For most of financial crime history, scale was a limiting factor. Running a convincing phishing campaign required language skills, time and human coordination. Recruiting money mules demanded operational reach. Creating fraudulent identity documents took craft and effort. That constraint no longer applies.
AI has removed this hurdle, and the implications for compliance and financial crime professionals are only beginning to be understood.
Adam Khan and Robin Lee are practitioners, educators and two of the designers behind ICA Specialist Certificate in AI Threats and Risk Mitigation. Their perspective on where the threats are greatest, and where organisations are falling short, is drawn directly from the work that shaped the course.
Scale, credibility and attack surface: three shifts redefining threat landscape
Khan and Lee identify three interconnected changes reshaping what compliance and financial crime teams are up against. The first is scale. Activities that once required significant time, language expertise and human coordination such as synthetic identity creation and investment scams, can now be reproduced faster, cheaper and more convincingly than ever before.
The second shift is credibility. “AI technology can generate deepfake audio, video, cloned voices, websites, documents and fully interactive avatars,” they explain. “Messages and communication can be highly personalised, making scams harder to detect using traditional red flags. Fraud attacks are becoming less clumsy and more context aware.” Many existing controls depend on people noticing something that feels wrong. As deepfake technology improves, that intuition becomes a less reliable defence.
The third shift concerns the attack surface itself. Organisations are increasingly deploying AI across onboarding, transaction monitoring, customer risk assessment, fraud detection, investigations and customer service. That adoption creates new categories of risk: model manipulation, data leakage, prompt injection, bias, explainability failures and governance gaps. Add to this the reality that employees are also individual AI users and the perimeter of the exposure is broad.
When AI risk sits everywhere, it can end up owned by nobody
A persistent misconception Khan and Lee encounter is that AI risk is primarily a technology or data science issue, or that it only applies to organisations building their own models. Neither holds. “Many firms are already exposed through vendor solutions, embedded AI tools, productivity applications, customer-facing chatbots, screening tools, fraud detection systems or third-party analytics,” they point out. And in practice, the risks cut across compliance, financial crime, legal, operations, cyber, procurement, privacy, model risk and senior management accountability.
On governance, their assessment is candid: “The problem is that when something sits everywhere, it can end up being owned nowhere.” The response within many organisations reflects exactly this. Legal tracks new AI regulations. Compliance looks at policy obligations. Technology experiments with AI tools. Risk considers model governance. But these efforts are not always joined up, and the nature of AI risk demands a cross-disciplinary response that is not yet consistently happening.
The implication for compliance teams is specific. If AI is being used to support investigations, customer risk ratings or fraud detection, compliance cannot be a passive observer. It needs to understand how those systems work, where they can fail and how to evidence appropriate oversight.
The skills gap that matters most is not technical
If there is one area where Khan and Lee are most emphatic, it is in reframing what AI literacy actually means for compliance professionals. “The biggest gap is not coding,” they say. “It is AI literacy and understanding of the risk and ethical dilemmas for risk decision-making.”
What that means in practice is enough understanding to ask the right questions: What data was used to train this model? What is it optimising for? How are false positives and negatives handled? How is bias tested? Who is accountable when something goes wrong? These are compliance questions. They happen to be about AI systems.
A second gap concerns AI-enabled crime typologies. Many professionals have a strong grasp of traditional fraud, money laundering and financial crime patterns, but have not yet fully reckoned with how AI changes the speed, personalisation and believability of those threats. A third governance translation: the ability to connect AI concepts to familiar control frameworks: policies, risk assessments, monitoring, audit trails, escalation and regulatory evidence.
The threat that warrants the most immediate attention
Asked which AI threat warrants the most attention right now, Khan and Lee point to deepfake and impersonation fraud, not because it is the most technically sophisticated, but because it is already operationally relevant. It directly affects customer authentication, payment approval, executive impersonation, video KYC, onboarding and internal improvement processes. FATF and regulators have raised concerns.
“Deepfakes attack trust,” they explain. “They exploit the fact that people, and many processes, still treat voice, video and visual identity as strong signals of authenticity. That assumption is weakening quickly.”
Model manipulation and adversarial attacks represent a different and potentially more serious category of threat as AI becomes more deeply embedded in decision-making workflows, shifting the risk from isolated fraud events to compromised decision systems. Looking further ahead, Khan and Lee flag agentic AI misalignment and the evolution of hardware, including wearable and VR/AR technology, as areas of genuine uncertainty. “If wearable and VR/AR technology truly becomes accessible and mainstream,” they note, “this will change the game.”
Getting ahead of the curve
For compliance professionals still weighing up whether AI is relevant to their role, Khan and Lee’s answer is direct: it already is. “If you work in financial crime, AI is changing how criminals operate. If you work in compliance, AI is changing how firms make decisions, manage risk, interact with customers and provide documentation. If you work with regulators, AI is becoming part of the regulatory conversation around accountability, transparency, fairness and governance.”
Professionals who build AI literacy early can help shape controls before the risks become unmanageable. Those who wait are likely to find themselves reacting after incidents have already occurred. “In financial crime and compliance, being late to understand a risk usually means being late to control it,” they say. “We do not want to wait for an AI version of the 2008 financial crisis. History teaches us that the time to act is always the present.”
The ICA Specialist Certificate in AI Threats and Risk Mitigation was built with exactly that urgency in mind. For compliance and financial crime professionals without a technical AI background, it develops the knowledge to understand how fast-moving AI threats are evolving, identify vulnerabilities in data, models and deployment environments, navigate the global regulatory landscape, and improve organisational resilience through collaboration.
Find out more about the ICA Specialist Certificate in AI Threats and Risk Mitigation