Gerardo Prieto, Chief Information Security Officer at The Mill Adventure, explores how the rise of generative AI is forcing a total paradigm shift in iGaming security and player verification.
Online gambling’s traditional identity stand-off has reached a breaking point. For years, operators walked a tightrope, balancing rigid AML/KYC regulations against the player’s desire for frictionless onboarding. But as we move through 2026, the ground has shifted substantially. The modern fraudster is no longer a manual actor relying on basic tools like Photoshop, but a 24/7 automated threat, utilising adaptive AI to evolve faster than most development sprint cycles.
For operators, the cost of losing this arms race is staggering. Identity fraud and money laundering have converged as the predominant risks, with 64.8% of businesses citing them as their primary threats. However, the real wake-up call is the point of entry. Recent market analysis reveals that the financial threshold is now the most vulnerable vector, with 41.9% of fraud attempts occurring specifically during the deposit stage. This is now the absolute frontline of defence.
The death of seeing-is-believing
We have moved well beyond the era of scripted attacks. The new frontline is defined by AI-driven abuse, where generative models create synthetic identities and high-fidelity deepfakes. Using real-time FaceSwap and lip-sync algorithms, bad actors can now bypass standard KYC protocols with ease. The traditional liveness check – asking a user to blink or turn their head – is increasingly obsolete against sophisticated generative adversarial networks (GANs).
The nightmare scenario for the modern CISO is the rise of camera injection. In these attacks, fraudsters bypass the device’s physical camera sensor entirely, feeding AI-generated content directly into the verification stream. Because the software believes it is receiving a direct feed from hardware, it misses the red flags of a digital overlay. In this landscape, the human eye has become a vulnerability, and pixels alone can no longer be trusted to verify a soul.
Biology vs. Algorithms: The new verification
To defend the perimeter, operators need to shift to a verification model rooted in physics and biology, not just image recognition. This requires advanced countermeasures like Remote Photoplethysmography (rPPG). This technology analyses minute light absorption patterns to track blood flow changes invisible to the naked eye. An AI deepfake might have perfect skin texture and flawless movement, but it does not have a pulse. By detecting the heartbeat in a video stream, we can distinguish between a living human and a digital mask.
We must also utilise 3D geometry and lighting physics to validate that a user’s environment is a physical reality. While a deepfake can simulate a face, it often fails to replicate the complex interaction between environmental light and the 3D topography of human skin. If the light source doesn’t wrap around the subject correctly, or if the depth map detects a planar surface, the system exposes the image for what it is: a flat counterfeit. We are essentially moving toward a proof-of-presence model that demands physical consistency.
The lifecycle defence
Resilience in 2026 requires a ‘shift left’ strategy. This means intercepting fraud at the absolute earliest stage. However, security cannot simply end at the front door and needs to evolve into a lifecycle defence system.
At onboarding, the priority is stopping synthetic identities. At the deposit stage, operators must employ multi-signal matching to validate KYC names against cardholders, dismantling muling rings before they can load funds. During gameplay, behavioural AI is essential to analyse betting patterns for bot signatures. Finally, at withdrawal, we must replace simple passwords with biometric step-up checks to prevent Account Takeover (ATO) fraud.
The operational standard is now risk-based authentication. Instead of rigid ‘allow or block’ rules, operators must move toward dynamic risk profiles for every session. By ingesting over 100 different signals, including biometric, IP, and device data, a system can apply friction only where it is explicitly needed. Low-risk users on trusted devices enjoy a seamless experience, while medium-risk anomalies trigger a passive biometric scan. Only overt threats are blocked immediately.
In this new reality, survival is about agility and not budget. Annual audits and static policies are relics of the past. If your security strategy is static, you are effectively opening the door to attackers. It is time to cultivate an adaptive immune system that evolves faster than the threat.
