Key takeaways

  • Rules-based onboarding was designed to stop a human attacker with limited time and effort. The new attacker is an AI model with unlimited time and zero marginal cost per attempt.

  • Only 2% of global financial crime is detected today, despite $304 billion spent annually on anti-money laundering (AML) and know-your-customer (KYC) compliance worldwide (McKinsey & Company, Agentic AI Report 2025).

  • AI-driven fraud now includes four distinct threat classes: AI-generated documents, deepfake video at onboarding, synthetic companies, and state-sponsored actors (FATF, Europol, FBI IC3, 2025).

  • Identity is also a conversion problem. More than half of applicants abandon financial applications that take over ten minutes to complete (Ribbit Capital, Identity Newsletter).

  • AI-native compliance systems have already cut onboarding time by 60% and reduced analyst follow-up rates by 51%. The gap is adoption: only around 10% of firms have made a meaningful AI impact in compliance (Duna, 2026).

What does "the attacker is a model" actually mean for compliance?

[Image: the 1993 New Yorker cartoon of two dogs at a computer, captioned "On the Internet, nobody knows you're a dog."]

In 1993, The New Yorker published the cartoon that still hangs in every identity professional's mental gallery: one dog at a keyboard telling another, "On the Internet, nobody knows you're a dog." The joke aged fine. The compliance systems built on the same assumption did not.

For three decades, the financial industry layered checks on top of checks (more vendors, more workflow steps, more document requirements). The underlying assumption held: the person on the other side of the application was a human being with limited time, limited resources, and a limited appetite for friction. Rules-based onboarding was an arms race calibrated for that attacker. Create enough friction and the bad actor gives up. Let the legitimate customer through.

That assumption is now wrong. The attacker is increasingly a model. AI agents can attempt thousands of onboarding flows simultaneously, generate plausible synthetic documentation, pass liveness checks using deepfake video, and construct entirely fictitious company structures with supporting registries and directorship chains. The marginal cost of each new attempt approaches zero. The time available approaches unlimited. A system designed to exhaust a human adversary does not exhaust a model.

The result is a detection rate that has not kept pace with the scale of the problem. According to McKinsey & Company's Agentic AI Report (2025), only 2% of global financial crime is being detected today - despite the US alone spending $46 billion annually on financial crime compliance, and cumulative AML fines since 2008 reaching $321 billion globally. Revolut has more than a third of its staff working on financial crime; Wise runs compliance operations across 65+ licenses. The spend is enormous. The outcome is not.

What are the four AI threats to identity verification right now?

FATF, Europol, and the FBI's Internet Crime Complaint Center (IC3) (a standard-setter, a law-enforcement agency, and a crime-reporting center rather than regulators in the strict sense) have catalogued four distinct threat classes in identity verification as of 2025.

AI-generated documents. Large language models and image synthesis tools can produce supporting documentation (utility bills, incorporation certificates, beneficial ownership records) that passes surface-level visual inspection. Document verification that relies on template matching or optical character recognition alone is now a weak control.

Deepfake video at onboarding. Real-time face-swapping and voice synthesis have reached the point where video liveness checks can be defeated without specialized hardware. The check that was designed to confirm a human is present can now be passed by a model driving a synthetic face.

Synthetic companies. Corporate identity fraud has scaled. It is now possible to construct a company with a plausible digital footprint (registered address, director history, company number, and some adverse-media-free history) using publicly available registries and AI-assisted content generation. Standard KYB (know-your-business) checks that rely on registry data alone do not catch a synthetic company that is, technically, in the registry.

State-sponsored actors. Nation-state fraud operations have the budget, the patience, and the AI infrastructure to probe compliance systems at scale over extended periods. The concept of "friction as deterrence" has no meaning against an adversary whose resources dwarf the cost of the friction.

Each of these threats shares the same structural property: it is optimized against a rules-based system. Rules are observable, testable, and eventually navigable by a patient, automated adversary. The defense has to be built differently.

Why does friction-first onboarding fail as a fraud strategy?

Friction-first onboarding was rational when the population of potential fraudsters was constrained by human cost. Every extra document request, every callback, every manual review added effort that a bad actor might not absorb. Legitimate customers tolerated it because switching was costly and the alternative was no account at all.

Neither of those conditions holds anymore.

On the fraud side: the marginal cost of completing an onboarding flow has dropped toward zero for model-based attackers. Friction deters humans. It does not deter agents.

On the conversion side: customers now comparison-shop financial services the way they compare any product. In 2018, 25% of customers opened a new bank account without shopping around; today that figure is 4% (McKinsey & Company, Global Banking Annual Review 2025). Friction that once locked customers in now loses them to whoever moves faster. More than half of applicants abandon applications that take over ten minutes (Ribbit Capital, Identity Newsletter). Identity is a conversion problem as much as a fraud problem, a framing the industry has been slow to accept.

The systems built on friction-as-defense are now simultaneously failing at both jobs. They are not stopping the attackers they were designed to stop, and they are turning away legitimate customers they were designed to admit.

What does AI-native compliance actually look like in practice?

The case for AI-native compliance is sometimes presented as a future state. The evidence suggests it is already producing results at firms that have made the transition.

The numbers from implementations of Duna's AI-native onboarding are concrete: onboarding time cut by more than 60%, and analyst follow-up rates down 51% (from roughly a third of cases to 17%), measured over a rolling 30-day period through mid-2025. These results sit alongside the 10.6x onboarding and 4.8x productivity figures published at Duna's Series A. McKinsey's Agentic AI Report (2025) puts the productivity gains from agentic AI in financial-crime work at 200% to 2,000%.

These outcomes follow from three properties that distinguish AI-native systems from their rules-based predecessors.

Evidence-based decisioning. Rather than checking whether a document was submitted, an evidence-based system asks whether the evidence is consistent and credible across multiple signals simultaneously. A model can generate a document; it is harder to generate a document that is coherent with the applicant's digital footprint, behavioral signals, and cross-registry data.

Deterministic, auditable outputs. Compliance has a higher bar for AI deployment than most other functions. An unexplainable decision does not mean a missed sale: it means a regulatory enforcement action or a missed SAR (suspicious activity report). AI in compliance needs to produce decisions that can be explained to a regulator, attributed to a specific policy, and reproduced. The policy engine is the layer that makes AI decisions auditable rather than probabilistic.

Continuous monitoring. A customer who passes onboarding in January may be a different risk profile in July. Static, point-in-time onboarding produces a snapshot that becomes stale the moment it is filed. Continuous lifecycle monitoring (daily automated screening against sanctions lists, politically exposed person (PEP) registries, and adverse media) converts identity from a one-time check into a living record.

This is the inversion the industry is moving toward: from 99% checkbox and 1% judgment, to 1% checkbox and 99% judgment. The checkboxes get automated. The judgment (the decisions that actually require a human) gets surfaced to people equipped to make it.
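The three properties above (evidence checked across signals, decisions attributable to a specific policy and reproducible on demand, a record that can be re-evaluated later) are easiest to see in code. The following is an added illustration, not Duna's product code: a minimal policy engine in which every rule has an id, rules run in a fixed order, the outcome is derived deterministically from the findings, and the emitted record carries the policy version plus a hash of the exact inputs so a regulator can ask for the same decision to be reproduced. All field names, rule ids, thresholds, and the two applicant records are assumptions constructed for the example.

```python
"""Deterministic, auditable policy decisioning over multiple evidence signals.

Added illustration only (not Duna's code). Policy version, rule ids,
evidence fields, thresholds and the sample applicants are all hypothetical.
"""
from dataclasses import dataclass, asdict
import hashlib
import json
from typing import Optional

POLICY_VERSION = "kyb-policy-2025.09"   # hypothetical policy version tag


@dataclass(frozen=True)
class Evidence:
    """One applicant's evidence bundle (every field name is an assumption)."""
    applicant_id: str
    doc_company_number: str          # number printed on the uploaded certificate
    registry_company_number: str     # number returned by the registry lookup
    doc_address: str
    registry_address: str
    liveness_passed: bool
    camera_source: str               # "physical" or "virtual" (assumed device signal)
    sanctions_hit: bool
    incorporation_age_days: int
    applicants_on_device: int        # other applicants already seen from this device


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str                    # "decline" > "review" > "info"
    detail: str


SEVERITY_RANK = {"decline": 2, "review": 1, "info": 0}


def _norm(s: str) -> str:
    """Canonicalise free-text fields so comparisons are deterministic."""
    return " ".join(s.lower().split())


# Each rule is pure: same evidence in, same finding out, and it names itself.
def rule_sanctions(e: Evidence) -> Optional[Finding]:
    if e.sanctions_hit:
        return Finding("R-101", "decline", "applicant matched a sanctions list")
    return None


def rule_company_number(e: Evidence) -> Optional[Finding]:
    if _norm(e.doc_company_number) != _norm(e.registry_company_number):
        return Finding("R-201", "decline", "certificate company number disagrees with registry")
    return None


def rule_address(e: Evidence) -> Optional[Finding]:
    if _norm(e.doc_address) != _norm(e.registry_address):
        return Finding("R-202", "review", "document address disagrees with registry address")
    return None


def rule_liveness(e: Evidence) -> Optional[Finding]:
    if not e.liveness_passed:
        return Finding("R-301", "review", "liveness check failed")
    if e.camera_source == "virtual":
        # A passed liveness check is not evidence of a person if the frames
        # arrived from a virtual camera device (assumed signal).
        return Finding("R-302", "decline", "liveness passed from a virtual camera device")
    return None


def rule_new_company_shared_device(e: Evidence) -> Optional[Finding]:
    # Cross-signal coherence: a registry entry alone is not enough when the
    # company is days old and the device has fronted several other applicants.
    if e.incorporation_age_days < 30 and e.applicants_on_device >= 5:
        return Finding("R-401", "review", "company under 30 days old on a device shared by 5+ applicants")
    return None


RULES = [rule_sanctions, rule_company_number, rule_address,
         rule_liveness, rule_new_company_shared_device]


def decide(e: Evidence) -> dict:
    """Run every rule, derive the outcome from the worst finding, emit an audit record."""
    findings = [f for f in (r(e) for r in RULES) if f is not None]
    findings.sort(key=lambda f: (-SEVERITY_RANK[f.severity], f.rule_id))   # canonical order
    outcome = "approve"
    if findings and findings[0].severity in ("decline", "review"):
        outcome = findings[0].severity
    input_hash = hashlib.sha256(json.dumps(asdict(e), sort_keys=True).encode()).hexdigest()
    record = {
        "applicant_id": e.applicant_id,
        "policy_version": POLICY_VERSION,
        "input_sha256": input_hash,        # lets the decision be re-run on identical inputs
        "outcome": outcome,
        "findings": [asdict(f) for f in findings],
    }
    record["record_sha256"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record


# Constructed sample applicants (not real data).
CLEAN = Evidence("app-0001", "08765432", "08765432", "1 High St, Leeds", "1 High St,  Leeds",
                 True, "physical", False, 900, 1)
SYNTHETIC = Evidence("app-0002", "12345678", "12345687", "4 Mill Ln, Bath", "4 Mill Ln, Bath",
                     True, "virtual", False, 12, 9)

if __name__ == "__main__":
    for applicant in (CLEAN, SYNTHETIC):
        print(json.dumps(decide(applicant), indent=2))
```

The point is not the rules themselves, which are deliberately simple, but the shape of the record: each finding names the rule that produced it, the outcome is a pure function of the ordered findings, and the input and record hashes mean the same evidence under the same policy version yields a byte-identical decision, which is what "attributed to a specific policy and reproduced" has to mean in practice. Swapping a model in for one of the rules (for document consistency scoring, say) keeps the audit trail intact as long as the model's output is recorded as a finding under a versioned rule id rather than applied directly to the outcome.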

Why has AI adoption in compliance been so slow?

Only around 10% of firms have made a meaningful AI impact in compliance (Duna, 2026). That is a striking gap given the proof of concept is already there.

Four structural factors explain why compliance is the second wave of AI rather than the first.

Risk asymmetry. In most business functions, the downside of a failed AI implementation is a missed efficiency. In compliance, the downside is a regulatory enforcement action, a fine, a reputational event, or a missed report on criminal activity. The upside is capped; the downside is career-ending. That asymmetry produces rational caution even when the evidence for transition is clear.

The legacy policy layer. Financial institutions have accumulated hundreds of pages of judgment-based compliance policy written for human analysts. Converting that policy into machine-readable rules is a project in its own right, one that has to happen before AI can run on top of it. Firms that have not done that translation work cannot plug an AI layer in.

The quality bar. AI in sales or marketing tolerates imprecision. AI in compliance must be reliable, repeatable, and explainable to a regulator on demand. The bar is higher, the testing cycles are longer, and the tolerance for hallucination is zero.

Constant change. Customer data changes. Regulations change. AI models are updated. Sanctions lists move daily. A compliance system has to handle continuous change in its inputs while maintaining consistent, auditable outputs. That is a harder engineering problem than most AI deployments face.

These are real constraints, not excuses. Purpose-built compliance infrastructure is designed to handle them; general-purpose AI tools applied to compliance workflows as an afterthought are not.

Three decisions that will define the next five years in identity and compliance

Treat identity as a living system of record. A KYB or KYC check that produces a PDF and a green light is not an identity system - it is a snapshot. The firms that will be best positioned are the ones that treat the identity record as something that continues to evolve after onboarding: updated continuously, enriched by new signals, and re-evaluated when the risk environment changes. The Duna AI memo frames this as the "AI-native identity system of record," the category that replaces static compliance files.

Design for determinism and explainability from the start. Adding explainability to a system that was built without it is expensive and often impossible. Compliance AI that cannot trace a decision back to a specific policy input will not survive regulatory scrutiny. The architecture decision (evidence-based and auditable from day one) is more consequential than the choice of which AI model to run on top of it.

Build for the adversary you will face, not the one you faced. The compliance frameworks in place at most institutions were calibrated against a human attacker with limited resources. The attacker is now a model. The threat classes are already documented by FATF, Europol, and the FBI: AI-generated documents, deepfake video, synthetic companies, state-sponsored actors. The question is whether the systems being built today are designed to handle them, or designed to handle a 2015 fraud profile.

The detection rate does not move without the underlying system changing. Two percent detected is not a measurement problem. It is an architecture problem.

Frequently asked questions

What is the current global financial crime detection rate? According to McKinsey & Company's Agentic AI Report (2025), only 2% of global financial crime is detected today, despite approximately $304 billion being spent each year on AML and KYC compliance worldwide.

What AI threats are financial institutions facing in identity verification? FATF, Europol, and the FBI IC3 have identified four primary AI-driven threats in identity verification as of 2025: AI-generated documents, deepfake video used to defeat liveness checks at onboarding, synthetic companies with fabricated digital footprints, and state-sponsored actors operating at scale.

Why did rules-based onboarding stop working? Rules-based onboarding was designed to deter human attackers with limited time and resources. AI-based attackers have unlimited time, near-zero cost per attempt, and can systematically probe and navigate fixed rules. Friction deters people; it does not deter models.

What are the measurable results of AI-native compliance systems? Implementations show onboarding time reductions of more than 60% and a 51% drop in analyst follow-up rates. McKinsey (Agentic AI Report, 2025) estimates productivity gains from agentic AI in financial-crime work at 200% to 2,000%.

What makes compliance harder to automate with AI than other functions? Compliance requires AI outputs to be reliable, repeatable, and explainable to regulators on demand. The tolerance for error is effectively zero, and the consequences of a missed detection or unexplainable decision are regulatory rather than commercial. The quality bar is categorically higher than in most business functions where AI has already taken hold.
