AI impersonation attacks: what IAM teams need to change now

TL;DR: AI-powered impersonation is scaling phishing, vishing, and executive fraud by pairing convincing synthetic voice, text, and video with rapid credential testing and replay attacks, according to WorkOS and CrowdStrike’s 2025 Global Threat Report. Static verification, weak session control, and one-time trust assumptions are no longer enough when attackers can imitate legitimate identity signals at machine speed.

NHIMG editorial — based on content published by WorkOS: Generative AI and enterprise identity fraud: How to defend against AI-powered impersonation attacks

By the numbers:

• CrowdStrike’s 2025 Global Threat Report showed a 442% spike in AI-powered voice phishing attacks in just six months.
• Attackers can attempt access within an average of 17 minutes when AWS credentials are exposed publicly, and as quickly as 9 minutes in some cases.
• 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.

Questions worth separating out

Q: How should security teams defend against AI-powered impersonation attacks?

A: Security teams should combine strong identity verification with continuous monitoring and tight authorization limits.

Q: Why do deepfake attacks make MFA less effective?

A: Deepfake attacks make MFA less effective because the attacker can target the human decision around the factor, not just the factor itself.

Q: What breaks when organisations rely on voice or video to verify executives?

A: Voice and video verification break when the organisation treats them as proof rather than as one signal among many.

Practitioner guidance

• Harden high-risk approvals Require out-of-band confirmation for payments, role changes, vendor bank detail updates, and other sensitive actions that could be triggered by impersonation.
• Shorten trust windows Use short-lived sessions, aggressive token revocation, and step-up checks before privileged actions.
• Rebuild login monitoring around behavior Prioritise anomalies such as unusual device posture, impossible travel, rapid approval sequences, and new message patterns instead of relying on voice or style recognition.

What's in the full article

WorkOS's full article covers the operational detail this post intentionally leaves for the source:

• Examples of SAML and OIDC patterns for strengthening enterprise SSO against impersonation-led fraud
• Workflows for deploying MFA, passkeys, and session revocation in high-risk approval paths
• Operational guidance on continuous monitoring for login anomalies, device changes, and token abuse
• Practical logging and audit patterns for incident response and compliance reviews

👉 Read WorkOS's analysis of AI-powered impersonation and enterprise identity fraud →

AI impersonation attacks: what IAM teams need to change now?

Explore further

View Full Forum →  |  NHI Foundation Course →