Fraud and risk teams often live in a perpetual firefight—chasing new attack patterns, justifying friction, and trying to prove their value to a business that’s laser-focused on growth.
That tension is exactly what we explored in the first session of Facing Digital Challenges: How Biometrics Will Shape Secure Identity in 2026, part one of two in our webinar series for fraud, risk, and identity professionals.
Hosted by Ajay Amlani, CEO of Aware, and joined by Esther Scott, Head of Identity Product at Square (Block), part one of this conversation dug into how leaders can:
- Move from reactive spend to sustained investment
- Position risk and identity as business enablers, not blockers
- Balance passive vs. active signals and smart friction
- Navigate the messy realities of vendor selection, build vs. buy, and vendor lock
- Evolve from KYC to KYC + KYB + KYA in an AI-accelerated world
This blog recaps those key themes and insights from Part One. Join us for Part Two, where Esther and Ajay will go deeper on liveness, proof of personhood, deepfake threats, standards, and privacy.
The Whack-A-Mole Problem: Reactive Spend and Short Memory
One of the first big themes: fraud investment is often reactive. A big incident happens, spending spikes… then everyone relaxes.
As Esther put it:
“There will be some acute event that happens… and then you can see the spending in that area for probably 18 months… and there’s a memory loss thing that goes on.”
The result? Risk teams are stuck in a Whack-A-Mole cycle, always a step behind:
“You can be great today, but tomorrow is a different day… if you’re in the Whack-A-Mole reactive game, you’re behind. If you’re not behind today, you’re behind tomorrow.”
This problem is amplified by the rise of deepfakes and automated attacks, which lower the cost and scale of fraud. The “year-scale” improvement cycles many organizations are used to simply don’t work anymore.
Risk as Business Enablement, Not Just Loss Prevention
Esther stressed that to win long-term support, fraud and identity leaders need to reframe their work as an engine for growth, not just a compliance cost.
“If you do a good job of shoring up your risk systems, your identity systems… you can control that lever in a somewhat predictable way.”
Done well, the right investments:
- Enable new markets
- Support new products
- Expand who you can safely serve
“Doing those things right enables you to enter new markets, offer new products, [and] expand how you think about readiness of people for those products.”
Ajay reinforced this tension: product teams are often focused on maximizing growth and reducing friction, while fraud teams are trying to justify friction and resources. Part of the job is teaching the organization that:
- Friction isn’t the enemy—unnecessary friction is.
- Strong identity and risk controls widen the funnel over time by allowing the business to say “yes” more confidently.
Active vs. Passive Signals: Finding the Right Moments for Friction
Ajay then shifted to a practical challenge: balancing active and passive signals across the customer journey.
He contrasted active checks, like KBA, document capture + selfie, or explicit biometric prompts, with passive signals pulled from device, network, and account behavior:
“There are signals that you can collect in a passive fashion… and signals that you can collect in an active fashion… Are you asking the customer to do anything?”
Esther’s answer: it depends—and it changes over time.
“If there were one silver key for all of this, then great, we’d all do that and we’d be done… but the reality is that it’s very nuanced and trends over time.”
A few key points from her approach:
Context matters.
For high-stakes flows (e.g., mortgage applications), customers expect more invasive checks and are willing to tolerate them.
“There’s probably a tolerance for that… you think, yeah, I want it all. I want to lock this down.”
For lighter-weight use cases (e.g., P2P payments apps), that same friction would be unacceptable. Here, you lean harder on “silent checks”:
“How secure can I feel that Ajay is Ajay and this is his phone… he’s in the jurisdiction where I think he should be… based on everything he’s given me?”
Timing is everything.
Teams test whether it’s better to front-load checks at onboarding or trigger them later based on behavior, thresholds, or risk signals:
“Everywhere I’ve worked, we’ve done a lot of testing with, is the right moment to do that all up front? Is it when you’re doing something new?”
This is where AI and ML become essential:
“You can only hand-code and hand-build so many scenario-based handling[s]… most places are leaning into… recognizing patterns that have happened and [making] smarter decisions going forward.”
She also called out the limitations of legacy tools like KBA:
“KBA in particular… is pretty frictiony, and I don’t feel great about it in most applications… What can I do instead?”
