AI agents complicate customer identity because they can carry out actions that look legitimate while obscuring the actual decision-maker. That weakens attribution, reduces visibility into intent, and makes challenge policies harder to tune. Teams need a model that binds agent activity to the customer journey rather than to traffic appearance.
Why This Matters for Security Teams
AI agents complicate customer identity and fraud controls because the system can look like a normal customer session while the real decision path is being assembled by software. That weakens signal quality for device checks, velocity rules, challenge steps, and step-up authentication. It also blurs attribution: a transaction may be initiated by a customer, delegated to an agent, or chained through multiple tools with different risk profiles.
For fraud teams, the issue is not only spoofing. Autonomous workflows can change intent mid-session, reuse permissions across tasks, and generate behaviour that appears consistent at the edge but is inconsistent in context. Current guidance suggests that identity controls must track the customer journey, not just the apparent source of traffic, which is consistent with the Ultimate Guide to NHIs and the NIST AI Risk Management Framework. In practice, many security teams encounter this only after legitimate-looking automation has already distorted fraud tuning and masked the true actor.
How It Works in Practice
The practical challenge is to distinguish customer-authorised automation from fraudulent automation without forcing every agent-driven action into a human-centric model. Static, role-based IAM is usually too blunt for this because agents do not follow fixed access patterns. A better pattern is to bind risk decisions to the live session, the intent of the action, and the workflow context.
That usually means combining several controls:
- Bind agent actions to a verified customer journey, not just a device fingerprint or IP address.
- Use step-up checks when the agent requests high-risk actions, changes payees, or alters account recovery settings.
- Issue short-lived, task-specific credentials instead of long-lived tokens that can be reused outside the approved context.
- Evaluate policy at request time using context-aware rules rather than a fixed allowlist.
- Separate customer authentication from agent authorisation so the system can prove who initiated the flow and what the agent is permitted to do.
This is where workload identity becomes important. For agentic systems, the identity primitive is often the workload, not the user session alone. Standards work around runtime authorisation and agent governance is still evolving, but current best practice is to anchor policy to what the agent is trying to do, then re-check at each sensitive step. The OWASP Agentic Applications Top 10 and the CSA MAESTRO agentic AI threat modeling framework both reinforce this runtime-first approach, while the NIST AI Risk Management Framework supports governance, traceability, and accountability.
These controls tend to break down when multiple agents, browser automation, and human approval loops are chained together in high-volume fraud operations because attribution becomes fragmented across systems.
Common Variations and Edge Cases
Tighter fraud controls often increase friction, requiring organisations to balance lower fraud loss against conversion, abandonment, and support overhead. That tradeoff is especially visible in account recovery, delegated payments, and assisted shopping journeys, where a human customer may legitimately rely on an AI agent to complete part of the flow.
There is no universal standard for this yet. Some teams treat authorised agent activity as a separate risk class, while others fold it into existing customer authentication with stronger evidence thresholds. The right model depends on whether the agent is merely recommending actions or is permitted to execute them. Where the agent can move money, change credentials, or alter contact details, fraud controls should assume that a clean-looking session may still be unsafe.
This is also where telemetry matters. The most useful signals are often not the usual fraud markers, but the sequence of actions, policy decisions, and handoffs between customer, agent, and downstream tools. The 52 NHI Breaches Analysis shows how quickly weak identity boundaries can become enterprise incidents, and the OWASP Top 10 for Agentic Applications 2026 highlights why unsafe tool use and poor action boundaries are recurring issues. Best practice is evolving, but the operational direction is clear: tie fraud rules to intent, not just appearance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A01 | Agentic misuse and unsafe tool execution drive identity ambiguity in fraud flows. |
| CSA MAESTRO | TRM-02 | MAESTRO addresses runtime threat modeling for autonomous workflows and handoffs. |
| NIST AI RMF | GOVERN | AI RMF governance is needed to assign accountability for agent-driven decisions. |
Bind each agent action to an approved intent and re-evaluate risk before execution.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
