A new study by Regula has revealed a growing gap between organisations’ exposure to AI-driven identity activity and their ability to recognise it as a security threat.
While 87% of companies worldwide report signs of AI-assisted or automated activity within identity verification processes, only 26% classify such activity as a major risk.
The study
The research was conducted by Sapio Research in March 2026 and is based on a survey of 850 decision-makers in fraud prevention and financial crime across seven markets: the UK, US, Germany, Singapore, UAE, Brazil and Mexico.
Respondents represent industries including banking, financial services, crypto, telecommunications, government and gaming.
According to the company, the full report includes country- and industry-level findings on AI-driven identity activity, visibility gaps and emerging risks in digital identity verification.
Findings
Regula highlighted that the findings of The New Shape of Identity Threats study suggest that organisations are increasingly encountering behaviour that appears legitimate, yet is difficult to clearly attribute, interpret or distinguish from genuine user activity using existing verification approaches.
Confidently interpreting activity
According to the study, 35% of organisations report signals consistent with automated or scripted behavior where attribution remains uncertain, while another 35% report suspected use of synthetic or AI-generated identity evidence.
Rather than appearing as clearly identifiable fraud, much of this activity exists in a grey zone between suspicious behaviour and confirmed attacks.
Regula stated that this makes it increasingly difficult for organisations to distinguish between legitimate users, automated systems and artificially generated identity signals.
Visibility remains limited
Visibility into such activity also remains limited.
The study found that while 39% of organisations report having clear visibility into AI-assisted interactions, nearly a third say AI-assisted tool use is already common but not fully understood.
At the same time, 13% either report no detected activity despite monitoring efforts, have limited monitoring capabilities, or do not actively measure such interactions at all.
The unrecognised threat
Despite growing operational exposure to AI-driven identity activity, only 26% of organisations identify AI agents acting as users among their top identity-related concerns.
In comparison, organisations remain more focused on established threats such as identity spoofing (38%), document fraud (36%) and deepfakes (35%).
The findings suggest that while AI-assisted behavior is already appearing inside identity systems, many organisations still do not classify it as a distinct strategic risk.
Identity systems are facing more human-like behavior
The study points to a broader shift in identity verification, where automated systems are increasingly capable of moving through onboarding and authentication flows in ways that resemble legitimate user behaviour.
Regula highlighted that unlike traditional attacks designed to directly bypass controls, these interactions are often built to blend into identity processes, making suspicious behaviour harder to distinguish using existing verification approaches.
“A new challange”
Henry Patishman, Executive Vice President of Identity Verification Solutions at Regula commented: “Identity systems were designed to verify people, not increasingly sophisticated automated behavior that can resemble legitimate users.
“Organisations now face a new challenge: understanding what kind of entity is interacting with their systems and whether that interaction can be trusted,” he concluded.
