.svg)
Why Identity Is Key To Curbing AI-Driven Social Engineering And Executive Fraud
Amit Basu, VP, CIO & CISO at International Seaways, on how AI-driven fraud targets human behavior and why identity, verification, and leadership now define cyber resilience.
Key Points
AI-powered fraud shifts cybersecurity risk from systems to human decision-making, as speed, pressure, and trust let deception succeed without breaching infrastructure.
Amit Basu, VP, CIO & CISO at International Seaways, discussed how skipped verification and overconfidence in identity controls drive many costly breaches.
Organizations protect themselves by treating identity as critical, enforcing trust-then-verify processes, and using continuous verification to detect and stop attacks in minutes, not hours.
Cybersecurity’s frontline has moved straight into human decision-making. Modern attackers use AI to craft flawless, hyper-personalized messages that mimic colleagues, executives, and trusted partners through text, voice, and video. These tactics render old warning signs meaningless and expose a deeper weakness inside organizations. Breakdowns happen when pressure and convenience short-circuit established processes, allowing deception to succeed without ever touching a firewall.
Amit Basu is Vice President, CIO, and CISO for International Seaways, one of the world’s largest energy transportation companies, with more than 30 years of global experience across IT and cybersecurity. He leads the company’s digital transformation and enterprise cyber resilience efforts and serves on cybersecurity advisory boards at Pace University and Ithaca College. As a Founding Member of the Professional Association of CISOs, Basu operates at the intersection of academic thinking and operational risk, where security theory is constantly tested by real-world pressure.
"It’s often convenience and complacency that cost us, not a lack of technology. It's not enough to trust what we see or hear; it has to be substantial proof," Basu said. Under pressure, employees defer to urgency and authority, bypassing verification steps designed to protect the business. When that happens, even mature security programs fail, leaving organizations exposed to attacks that succeed through persuasion rather than technical force.
The urgency illusion: "Fake urgency, like quarter-end pressures, drives mistakes. These sham urgencies need to go, and employees who question unusual requests should be encouraged," Basu said. Creating a culture where employees feel safe to flag unusual requests is critical to preventing costly errors.
Identity crisis: Many high-profile breaches trace back to skipped procedures rather than missing tools, Basu said, pointing to a widely reported case where finance executives transferred more than $20 million after a deepfake call that a simple callback verification could have stopped. "The danger is assuming identity has already been proven. People believe multifactor authentication will always work, but as identity becomes the primary attack surface, that kind of trust creates blind spots attackers are quick to exploit."
Trust issues: "Every time I do something unusual, the system should ask me again," he continued, describing approaches like adaptive authentication and continuous verification. "The system can challenge you differently depending on where you’re logging in from, the time of access, or the resources you’re trying to reach." For high-risk actions, he advocated layered, out-of-band confirmation, such as a phone call or secondary approval, to ensure the request is legitimate.
Leadership ultimately determines whether identity risk is taken seriously or quietly tolerated. When senior executives underestimate identity fraud or fail to follow the same controls expected of employees, it signals that security is negotiable. Based on ongoing conversations with fellow CISOs, Basu says this gap remains widespread, especially at the board level, where cybersecurity is still framed as a technical concern rather than a business risk with direct financial consequences.
Seconds, not hours: "If your response time to an identity breach is measured in hours or days, you have already lost," Basu warned. "We must be able to detect and respond in seconds, or minutes at most." Speed is just as critical as verification. For sensitive roles, Basu insisted on phishing-resistant MFA tokens based on FIDO standards, paired with Identity Threat Detection and Response capabilities that can reduce detection time.
Digital body language: In complex environments like the global maritime supply chain, where brokers, port agents, and third parties multiply identity risk, Basu framed the challenge as a constant stress test for access controls. "It's very difficult for an AI to fake human behavior over long periods of time," he said, pointing to signals such as keystrokes, mouse movements, and access patterns. Continuous authentication built around this digital body language allows organizations to spot impersonation early and disrupt attacks that rely on maintaining a stolen identity rather than breaching a system outright.
AI now sits at the center of modern cybersecurity, amplifying both risk and resilience. It has stripped away the margin for error, rewarding attackers who move fast and punishing organizations that rely on trust without verification. At the same time, it offers defenders new ways to see patterns, surface anomalies, and respond at a speed no human team can sustain. The outcome depends less on the tools themselves and more on whether organizations anchor them to discipline, accountability, and proof.
"AI has turned deception into a perfect crime," Basu said. "It can generate tens or hundreds of thousands of hyper-personalized attacks at virtually no cost, with a level of precision humans could never reach." But the balance can shift. "Used correctly, AI gives defenders visibility and speed that humans alone can’t match. It changes what’s possible in detection and response."
