Document fraud is a board metric now.

Why 2026 broke the old fraud playbook

The fraud team's old mental model treated a forged document as the product of a person sitting in front of a graphics tool. Someone took a real bank statement, retyped a balance, exported a fresh PDF, and hoped the operator did not look too carefully. The defense was symmetric: train the operator, add a template check, compare a few hashes, hold up the cases that look off.

That model worked because forgery was expensive. The attacker needed the real document to start from, a stable font, a willingness to spend an hour per case. The unit economics capped the volume. The defender's sample-based review kept up.

Generative AI removed the cap. A single operator with a frontier image model and a hundred-dollar subscription generates a credible bank statement in under 30 seconds, with a balance, a transaction history, a bank logo, and metadata consistent with the issuer's PDF tooling. The document does not start from a real specimen — the model has seen thousands of them and writes a new one in the same style. Eight months is the window in which monthly fraud volume grew almost five-fold; the eight months before that grew it twice. The line is not bending.

The board cares because the loss is not the only number that changed. The reputational tail of approving a synthetic ID for a sanctioned party, or paying out a claim against a fabricated invoice, lands in the same regulator-facing report as the audit trail of an AI decision. Fraud detection moved from a Risk-team operational metric to an item that sits next to AI governance and compliance on the same board slide. The people asking about it are the same ones asking about the AI operating model and the audit trail for non-deterministic outputs.

The four shapes of AI-generated documents in the queue

The fraud team that still talks about "fake documents" as one bucket misses what is actually happening. Four distinct shapes hit the intake queue, and each one breaks a different layer of the defense if you do not name them honestly.

The fully generated identity

A passport, driver's licence or national ID generated end-to-end by an image model. The MRZ checks out because the model learned the checksum. The photograph is a model-rendered face that does not correspond to any real person, indexed against no breach database. The document is plausible at a glance and consistent with the issuer's template at a structural level. The attacker is not impersonating a real person — they are minting a new one.

The synthetic statement

A bank statement, brokerage statement or payroll document that is internally consistent: balances reconcile, transactions sum to the closing balance, dates form a plausible cadence. Generated in one pass, no original specimen in the loop. The metadata says it was produced by the bank's PDF tooling because the model embedded the producer string. Submitted as proof of income or proof of funds.

The fabricated proof of address

A utility bill, lease agreement or telecom invoice with an address the attacker controls or rents for an hour. Generated to match the utility's letterhead, with billing dates inside the acceptable window. The hardest shape to falsify five years ago — the easiest one to mass- produce today, because the document type carries no biometric anchor and the issuing entity's templates are public.

The hybrid: real document, surgical edit

A real bank statement with the balance line replaced. A real contract with one signature page swapped. A real invoice with the beneficiary IBAN rewritten. The attacker uses generative AI to render the patch in a font and resolution that defeats pixel-level comparison. This is the most dangerous shape, because three of the four classic signals — metadata, issuer fingerprint, internal consistency — all still read as authentic.

Why deterministic checks stopped working

The old four-signal stack — template match, font fingerprint, PDF metadata, EXIF — used to catch the median forgery. In 2026, each signal decays in a specific way, and the team that scores them with the same weight as 2022 has a quietly failing program.

Three of the four signals went from useful to advisory. None of them went to zero — they are still cheap to compute and worth running — but the program that treats them as the decision is shipping confidence it no longer has.

The hybrid defense that holds

What replaces the old stack is not "a smarter model." It is four layers running in parallel, each cheap on its own, each blind on its own, and a decision boundary that decides which case takes the expensive look. None of these are new individually. The discipline is ensuring all four ship together and that no single layer is allowed to approve a case.

The metadata pass — what the document tells about itself

Every PDF carries a small amount of structural metadata: producer string, creation date, modification trail, embedded fonts, page objects, signature blocks, attachment streams. The metadata pass reads all of it, normalises it against the known fingerprint of the claimed issuer, and emits a structured verdict — not a single score, but a set of signals the next layer can reason about.

The trap teams fall into is treating metadata as truth. It is not. It is one of four inputs, and the moment it becomes the gate the attacker rewrites it. The metadata pass earns its keep when it disagrees with the other layers — that disagreement is the signal, not the value itself.

Structural comparison — what a real document of this type looks like

For every document type we process, we hold a reference distribution of authentic specimens — field positions, line densities, signature block sizes, watermark placement, transaction-line cadence. A vision model scores the incoming document against the distribution and emits a deviation profile, not a binary verdict. The point is not "does it match the template" — generated documents match the template by design. The point is "where does it deviate from the cloud of real ones," and the answer is usually subtle: an unusual ratio of summary to detail lines, a balance that lands too close to a round number, a signature block aligned to the wrong grid by 4 pixels.

