A practitioner roundtable organized by FraudNet put a direct question to three risk leaders: why do fraud rules fall short against AI-generated fraud, and what does effective detection actually require today?
Before the discussion started, attendees answered a poll to assess the preparedness of their fraud programs to detect AI-generated fraud.
Sixty-seven percent said, "somewhat prepared — aware of gaps and working on them." 33% said their tools weren't built to address this threat at all. Nobody selected "very prepared."
Melanie Gagne, CEO of Brains Capital and the session's moderator, read the results plainly: "I think [these results represent] what the industry currently looks like... [People] can learn from what is being published and what's being said in [events] like this."
What followed was a conversation among three practitioners building fraud programs to address exactly this threat — Whitney Anderson, CEO and Co-Founder of FraudNet; Martin Naor, CEO and Founder of Bankingly; and Mayra De La Garza, Global Head of Compliance at epay/Skylight. All three run fraud programs actively contending with AI-generated attacks across digital banking, payments compliance, and enterprise fraud protection.
Three changes that broke the old model
Whitney identifies three compounding shifts in the past two to three years, each undercutting a different assumption that rules-based programs have always depended on.
Money now moves before most detection systems can respond. Real-time payment rails (FedNow, UK Faster Payments, Brazil's PIX) give defenders a window measured in milliseconds. The European Banking Authority estimates fraud risk on instant payment rails is roughly ten times higher than on traditional channels. Detection at T+0 requires knowing what to look for before a transaction starts. That works only when attack patterns are stable. Gen AI made them unstable:
"The fraud fight used to favor the defender. But now Gen AI has flipped that equation. The ease and scale of account takeovers, money muling, and synthetic identity give bad actors the ability to generate new attack patterns far faster than rules can be written or teams can defend against. According to our measurements, AI-driven attacks are growing 450% year over year, and success rates across the board are climbing as the models get better." — Whitney Anderson, CEO & Co-Founder, FraudNet
The third shift is regulatory. Regulators are moving from checklist compliance toward requiring provable, real-time evidence that fraud and AML programs actually work. That pressure falls hardest on programs running static rule sets that cannot demonstrate their detection logic to an examiner.
The attacker's cost has collapsed
Martin brings the operational view from Latin American banking, where the real-time dynamic is most acute. Brazil's PIX has effectively collapsed all payment systems into a single logic: make a decision before the transaction, not after. But the deeper shift isn't the rails — it's what happened to the attacker's economics.
"What you could [once] address by having larger scale [than] the attacker — that doesn't work anymore." — Martin Naor, CEO & Founder, Bankingly
An AI agent can create new accounts at one-second intervals for almost nothing. The infrastructure costs that once made large-scale fraud campaigns expensive have effectively disappeared. Defenders bear the majority of costs associated with detection, review, compliance, and remediation. Attackers have shed most of theirs.
A detection system optimized for individual, bounded events, such as scoring a transaction in isolation, applying a rule, returning yes or no, doesn't map onto how AI-generated fraud operates. It spans entities, channels, and time, establishing behavioral patterns well before any single transaction would trigger a rule.
"[Detection] isn't about one single point-in-time behavior… applying a rule and returning yes or no. It's about how behavior has changed over time, how it fits the overall picture we have of the person, the context, the channel, and everything else that's going on." — Martin Naor, CEO & Founder, Bankingly
Rules catch patterns that have already been seen and defined. Behavioral detection catches intent while it is still forming. Against AI-generated attacks, the window between those two things is where most of the damage happens.
Why attackers move faster
Bad actors skip every approval cycle a fraud program has to navigate: model governance, legal review, risk committee. Mayra makes the operational consequence plain:
"You can't afford not to be looking at [AI agents] as a strategy. The fraudsters are. And the bad actors are going to be exploiting this." — Mayra De La Garza, Global Head of Compliance, epay/Skylight
Fraudsters don't run model reviews or wait for quarterly governance cycles before deploying new capabilities. Fraud programs do. That differential is structural, and it compounds: every period a program spends evaluating a tool the other side is already using, the gap widens.
The consequence, in her words, is direct:
"If you're not equipped with better — or at least matching — tools, you're going to be looking at losses that far outperform what you had in the past." — Mayra De La Garza, Global Head of Compliance, epay/Skylight
The goal isn't to out-resource attackers, which is no longer possible. The goal is to match them at the layer where they now operate, leveraging behavioral patterns, entity signals, and anomaly detection that doesn't require pre-defined rules to fire.
What 2026 detection requires
Whitney's closing makes the timeline explicit.
"If you're still running a rules-based program, looking only at transactions in separate silos — you're solving a 2018 problem, not a 2026 problem." — Whitney Anderson, CEO & Co-Founder, FraudNet
The opening poll made the population she's addressing clear: 67% somewhat prepared, 33% not built for this threat. What Whitney describes is a detection architecture that operates at the entity level, across behavioral history, with rules as one layer in a broader decision engine. Rules encode policy mandates and the decisions that require explicit definition. Catching AI-generated fraud before it becomes a recognizable pattern requires behavioral signals and entity context that accumulate over time.
Learn more in Webinar: Why Fraud Rules Fall Short Against AI-Generated Fraud, including what that looks like in production and how to make the internal case for modernizing a rules-heavy program.
%20(640%20x%201229%20px).png)
You might be interested in…
Get Started Today
Experience how FraudNet can help you reduce fraud, stay compliant, and protect your business and bottom line
