Why Deepfake Fraud Beats Your Workflows, Not Your Technology - with Jon-Rav Shende of Thales Group
Summary
Deepfake voice fraud is primarily exploiting enterprise agent workflows, not bypassing security technology, according to Jon-Rav Shende, Global CTO for Data and AI at Thales Group. High-risk areas include customer support, help desks, claims, payments, password resets, account recovery, and executive-facing workflows, where agents are measured on speed and customer satisfaction. The highest risk point occurs when identity, urgency, and business actions converge in a single call. Shende proposes a four-step response framework for regulated organizations: map risky voice journeys, define escalation decision points, build auditor-required evidence chains, and deploy AI as a risk signal layer without automating high-risk actions. This approach emphasizes shared ownership among security, operations, and customer experience teams to manage the multifaceted problem effectively.
Key takeaway
For CISOs or AI Security Engineers evaluating deepfake defenses, you must prioritize securing agent workflows over solely relying on technology. Map your high-risk voice journeys, define clear escalation paths, and build robust evidence chains for auditors and cyber insurers. Deploy AI as a risk signal, but avoid automating high-risk actions without strong controls. Ensure shared accountability across security, operations, and customer experience to minimize financial and regulatory exposure.
Key insights
Deepfake voice fraud exploits human workflows and agent instincts, not just technology, especially where identity, urgency, and business actions converge.
Principles
- Deepfake fraud targets agent workflows, not just security technology.
- Highest risk occurs where identity, urgency, and business action converge.
- Govern actions and their impact, rather than individual AI tools.
Method
A four-step framework involves mapping risky voice journeys, defining escalation decision points, building required evidence chains for auditors, and deploying AI as a risk signal layer.
In practice
- Identify assisted service channels handling claims, payments, or password resets.
- Classify business actions (e.g., account access, money movement) by risk level.
- Trigger step-up verification before any high-risk action is completed.
Topics
- Deepfake Fraud
- Voice Biometrics
- Contact Center Security
- Workflow Vulnerability
- AI Risk Management
- Thales Group
Best for: CTO, VP of Engineering/Data, Executive, Director of AI/ML, AI Security Engineer, Consultant
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by The AI in Business Podcast.