Subscribe to the Non-Human & AI Identity Journal

How should security teams verify legitimate bots without relying on user-agent strings?

Use cryptographic request signing so the server can verify that the caller controls a private key associated with the bot. Then combine that proof with endpoint policy, replay protection, and least-privilege authorisation. User-agent strings are easy to fake, so they should never be the trust anchor for machine access.

Why This Matters for Security Teams

User-agent strings are descriptive, not authoritative, so they cannot prove that a request came from a legitimate bot. Attackers can copy them in seconds, which means any access decision built on that header alone is effectively a self-asserted claim. Security teams should instead verify possession of a private key, then bind that proof to policy, replay checks, and narrow authorisation. This is consistent with the direction of the NIST AI Risk Management Framework and the emerging guidance in OWASP NHI Top 10, both of which emphasise trustworthy machine identity and runtime controls over static labels.

The practical risk is not just impersonation. Once a bot is treated as trusted because of a header, it may inherit broad API access, bypass monitoring, or reuse secrets across environments. NHI governance research from NHI Management Group shows how often organisations struggle with over-privilege and weak lifecycle control, which makes fake-bot abuse especially damaging when automation touches production systems. In practice, many security teams discover bot impersonation only after a scraping, fraud, or data-exfiltration event has already been underway for some time, rather than through intentional verification design.

How It Works in Practice

The strongest pattern is to make every legitimate bot prove cryptographic control at request time. The server issues or expects a request signature that is created with a private key held by the bot, then verifies the signature against a known public key, certificate, or workload identity. That proof should be paired with short-lived credentials, replay protection, and policy decisions that evaluate the request context, not just the caller name. Current guidance suggests treating this as machine identity verification, not bot detection.

In practice, teams often combine several layers:

  • Workload identity for the bot, such as OIDC-backed tokens or SPIFFE-style identities, so the caller is known by cryptographic proof rather than a mutable label.
  • Signed requests with nonce, timestamp, or sequence enforcement to reduce replay risk.
  • Policy-as-code at the gateway or API layer, using runtime checks for destination, scope, environment, and sensitivity.
  • Just-in-time access with short TTLs so the bot receives only the privileges needed for the current task.
  • Logging that captures key ID, token lifetime, and policy decision outcome for audit and abuse detection.

This model fits the real problem described in NHIMG research on compromised automation and secret leakage, including the Moltbook AI agent keys breach and the Ultimate Guide to NHIs — 2025 Outlook and Predictions, which shows how long-lived secrets and excessive privileges magnify machine-to-machine exposure.

These controls tend to break down when bots are distributed across unmanaged CI/CD jobs, shared runners, or third-party integrations because key custody, revocation, and telemetry become inconsistent.

Common Variations and Edge Cases

Tighter bot verification often increases operational overhead, requiring organisations to balance stronger assurance against rollout complexity and key-management burden. That tradeoff is real, especially for high-volume crawlers, partner integrations, and ephemeral batch jobs where rotating keys too often can disrupt service.

There is no universal standard for this yet, but the direction is clear: static allowlists and user-agent checks are insufficient. Some environments still use mTLS as the strongest baseline, while others rely on signed JWTs or HMAC-based request signing. The right choice depends on whether the bot is first-party, partner-operated, or internet-facing, and whether the team can manage certificate issuance and revocation reliably.

Edge cases matter. Shared bot platforms can make a single user-agent represent many different workloads, so the trust decision must move down to the individual identity and request. For autonomous agents, the issue is sharper because the bot may chain tools, change paths, or request new scopes during execution. That is why the CSA MAESTRO agentic AI threat modeling framework and the OWASP Agentic AI Top 10 both point toward runtime controls and least privilege as the safer posture. NHI Management Group’s research on the OWASP Agentic Applications Top 10 reinforces that the more autonomous the workload, the less reliable static identifiers become as a trust signal.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 User-agent trust fails without cryptographic proof of bot identity.
OWASP Agentic AI Top 10 A01 Agentic workloads need runtime verification, not static labels.
CSA MAESTRO M1 MAESTRO emphasizes identity and policy controls for autonomous agents.
NIST AI RMF AI RMF supports governance for trustworthy, context-aware AI access.
NIST Zero Trust (SP 800-207) PR.AC-1 Zero Trust requires continuous verification instead of implicit trust.

Apply AI RMF governance to define verification, logging, and accountability for bots.