Why Identity Alone Is Not Enough



Kevin Pierce, President and COO at VikingCloud. With 30 years in the technology space, he has designed a number of scalable cloud systems.

A finance employee at a global engineering firm joined what appeared to be a routine video call with the CFO and several other colleagues. Every face on the screen was a deepfake. By the time the deception was uncovered, the employee had approved $25 million in transfers.

In this case, no systems were breached. Access controls functioned exactly as designed. Attackers didn't compromise a single credential or bypass a single technical control. They needed only one authorized employee to act on a request that looked and sounded legitimate.

My company's recent survey of 200 cybersecurity leaders at the director level and above in July 2025 found a sixfold year-over-year increase in the number of organizations reporting they're unprepared for deepfake attacks. And consumer fraud losses reported to the U.S. Federal Trade Commission reached a record $15.9 billion in 2025, up from $12.5 billion the year before, with imposter scams accounting for $3.5 billion of the total.

As deepfake attacks escalate, businesses must identify and close trust gaps before attackers exploit them. In my company's work with global distributed enterprises, including retail, hospitality and travel organizations, we're seeing the same pattern repeat: Identity controls hold, but the workflows behind them don't.

Closing that gap means going beyond identity security to build behavioral and contextual controls that validate every request, not just every credential.

The Trust Gap In Action

AI is reshaping what security teams can take for granted, and leadership is taking notice. In our research, 43% of cybersecurity leaders named AI-vishing as one of their top concerns, and 41% specifically cited deepfake attacks. Generative AI phishing tops the list at 51%, up from 22% just one year earlier.

Enterprise security systems are built to verify authorization through tools like MFA and SSO. But attackers have shifted their focus to what comes after identity is confirmed, exploiting the assumption that verified access implies a legitimate request.

That assumption is where AI-powered attacks are landing. Many organizations lack systems to protect the space between authentication and action. The $25 million video-call case illustrates the failure precisely. The credentials were valid. The faces were familiar. The request was acted on. The problem? Nothing in the workflow was designed to question whether the request itself was real.

Three Common Trust Failures

The rise of AI-powered deepfake attacks has exposed three trust failures that security leaders cannot overlook. These failures hit distributed enterprises hardest, where decentralized approvals, regional handoffs and high transaction volume across franchised and company-owned locations open trust gaps no single perimeter can close:

1. Voice Verification Failure: At the help desk, often regional or outsourced in distributed organizations, password resets and access approvals have long relied on voice recognition as an authentication layer. AI has broken that layer. Producing a convincing voice clone now takes only seconds of source audio.

2. Workflow Approval Collapse: Security tools verify identity at the point of access, but they cannot determine whether a request from a verified user is legitimate. Payment approvals, vendor onboarding and access grants are all built on the assumption that a confirmed identity is sufficient authorization to act. AI-generated impersonations target these moments because once identity is verified, nothing behind it questions the request.

3. AI Agent Verification Failure: Enterprises are deploying agentic AI to capture efficiency gains, but agents are often running without strong guardrails on the data they consume, enforceable permissions or auditable reasoning behind their decisions. Unlike human operators who might catch inconsistencies through intuition or peer review, agents execute decisions automatically and at scale. A single misconfigured identity or overprivileged credential can become a template that the agent repeats across systems, compounding the error.

These three failures share a common root: Identity verification was never designed to carry the weight that AI-powered attacks are now placing on it.

Building A Trust Layer That Goes Beyond Identity

As AI accelerates the speed and scale of attacks, organizations cannot rely on identity alone. Security leaders must now equip their teams to treat context as a mandatory second input for every authorization decision.

In practice, that means building behavioral baselines around how executives communicate, how approvals move through the organization and what a normal transaction looks like for a given employee, counterparty or system.

When a request deviates from established patterns, a risk-scoring system can determine whether additional verification is required and automatically route a confirmation through an independent channel. The organizations I've seen that have already shifted in this direction tend to have one thing in common: They treat anomaly detection and approval workflows as a single system.

Applied to the finance employee scenario, a system with behavioral context would have weighed several signals at once: the size of the transfer, the channel through which the request came, the timing relative to other approvals and whether the meeting itself fit the employee's normal collaboration pattern. The deepfake may have deceived the employee, but the system would have held the transaction for independent verification before it cleared.
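As an added illustration (not code from the author or VikingCloud), the sketch below scores a transfer request on those four signals and holds it for independent verification when the score crosses a threshold. The weights, the threshold, the field names and the sample baseline are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Baseline:                  # learned per approver; values below are constructed
    amounts: list                # past approved transfer amounts
    channels: set                # channels requests normally arrive through
    max_daily_approvals: int     # most approvals seen in any 24-hour window

@dataclass
class Request:
    amount: float
    channel: str
    approvals_last_24h: int      # approvals this employee already made in the window
    meeting_fits_pattern: bool   # did the originating meeting match usual collaboration?

# Assumed weights and threshold, not from the article; tune on real data.
WEIGHTS = {"amount": 50, "channel": 25, "timing": 15, "meeting": 20}
HOLD_THRESHOLD = 50

def anomalies(req, base):
    """Return the names of the four signals that deviate from the baseline."""
    mu, sigma = mean(base.amounts), pstdev(base.amounts)
    # Size: more than 3 standard deviations above the usual amount
    # (any increase counts when the history shows no variation at all).
    big = req.amount > mu if sigma == 0 else (req.amount - mu) / sigma > 3
    checks = {
        "amount": big,
        "channel": req.channel not in base.channels,
        "timing": req.approvals_last_24h > base.max_daily_approvals,
        "meeting": not req.meeting_fits_pattern,
    }
    return [name for name, hit in checks.items() if hit]

def decide(req, base):
    """Credentials are assumed valid; this judges the request itself."""
    reasons = anomalies(req, base)
    total = sum(WEIGHTS[r] for r in reasons)
    # A held transfer clears only after confirmation over a channel
    # the requester did not choose (e.g. a callback to a number on file).
    action = "hold_for_independent_verification" if total >= HOLD_THRESHOLD else "clear"
    return {"action": action, "score": total, "reasons": reasons}

# Constructed sample data.
BASE = Baseline([12000, 8500, 15000, 9800, 11000, 13500], {"erp_workflow"}, 4)
ROUTINE = Request(12_500, "erp_workflow", 2, True)
SUSPECT = Request(25_000_000, "video_call", 6, False)

if __name__ == "__main__":
    for r in (ROUTINE, SUSPECT):
        print(decide(r, BASE))
```

The decision depends only on the request's context, so a request backed by valid credentials and a convincing face is still held when the amount, channel, timing and meeting pattern fall outside the baseline.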

The same logic must extend to AI agents. Agents need boundaries, not just credentials. They need provenance controls over the data they consume and an auditable record of why they acted. When an agent deviates from established patterns, it should trigger the same verification response as any other suspicious request before the next decision compounds the first.

As AI-driven threats scale, the cost of relying on human intuition alone is unsustainable. Executives must ensure their organizations move beyond identity-only controls and invest in systems that continuously validate behavior and context.

Security Begins Where Identity Ends

AI attacks have invalidated the assumptions organizations have long relied on about trust, legitimacy and authority in digital systems. Organizations should now make a strategic shift away from thinking about security in terms of having the most tools or the loudest alerts. Instead, rethink security as a continuous trust problem that spans people, systems and machines.

Identity reveals who is asking. Context reveals whether the request should be trusted. In the AI era, identity cannot be the proof of legitimacy. Trust has to be verified at every step.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.



