlate fraud evidence across sessions: Retain session lineage for biometric, behavioural and document signals so repeated patterns can be detected instead of treating each verification as a standalone event.
- Separate human proof from automated execution: Add detection logic for computer-using agents and other automated actors that can operate inside apparently normal user sessions, especially where access decisions are session based.
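An added example (not from the original post or from Transmit Security's product) of the cross-session correlation described above: every constructed session passes an assumed per-event risk threshold, yet grouping sessions by shared face, document and device identifiers exposes reuse across accounts. All field names, thresholds and sample values are assumptions.

```python
from collections import defaultdict

# Constructed sample sessions; field names and values are illustrative assumptions.
SESSIONS = [
    {"session": "s1", "account": "acct-101", "face": "f-aa", "document": "d-01", "device": "dev-1", "risk": 0.12},
    {"session": "s2", "account": "acct-102", "face": "f-aa", "document": "d-02", "device": "dev-2", "risk": 0.20},
    {"session": "s3", "account": "acct-103", "face": "f-aa", "document": "d-03", "device": "dev-2", "risk": 0.15},
    {"session": "s4", "account": "acct-200", "face": "f-bb", "document": None, "device": "dev-9", "risk": 0.10},
    {"session": "s5", "account": "acct-200", "face": "f-bb", "document": "d-10", "device": "dev-9", "risk": 0.30},
    {"session": "s6", "account": "acct-104", "face": "f-cc", "document": "d-03", "device": "dev-2", "risk": 0.18},
]

SINGLE_EVENT_THRESHOLD = 0.7   # assumed per-session risk cut-off
MIN_ACCOUNTS = 3               # assumed: one signal on this many accounts is suspicious
SIGNALS = ("face", "document", "device")


def single_event_flags(sessions):
    """Sessions a per-event scorer would flag on their own."""
    return [s["session"] for s in sessions if s["risk"] >= SINGLE_EVENT_THRESHOLD]


def build_lineage(sessions):
    """Map (signal type, value) -> sessions that presented it; skips missing signals."""
    lineage = defaultdict(list)
    for s in sessions:
        for sig in SIGNALS:
            if s.get(sig):
                lineage[(sig, s[sig])].append(s)
    return lineage


def cross_session_flags(sessions, min_accounts=MIN_ACCOUNTS):
    """Flag any signal value reused across at least min_accounts distinct accounts.

    A returning user (same account, same face and device) is not flagged,
    because the count is over distinct accounts, not sessions.
    """
    findings = {}
    for key, linked in build_lineage(sessions).items():
        accounts = sorted({s["account"] for s in linked})
        if len(accounts) >= min_accounts:
            findings[key] = {"accounts": accounts,
                             "sessions": sorted(s["session"] for s in linked)}
    return findings


if __name__ == "__main__":
    print("single-event flags:", single_event_flags(SESSIONS))
    for key, detail in cross_session_flags(SESSIONS).items():
        print(key, detail)
```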
What's in the full article
Transmit Security's full post covers the operational detail this post intentionally leaves for the source:
- Specific product workflow examples showing how Spark is used to build and analyse identity journeys
- Integration details for the new marketplace and how third-party tools fit into operational identity flows
- Implementation context for Multi-Session Detection, including the signals it correlates and where it fits in fraud operations
- The standards and certification detail behind FAPI 2.0 alignment and regulated use cases
AI-assisted identity flows: what it means for IAM and fraud teams?