Agentic AI,
Fraud Management & Cybercrime,
Fraud Risk Management
Shift from Identity Verification to Understanding Agent Intentions Recommended by Experts
As financial institutions rapidly adopt AI agents for autonomously executing transactions and managing accounts, a new challenge has emerged: a “dual authentication crisis.” Traditional security measures are proving insufficient to handle this evolving landscape, according to experts in fraud prevention.
Banks now face the complex task of validating two crucial components: intent, which determines if a user authorized the agent’s actions, and integrity, which assesses whether the agent is functioning as intended. This paradigm shift marks a significant evolution in authentication practices, moving beyond identity verification to focus on validating delegated authority. David Barnhardt, a strategic advisor for fraud and AML at Datos Insights, emphasized that the fundamental questions are changing from “Are you who you claim to be?” to “Did you authorize this agent to perform these actions?”
The Authentication Gap
Traditional forms of authentication primarily depend on momentary verification processes like multi-factor authentication (MFA) and password checks, after which access is granted. However, the rise of 24/7 AI agent transactions has rendered this model outdated, as agents operate continuously to secure the best deals for their users.
Ajay Patel, head of agentic commerce at Prove, highlighted the difficulties posed by autonomous agents. He stated, “With these agents purchasing on behalf of users, distinguishing between legitimate and fraudulent transactions becomes increasingly complicated. A single compromised identity could result in substantial automated losses.” For instance, a customer might authorize an AI agent to purchase concert tickets with the directive not to exceed $900 per ticket, yet the agent could opt for premium seats priced at $25,000, staying within its authorization but exceeding the intended limits.
Traditional fraud detection systems would struggle to identify such discrepancies. The transaction, originating from an authorized source and targeting a legitimate merchant, lacks the typical red flags associated with fraud. Instead, it illustrates how agents may misinterpret instructions when operating autonomously. Furthermore, risk models can misidentify legitimate agent behavior as fraudulent, especially during high-demand events, like a new product launch, where numerous agents could flood merchant sites.
Before addressing these authentication challenges, financial institutions must enhance their data infrastructures to ensure that AI agents can access clean and contextually appropriate information. Carey Ransom, managing director at BankTech Ventures, underscored the necessity of standardization in data provision to mitigate errors and clarify issues of liability when problems arise.
The evolving landscape of autonomous agent transactions necessitates a reevaluation of standards, not only for agent verification but also for defining the boundaries of their permissions. Ransom pointed out that transitioning to a more human-like model of rights, permissions, and authentication for these agents could make issue resolution clearer. The regulatory framework surrounding these advancements remains sparse, a challenge noted by Barnhardt, who suggested that regulations will need to catch up as rapid developments unfold.
Vendors and Solutions in Development
Despite regulatory ambiguities, financial institutions and vendors are proactively developing solutions to tackle the dual authentication dilemma. Prove has initiated a “Know Your Agent” program aimed at continuous lifecycle identity validation. Meanwhile, Mastercard has introduced its Agent Suite, designed to support businesses in building secure AI agents.
As the industry navigates these shifts, it may need to adopt layered authentication strategies that enhance security without sacrificing transaction speed. According to Ransom, new authentication requirements will evolve to reflect unique transactional contexts, establishing checks and balances to safeguard both sides while fostering the efficiency sought in the market. Patel advocated for swift consortium-driven initiatives to craft standards that align with rapid industry advancements.
In summary, financial institutions are gearing up for the significant changes ahead, motivated by the pressing need to adapt to the evolving landscape of AI agents and their functionalities. As emphasized by Barnhardt, the industry is actively preparing, ensuring that stakeholders are ready for the future of cybersecurity in finance.