Deepfakes, AI Agents, and the Collapse of Traditional Identity Security

A big thank you to Denodo for helping me make more than 60 monthly interviews possible across the Tech Talks network. And as businesses move from gen .ai to agentic .ai, trusted data becomes everything. Everything from gen .ai to agentic .ai, Denodo is helping organizations build intelligent, secure and scalable AI solutions with data access, governance and explainable results. So build AI that you can trust and do it with Denodo and you can learn more by simply visiting denodo .com What if the person logging into your bank account isn't a person at all? Not a hacker in a hoodie, not someone halfway across the world guessing your password But an AI system that knows just enough about you, your habits, your bank and even the exact moment that your bank updates its website All in a way to sound completely convincing And here's the incredibly uncomfortable part Most of us would still trust it And today's conversation sits right at the centre of that tension between trust and deception Because while businesses are racing to adopt AI, the very thing that holds everything together, which is identity, this is something that's starting to crack under the pressure. So joining me today is someone who has spent decades right in the middle of this world. Her name's Mary Ann Miller, and she's a fraud and cybercrime executive advisor and VP of client experience at a company called Prove. And she is someone that has advised banks, fintechs and global institutions. And she's seen first hand how fraud has evolved long before most of us even knew it existed. And from her time at everything from PayPal and Lloyds Banking Group through to her work with the Federal Reserve, Mary Ann brings a perspective that cuts through the hype and gets into exactly what is happening right now in front of us and behind the scenes. So today we're going to talk about something that impacts every single one of us. That is whether we realise it or not and why identity can no longer be treated as a one -time checkpoint and why your login might be the last secure moment in your entire digital journey. So if you've ever assumed that once you're logged in, you're safe, this conversation might just change how you think about Trust Online. But enough scene setting for me. Let me introduce you to my guest now. So a massive thank you for joining me on the podcast today. For everyone listening, hearing about you for the first time, can you tell them a little about who you are and what you do? Hi, Neil. It's great to be here with you and your audience. And I'm Mary Ann Miller. I'm the VP of customer experience at Prove, but also I'm a fraud and cybercrime executive advisor. I've held leadership roles globally, and I've worked in a combination of different leadership roles, expanding banking, fintech, and also technology companies that supply good risk controls to the market. And I'm here today to talk about lots of topics that you and I want to cover. There's so much I want to talk with you about as well because I think you have somewhat of a unique vantage point because you've spent years at the intersection of fraud, identity, financial systems, etc. I'm curious now as we talk about all things AI, when you look at how AI is changing the threat landscape today, what genuinely feels different this time around compared to the previous waves of cyber risk that you've seen throughout your career? Yeah, it's that's a great question. And you know, Neil, there really is what I call a step change occurring when it comes to AI infused attacks, you know, and we think about the cyber crime landscape. Let's just use one example. A clear example is what I call AI infused phishing attacks. So what we're seeing is the bad actors are able to have more contextual phishing. So for example, my bank actually is updating their website and the phishing message actually says, you know, we're XYZ Bank. We're updating our website. We need you to click on this link to update your account. And I've already received as a consumer, as a bank customer, an alert from the bank that they are updating their website. So it's not just, it's the bank trying to reach out. It's actually, I'm going to pretend like I'm the bank and I'm going to actually have information about that bank to be able to convince you that this is a real fish. So we're seeing that. So we're seeing more contextual phishing. But not only contextual, but we're actually seeing it at scale. So there's many more customers being touched at one point. And we're actually seeing it go across the industry. Recently here in the US, this will be an interesting use case. We saw a spike. It was a day in February when a lot of mid -tier banks suddenly put a security banner on top of their websites. And security banners are also indications that their customers are being influenced by or being attacked by these phishing text messages or emails. And not only the security banners go up, but we saw some websites actually shut down their access to their customers temporarily until they could recover from that attack. Another shocking statistic I found before coming on here is that the The data out there shows that humans can only actually detect things like deep fakes for around 40 % of the time. So shockingly low stat there. So what do you think that tells us about the future of trust online, especially when we're reaching a point where human intuition is no longer a reliable security layer? And even just scrolling down our social media feeds, we see