Page 159 - Cyber Defense eMagazine September 2025

Why IAM Alone Can't Save You

            IAM systems are essential, but they were never built to stop AI-driven credential stuffing on their own.

               •  IAM can enforce strong authentication, but attackers now use AI-driven tooling to evade MFA prompts.
               •  IAM can centralize identities, but APIs and shadow apps sit outside that control and introduce
                  vulnerabilities.
               •  IAM offers audit logs, but AI-driven bots generate noise that looks like human activity in those logs.

            The painful reality is that IAM is reactive. Stopping credential stuffing requires layered defenses and
            proactive detection.



            How AI Enhances Credential Stuffing

            Attackers weaponize AI in the following ways:

               1.  Behavioral Mimicry: By recording real user sessions, bots train machine learning models to
                   imitate mouse movements, geolocation switching, and typing rhythm.
               2.  Adaptive Learning: Bots learn from failed login attempts. If their IPs are blocked, they reroute
                   through residential proxies; if MFA is enabled on an account, they move on to other accounts.
               3.  Password Mutation: Generative models transform stolen passwords into dozens of different
                   variants ("Summer2023!" → "$umm3r2023!!"), so a blocklist of the exact leaked string misses them.
               4.  CAPTCHA Bypass: Computer vision and LLM-powered solvers break the majority of CAPTCHAs at scale.
               5.  API Abuse: Bots bypass web-facing defenses by hitting login APIs directly.



            Case Study: A financial services company found that attackers were using reinforcement-learning bots
            that modified their login attempts in real time to evade fraud detection. It took six months and a new
            bot-defense solution before the attack was mitigated.



            Building a Defense Beyond IAM

            1. Credential Intelligence Feeds

               •  Integrate threat intelligence that monitors dark web dumps and alerts you when your users'
                  credentials appear in them.
               •  For instance, businesses using such feeds proactively reset exposed accounts after the LinkedIn
                  leak, before the credentials could be replayed against them.
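            The password mutation in item 3 above and the feed-driven reset in this section meet in one place: a
            feed entry only helps if the comparison catches the variants attackers generate from it. The following
            example is added here as an illustration and is not the article's code. It uses a small rule-based
            mutator as a stand-in for the generative model the article describes, and a canonicalization step that
            maps those variants back to a common core so a feed match still fires when a user picks
            "$umm3r2024!" after "Summer2023!" leaked. The feed, e-mail addresses and passwords are constructed
            sample data; the check would run where the plaintext is briefly available, at login or password-change time.

```python
"""Variant-aware check of a submitted password against a credential-intelligence feed.

Added illustration, not the article's code. LEAKED_FEED is constructed sample data,
and mutate() is a rule-based stand-in for the generative password mutation the
article describes.
"""
import re

# Constructed sample feed entries: (email, leaked plaintext password).
LEAKED_FEED = [
    ("alice@example.com", "Summer2023!"),
    ("bob@example.com", "Password1"),
    ("carol@example.com", "12345678"),
]

# Reverse the most common leet substitutions so "$umm3r" and "Summer" compare equal.
_UNLEET = str.maketrans(
    {"$": "s", "@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"}
)


def canonical(password: str) -> str:
    """Collapse a password to its alphabetic core: drop the trailing digit/punctuation
    suffix, undo leet spelling, strip leading punctuation, lowercase."""
    core = re.sub(r"[\W_\d]+$", "", password)  # "Summer2023!" -> "Summer"
    if not core:                                # all-digit passwords keep their value
        return password.lower()
    core = core.translate(_UNLEET)              # "$umm3r" -> "summer"
    core = re.sub(r"^[\W_\d]+", "", core)       # "!Summer" -> "Summer"
    return core.lower() or password.lower()


def mutate(password: str) -> set[str]:
    """Rule-based stand-in for generative mutation: leet swaps plus common suffixes.
    Returns the variants other than the original password itself."""
    base = re.sub(r"[\W_\d]+$", "", password)
    forms = {base}
    for plain, leet in {"s": "$", "a": "@", "o": "0", "e": "3", "i": "1"}.items():
        forms |= {f.replace(plain, leet).replace(plain.upper(), leet) for f in forms}
    suffixes = ["", "!", "!!", "123", "2023", "2024", "2023!", "2024!!", "2023!!"]
    variants = {f + s for f in forms for s in suffixes}
    variants.discard(password)
    return variants


def exact_match(email: str, candidate: str, feed=LEAKED_FEED) -> bool:
    """The naive check: only the exact leaked string is flagged."""
    return any(e == email and p == candidate for e, p in feed)


def is_compromised(email: str, candidate: str, feed=LEAKED_FEED) -> bool:
    """True if the candidate is a leaked password for this account or a variant of one."""
    key = canonical(candidate)
    return any(e == email and canonical(p) == key for e, p in feed)


if __name__ == "__main__":
    for pw in ["Summer2023!", "$umm3r2024!", "Winter2023!"]:
        print(f"{pw:14} exact={exact_match('alice@example.com', pw)!s:5} "
              f"variant-aware={is_compromised('alice@example.com', pw)}")
```

            Comparing canonical forms widens the net deliberately: a handful of unrelated passwords will share a core
            and trigger a reset that was not strictly needed, which is the cheaper error compared with letting a
            one-character variant of a leaked password through.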


            2. AI-Powered Bot Detection

               •  Deploy anomaly detection at the edge (WAF/CDN) that scores behavioral signals such as device
                  fingerprints, request velocity, and the entropy of mouse movement, rather than source IP alone.
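            The following profiler is an added illustration of the edge-side signals this section names, run over
            a few constructed login events; it is not the article's code. It groups events by device fingerprint
            instead of source IP, which is what makes the rotating residential proxies of item 2 above visible as
            one actor, and scores request velocity, account spread, failure ratio and the entropy of the reported
            mouse movement. The fingerprints, IPs, usernames and telemetry are made up, and the thresholds are
            assumptions chosen for the sample rather than tuned production values.

```python
"""Edge-side credential-stuffing profiler over login telemetry (added illustration).

Events are grouped by client device fingerprint, not source IP, so a bot that rotates
residential proxies still collapses into one profile. SAMPLE_LOG and every fingerprint,
IP and user in it are constructed sample data; the thresholds are assumptions.
"""
import json
import math
from collections import defaultdict
from datetime import datetime

# Constructed JSON-lines telemetry. "mouse" holds (dx, dy) deltas reported by the page script.
SAMPLE_LOG = """
{"ts":"2025-09-01T10:00:00Z","ip":"198.51.100.20","fp":"fp-h1","user":"alice","result":"fail","mouse":[[3,1],[2,4],[-1,3],[5,-2],[0,3],[4,4],[-2,1]]}
{"ts":"2025-09-01T10:00:40Z","ip":"198.51.100.20","fp":"fp-h1","user":"alice","result":"success","mouse":[[-2,2],[1,3],[4,-1],[-3,-2],[2,5],[0,-4]]}
{"ts":"2025-09-01T10:05:00Z","ip":"203.0.113.7","fp":"fp-b9","user":"u1","result":"fail","mouse":[[5,0],[5,0],[5,0]]}
{"ts":"2025-09-01T10:05:05Z","ip":"203.0.113.8","fp":"fp-b9","user":"u2","result":"fail","mouse":[[5,0],[5,0],[5,0]]}
{"ts":"2025-09-01T10:05:10Z","ip":"198.51.100.77","fp":"fp-b9","user":"u3","result":"fail","mouse":[[5,0],[5,0],[5,0]]}
{"ts":"2025-09-01T10:05:15Z","ip":"203.0.113.7","fp":"fp-b9","user":"u4","result":"fail","mouse":[[5,0],[5,0],[5,0]]}
{"ts":"2025-09-01T10:05:20Z","ip":"203.0.113.8","fp":"fp-b9","user":"u5","result":"fail","mouse":[[5,0],[5,0],[5,0]]}
{"ts":"2025-09-01T10:05:25Z","ip":"198.51.100.77","fp":"fp-b9","user":"u6","result":"fail","mouse":[[5,0],[5,0],[5,0]]}
{"ts":"2025-09-01T10:10:00Z","ip":"192.0.2.5","fp":"fp-api","user":"svc-backup","result":"success"}
"""


def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def direction_entropy(deltas: list) -> float:
    """Shannon entropy (bits) of an 8-sector histogram of movement directions.
    Replayed or synthetic paths with constant deltas score 0; hand movement scores >2."""
    if len(deltas) < 2:
        return 0.0
    counts = [0] * 8
    for dx, dy in deltas:
        angle = math.degrees(math.atan2(dy, dx)) % 360
        counts[int(angle // 45) % 8] += 1
    n = len(deltas)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def profile(events: list[dict]) -> dict:
    """Per-fingerprint features plus a verdict: two or more signals -> bot, one -> review."""
    by_fp = defaultdict(list)
    for e in events:
        by_fp[e["fp"]].append(e)
    out = {}
    for fp, evs in by_fp.items():
        ts = sorted(datetime.fromisoformat(e["ts"].replace("Z", "+00:00")) for e in evs)
        span_min = max((ts[-1] - ts[0]).total_seconds() / 60, 1.0)  # floor at one minute
        rate = len(evs) / span_min
        users = {e["user"] for e in evs}
        ips = {e["ip"] for e in evs}
        fail_ratio = sum(e["result"] == "fail" for e in evs) / len(evs)
        entropy = sum(direction_entropy(e.get("mouse", [])) for e in evs) / len(evs)
        reasons = []
        if rate >= 5 and len(users) >= 3:
            reasons.append("high velocity across many accounts")
        if len(ips) > 1 and len(users) >= 3:
            reasons.append("one device fingerprint behind rotating IPs")
        if entropy < 1.0:
            reasons.append("scripted or missing mouse telemetry")
        if fail_ratio >= 0.8 and len(evs) >= 5:
            reasons.append("mostly failed logins")
        verdict = "bot" if len(reasons) >= 2 else "review" if reasons else "human"
        out[fp] = {
            "verdict": verdict, "reasons": reasons,
            "rate_per_min": round(rate, 2), "distinct_users": len(users),
            "distinct_ips": len(ips), "fail_ratio": round(fail_ratio, 2),
            "mouse_entropy_bits": round(entropy, 2),
        }
    return out


if __name__ == "__main__":
    for fp, p in profile(parse_events(SAMPLE_LOG)).items():
        print(fp, p["verdict"], p["reasons"], p["rate_per_min"], p["mouse_entropy_bits"])
```

            A single low-entropy signal is deliberately not enough for a "bot" verdict: the lone API client in the
            sample sends no mouse telemetry at all and lands in "review", which is where a legitimate service
            account belongs instead of being blocked outright, while the fingerprint that spreads six accounts over
            three IPs in 25 seconds with flat-line mouse data trips every check.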





            Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.