Rule-based controls usually only catch known patterns, such as specific device or document values. Modern fraud blends synthetic identities, bot behaviour, and account takeover signals in ways that look normal until combined. AI works better because it evaluates multiple signals in context and can adapt as abuse patterns change.
Why This Matters for Security Teams
Rule-based fraud controls are built to recognise known patterns, but modern identity abuse is assembled from normal-looking fragments: a legitimate device posture, a low-and-slow bot, a recycled identity, and a payment or login event that is only suspicious in context. That makes rigid decision trees brittle. Once an attacker learns the thresholds, the control becomes a checklist rather than a defence. Guidance from NIST Cybersecurity Framework 2.0 emphasises risk-informed decision-making, which is closer to how fraud teams now need to operate.
NHIMG’s research shows how quickly identity abuse escalates once secrets or credentials are exposed, including the finding in LLMjacking: How Attackers Hijack AI Using Compromised NHIs that publicly exposed AWS credentials were targeted within an average of 17 minutes. That speed matters because static rules usually depend on retrospective tuning, not real-time adaptation. In practice, many security teams only recognise fraud that looks harmless event by event after account takeover, synthetic onboarding, or automated abuse has already crossed the threshold.
How It Works in Practice
Modern fraud detection works best when it treats identity abuse as a correlation problem, not a single-event violation. A rule such as “block this device hash” or “deny this country” can still be useful, but it should be one signal in a broader decision stack. Practitioners increasingly combine device intelligence, velocity checks, behavioural anomalies, session consistency, account age, and transaction context into a scored or policy-driven decision.
This is where rule-based systems fail: they assume the same indicator will remain meaningful across threats. Attackers now use synthetic identities that age naturally, bots that mimic human pacing, and account takeover chains that borrow trust from previously clean sessions. The evidence base in NHIMG’s 52 NHI Breaches Analysis and Top 10 NHI Issues reinforces a wider pattern: once credentials, tokens, or API keys are reused, the abuse often appears legitimate until multiple weak signals are combined.
- Use rule engines for obvious hard stops, such as confirmed bad IPs, impossible travel, or known compromised artifacts.
- Use contextual scoring for ambiguous cases, weighting device trust, session history, and behaviour over time.
- Continuously refresh features so the model or policy layer can adapt when attackers rotate infrastructure or change pacing.
- Keep a human review path for high-value decisions, especially when identity confidence is low.
Best practice is evolving toward layered decisioning rather than pure automation, because static thresholds are easy to test and easy to evade. Static thresholds tend to break down in high-volume consumer environments where fraudsters can probe them repeatedly and adapt faster than review queues can respond.
Common Variations and Edge Cases
Tighter fraud controls often increase false positives and manual review cost, so organisations must balance conversion, friction, and loss prevention. That tradeoff is real, especially in onboarding, payments, and passwordless login flows where legitimate users already look inconsistent. There is no universal standard for tuning these thresholds yet, but current guidance suggests using different policy weights for different risk tiers rather than one global rule set.
Edge cases matter. A high-value business account with a new device should not be treated the same as a low-value retail session. A trusted automation account may trigger suspicious patterns that resemble bot abuse. And a model that adapts well to consumer fraud may still underperform when attackers blend into enterprise workflows or exploit service-to-service trust. This is why NIST’s risk-based approach and NHIMG’s identity-focused research are useful together: one frames the governance model, the other shows where identity misuse appears in practice. For implementation detail, the broader NHI landscape in the Ultimate Guide to NHIs is a useful reference point.
When fraud tactics are highly localised, such as a single campaign targeting one product or region, simple rules can still outperform more complex systems temporarily because they are easier to deploy and explain. The limitation is that they age quickly once the campaign changes.
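The layered decision stack described above (hard stops, contextual scoring, a human review band) and the per-tier policy weights from the edge-case discussion, as one added example that is not NHIMG’s code. Signal names, weights, thresholds and the sample indicator values are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Hard-stop layer: confirmed-bad indicators only (constructed sample, documentation range).
KNOWN_BAD_IPS = {"198.51.100.23"}

# Per-tier weights (assumed): business leans on device trust and session consistency, retail on velocity.
TIER_WEIGHTS = {
    "retail":   {"device_untrusted": 20, "velocity": 25, "new_account": 15, "session_drift": 20, "amount": 10},
    "business": {"device_untrusted": 35, "velocity": 15, "new_account": 10, "session_drift": 30, "amount": 20},
}
# Decision bands on a 0-100 score: (review_from, deny_from); scores in between go to human review.
TIER_BANDS = {"retail": (45, 70), "business": (35, 60)}


@dataclass
class Event:
    tier: str                  # risk tier of the account, "retail" or "business"
    ip: str
    device_trusted: bool       # device fingerprint previously seen on this account
    logins_last_hour: int      # velocity signal
    account_age_days: int
    session_consistent: bool   # same IP family, user agent and timezone as session start
    amount: float              # transaction context


def hard_stop(ev: Event):
    """Rule-engine layer: returns a reason for a confirmed-bad indicator, else None."""
    return "known bad IP" if ev.ip in KNOWN_BAD_IPS else None


def contextual_score(ev: Event) -> int:
    """Scoring layer: weak signals that are only meaningful in combination, weighted per tier."""
    w = TIER_WEIGHTS[ev.tier]
    signals = {
        "device_untrusted": not ev.device_trusted,
        "velocity": ev.logins_last_hour > 5,
        "new_account": ev.account_age_days < 7,
        "session_drift": not ev.session_consistent,
        "amount": ev.amount > 1000,
    }
    return min(sum(w[k] for k, hit in signals.items() if hit), 100)


def decide(ev: Event):
    """Layered decision: hard stop first, otherwise score into allow / review / deny."""
    reason = hard_stop(ev)
    if reason:
        return ("deny", 100, reason)
    score = contextual_score(ev)
    review_from, deny_from = TIER_BANDS[ev.tier]
    verdict = "deny" if score >= deny_from else "review" if score >= review_from else "allow"
    return (verdict, score, "score")
```

With these weights a new device alone is allowed on a retail session but routed to review on a business account, while a takeover-style retail event (high velocity, young account, session drift, large amount) is denied only because the weak signals combine.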
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-1 | Fraud detection relies on continuous monitoring of anomalous identity activity. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Identity abuse often starts with compromised secrets or tokens. |
| NIST AI RMF | | Context-aware fraud scoring fits AI RMF governance for adaptive decisioning. |
Instrument identity telemetry and review detection logic continuously as attacker behaviour shifts.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org