The First AI-Native Fraud Isn't a Fake — It's Laundered Authority
Friday's poll asked what the first truly AI-native fraud is. The crowd answered with familiar villains. The trap was the question: the new scarcity isn't authenticity, it's accountability.
The cold open
Here was Friday’s thought experiment, posed exactly as it ran:
Every major technology wave creates a new form of fraud. Search created click fraud. Social created engagement fraud. Programmatic created impression fraud. What is the first truly AI-native form of fraud?
It has the shape of a pattern you can finish in your head — search, social, programmatic, and now the obvious next term in the sequence. That tidiness is exactly what made it worth interrogating. When a question feels this answerable, the answer is usually hiding the more interesting problem.
The vote
73 votes. Here is how the room split:
| Answer | Share |
|---|---|
| Synthetic audiences | 38% |
| Synthetic attribution | 30% |
| Model collusion | 16% |
| Agency laundering | 15% |
Read the top two together and 68% of the room voted for a fraud we already have. Synthetic audiences are fake people. Synthetic attribution is fake credit. Both are real, both are expensive, and both predate generative AI by years. The crowd, asked for something new, reached for the most familiar villains and dressed them in newer clothes.
That is the tell. When the popular answer to “what’s new?” is a thing that is demonstrably old, the question has quietly substituted scale for novelty. We voted for the frauds AI makes bigger, not the fraud AI makes possible. The one option describing a failure mode that didn’t exist before agents could act on our behalf — agency laundering — came last.
The reframe
So here is the turn. Maybe the question is the trap.
Every fraud in the prompt — click, engagement, impression — is a fraud of authenticity. Is this click real? Is this engagement real? Is this impression real? For thirty years we built ad tech to answer authenticity questions, because that was the binding constraint. Machines couldn’t read context, so we wrote standards, taxonomies, and identity graphs to certify that a thing was what it claimed to be. Fraud meant a fake.
Generative AI does not primarily produce a new kind of fake. It produces a new kind of action. An agent doesn’t impersonate a person — it acts under delegated authority, calls its own tools, and decides the “how” on its own. The thing you can no longer verify isn’t whether the actor is real. It’s whether the actor was authorized, by whom, and within what scope.
That moves the whole problem up a layer. The question isn’t “what is the first AI-native fraud?” It is “what is the first AI-native accountability problem?” Authenticity is a solved-enough question. Accountability is the open one.
Why this one is genuinely new
Here is the part I keep turning over, because it’s what separates agency laundering from everything on the ballot.
Authenticity fraud has a fixed shape. Someone fakes a thing; you build a detector for the fake. The whole anti-fraud industry is a cat-and-mouse game played on that single axis — real versus not-real. Agency laundering has no fake in it anywhere. Every step is real, and every step is authorized.
Walk the chain. A human authorizes an agent to “optimize spend.” That agent delegates to a planning agent. The planner calls a buying agent. The buyer negotiates with a seller’s agent. The seller’s agent books inventory through a curation agent. Five hops, each a legitimate delegation, not one of them a lie. But the authority the human actually granted — three words, “optimize spend” — has been quietly widened at every hop into decisions the human never saw, can’t reconstruct, and might never have approved. Nothing was faked. Authority was laundered: passed through enough hands that its origin is unrecoverable.
That is why it doesn’t fit the poll. The old frauds break authenticity, and you can detect a fake. This one breaks accountability, and there is nothing to detect — no forgery, no synthetic anything, just a real chain of real actions whose responsibility has been washed out somewhere in the middle. You cannot build an authenticity detector for an action that is entirely authentic. That is a new problem, not a bigger old one.
Fraud follows the money, not the technology
The sharpest comment in the thread came from Daniel Landsman, who ignored the technology entirely and looked at the incentive: “Predatory sell-side agent spoofing would be first, since it could be used for profit extraction. I look at the incentive structure.”
He’s right, and it generalizes into the rule I’d bet the whole question on: fraud follows economics, not technology. Click fraud appeared because the click was the unit that paid. Impression fraud appeared because the impression was the unit that paid. In an agentic market the unit that pays is the decision — which agent gets trusted, which counterparty wins the deal, which recommendation becomes the buy. So the fraud will target decisions, not impressions. It won’t fake the audience; it will bias the agent that chooses the audience. Sell-side spoofing matters precisely because it attacks decision-making rather than identity.
Which surfaces the question the entire agentic stack has to answer and currently can’t: how does a buy-side agent know it’s negotiating with a legitimate counterparty acting within its declared authority? Today it doesn’t know. It assumes. Every agentic transaction riding on an unstated assumption of good-faith authority is a transaction with an unpriced risk inside it — and unpriced risk is exactly where fraud has always made its home.
What the room got right
The skeptics in the thread were the ones who sharpened this, not the people who picked a winner.
