As AI-driven cyber threats become more advanced, organisations are struggling to balance improving customer experience with keeping everyone’s identity safe.
At the recent Raconteur roundtable: ‘Digital Identity: deepfakes, unauthorised access and the evolving fraud landscape’, experts discussed how businesses must invest time and money integrating people, security processes and technology to boost trust.
The roundtable was sponsored by digital transformation consultants Ensono and identity and access management experts Ping Identity.
The guests debated how AI technology can be used in a positive way to mitigate access management risks and reduce identity fraud which costs the UK economy around £1.8bn a year.
Identify the gaps
James Peet, practice director at Ensono, urged organisations to continuously evaluate their security and identity posture to identify gaps and areas that could be exploited by bad actors, including third party access. However, he said organisations embracing Britain’s digital future must be mindful to balance business goals with potential risk.
“Rather than having to overhaul everything to take advantage of AI, companies can evolve their existing systems incrementally to protect themselves,” said Peet. “Consider what are the key drivers to the business and to your customers in each area as well as identifying the potential security risks if something were to go wrong. Work backwards to identify how those risks can be mitigated without causing unnecessary customer friction.”
Whitbread’s head of information security, Martin Jimmick, said that as a hospitality business it must assess identity fraud risks from the customer’s perspective. The company owns the hotel chain Premier Inn and wants to be innovative. However, it has to accept that some customers will always be sceptical about new ideas and wrongly perceive them as increasing risk.
For example, Premier Inn is trialling digital keys which would sit in a guest’s digital wallet and enhance the customer experience. Jimmick accepted some guests might worry that this will compromise the physical security of the room as well as their personal data.
“It will actually be more secure than a physical key, but the scheme must be implemented and communicated correctly,” said Jimmick. “We have to protect the customer’s personal data, but balance that with improving our services and removing friction.”
Making smarter decisions - in real-time
AI technology is already reducing friction safely. Large language models (LLMs), for instance, understand normal user behaviour and instantly identify risky access patterns. Using risk signals in real-time enables you to step-up authentication when required.
Authorisation rules are centralised and abstracted from apps; they set the parameters for policy-based access. Authorisation itself does not change real-time, but ensures that once someone is logged in, there are rules as to what they can access.
Adam Preis, director of product and solution marketing at Ping Identity, explained that AI and machine learning are helping organisations make smarter, real-time decisions by analysing access data and risk signals.
This allows them to apply the right level of friction based on their risk tolerance. In regulated sectors like financial services and healthcare, consumers are generally willing to accept added friction - so long as it’s introduced at the right time, through the right channel and aligns with their access and personalisation preferences.
He cited his own example where he bought flights online but was not asked to prove his identity through two step verification. As a customer he felt that the transaction process was not robust enough.
“Vigorous identity access management systems are no longer just nice to haves for businesses, they are critical strategic assets to secure enterprise infrastructure and customer data,” he said.
Preis added that when it comes to verifying someone’s identity, organisations have traditionally relied on knowledge factors - such as a correct ID and password - and possession factors, like verifying a user’s device. But less emphasis has been placed on inherence, or who a person is. This includes biometric identifiers that are intrinsic to the individual, such as fingerprints, voice ID or retina scans.
“There needs to be a more balanced approach to verifying identity - one that takes into account what a user knows, what they own and who they are,” said Preis. “Biometrics, for example, can add an extra layer of assurance when used alongside other factors. The key is making sure any identity check is proportionate to the risk at that point in the customer journey.”
He added that when it comes to workplace and third-party interactions, organisations must ensure people only have access to sensitive information relevant to their job. “To effectively protect that data and manage access, businesses need a clear understanding of the information they hold, where it resides, and who owns it - something AI-enabled identity and access management can help achieve.”
A security mindset
Also taking part in the roundtable was Lorenzo Grillo, managing director and head of EMEA cyber risk at management consultants Alverez & Marsal.
He said that in many sectors, such as manufacturing where a cyberattack can stop production, AI is increasingly being used defensively as part of the automation process to protect businesses.
“Much of this comes down to being prepared for a potential attack, including deepfakes which can be hard to spot,” he said. “Businesses must invest in double and triple verification and in training employees across the organisation.”
Grillo wants to see more transparency and the increased use of explainable AI, which enables people to understand and trust the results and outputs from the technology. He said this will accelerate the adoption of more zero trust models within organisations and reduce identity and access management concerns.
He also discussed the growing trend of criminals using AI to predict future behaviour by manipulating an individual’s vulnerabilities through social engineering, fear tactics, cognitive biases and impersonation.
Humans are an easy target, and Ensono’s Peet has also noticed a rise in what are known as psychological attacks.
“The phishing attacks are getting more sophisticated, with AI picking up on context from multiple sources to make attacks more personalised and familiar, adding urgency which can trigger their emotions,” he said. “More needs to be done to make people aware of these threats, but the technology has to be there to help mitigate the human risk, detecting any out of the ordinary behaviour and dynamically putting appropriate guardrails in place.”
Whitbread’s Jimmick reminded everyone that there is still a serious role for humans when it comes to authentication because, despite AI being used positively to analyse data more effectively to protect digital identities, it can still miss vital information
“We must avoid AI reacting to an incident incorrectly and creating a false positive which disrupts a business,” he said. “There remains a huge number of areas where we still need a human to verify identity, alongside robust access management tools that help to cut through the noise.”
We all demand more seamless experiences when interacting or working with companies, while also insisting that our personal data is kept safe.
With AI-enabled identity and access management evolving rapidly, businesses that take a proactive, balanced approach – blending intelligent technology with human oversight – can strengthen security while delivering better experiences.
By investing in the right strategies today, organisations can turn identity into a strategic asset – one that builds trust, enables convenience and ensures protection at every interaction.
Safeguard your business from cyber risks with Ensono
As AI-driven cyber threats become more advanced, organisations are struggling to balance improving customer experience with keeping everyone’s identity safe.
At the recent Raconteur roundtable: ‘Digital Identity: deepfakes, unauthorised access and the evolving fraud landscape’, experts discussed how businesses must invest time and money integrating people, security processes and technology to boost trust.
The roundtable was sponsored by digital transformation consultants Ensono and identity and access management experts Ping Identity.