This is where vision-language models earn their place in the fraud stack. The same architecture we covered in our pipeline-collapse post reads the page as a whole and scores it against a learned distribution rather than a rigid template. The cost is real — a VLM call is not free — and the discipline is to run it only on cases where the cheaper layers flagged something worth a second look.

Behavioral intelligence — what the submitter has done before

The same physical document is suspicious or innocuous depending on who is submitting it. A clean ID from a five-year customer with a consistent device fingerprint and a stable address history is one thing. The same clean ID from a 4-hour-old account that uploaded three statements in quick succession from three different IPs is another. Behavioral intelligence is the layer that contextualises the document against the submitter's history — and against the tenant's broader population. A pattern that is rare in one tenant's normal traffic is the signal; the same pattern in another tenant's traffic is the baseline.

The honest constraint: behavioral intelligence only works if the tenant has enough volume to compute a baseline. New customers get bootstrapped against the platform-level distribution we have permission to use, and graduate to their own baseline as their data accumulates. The first 60 days of a new tenant are the period where the program is most exposed; we say so in the contract.

Human review at the decision boundary

The fourth layer is not a model. It is the operator who sees the case once the first three layers have done their work, with the evidence already structured: which signals fired, which deviated, which behavioral patterns are unusual, and what the reviewer should look at first. The hybrid defense is not "AI replaces the reviewer." It is "AI gives the reviewer the case prepared, the question framed, and the time to look at the 12 cases that matter instead of the 200 that don't."

Three things make this layer work in practice. Reviewers see the evidence, not the verdict — they form their own conclusion and can disagree with the model. Their decisions feed back into the gold set for the structural-comparison layer, so the system learns from the review. And the review-routing threshold is a tenant-configurable knob, not a platform-wide constant, because a marketplace's risk tolerance is not a bank's.

What an investigation agent actually does

The four-layer defense answers the question "is this document suspicious enough to look at." It does not answer "what do we do next." That is where agentic behavior earns its place in the stack. An investigation agent — a specialist in the multi-agent shape we covered in our multi-agent post — picks up cases the first layers flagged and runs a bounded, auditable workflow. Five behaviors define it.

• Open the case with structured evidence — the agent does not start a free-form investigation; it opens a case record with the signals from each layer, the deviation profile, the behavioral context, and a recommended next step. The reviewer inherits the case in a known shape.
• Request a specific second document — when the policy supports it, the agent reaches back to the submitter and asks for a corroborating artifact: a second statement from a different month, a utility bill that matches the address on the ID, a selfie video against the photo on the document. The request is bounded and tenant-configured, not improvised.
• Cross-check against tenant history — the agent queries the tenant's own past decisions on similar submitters, similar documents, and similar deviation profiles. It does not query other tenants; that boundary is a contract obligation, not a policy nicety.
• Escalate by risk band — the agent emits a risk band (low, medium, high, critical), and each band maps to a tenant-configured action: auto-approve, queue for level-1 review, queue for level-2 review with a SLA, route to compliance with a 90-day retention hold. The mapping is the tenant's, not ours.
• Stamp the trace — every action the agent took, every signal it weighed, every external call it made, lands on the case record as an audit artifact. The reviewer reads the trace; the regulator reads the trace; the customer's data protection officer reads the trace.

The agent's blast radius is bounded by design. It cannot approve a case unilaterally above a tenant-configured threshold. It cannot request a document type the tenant has not authorised. It cannot write outside the case record. The shape is "bureaucrat with memory," not "autonomous investigator." Anything more ambitious than that breaks the audit story.

The four failure modes we keep watching for

The hybrid stack ships and works. It also fails in specific shapes if the program is not careful, and the failures are not the ones the slide deck warned about.

False-positive cascade

Each layer is tuned for high recall on its own. Run all four in series with low-threshold OR-logic, and the false-positive rate compounds: clean customers see review delays, level-1 queues backlog, and the operator starts approving the queue under pressure to clear it. The defence is a fused score with calibrated weights, not a series of independent gates, and a weekly review of the false-positive cohort the same way the program reviews the false-negative cohort.