Erez Levin and Ashwin Navin, CEO of Samba TV, made the same move from opposite votes — “this was happening many years ago when AI was still ML, so not sure I’d call it AI-native,” and “Synthetic attribution has been going on for years!” Both correct, and both the point: the top two answers are pre-AI frauds that generative AI industrializes rather than invents. Naming them as “new” is how the real new thing stays invisible.
David Kaplan got closest to it, relaying an analysis that the danger isn’t fake people but “synthetic behavior by real accounts… real people, AI-driven actions — far more dangerous because it defeats the identity verification layer entirely.” That’s the crux. The entire identity layer we spent a decade building assumes the human behind the account is the one acting. Once a real, verified identity is generating machine-scale behavior, identity verification confirms exactly the wrong thing — it certifies the account while the authority behind the action goes unexamined. Kaplan also flagged the most underrated option on the ballot, model collusion — buying and selling agents that “learn to game each other… without any human intent to defraud.” The next generation of failures may not come from bad actors breaking the rules. It may come from optimization systems following the rules perfectly and producing an outcome nobody chose and nobody owns.
Johnathan Barnes gave the sober operator’s read — “AI just exacerbates all of it… fully agentic buying is a ways off… until we fix the underlying infrastructure and the monetization incentives” — and he’s right that the infrastructure problem comes before the autonomy. And Siamac Rahnavard compressed the whole thesis into two words: “Still humans.” For now, yes. My worry was never that agents replace humans. It’s that the human stays in the loop but becomes impossible to locate in it. The person responsible is still there. By the time the action lands, you just can’t find them.
The thesis move
So, without hedging: the first AI-native fraud isn’t a fake. It’s laundered authority.
The shift is from authenticity to accountability — from fake people to untraceable authority. The poll’s top answers describe a world where the danger is that an actor isn’t real. The agentic world’s danger is that the actor is entirely real, fully authorized at the top of the chain, and yet by the time the action executes you cannot trace it back to the human who is answerable for it. You can’t audit a vibe — and right now, an agent’s authority is a vibe.
This is the through-line I keep coming back to. For thirty years, meaning was the scarce thing, so we built an industry to supply it. LLMs now do meaning for free, so the value migrates one layer up — from “what does this mean?” to “who is accountable for this action?” The defensible layer of the agentic era is trust, authority, and provenance, not semantics. The frauds we voted for are authenticity frauds, and authenticity is the war we already know how to fight. The accountability fraud is the new one. It even has a name, and 15% of you already picked it: agency laundering.
So the better question isn’t “what is the first AI-native fraud?” It’s “what is the first AI-native accountability problem?” — and the answer was sitting in last place on the ballot.
Traceability, not multiplicity
The most precise refinement came after the fact, from Alexei Poliakov, CEO of Locomizer: “it isn’t fakery, and it isn’t even multiplicity at its core, but traceability. The chain from an action back to an accountable person breaks.” That’s a tighter word than “accountability,” and it’s worth taking the upgrade. Accountability is the destination; traceability is the mechanism that fails on the way there, and it fails at a specific, nameable point — the link back to a principal.
His sharper point is that it breaks two different ways depending on who sits at the top of the chain. For agents, it’s delegation: “scope widens, hops accumulate, and the link to the principal is never carried forward” — the same five-hop chain this essay already walked. For humans, the failure looks nothing like that on the surface and lands in the same place anyway: “a real, verified identity can sit at the top of that chain and still be impossible to locate in the action that lands, because identity verification confirms the person while leaving the authority behind the action unexamined.” Same failure, reached by two different routes — one through delegation, one through an identity check that was never asking the right question. Which sharpens this essay’s own closing question rather than answering it early: “the missing layer isn’t one that proves who someone is, it’s one that proves an action stayed inside the authority a person actually granted.”
His follow-up pushes the argument somewhere this essay hadn’t gone: symmetry. Agents are about to be held to a standard — no sock-puppets, no faking independent parties, no laundering one intent through many faces — that humans have quietly violated since the open web began: “one person, many ‘independent’ accounts inside a single service, farming discounts, faking reviews, manufacturing consensus.” His rule, stated flatly: “within any given context, one actor can’t pretend to be a crowd. You don’t get to impose accountability on agents and keep fabricated plurality as a human birthright — the trust layer either holds for both or it holds for neither.” One accountable principal within a context, for humans and agents alike — or the whole framework is just a rule written for whichever party has less power to resist it.
Next Friday
If accountability is the new scarcity, the next question writes itself — and the comments already did some of the work of sharpening it: not proof of who someone is, but proof an action stayed inside the authority they actually granted. Who supplies that? If meaning is going to zero and provenance is going up, what is the layer that enforces it — a protocol, a constitution, a contract — and who gets to own it? That’s where this goes next. Let’s see how this plays out. My 2c, as always — food for thought for the weekend.
(It went here: What Agents Can’t Manufacture — trust is the one asset an agent cannot mint for itself.)