
When Your Next Customer Is an AI Agent: Preparing Your Stack for Agentic Shopping

Automated traffic is growing eight times faster than human traffic, agent-referred shoppers now convert better than people, and a benign checkout agent sits half a percentage point away from a fraud bot. The reflex to block bots has quietly become a decision to turn away your own customers. A field guide to getting your stack agent-ready.

By Pavel Klachan

For about thirty years the question at the front door of your website was simple: human or bot? Humans were customers, bots were noise or threat, and the whole bot-management industry grew up to sort one from the other. That question stopped being useful sometime in the last year, and most teams haven’t noticed yet.

The customer arriving at your checkout today is increasingly a piece of software. It is an AI assistant filling a cart, comparing fares, opening an account or moving money on behalf of a person who never loads your page at all. It navigates fast, it skips the marketing, it talks to your APIs directly, and on every signal your old rules were built to catch, it looks exactly like the attacker you spent a decade learning to block. The reflex to keep bots out has quietly become a decision about whether to serve or refuse your own buyers.

We argued a while back that bot management was never a checkbox, that it’s a tuning practice you keep revisiting. Agentic commerce is the moment that argument stops being about precision and starts being about revenue. This is a field guide to what actually changed in 2026, why blunt blocking now costs you twice, and how to get your stack ready to recognize an agent, prove what it is, and serve the good ones rather than slam the door on demand.

The short version: automated traffic is now growing roughly eight times faster than human traffic, and HUMAN Security’s 2026 benchmark found that about half a percentage point separates the rate of benign automation from malicious automation. The old “bot or not” test can’t split a gap that small, so the question has become “trust or not.” Get this wrong in the strict direction and you turn away paying demand that, per Adobe’s data, now converts better than human visitors. Get it wrong in the permissive direction and you eat the fraud, because attackers spoof the exact trusted-agent identities you’d want to allow (16.4 million requests impersonated a single Meta agent in two months). The fix is not a bigger blocklist. It’s verification at the edge, agent-ready APIs, and account protection underneath, so you can tell the agent doing your customer’s shopping from the bot testing stolen cards.


The shift: your customer is now an agent

Start with the traffic, because the scale is the part people still underestimate. HUMAN Security’s 2026 State of AI Traffic & Cyberthreat Benchmark Report, drawn from more than a quadrillion interactions across its network in 2025, found automated traffic growing about eight times faster than human traffic, and traffic from autonomous, web-acting agents up 7,851% year over year. Not 78%. Closer to eight thousand percent. Akamai’s own network data tells the same story from a different angle: AI agent and bot traffic nearly tripled over the past year, and in one two-month window the commerce sector alone saw more than 25 billion AI bot requests.

This isn’t evenly spread, and it isn’t theoretical. HUMAN’s April 2026 reading found that agentic browsers, led by Perplexity’s Comet and OpenAI’s Atlas, already generate close to three-quarters of all agentic traffic. And the agents have started transacting rather than just looking: 2.3% of agentic activity now lands on checkout pages, which means autonomous purchases are already happening on real merchants without a human in the session.

Here is the number that should change how a commercial team thinks about this. For most of 2025, agent traffic was a worse customer than a human, and the data backed up the instinct to be wary: Adobe Analytics measured AI-referred visitors converting around 38% worse than other traffic in March 2025. Twelve months later that reversed completely. By March 2026 Adobe found AI-referred traffic converting about 42% better than non-AI traffic, with those shoppers spending 48% more time on the page and viewing 13% more pages per visit. Traffic to US retail sites from generative-AI sources rose 693% across the 2025 holiday season and 393% year over year in the first quarter of 2026. The software at your door is no longer a tire-kicker. It is, on the evidence, your highest-intent visitor.

So the headline isn’t “bots are coming.” Bots arrived a decade ago. The headline is that a large and fast-growing share of the automation hitting your site is now your customer, behaving like your best customer, and your security stack is still configured to treat it like your worst.


Why this breaks the old bot binary

The uncomfortable finding underneath all of this is how little separates the good automation from the bad. HUMAN’s 2026 benchmark put it at roughly half a percentage point: across enormous volumes of traffic, that’s about all that distinguishes the rate of benign automation from malicious automation. A blunt rule that blocks “things that behave like bots” cannot resolve a difference that fine. It will either wave through fraud to avoid losing customers, or block customers to avoid losing money. Both are happening, on the same endpoints, right now.

Spoofing makes the gap unworkable rather than merely narrow, because the agent’s identity is self-asserted. An agent shows up, its user-agent string says it’s a well-known, trusted shopping assistant, and historically that was enough to be waved through. There is usually nothing stopping a malicious actor from typing the exact same string. DataDome’s early-2026 telemetry, drawn from 7.9 billion agent requests in January and February alone, found Meta’s external agent was the single most impersonated identity, with 16.4 million spoofed requests in two months, while PerplexityBot had the highest impersonation rate, with around 2.4% of requests claiming to be it turning out to be fraudulent. So the convenient shortcut, allow-listing trusted agents by name, has itself become an attack surface. “It says it’s a trusted agent” is not the same sentence as “it is a trusted agent.”

The cost of getting it wrong runs in both directions, which is what makes standing still the most expensive option. Lean strict and you reject demand that, as we just saw, now outconverts your humans. Lean permissive and you inherit the fraud economy that rides the same automation: carding volume is up 250% since 2022 by HUMAN’s count, and the attacks concentrate exactly where the money is. Akamai’s May 2026 State of the Internet research on financial services found banking absorbed 60% of all web attacks and 83% of attacks against API endpoints in 2025, with advanced bot activity up 147% late in the year and one platform seeing 96% of its traffic identified as malicious scraping. We walked through how that drains a platform in our piece on bot attacks against fintech, and the same blunt instrument that bleeds revenue at the front door still fails to stop it.

The old bot binary collapses in 2026. The left panel shows the legacy model: two buckets, human equals allow and bot equals block. The right panel shows the 2026 reality: four traffic classes - human, verified agent, unverified agent and attacker - that look nearly identical on old signals (benign and malicious automation sit about 0.5% apart) and each need a different action: serve, fast-path, challenge or block.

The shift, in one line, is from “bot or not” to “trust or not.” That sounds like a slogan until you realize the two questions need completely different machinery to answer. The first you can do with reputation and behavior. The second needs proof.


The two ways to lose (and the one most teams can’t see)

There’s a defensive way to lose this and a commercial one, and the commercial one is invisible on your security dashboards.

The defensive loss is the one we’ve covered: you let a spoofed agent through and it tests cards, scrapes prices or takes over accounts. Painful, but at least it shows up in your fraud numbers eventually. The commercial loss is quieter. Increasingly the agent does more than buy on a customer’s behalf. It also answers their questions, and it answers from whatever it can read about you before the buyer ever reaches your site. Roughly 68% of Google searches ended without a click in early 2026, AI Overviews now sit on more than a fifth of searches, and Google’s AI Mode passed a billion monthly users with query volume more than doubling each quarter. The discovery step is moving inside the assistant. If an AI can’t parse your content well enough to cite you, you simply aren’t in the room when the recommendation is made, and you’ll never see the lost sale on any report you currently run.

This is where the response splits into two jobs. The first is to stop being legible only to humans. Akamai piloted its new AI Brand Presence service on its own site by serving a machine-readable version of its content alongside the human one, at the edge, with no back-end rebuild. The reported results were the kind you double-check: citations up about 85%, brand presence up 364% for general searches where the brand wasn’t even named, and a 133% lift in one major assistant versus competitors. Whatever the exact numbers settle at as the category matures, the direction is the point. Being readable by the agent is becoming a growth lever, not a compliance chore, and Gartner expects 60% of brands to be using agentic AI for one-to-one customer interactions by 2028.

The second job, the one that makes the first safe, is visibility into which agents are actually touching your business and what they’re doing once inside. You can’t serve, win or stop what you can’t see, and most teams genuinely cannot see it yet. That’s the gap to close before you touch a single rule.


The standards that just arrived

The reason verification is suddenly practical, rather than a nice idea, is that 2025 and 2026 produced the plumbing for it. Three things landed in quick succession, and they matter because they replace “trust the label” with “check the signature.”

OpenAI and Stripe published the Agentic Commerce Protocol in late 2025 under an open license; it’s the rail behind ChatGPT’s in-chat checkout. Google published the Agent Payments Protocol, built on W3C Verifiable Credentials, and then donated it to the FIDO Alliance in April 2026, putting agent payments on the same standards footing as passkeys, with Adyen, Worldpay and dozens of other partners signed on. Visa’s Trusted Agent Protocol uses HTTP Message Signatures to let a legitimate agent prove who it is at transaction time, and Akamai built on the related Web Bot Authentication work moving through the IETF. In June 2026 Akamai and Visa announced a joint framework that stitches these together. Akamai’s Reuben Koh described the division of labor neatly: think of Visa as the passport provider, verifying the agent and the human behind it, and Akamai as the immigration officer, checking where the agent actually came from and how it behaves once admitted. A verified agent arriving from a compromised server still gets stopped. A verified agent that says it wants to browse and then starts testing card numbers gets stopped too.

The practical upshot for you is that the building blocks for cryptographic agent verification now exist and are converging, rather than fragmenting into a dozen incompatible silos. You no longer have to choose between trusting a forgeable string and blocking everything. You can ask an agent to prove it, and let the ones that can prove it through.


Getting your stack agent-ready

None of this requires ripping out what you run. It’s a set of signals and policies layered onto your existing edge, identity and fraud tooling. Here’s the order we work through it with clients, each step assuming the one before it will sometimes fail.

1. Get visibility before you change a rule

Before any policy decision, find out which agents are already hitting you, which endpoints they touch, and what they do once inside. Most teams are surprised by how much agentic traffic is already in their logs and how much of it is on checkout, search and account endpoints rather than the homepage. Baseline it first; you can’t tune what you can’t measure, the same discipline we apply to WAF rules and bot policy generally.

  • Segment automated traffic by self-declared identity, then by behavior, and watch where the two disagree.
  • Map agent activity to your money-moving endpoints specifically: checkout, booking, account opening, payment APIs.
  • Treat “we can’t tell which agents are in our environment” as a finding to fix, not a footnote.
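
One way to run the baseline described in this step, as an added example that is not from the original article: group edge-log lines by client, compare the identity each client declares with how it behaves, and list the money-moving endpoints it touched. The log format, the agent token list, the endpoint patterns, the use of HTTP 402 for a declined payment and the thresholds are assumptions for illustration.

```javascript
// Constructed edge-log lines: client, "user-agent", method, path, status. Not real traffic.
const SAMPLE_LOG = [
  '198.51.100.7 "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0" GET /products/42 200',
  '198.51.100.7 "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0" GET /static/app.css 200',
  '198.51.100.7 "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0" POST /checkout 200',
  '203.0.113.10 "Mozilla/5.0 (compatible; PerplexityBot/1.0)" GET /products/42 200',
  '203.0.113.10 "Mozilla/5.0 (compatible; PerplexityBot/1.0)" GET /search?q=tent 200',
  '192.0.2.55 "meta-externalagent/1.1" POST /api/payments 402',
  '192.0.2.55 "meta-externalagent/1.1" POST /api/payments 402',
  '192.0.2.55 "meta-externalagent/1.1" POST /api/payments 402',
  '192.0.2.90 "Mozilla/5.0 (X11; Linux x86_64) Chrome/126.0" POST /api/account/open 201',
  '192.0.2.90 "Mozilla/5.0 (X11; Linux x86_64) Chrome/126.0" POST /api/account/open 201',
];

const KNOWN_AGENT_TOKENS = ['PerplexityBot', 'meta-externalagent', 'ChatGPT-User']; // sample list
const MONEY_PATH = /^\/(checkout|booking|api\/payments|api\/account)/; // assumed routes
const ASSET_PATH = /\.(css|js|png|jpg|svg|woff2)$/;
const LINE = /^(\S+) "([^"]*)" (\S+) (\S+) (\d{3})$/;

// Self-declared identity: nothing more than what the user-agent string claims.
function declaredIdentity(ua) {
  return KNOWN_AGENT_TOKENS.find((token) => ua.includes(token)) || 'browser';
}

function segment(lines) {
  const clients = new Map();
  for (const line of lines) {
    const m = LINE.exec(line);
    if (!m) continue; // skip lines that do not parse
    const [, client, ua, method, path, status] = m;
    const c = clients.get(client) ||
      { client, declared: declaredIdentity(ua), assets: 0, declines: 0, money: new Set() };
    const bare = path.split('?')[0];
    if (ASSET_PATH.test(bare)) c.assets += 1;
    if (MONEY_PATH.test(bare)) c.money.add(bare);
    if (method === 'POST' && status === '402') c.declines += 1;
    clients.set(client, c);
  }
  return [...clients.values()].map((c) => {
    // Illustrative behaviour rules: repeated declines, or no page assets ever fetched.
    const behaviour = c.declines >= 3 ? 'card-testing'
      : c.assets === 0 ? 'automated' : 'human-like';
    const expected = c.declared === 'browser' ? 'human-like' : 'automated';
    return { client: c.client, declared: c.declared, behaviour,
      moneyEndpoints: [...c.money].sort(), disagrees: behaviour !== expected };
  });
}
```

Rows where `disagrees` is true are the ones to investigate first: a browser user-agent that behaves like automation, or a well-known agent name attached to a decline pattern.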

2. Verify identity, don’t trust the label

Replace user-agent allow-listing with cryptographic verification wherever the standards now let you. A legitimate agent under Web Bot Auth, AP2 or Visa’s TAP can present a signature it can prove; a spoofed one can claim the name but can’t produce the signature, and fails the check instead of sailing through.

  • Verify signed agents at the edge, before the request reaches origin or your login logic.
  • Stop relying on user-agent strings as identity. They are text the agent typed about itself.
  • Feed the verification result into your existing bot and fraud decisions as a signal, not a verdict on its own.
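
The check described in this step, as an added example that is not from the original article or from any vendor it names: edge-side verification of an RFC 9421 HTTP Message Signature made with Ed25519, returning a signal rather than a verdict. The key directory, the keyid `shop-agent-2026`, the covered components and the request object shape are assumptions for illustration; a real Web Bot Auth or TAP deployment defines its own.

```javascript
// Load node:crypto whether this file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

// Constructed key pair and key directory (keyid -> public key); the keyid is hypothetical.
const agentKeys = nodeCrypto.generateKeyPairSync('ed25519');
const KEY_DIRECTORY = new Map([['shop-agent-2026', agentKeys.publicKey]]);

// RFC 9421 signature base: one line per covered component, then the params line.
function signatureBase(req, covered, params) {
  const lines = covered.map((name) => {
    const value = name === '@method' ? req.method
      : name === '@authority' ? req.authority
      : name === '@path' ? req.path : req.headers[name];
    if (value === undefined) throw new Error(`covered component missing: ${name}`);
    return `"${name}": ${value}`;
  });
  return Buffer.from([...lines, `"@signature-params": ${params}`].join('\n'));
}

// Agent side, present only so a sample request can be built offline.
function signRequest(req, keyid, privateKey, created, expires) {
  const covered = ['@method', '@authority', '@path'];
  const params = `(${covered.map((c) => `"${c}"`).join(' ')})` +
    `;created=${created};expires=${expires};keyid="${keyid}"`;
  const sig = nodeCrypto.sign(null, signatureBase(req, covered, params), privateKey);
  const headers = { ...req.headers, 'signature-input': `sig1=${params}`,
    signature: `sig1=:${sig.toString('base64')}:` };
  return { ...req, headers };
}

// Edge side: returns a signal for the bot and fraud decision; never throws on bad input.
function verifyAgent(req, now) {
  const input = req.headers['signature-input'];
  const header = req.headers.signature;
  if (!input || !header) return { verified: false, reason: 'unsigned' };
  const params = input.slice(input.indexOf('=') + 1);
  const list = params.slice(0, params.indexOf(')'));
  const covered = [...list.matchAll(/"([^"]+)"/g)].map((m) => m[1]);
  const keyid = (/;keyid="([^"]+)"/.exec(params) || [])[1];
  const expires = Number((/;expires=(\d+)/.exec(params) || [])[1]);
  const publicKey = KEY_DIRECTORY.get(keyid);
  if (!publicKey) return { verified: false, reason: 'unknown-key' };
  if (!(expires > now)) return { verified: false, reason: 'expired' };
  if (!covered.includes('@authority')) return { verified: false, reason: 'authority-not-signed' };
  try {
    const b64 = header.slice(header.indexOf(':') + 1, header.lastIndexOf(':'));
    const base = signatureBase(req, covered, params);
    const ok = nodeCrypto.verify(null, base, publicKey, Buffer.from(b64, 'base64'));
    return ok ? { verified: true, agent: keyid } : { verified: false, reason: 'bad-signature' };
  } catch { return { verified: false, reason: 'malformed' }; }
}
```

A request carrying only the agent's user-agent string comes back as `unsigned`, and a signature that was valid for one path or host fails when replayed against another because those components are part of the signed base.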

3. Allow-list the good, challenge the rest

Once an agent is verified, give it a fast path so genuine demand flows without friction. Everything that fails verification gets policy by intent: throttle, challenge or block. This is where verification turns into conversion, because it lets you be generous to the agents you can prove and strict only with the ones you can’t.

  • Put verified, high-intent agents on a low-friction path to checkout and search.
  • Apply graduated responses to the unverified, rather than a single blanket block.
  • Review the false-positive rate on legitimate agents as a revenue metric, because that’s what it is.

4. Treat your APIs as the real attack surface

Agents don’t fill in forms; they call APIs. As Koh put it, an attacker doesn’t need to attack the agent when they can target the API executing its instructions, redirecting a “buy $200 of groceries” intent into a $5,000 order. With agent transactions set to balloon, the API layer becomes the weakest link, and 96% of financial-services leaders in Akamai’s research reported an API incident in the past year. We made the longer version of this case in what CTOs get wrong about API security.

  • Discover and inventory every endpoint an agent can reach, including the ones not in your public docs.
  • Enforce schemas and authorization per request; broken object-level authorization is still the most exploited API flaw.
  • Rate-limit and watch for intent drift: an agent whose behavior stops matching its stated purpose.
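
An added example of the per-request checks in this step, not code from the original article: an order endpoint that enforces a strict schema, object-level authorization and the declared intent on every call, using the "$200 of groceries" case from the text. The session, customer and cart identifiers, the field names and the stored intent record are hypothetical.

```javascript
// Constructed server-side state; every identifier and amount below is hypothetical.
// INTENTS holds what the verified agent declared for the session ("buy $200 of groceries").
const INTENTS = new Map([
  ['sess-1', { principal: 'cust-881', category: 'groceries', maxTotalCents: 20000 }],
]);
const CARTS = new Map([
  ['cart-10', { owner: 'cust-881', category: 'groceries', totalCents: 18450 }],
  ['cart-12', { owner: 'cust-881', category: 'groceries', totalCents: 500000 }],
  ['cart-77', { owner: 'cust-412', category: 'groceries', totalCents: 3200 }],
]);
const ORDER_FIELDS = new Map([['cartId', 'string'], ['currency', 'string']]);

// Strict schema: every required field with the right type, and nothing else.
function schemaErrors(body) {
  if (body === null || typeof body !== 'object') return ['body must be an object'];
  const errors = [];
  for (const [field, type] of ORDER_FIELDS) {
    if (typeof body[field] !== type) errors.push(`bad or missing field: ${field}`);
  }
  for (const field of Object.keys(body)) {
    if (!ORDER_FIELDS.has(field)) errors.push(`unexpected field: ${field}`);
  }
  return errors;
}

const deny = (status, reason) => ({ allow: false, status, reason });

function authorizeOrder(sessionId, body) {
  const intent = INTENTS.get(sessionId);
  if (!intent) return deny(401, 'no verified intent for this session');
  const errors = schemaErrors(body);
  if (errors.length) return deny(400, errors.join('; '));
  const cart = CARTS.get(body.cartId);
  // Object-level authorization: the cart must belong to the person the agent acts for.
  if (!cart || cart.owner !== intent.principal) return deny(403, 'cart not owned by principal');
  // Intent drift: judge the server-side cart, never a client-supplied total.
  if (cart.category !== intent.category) return deny(403, 'category outside declared intent');
  if (cart.totalCents > intent.maxTotalCents) return deny(403, 'total exceeds declared intent');
  return { allow: true, status: 200, totalCents: cart.totalCents };
}
```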

5. Keep account protection running underneath

Verification answers “what is this agent.” It doesn’t answer “is this session taking over an account,” which is why account protection sits below the whole stack. The agentic era doesn’t retire credential stuffing and session theft; it gives them better cover. Everything in our 2026 account-takeover checklist still applies, and matters more now that a malicious session can dress as a trusted assistant.

  • Score logins, registrations and password resets at the edge, in front of the agent traffic.
  • Re-authenticate for the actions that move money, regardless of how trustworthy the agent looked at the door.
  • Watch the post-login sequence, because a spoofed agent’s goal is usually the payee added two minutes after it gets in.
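
An added example of the last two points, not code from the original article: a gate that demands fresh re-authentication for money-moving actions whatever the agent's verification status, and flags a payee added soon after login. The action names, event shape and time windows are assumptions for illustration.

```javascript
const MONEY_ACTIONS = new Set(['add_payee', 'transfer', 'change_payout_account']);
const STEP_UP_TTL_S = 300;       // illustrative: how long a re-authentication stays fresh
const NEW_PAYEE_WINDOW_S = 600;  // illustrative: what counts as "soon after"

// Latest event of a given type in a time-ordered session history, or undefined.
function lastEvent(events, type) {
  return [...events].reverse().find((e) => e.type === type);
}

// session: { agentVerified, events: [{ t, type, payee? }] }, with t in epoch seconds.
// agentVerified is deliberately never read: the door check does not exempt money movement.
function gateAction(session, action, now) {
  const flags = [];
  const login = lastEvent(session.events, 'login');
  if (action.type === 'add_payee' && login && now - login.t <= NEW_PAYEE_WINDOW_S) {
    flags.push('payee-added-soon-after-login');
  }
  if (action.type === 'transfer') {
    const added = session.events.find(
      (e) => e.type === 'add_payee' && e.payee === action.payee);
    if (added && now - added.t <= NEW_PAYEE_WINDOW_S) flags.push('transfer-to-new-payee');
  }
  if (!MONEY_ACTIONS.has(action.type)) return { decision: 'allow', flags };
  const stepUp = lastEvent(session.events, 'step_up_ok');
  // A re-authentication only counts if it is recent and belongs to the current login.
  const fresh = Boolean(stepUp) && now - stepUp.t <= STEP_UP_TTL_S &&
    (!login || stepUp.t >= login.t);
  if (!fresh) return { decision: 'step-up', flags };
  return { decision: flags.length ? 'allow-and-review' : 'allow', flags };
}

// Constructed session: a verified agent logs in, looks at a balance, nothing else yet.
const SAMPLE_SESSION = {
  agentVerified: true,
  events: [{ t: 1000, type: 'login' }, { t: 1030, type: 'view_balance' }],
};
```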

The first-mover playbook

You don’t need a twelve-month program to start, and the teams that move first get a genuine advantage while the standards are still settling.

In the first month, get visibility. Stand up the dashboard that tells you which agents are present and what they consume, and run agent verification in observe mode on one flow that matters, usually checkout or account opening. In parallel, look at your content the way an agent does: can a model actually read and cite you, or are you invisible at the answer layer? That audit is the cheapest growth lever most teams aren’t pulling.

In the second month, turn observed data into policy. Allow-list the verified agents you’ve now seen behaving well, apply graduated challenges to the rest, and tighten the APIs those agents hit. By the third, enforce: move tuned policies from observe to action, switch on re-authentication for money movement, and agree the three numbers you’ll hold yourself to, namely fraud loss avoided, legitimate agent demand recovered, and citations or referral traffic won at the AI-answer layer. The first protects your revenue; the second and third grow it.


The pattern across all of it is the same one we keep reaching in web application security and API security work: the old assumptions stopped being true one at a time, and defense in 2026 means replacing each one with a measurement. The assumption that a bot isn’t a customer. The assumption that a trusted name means a trusted agent. The assumption that the buyer will always reach your site to be served. Each was safe for years, and each is now a quiet way to lose revenue. The winners in agentic commerce won’t be the teams with the highest block rate. They’ll be the ones the good agents can reach, trust and recommend, and that decision is being made right now, on your endpoints, whether you can see it or not.