Synthetic data poisoning the gold set

The structural-comparison layer learns from a distribution of authentic documents. The moment an undetected synthetic document enters the gold set, the layer learns that the synthetic looks normal, and every future case of that shape gets a softer score. The defence is a curated gold set with a labelling SLA, periodic re-validation against a held-out adversarial sample, and a policy that says new examples go into the gold set only after explicit human confirmation — never auto-promoted from the approved queue.

Single-pass approval after risk-band miscalibration

If the risk-band mapping is too generous, low-band cases auto-approve and the agent never opens an investigation on the ones that needed a closer look. The miss is invisible until a regulator asks. The defence is a sampling rate on auto-approved cases — a fixed percentage gets reviewed retrospectively, the results feed back into the threshold calibration, and the band boundaries get adjusted quarterly with the tenant's risk committee in the loop.

"Trusted source" assumptions that age badly

A tenant lists a partner as a trusted document source and the program waives the four-layer check on documents from that partner. Two years later the partner's onboarding has changed, their fraud rate has tripled, and the trust list is the policy that hides the problem. The defence is an expiration date on every trust-list entry and a periodic re-validation against the partner's current fraud signal. Nothing in the policy is permanent.

The hybrid defense does not catch every synthetic. It catches enough of them, at the right cost, with an audit trail the regulator can read.

What we ship at Cogneris

Fraud detection is not a separate product at Cogneris; it is a set of specialists in the same multi-agent shape every customer gets out of the box. The behaviors below are on by default for every tenant, with the thresholds, risk bands and review routing configured per-tenant.

• Four-layer scoring per page — metadata pass, structural comparison against the document-type distribution, behavioral signals against the tenant's history, and forensic forensics for the surgical-edit case. The output is a fused score and a deviation profile, not a single number.
• Investigation specialist in the agent squad — opens the case, requests the second document when policy allows, cross-checks against tenant history, emits the risk band, and stamps the audit trace. Same audit substrate as the rest of the platform.
• Per-tenant risk-band mapping — the mapping from risk band to action (auto-approve, level-1 review, level-2 review with SLA, compliance hold) is the tenant's, not ours. We ship a sensible default and a tool to tune it; we do not ship a black box.
• Retrospective sampling on auto-approved cases — a fixed percentage of auto-approvals goes through full review post-decision, and the results feed back into threshold calibration. The sampling rate is logged and auditable.
• Tenant-scoped behavioral baselines — the behavioral layer learns from the tenant's own submissions, never from another tenant's data. The data-protection commitments we already make on extraction apply to the fraud layer identically.
• Investigation kill switch — every specialist in the squad has a feature flag the tenant's operator can pull. If the investigation agent's behavior regresses after a model change, the tenant pulls it out of the dispatch pool and the case routes to manual review until the regression is resolved.

Where the hybrid stack is honestly the wrong answer

The stack we ship is built for B2B document workflows with a review budget — onboarding, claims, KYC, proof-of-funds, marketplace seller verification. There are three workflow shapes where the program we describe above is over-engineering and we say so before the contract.

Pure consumer flows at sub-second latency. A live KYC step on a sign-up page where the user is waiting does not have the budget for a four-layer investigation. The right shape there is a fast deterministic gate at the door and the agentic investigation offline, on a sample, as a quality signal. We say that on the call.

Workflows where the document is not the decision. Some workflows treat the document as evidence of an underlying fact and decide on the fact via other channels — bureau scores, banking aggregators, third-party identity. In those, the fraud layer on the document carries marginal value beyond a metadata sanity check. Adding the full stack is paying for a defence the workflow does not need.

Pilot phase with under 200 cases. The behavioral baseline does not exist yet; the structural comparison's gold set is too small to be discriminative; the risk-band calibration has no traffic to learn from. The pilot runs on the metadata and forensic layers only, with the full stack lighting up once the tenant clears the volume threshold. We tell the customer where the threshold is and when we expect them to clear it.

Closing thought

Generative AI did not invent document fraud. It removed the unit-economics ceiling that kept the volume in check, and the defense that worked when forgery was expensive does not survive contact with forgery that is nearly free. The hybrid stack described above is not novel in any single piece — metadata checks, vision-based comparison, behavioral intelligence, and human review have been in the literature for a decade. What changed is the discipline of running all four together, fusing their scores honestly, letting an agent run the bounded investigation, and stamping the audit trail every step. That discipline is what makes the difference between a fraud program that reports a number to the board and one that survives the regulator's follow-up question.

If you are sizing what fraud detection has to look like on your own platform — onboarding, claims, marketplace verification — see our product page for the specialists we ship out of the box, or talk to our team and we'll walk you through the risk-band mapping that fits your tenant's tolerance.