Vendor Overload, Testing, and the Build vs. Buy Question
Any fraud or identity leader recognizes Ajay’s next pain point: vendor overload.
“When I was at enterprises, I’d have 20 to 30 vendors a week calling me… ‘If you just use my hammer, all of your problems will go away.’”
He also pointed out how some vendors win bake-offs by quietly leaning on large manual review teams while marketing their solutions as “fully automated”:
“They actually have a deep bench of 50 people… looking at every single one… [and] the customer is like, ‘Wow, this automated system is absolutely amazing.’”
Esther highlighted how tough real, fair evaluation is in practice:
“To be able to test 20, 30 vendors in a year is really expensive, both from a time and a resourcing perspective.”
Her playbook includes:
- Backtesting at scale, within strict data-governance constraints
- Asking for fast turnarounds—if it’s truly automated, it shouldn’t take weeks
- Running live integration tests with a short list of top vendors
- Improving internal processes for contracts and integrations to reduce friction over time
On build vs. buy, Esther’s stance is clear: building is the exception, not the norm.
“We’re not here to build the best [verification] capability necessarily… by and large, people are using fairly commoditized capabilities.”
Custom builds only make sense if:
- You have a truly unique problem or moat
- You’re prepared to stay ahead of attackers and tech changes indefinitely
“You might build something and think, great, problem solved, I’m going to move on. Well, fraudsters aren’t starting or stopping. Tech is not stopping.”
Avoiding Vendor Lock and Planning for Change
Vendor lock isn’t just a procurement concern—it’s a resilience risk.
Esther recommended a mindset of constant, light-touch reevaluation:
“A healthy rigor… is an assessment and reevaluation of any capability you have… at least annually: am I on the right horse?”
Key practices she mentioned:
Have a “steady horse” for day-to-day volume
Keep your “toes in the pool” with other vendors—stay curious, and keep talking to them
Layer in additional vendors or capabilities before your current solution ages out
Don’t get emotionally attached:
“People get acquired, all sorts of things shift around… That doesn’t mean you got it wrong. It just means the market kept moving.”
Ajay added a DOD perspective from his time helping create the Defense Innovation Unit:
“We realized that we basically were surrounded by traditional vendors… their only customer was the Department of Defense… you pay for R&D, and then you turn around and you buy the product.”
The DIU model leaned into competition, staged evaluation, and leveraging external capital (investors) instead of funding all R&D directly—an interesting analogy for how commercial enterprises might think about “investing in their vendor base.”
From KYC to KYC + KYB + KYA in an AI-Driven World
In the later part of the discussion, Ajay and Esther looked at how identity has expanded from KYC into:
KYC – Know Your Customer
KYB – Know Your Business
KYA – Know Your Agent
Ajay framed it as the “ABCs” of modern identity and asked how enterprises should think about balancing these layers—especially as agents and AI-enabled actors play a larger role:
“Attackers… have the flexibility, the autonomy, and… collaborative tools to work across the globe to try to mimic good people.”
Esther noted that while the flavors differ, the underlying principles are consistent:
“All of the previous discussion around what’s effective, what’s the pace of things applies to KYC, KYB, KYA as well.”
Some highlights from her view:
- Expectations differ by segment. Larger enterprises expect heavier onboarding; consumers expect something closer to a P2P app experience.
- Agent verification is a new layer, not a replacement: you now need assurance that the agent and the represented party are both legitimate.
- Layered controls and resilience are key:
“Having that resilience to feel like no matter what happens, I’ve got a vendor mix… capabilities… to either step up or put somebody through the right process.”
And AI will stress-test traditional assumptions about trust:
“We traditionally have been able… to err on the side of trusting a customer because we’ve built enough momentum. Now, all of a sudden, something can look very much like a customer, and it’s not a customer… and you don’t know it until they’ve gone way over.”
What’s Coming in Part Two
In Part Two, Ajay and Esther will go deeper into the technology and trust layer beneath all of this:
- Liveness detection and proof of humanness
- Proof of personhood in an agentic, AI-heavy environment
- Deepfake threats and what “good enough” defenses look like
- Standards and independent testing (NIST, DHS, etc.)
- The evolving role of privacy and stewardship in biometric systems
Check out Part One and register for Part Two of this series where we’ll unpack those topics and share more practical guidance for fraud, risk, and identity leaders.
