I've always had a soft spot for "lies, damned lies, and statistics." It's the right quote for someone who spends too much time staring at engagement dashboards and not entirely trusting a single number on them. Numbers lie. Numbers get cherry-picked. Numbers tell you whatever story you wanted to hear before you went looking.
Except here's the annoying thing about ignoring data loudly enough: it just gets louder back. Nearly half of the attention this channel has pulled lately has landed on five specific conversations, and every one of them, from a different angle, is about the same thing: content that isn't real, behaving as though it is, and the people trying to stop it doing damage before anyone notices. So against my better statistical instincts, I'm going with the audience for the majority of this summer's recording. The focus will be on Deepfake first , then the EU AI Act now that the dust has almsot settled, with a sprinkling of AI Security, Change Management, Supply Chain Management, and Quantum chucked in for good measure.
The Deepfakes Five
Deepfakes in Financial Services.
Parya Lotfi (co-founder, DuckDuckGoose AI), Vunavia Mcduffey (compliance and AML consultant, RBC) and Nikita Kuzmin (product manager, Western Union) spent fifty minutes describing what Lotfi calls a "change in the DNA of fraud." Not an upgrade to existing attacks. A different organism. She walks through the trajectory from static face-swap filters to real-time video generation to what she terms "interactive, context-aware synthetic humans" — a progression she says has unfolded in years rather than decades, with each new generation of the technology now improving on a cycle of months, sometimes weeks. Kuzmin's contribution is the most quietly alarming: it isn't the individual fake identity that worries him, it's what happens once a few of them get through. "The issue is not if one or two deepfake identities come through the system, but the issue is if it becomes systemic. You're having fake identities contaminating your own existing data." Once your fraud model's training data is poisoned, every answer it gives you afterwards is built on the poison.
And then there's the Dutch bank story. A fraudster posed as an Airbnb host, collected roughly fifty genuine identity documents from guests under the pretext of ID verification, then face-swapped his own face onto each one and used them to open 46 bank accounts. He was caught on attempt 47. Not by a detection system. Because he put a male face on a woman's ID. Lotfi's verdict on the industry's going rate of 60–70% detection accuracy: "borderline irresponsible." Her advice to anyone evaluating a vendor: "Stop asking for accuracy — start asking for failure modes." Mcduffey's contribution was the operational fix nobody wants to hear because it's inconvenient: "No high-risk action should be approved through any single channel. No wires, no account changes based on interaction alone."
The Governance Gap in Synthetic Media.
Danni, an AI and data governance specialist, was the guest who made me wince hardest. A convincing deepfake of a specific person, she says, can be built in as little as ten minutes. A voice clone needs a few seconds of audio. I opened the interview by citing that fake Abraham Lincoln internet quote, the one everyone's seen, the one Lincoln never said, and asked whether we've now reached the point where all digital content should be assumed fake until proven otherwise. Danni's answer was a flat yes, and her supporting evidence was the kind that sticks: AI-generated music already racking up serious numbers on Spotify. The EU AI Act's Article 50 labelling requirement lands in August 2026, which does precisely nothing about the years of unlabelled synthetic material already in circulation. Nobody on the call had an answer for that backlog. Danni also flagged something I hadn't properly considered: a coming wave of deepfake-enabled workplace harassment cases, landing on HR departments that are currently navigating a legislative patchwork spanning harassment law, the Data Use and Access Bill, copyright, and the Online Safety Act, with no single coherent framework to lean on. To her credit, she closed by insisting the same technology has real upside, in dementia care, voice reconstruction, and memory preservation, and that the conversation shouldn't be all doom.
The Phone Number Knows More Than You're Asking.
