Notifications
Clear all
Topic starter
12/06/2026 9:55 pm
TL;DR: AI-powered bots made up 40% of enterprise attack types in the last year and 88% of organisations reported more bot activity over two years, according to Arkose Labs research with KS&R. The security gap is now less about awareness than about whether identity, fraud, and account controls can adapt fast enough to adversarial AI.
NHIMG editorial — based on content published by Arkose Labs: AI-resistant solutions to defend against AI-powered fraud
By the numbers:
- 40% of all attacks on enterprises in the last year were AI-powered bots.
- 88% of enterprises saw an increase in AI-powered bot attacks in the last two years.
- 51% of all respondents don’t have enough talent with both AI and cybersecurity skills.
Questions worth separating out
Q: How should security teams handle AI-powered bots that target identity and account controls?
A: Security teams should treat AI-powered bots as adaptive identity threats, not just traffic noise.
Q: Why do AI-powered fraud attacks create more pressure on IAM programmes?
A: They compress the time between reconnaissance, credential abuse, and account takeover, which makes static identity controls less effective.
Q: How do you know if AI-resistant controls are actually working?
A: Look for reduced attacker success, higher retooling effort, and lower abuse conversion rather than only fewer blocked requests.
Practitioner guidance
- Map AI-abuse paths across identity and fraud controls Trace where credential stuffing, fake account creation, prompt abuse, and session hijacking intersect with IAM, customer authentication, and fraud analytics.
- Measure defensive AI approval latency Document how long it takes to approve, test, and deploy AI-based detection or response changes.
- Tune controls for attacker economics Assess whether your bot challenges, step-up checks, and account protections increase the cost of automation enough to reduce attacker ROI.
What's in the full report
Arkose Labs' full research covers the survey detail this post intentionally leaves at the strategic level:
- Sector-by-sector breakdowns of concern levels for generative AI threats across fintech, banks, airlines, hotels, and technology firms
- The full AI Enthusiasts model, including the specific behaviours that distinguish top-quartile defensive maturity
- A/B test details showing how AI-resistant challenges performed against AI-powered bots versus non-AI-resistant controls
- Additional report downloads and commentary on bot management and account security use cases
👉 Read Arkose Labs' research on AI-powered fraud and AI-resistant controls →
AI-powered fraud resistance: what enterprises still need to fix?
Explore further
13/06/2026 12:20 am
AI-powered fraud is now an identity governance problem, not just a bot problem. Once attackers use AI to scale account abuse, the control plane moves from rate limiting into identity assurance, session trust, and account lifecycle governance. That forces IAM and fraud teams to share responsibility for who or what is actually operating behind each transaction. Practitioners should treat bot resistance as part of identity security architecture, not a separate perimeter layer.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%, according to the same research.
A question worth separating out:
Q: Who should own response when AI fraud affects customer accounts and identity systems?
A: Ownership should sit across IAM, fraud, and security operations because the issue crosses authentication, account recovery, and abuse monitoring. When those functions operate separately, attackers exploit the handoff gaps. Shared ownership shortens containment and prevents the same pattern from recurring across channels.
👉 Read our full editorial: AI-powered fraud is outpacing enterprise defensive AI readiness