so much AI and fake stuff there. What do you think this means? Where is it taking us? Oh yeah, this is so much manipulation going on, as we know, with this AI, around all kinds of communication. What's interesting is, recently I saw a statistic, I don't know if you're familiar with Liminal, but they're an organization that really focuses on identity, and they focus on all things human and non -human in their reporting. And they did a survey, and it was real interesting. I think there's a little bit of... what I call false sense of security. They said 94 % say they govern non -human interactions, 94 % of organizations, which I found high. But 60 % of those respondents said that they cite compliance risks from unauthorized agent access. So these are AI agents or AI attacks. Even a legitimate AI that's trying to access the organization. But this is the most important statistic is 10 % don't have a mature non -human identity management strategy. So if you are allowing AI to occur, but you're not ready, you don't have a strategy and a framework in place, that really puts you in a vulnerable position and what I call non -ready position. And I think for years, identity has been treated as almost a checkpoint at login. But what's breaking in that model right now and why are organizations still holding on to something that clearly no longer reflects how digital behavior works? So much has changed, hasn't it? It has. And, you know, login is the welcome mat. It's when the customer comes into your organization, their account, they expect, you know, A good customer experience. We have the breakdown of one time passwords. and all of the attacks around OTPs when it comes to SMS forwarding. We have SMS takeover in those accounts when the actual OTP is SIM swapped. We have porting events that occur as well. So the actual mechanism that a lot of businesses in general, financial institutions and businesses use to really answer the question, is Marianne Miller or is Neil at the other end of that interaction? And that's the question they're trying to answer. And that's starting to break down. And when you look at login, a lot of the bad actors, they'll be a new device that'll enter the ecosystem. And during that event, that new device needs to be authenticated. It can't be the customer. The customer, we all get new devices. Or we have multiple devices. But there's a breakdown around how that is established. combining the identity and authentication process. So it's really forcing the industry globally to look through fresh eyes around, A, how do we bind the correct identity to a new login or an unrecognized login, and how do we authenticate that login? And one of the things I love about you and your work that you're doing here is you talk about identity as something that evolves over time rather than a single moment. So can you just walk me through what continuous identity actually look likes in practice inside a typical organization? Yeah, continuous identity is really, identity doesn't happen at one point in time. There's always you're welcome at, again, whether it's a new account that you're onboarding, a new customer. Of course, depending on the type of organization or type of regulations that your organization is bound to, there's going to be specific KYC, KYB, know your business, know your customer requirements, even compliance requirements. But I find that those compliance requirements are not even good enough. They're guardrails. They're guidance. But it's really incumbent upon us to actually look at identity from a new way of looking at how do we tokenize identity? How do we look at identity to really answer that question? Is Marion on the other end of that event to establish that identity, especially in a call center, especially in a digital interaction, especially in a mobile interaction. And then once that's established, ongoing those logins, those registration events, those recovery events, those are all what I call identity risk moments. And that's all part of what I call the continuous identity landscape. You know, there's always a reason to be able to check in to say, do I recognize Mary Ann on the other end of that event? Is she still? On the other end of that event or is this an agent or is this a nefarious actor coming in and that's really important for all of us in the industry to take a fresh look at that. And I think another one of the most striking things that we're seeing right now is, yes, many organizations will proudly say that they are investing heavily in AI. Yet a large percentage of those same organizations will also admit that they have no real defense strategy against AI -driven fraud. So there's a clear disconnect there. But where are you seeing that disconnect happening between awareness and adoption and actual action against some of the threats? I really like this perspective because we mentioned it earlier, Neil, but this is, again, I'll go back to Liminal and some of their statistics. Recently, they said 68 % of organizations said they lack the identity controls for AI systems and agents, so agenic interactions. And this is the most alarming, that of the organizations that they surveyed, and I think this number has probably gone up. This was a survey at the end of 2025 that 19 % of all account takeovers have some kind of eugenic AI involvement driver. So they're seeing that we're already looking at non -human drivers for account takeover. And that is going to be climbing in 2026. And I think there's always been a tension between reducing fraud and maintaining that smooth customer