KYC in the age of LLMs: Why agent-based ID scanning can ruin your business

By Konstantin Bulatov, Ph.D., Chief Technology Officer of OCR Studio

In recent years, the industry has seen a rapid push toward the implementation of agentic AI and LLM systems in KYC processes, combining multiple responsibilities into a single AI-driven pipeline. Although the promised potential for automation might look tempting in the light of this approach, the use of agentic orchestration in security-critical workflows without multi-layered defense architecture can lead to significant vulnerabilities, as shown in recent public studies.

The reason for this lies not in implementation errors, but in the very nature of agentic technologies. Without predictability and control over all the components, KYC turns into a risk factor.

The confused deputy – What actually happened

A recent demonstration by TrendAI revealed a class of attacks on agentic-built KYC systems, where an ID document becomes an active vector. Researchers used a KYC pipeline that included FastAPI as the backend layer, agent orchestration through Claude Code, and access to an SQLite database through MCP tools.

In the demo, a passport contained hidden microtext embedded in its visual structure. The OCR system extracted this text correctly, but once passed to the LLM agent, it was interpreted as an instruction rather than data. The injected text prompted the system to execute a SQL query and send the results to an external endpoint. The model complied, transferring all stored personal data to the attacker.

This is not an isolated case, but rather a systemic consequence of the architecture where LLMs are involved in processing untrusted input. In this scenario, the document is no longer just “data” – it becomes a potential command channel. When agents are given powerful tools like SQL MCP without a hard boundary between untrusted data and system commands, they aren’t just processing a document – they’re executing externally influenced behavior.

Agentic document processing as a risk source

Injection attacks are not new, and the fact that “flat” systems with embedded LLM-based AI agents have been found to be prone to such vulnerabilities is also not a discovery. Without the ability to distinguish between content and disguised instructions, such systems become defenseless against prompt injections.

The situation becomes even more dangerous when such systems are given tool access. Agentic models directly connected to external databases or APIs can transform misinterpreted text into real system actions.

In a KYC environment, this limitation becomes critical. Identity verification pipelines are built on the assumption that all external input is untrusted and must be processed in a controlled and deterministic manner. The introduction of LLM-based agents breaks this assumption. Extracted text is no longer treated as neutral. Instead, it becomes part of a conversational and operational context that the model may misinterpret.

In the end, with no proper instruction-data segregation, AI agents become vulnerable to unintended execution and structural security collapse.

Why KYC is the target

At a broader level, it becomes evident why KYC is becoming a priority target for prompt-injection attacks. These systems inherently handle external, untrusted data while having access to highly sensitive information, such as users’ personal and financial data, passports, and other ID documents. And once the KYC workflow is agent-driven, it can be easily manipulated.

According to recent Interpol reports, financial fraud continues to grow and has become the dominant type of cybercrime, with attacks on KYC systems playing a crucial role. As companies or IDV providers strive for complete automation of onboarding, a dangerous combination of factors emerges: untrusted input, external data processing, and automated decision-making.

The core issue is architectural: KYC systems operate under strict regulatory, security, and privacy requirements. Adding agentic LLMs into this environment creates an unacceptable risk surface. The system becomes highly susceptible to behavioral modification, validation bypass, or the triggering of unforeseen actions within the system. Connecting such systems to internal tools and databases can lead to catastrophic consequences, including massive data breaches.

How to eliminate this risk

As the industry continues to explore AI-driven automation, it is essential not to lose sight of first principles. KYC is not a domain where probabilistic interpretation is acceptable. It is a domain where trust must be enforced by design. And control should never become a matter of a promise from the provider. It should be a tangible feature.

The only robust and production-ready architecture in this case is a strict separation. LLMs, if used at all, must be isolated from the ingestion pipeline and must never have access to raw untrusted document inputs. Tool access must also be completely separated from any document-derived context. Most importantly, document processing must never be interpreted as an “agentic task.” It is a verification task, and it must remain deterministic, auditable, and isolated.

In comparison, deterministic AI-based systems (like OCR), work in a completely different manner. OCR systems do not interpret extracted text as executable instructions, which significantly reduces their exposure to prompt injection risks compared to LLM-based systems. Enterprise-grade OCR solutions for ID scanning with on-premise processing within the user’s security perimeter ensure transparency and full control over all operations. Transparency that is built into the design, which is the essence of the matter when we talk about reliable KYC workflows.

This boundary is non-negotiable: OCR delivers deterministic, auditable data extraction, while LLMs introduce probabilistic behavior and the risk of instruction misinterpretation. In a security-critical system built on strict trust assumptions, this is not an acceptable trade-off. Businesses building KYC in-house and KYC providers alike should reassess these architectural risks now–before they are forced to deal with the consequences.

​​About the author

Konstantin Bulatov is a scientist and Chief Technology Officer of OCR Studio, where he has led the development and implementation of advanced OCR technologies. He has designed a method for optimizing object recognition in video streams, which has improved the accuracy and efficiency of real-time OCR systems. Under his direction, OCR Studio develops secure on-device programming solutions that address diverse industry needs and contribute to advancements in the field.

Konstantin is an IEEE Senior Member, he has authored multiple patent applications and published his research in prominent academic conferences and journals. His work emphasizes innovative approaches to developing high-performance recognition systems, reinforcing OCR Studio’s position as a significant contributor to the global technology landscape.

Article Topics

AI agents  |  automation  |  document verification  |  KYC  |  OCR Studio  |  prompt injection