Regula warns most organizations don’t know what bots are doing, or why

The latest report from Regula underlines the discrepancy between what’s happening to companies in the AI age, and how seriously they take the security threat. A release says the New Shape of Identity Threats study suggests organizations are “increasingly encountering behavior that appears legitimate, yet is difficult to clearly attribute, interpret, or distinguish from genuine user activity using existing verification approaches.”

In short, the digital sphere has become much more crowded with the arrival of AI agents, and it’s hard to keep everyone apart. Agents without clear attribution may or may not be in the system, pilfering secrets. “Rather than appearing as clearly identifiable fraud, much of this activity exists in a gray zone between suspicious behavior and confirmed attacks,” Regula says. “This makes it increasingly difficult for organizations to distinguish between legitimate users, automated systems, and artificially generated identity signals.”

The result is that identity verification has broadened to encompass the answers to three questions. “Is this interaction genuine? Is the actor human, a bot, or AI-assisted? And can the identity signals – documents, selfies, voice, behavior – actually be trusted?”

It’s a by-now familiar refrain: most systems in current use were designed for people. When flashmobs of agents hit, they’re not prepared. The threat is global, with the UK and Singapore leading mature fraud ecosystems. And every sector is exposed, as deepfakes and bots propagate like digital roaches, with midsize companies seeing the most damage.

Per the report, “the top three threats show deepfake impersonation is now viewed almost on par with document fraud and identity spoofing. But another signal stands out: AI bots that behave like customers – moving through onboarding, login, and transaction flows built for people.”

“1 in 4 organizations already see it. The rest may not yet know it’s there.”

Today, says Henry Patishman, executive VP of identity verification solutions of Regula, “organizations are not only verifying identities – they are determining whether an interaction itself is genuine, and whether the actor behind it is human or machine.” But they’re often unsure, as they detect signals they cannot reliably track, attribute or explain. “Organizations now face a new challenge: understanding what kind of entity is interacting with their systems and whether that interaction can be trusted.”

Article Topics

AI agents  |  digital identity  |  identity verification  |  market report  |  non-human identities  |  Regula