experience that we all almost expect to standard now. So I'm curious, how do you advise companies to maybe rethink that balance without introducing more friction for legitimate users? Because it is a tough balancing act sometimes, isn't it? Yeah, and it's real interesting. I like to look at, when I look at AI, both perspectives, how AI is being used to create a better customer experience and how AI is being used for fraud prevention and for cybersecurity risks. And what's interesting, Neil, is what's not always talked about too much is that AI classically has been used in fraud prevention for decades. If you think about it, every time we swipe our card, there's generally, and I worked for a company out of San Diego, California, that developed the first neural networks. This was back in the late 90s, and this was a pattern recognition software. that looked at anomalies for credit card and debit card transactions and we've all had that phone call from our bank to say, is this you using your card? This isn't normal activity. So that was early versions of AI, early versions of neural networks. Again, more elementary than what we have today. Fast forward to 2026. Today, of course, AI is driving cars. AI is driving commerce. And we're seeing a lot of adoption of AI across all kinds of use cases. Let's talk about a little bit around business. We're going to see, in fact, I just read this. There's actually a gentleman out of the UK who has a site called FinTech Brain Food. I think it's called his name, Simon Taylor. And he just posted over the weekend that was interesting. There's a lot of discussion around AI commerce, agenic commerce. But Walmart just... That you know, they launched it anogenic experience, but they saw a 66 % drop in Conversion so that was alarming to Walmart, you know Because you know you were trying to use AI for the customer experience But yet customers are not looking at that is something that's really helpful to them So I think what we're going to see is we're going to see a lot of stops and starts around AI Enablement and we're going to see companies and say wait a minute We have to build this for the customer with the customer in mind, you know Otherwise, they're not going to adopt to it. They're gonna go back to the old ways to interacting So I think we're going to see delays and stops and starts some lessons learned on the fraud and risk side I think we're going to see a more advanced adoption of AI There's companies out there developing risk tools, using more AI, machine learning, fraud detection, to actually complement the early use cases of AI. So there's going to be some real interesting days for all of us in the fraud, risk, and cybersecurity world. So many great examples there. And I love that stat around Walmart as well. And I'm curious from everything else that you're seeing across multiple industries, where are attackers? having the most success right now. Is it still at the front door during onboarding or is real risk happening later in the customer journey? Where are you seeing any trends around where these attacks are happening? Yeah, I think it depends. Of course, there's different types of trends in different countries all over the world. But certainly a consistent message I hear globally is definitely at the front door, you know, opening up an account. But more importantly account takeover account takeover you know it was a term established and in fact i think. You know as we talked about earlier account takeover is it is morphing it's morphing to automated attacks i think we're going to start to see new. fraud classifications of account takeover to say AI infused account takeover rather than human infused account takeover. So I think that account takeover authentication, as we talked about with some of the attacks around a one time passwords, that's where we're still seeing a lot of risk globally. In fact, there are some countries that have just recently made statements that they're no longer going to accept a one -time password as the authenticator for login. So those countries are moving to new technologies, like we have it prove, to actually authenticate and log into your account with more modern ways of looking at that. And one of the things I always try and do on this podcast is give everyone listening a valuable takeaway. So if you have the attention of any boardroom, anywhere in the world, just for five minutes, what would you tell them that needs to change immediately in how they think about identity, risk and trust in this AI first world that we find ourselves in? Any particular advice or message that you'd really want to deliver to those people? Absolutely. I would take a step back. There are some routines in cybersecurity we call pen testing, but there's also what we call fraud red team testing. And that's something that I think you take a step back so you can do your risk assessments and do an AI fraud red team testing control against all of your organization, your logins, your count openings, your recovery, all of your password resets. Make sure that you're looking at, can I answer these questions? Can I recognize an AI fused attack? If I see a spike in my IVR, suddenly is that customers calling in or is that an AI infused attack? If I see a spike, No anomaly at a different recovery password reset are these a i infused attacks and a lot of organizations a don't know how to recognize that and be don't have the right defenses built in to have those controls so don't wait for those spikes. actually do these proactive fraud red team testing. There's