Kevin Pierce, President and COO at VikingCloud. With 30 years in the technology space, he has designed several scalable cloud systems.gettyA finance employee at a global engineering firm joined what looked like a routine video call with the CFO and several colleagues. Every face on the screen was a deepfake. By the time the deception was uncovered, the employee had authorized $25 million in transfers. In this case, no systems were breached. Access controls functioned exactly as designed. Attackers did not compromise a single credential or bypass a single technical control. They needed only one authorized employee to act on a request that looked and sounded legitimate.My company's recent survey of 200 cybersecurity leaders at the director level and above in July 2025 found a six-time year-over-year increase in the number of organizations reporting they are unprepared for deepfake attacks. And consumer fraud losses reported to the U.S. Federal Trade Commission reached a record $15.9 billion in 2025, up from $12.5 billion the year before, with imposter scams accounting for $3.5 billion of the total.As deepfake attacks escalate, businesses must identify and close trust gaps before attackers exploit them. In my company's work with global distributed enterprises, including retail, hospitality and travel organizations, we are seeing the same pattern repeat: Identity controls hold, but the workflows behind them do not. Closing that gap means going beyond identity security to build behavioral and contextual controls that validate every request, not just every credential.The Trust Gap In ActionAI is reshaping what security teams can take for granted, and leadership is taking notice. In our research, 43% of cybersecurity leaders named AI-vishing as one of their top concerns, and 41% specifically cited deepfake attacks. Generative AI phishing tops the list at 51%, up from 22% just one year earlier.Enterprise security systems are built to verify authorization through tools like MFA and SSO. But attackers have shifted their focus to what comes after identity is confirmed, exploiting the assumption that verified access implies a legitimate request.That assumption is where AI-powered attacks are landing. Many organizations lack strategies to protect the space between authentication and action. The $25 million video-call case illustrates the failure precisely. The credentials were valid. The faces were familiar. The request was acted on. The challenge? Nothing in the workflow was designed to question whether the request itself was real.Three Common Trust FailuresThe rise of AI-powered deepfake attacks has exposed three trust failures that security leaders can no longer overlook. These failures hit distributed enterprises hardest, where decentralized approvals, regional handoffs and high-transaction volume across franchised and company-owned locations open trust gaps no single perimeter can close: 1. Voice Verification Failure: At the help desk—often regional or outsourced in distributed organizations—password resets and access approvals have long relied on voice recognition as an authentication layer. AI has broken that layer. Generating a convincing voice clone now takes only seconds of source audio.2. Workflow Approval Collapse: Security tools verify identity at the point of access, but they cannot determine whether a request from a verified user is legitimate. Payment approvals, vendor onboarding and access grants are all built on the assumption that a confirmed identity is sufficient authorization to act. AI-generated impersonations target these moments because once identity is verified, nothing behind it questions the request.3. AI Agent Verification Failure: Enterprises are deploying agentic AI to capture efficiency gains, but agents are often running without strong guardrails on the data they consume, enforceable permissions or auditable reasoning behind their decisions. Unlike human operators who might catch inconsistencies through intuition or peer review, agents execute decisions automatically and at scale. A single misconfigured identity or overprivileged credential can become a template that the agent repeats across systems, compounding the error.These three failures share a common root: Identity verification was never designed to carry the weight that AI-powered attacks are now placing on it.Building A Trust Layer That Goes Beyond IdentityAs AI accelerates the speed and scale of attacks, organizations can no longer rely on identity alone. Security leaders must now equip their teams to treat context as a mandatory second input for every authorization decision.In practice, that means building behavioral baselines around how executives communicate, how approvals move through the organization and what a normal transaction looks like for a given employee, counterparty or system. When a request deviates from established patterns, a risk-scoring system can determine whether additional verification is required and automatically route a confirmation through an independent channel. The organizations that I've seen that have already shifted in this direction tend to have one thing in common: They treat anomaly detection and approval workflows as a single system.Applied to the finance employee scenario, a system with behavioral context would have weighed multiple signals at once: the size of the transfer, the channel through which the request came, the timing relative to other approvals and whether the meeting itself fit the employee's normal collaboration pattern. The deepfake may have deceived the employee, but the system would have held the transaction for independent verification before it cleared.The same logic must extend to AI agents. Agents need boundaries, not just credentials. They need provenance controls over the data they consume and an auditable record of why they acted. When an agent deviates from established patterns, it should trigger the same verification response as any other suspicious request before the next decision compounds the first.As AI-driven threats scale, the cost of relying on human intuition alone is unsustainable. Executives must ensure their organizations move beyond identity-only controls and invest in systems that continuously validate behavior and context.Security Starts Where Identity EndsAI attacks have invalidated the assumptions organizations have long relied on about trust, legitimacy and authority in digital systems. Organizations should now make a strategic shift from thinking about security in terms of having the most tools or the loudest alerts. Instead, rethink security as a continuous trust problem that spans people, systems and machines.Identity uncovers who is asking. Context uncovers whether the request should be trusted. In the AI era, identity cannot be the proof of legitimacy. Trust has to be verified at every step.Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
The AI Trust Crisis: Why Identity Alone Is Not Enough
As deepfake attacks escalate, businesses must identify and close trust gaps before attackers exploit them.