Technically this one's about SMS OTP and mobile identity APIs rather than deepfakes directly. Stick with me, it's the same fight from the defensive side. Bahadir "Bob" Yavuz, Head of Products at GTC and a co-author of a GSMA white paper on mobile identity, built fraud models at Telesign using telecom metadata for clients including Airbnb, and his case is straightforward: your phone number's behavioural patterns are one of the few signals genuinely hard for a fraudster to fake. SMS, by contrast, is buckling. He cites markets where SIM swap fraud has risen by a thousand percent. The fix on offer is the GSMA's CAMARA and Open Gateway framework, a set of standardised network APIs, Number Verify, SIM Swap detection, KYC Check, KYC Fill-in, and Age Verification, that let telcos hand over a yes/no answer instead of raw customer data. The UAE is already nudging its banks away from SMS OTP towards exactly this. The catch, and it's a big one, is that it only works if competing telcos in the same market agree to cooperate on coverage, which Yavuz points to Indonesia's three-operator model as proof can actually happen. There's also a four to five percent growth uplift quoted from reduced onboarding friction, in case anyone on your board needs convincing with a number rather than a principle.
Deepfake Resilience as an Organisational Capability.
Seven practitioners, one of the channel's most popular panels, and one genuinely alarming statistic: 40% of security professionals in a controlled experiment failed to correctly identify fabricated video. People whose actual job is catching this. The panel, drawn from fraud detection (Bob Yavuz again, having quite the run across two episodes), deepfake detection sales (Alexandra Jorissen, Identif.ai), enterprise AI security (Ray Ellis), AI governance (Richard Mendoza, Compass MSP), education governance (Craig Clark, Clark and Company), AI security and OWASP (Aruneesh Salhotra), and cybersecurity architecture (David Clarke), opened with the case study of a British engineering firm that lost roughly $25 million to a single deepfake video call. Jorissen's explanation for why so many financial institutions still insist they have no deepfake problem is the line I keep coming back to: "it's because they haven't spotted them." David Clarke punctured the comfort blanket of encrypted messaging apps directly: "Yeah, they're encrypted, but that's about it. Ray Ellis proposed extending phishing simulation culture into a "deep fake me" exercise, testing staff against synthetic content the same systematic way you'd test for phishing susceptibility, and closed with the line that probably belongs on a poster somewhere: "We need to start doing something now. It's not going to get easier, it's going to get more complicated and harder. The more we embed this into the business organisation, the better." But the closing word, and the one that's stayed with me longest, went to Craig Clark: "Deepfakes aren't just another cyber threat that we can patch and filter. At its heart, what deepfakes do is represent a fundamental shift in how trust operates. The way that we used to demonstrate evidential truth is what we could see, what we could hear. And that no longer applies."
Episode 26 — Identity Verification in the Deepfake Era.
Ofer Friedman, Chief Business Development Officer at AU10TIX, doesn't do hedging. Asked about the business case for investing in deepfake detection, his opener was "you don't have a choice." Friedman frames the current moment as a second AI revolution in fraud, not because generative tools exist, that was the first revolution, but because fraudsters are now building and selling fraud-as-a-service infrastructure to each other: "Fraudsters are actually building tools and creating services that enable them and other fraudsters to do everything easy and en masse." He points to a figure that's genuinely hard to sit with: roughly 10 billion compromised identity sets currently circulating, more than the entire population of the planet. The threat is also shifting in shape, from a one-time onboarding check to something continuous: "The way I put it is a shift from onboarding to ongoing. It'll be much easier to commit fraud ongoing." His read on agentic AI as the next horizon is the most vivid description of the threat I've heard on this channel: "Agentic AI does what you know about AI, but has its own mind. It can launch a full attack. It will get information, it will choose a face, it will create a document, it will choose a target. And it will apply." His advice, delivered without much comfort: "You should assume that you're not well covered." And on the increasingly blurred line between identity verification and cybersecurity, the two industries he describes as "two galaxies clashing": "Try to unite your cyber defence with your identity defence, with your IAM defence."
What That Means For July and August
July and August are getting handed over almost entirely to new recordings, fresh interviews and webinars rather than archive pulls, covering AML and financial crime, fraud, the CISO seat, AI security, AI governance, data protection, and compliance, with deepfakes as the connective thread running through all of it. If you work any of those angles and have something to say that isn't a press release wearing a lanyard, get in touch.
There's also an industry survey going out as part of this, alongside a wider call for organisations to participate, with all of it, interviews, survey data, whatever else two months of recording turns up, pulled together into a report due in Q4.
Stewart Tinson