As AI agents begin handling more online transactions, many e-commerce systems still assume a human is behind every interaction. That disconnect is creating new challenges for fraud prevention, authentication, and personalization as businesses struggle to determine who — or what — is actually initiating a transaction.
That challenge is pushing some identity-verification providers to rethink traditional Know Your Customer (KYC) models for a world in which software, not just people, may initiate and authorize transactions. In that environment, the key question is no longer just who the customer is, but what actor is taking action, under whose authority, and for what purpose.
According to Albert Roux, EVP of product at Microblink, autonomous commerce is beginning to blur the distinction between human customers and the systems acting on their behalf. In some cases, the actor may be a software agent operating with varying levels of autonomy on a user’s behalf — or interacting directly with other systems.
Traditional KYC frameworks are largely static. They answer “Who are you?” at a single point in time, but not who — or what — is acting at a given moment, under what authority, or with what permissions.
"In AI-driven transactions, those questions become critical and must be addressed," he told CRM Buyer.
While many AI-agent identity frameworks remain early-stage, the rise of autonomous commerce is already pressuring fraud and authentication systems designed primarily for human-driven interactions.
Why Traditional KYC Is Breaking Down
Microblink’s Know Your Actor framework is designed to move fraud prevention and authentication beyond a one-time customer check. Instead of relying only on static identity data, the model evaluates whether a transaction fits the user, the authorized actor, the device, and the context in which the action occurs.
That distinction matters because AI agents and malicious bots can both operate at machine speed, Roux explained. The difference is whether the activity matches an authorized profile and expected behavior.
“An AI actor can operate at machine speed and scale, probing systems continuously. Fraud models built around human constraints such as reaction time, behavioral norms, visual verification, and trusted personal devices begin to break down, forcing systems to evolve toward continuous authentication and anomaly detection at the transaction layer,” Roux explained.
Authentication tokens, biometric and device profiles, eIDs, and digital wallets are likely to play larger roles in fraud prevention as AI-driven transactions become more common, according to Roux.
Detecting Malicious AI Actors
Distinguishing a legitimate AI agent from a malicious bot largely comes down to intent, permissions, and behavioral consistency over time.
"A malicious bot deviates in velocity, context, or execution path," he said. “Microblink combines identity signals — who is authorized — with real-time interaction signals that evaluate how actions are performed."
In practice, that means verification shifts from a single checkpoint to a continuous background process evaluating device integrity, behavioral patterns, and transaction context in real time.
“Instead of forcing repeated user actions, systems should continuously evaluate indicators of trustworthiness in the background, including device integrity, behavioral biometrics, document authenticity, and contextual consistency,” he explained. “The goal is to minimize disruption for legitimate users while remaining highly sensitive to anomalies.”
The problem becomes more difficult as generative AI improves the tools available to fraudsters.
GenAI Complicates Identity Verification
Generative AI is making it easier for attackers to spoof biometric markers that were once considered difficult to replicate. Detection systems must evolve to identify synthetic identities that mimic the appearance, voice, or behavior of legitimate account holders.
"Generative AI raises the bar significantly," Roux said. "Static biometrics alone are no longer sufficient because they can now be replicated."
To counter those threats, identity systems increasingly need layered verification that combines document authenticity checks, liveness detection, device intelligence, session analysis, and behavioral indicators. The effectiveness comes from correlating multiple verification layers instead of relying on any single signal.
Microblink has deployed GenAI-focused detection tools across its platform, but Roux said the broader challenge is that fraud systems can no longer treat a face, voice, device, or document as sufficient proof on its own.
Disputed AI Transactions Complicate Liability
In fraud disputes involving AI agents, identifying the actual actor behind a transaction may become a legal necessity. Responsibility could involve the user who delegated authority, the developer who designed the agent, the platform that processed the transaction, or some combination of those parties.
When an AI agent performs a transaction that a user later disputes, Roux said Microblink’s KYA framework creates an audit trail intended to help reconstruct how the transaction occurred. The platform continuously evaluates identity, authorization, and transaction context to create a record of how actions were initiated and executed.
“This does not fully resolve the legal questions yet, but it creates a foundation for understanding what actually happened during a transaction,” Roux said. “Liability may ultimately be shared among users, developers, and platform operators.”
Some form of standardized AI-agent identity system will likely emerge over time, potentially including interoperable trust systems or portable digital credentials, Roux said. Such systems could eventually allow AI agents to carry credentials across multiple commerce platforms.
“In the near term, verification will likely remain fragmented across platforms and ecosystems,” Roux said. “The challenge is building systems that can still operate with a high degree of trust without universal standards.”
Microblink’s platform maintains end-user profiles designed to support verification across transactions.
Privacy Risks of Continuous Verification
Roux said future KYA systems will need to balance stronger verification with consumer privacy expectations. He warned against creating systems that rely on constant surveillance of users and the AI agents acting on their behalf.
He argued that future systems should rely on data minimization — collecting only the contextual and behavioral information needed to establish trust. The goal is to verify legitimacy without persistently tracking users across platforms and sessions.
“Techniques such as on-device processing, temporary authentication tokens, and privacy-preserving computation will likely become increasingly important,” he said.
As AI agents take on larger roles in digital commerce, businesses may need to rethink long-standing assumptions about identity, authorization, and accountability. The winners will be systems that can verify automated activity without making legitimate customers feel constantly monitored.
Loading ...