companies that will provide that for you. And then that way you can actually start to form your strategy and start to put those controls in place. And of course you work at Prove, which is trusted by over 1 ,500 plus leading companies in helping them reduce fraud and improve customer experiences, ultimately helping them enable their customers to prove their identities. Anything you can share with me about what you do at Prove and what makes Prove a little bit different from other solutions that business leaders might be using? So I prove we're looking at the future of identity we're taking care of organizations of all sizes whether they're banking whether they're gaming whether they're crypto whether they're you know marketplace accounts We're protecting health care. We're protecting all kinds of interactions across the industry today. But we also take seriously that we know investment and innovation for the future is really important. So at Proof, we're always looking forward. We're always looking at innovation and what we can do to really support our customers going into the future. I think that's a great moment to end on and for anyone listening wanting to dig a little bit deeper on anything we talked about today, I want to connect with you, your team, find out more information about Prove. Where would you like me to point everyone listening and I'll post links to everything. Yes, our website's very, very informative. So if you go to www .prove .com, you can certainly find information there. Certainly in the media, we have press releases. We have blogs. We have lots of information out there, white papers. And so there's lots of information that all organizations can take a look at. Awesome. Well, I will include links to everything that you mentioned, including your LinkedIn. And there was a great section on the proof website of all the blogs that you've written as well. There's some great information there. So I'll pop a link to that too. So for everyone listening, please go check those links out. Let me know what your thoughts, how it might work for you, the challenges that you're having, but more than anything, Mary Ann, thank you for shining a light on this topic today. Really appreciate you, Tom. Thank you, Neil. This has been fun. Wow. So where does all this leave us? Because if there's one thing that really stayed with me from this conversation, it is that fraud isn't waiting at the front door anymore. It's sitting inside, quietly watching and waiting for the moment when trust has gone unchecked for a little too long. That's the moment that changes everything. And for years many organisations, yet they've treated identity like another box to tick. Verify once, move on, job done. But as Marianne made clear today, that model belongs to a very different era, a slower internet, a simpler threat landscape, a time before AI could mimic behaviour scale attacks and blur the lines between humans and machines. But now, fast forward to 2026, trust has a shelf life, and if it isn't being continuously re -evaluated, it does start to drift. So what I found interesting today is that it isn't just a security problem, it is a business wide problem. Because the same systems that are meant to protect customers can also frustrate them, it can slow them down or even push them away entirely if they're not designed with real human behaviour in mind. So it seems from the outside looking in that every company now is walking a very fine line. They need to reduce fraud without adding friction. They need to strengthen security without breaking the experience. And this is where this idea of continuous identity starts to feel much less like a technical upgrade and more like a complete rethink of how digital trust works. So if you want to explore this further, I'll add links to Marianne, her work and everything happening at Prove in the show notes. But as always, you've heard from me, you've heard from my guests. I want to hear your take. This is a dialogue, not a monologue. That's why I record these episodes. So have a think. Are we heading towards a future where we trust machines to verify us more than we trust ourselves? Or are we sleepwalking into a world where identity can become the weakest link in everything that we do online? And how are you managing these new set of challenges? Let me know your thoughts. Go to techtalksnetwork .com. We'll continue this conversation. A quick thank you to Nord Lager for supporting the podcast and helping me make these daily conversations possible. And if you are listening and you're responsible for security or IT, you will know the reality. The reality that most of your risk now sits inside SaaS apps and browser activity. That gap is exactly what Nord layer is addressing with its new business browser. So instead of bolting security on from the outside, it builds it directly into the browser itself. This means you can control access, monitor activity, enforce policies and reduce shadow IT all from one single place. And most importantly, it does it without adding deployment headaches or complex onboarding. You get things like browser -based data loss prevention, SAS access control and zero -trust browsing, but delivered in a way that your team can actually use. So if you've been trying to simplify your stack while improving visibility, please check it out at Nordlayer .com slash browser. And as for me, I'll also return again real soon with another guest with lots to talk and think about. I'll meet you here same time same place. We'll do it all again, but that's it for now