TL;DR: Most teams still cannot quantify how much agentic AI traffic hits consumer identity flows, even though, by Arkose Labs' account, 85% of organisations hit by agentic attacks already had bot detection deployed, and Forrester has now recognised bot and agent trust management as a distinct category. The real issue is that legacy bot controls were built to answer whether traffic is human, not what it is trying to do, so visibility and intent classification now matter more than simple automation detection, according to Arkose Labs research.
At a glance
What this is: Arkose Labs argues that bot and agent trust management has become a distinct control problem because modern AI-driven traffic can look legitimate while evading older human-versus-bot detection models.
Why it matters: IAM, fraud, and identity teams need a way to classify agentic traffic, because the same visibility gap affects login, signup, checkout, and account lifecycle controls across human and non-human identities.
By the numbers:
- Of the organisations that experienced agentic attacks in 2025, 85% already had bot detection deployed; the problem was not inadequate security teams.
Context
Bot and agent trust management is the control layer that tries to distinguish legitimate human activity, authorised AI-assisted activity, and malicious automation. The problem is no longer simple bot detection, because modern AI-driven traffic can reuse real devices, residential IPs, and human-like interaction patterns while still operating at machine scale.
For identity programmes, that means consumer IAM, fraud controls, and account lifecycle governance now need shared visibility into non-human behaviour. The challenge is not only stopping abuse at the edge, but understanding whether the session belongs to a person, an authorised agent, or an adversary using automation to mimic both.
Key questions
Q: How should security teams build a trust decision for agentic traffic?
A: Security teams should combine device intelligence, behavioural analysis, and challenge telemetry into one trust decision. That approach helps separate authorised AI-assisted activity from hostile automation that uses residential proxies, spoofed browsers, or human-like interaction patterns. If the signals are evaluated separately, teams often misclassify modern agentic traffic and delay enforcement until after abuse has started.
Q: Why do legacy bot controls fail against agentic AI traffic?
A: Legacy bot controls were built to identify scripted, obvious automation. They fail when traffic runs locally on real devices, uses legitimate residential IPs, and mimics normal user behaviour closely enough to avoid classic fingerprints. In that environment, the control problem shifts from detecting automation to understanding intent and provenance.
Q: What do IAM and fraud teams get wrong about non-human traffic?
A: They often treat non-human traffic as a separate fraud issue instead of an identity governance problem. That creates blind spots across login, signup, and checkout because the same trust signals should inform access policy, session risk, and account lifecycle decisions. When those functions stay siloed, the organisation cannot see the full actor behaviour across the journey.
Q: How can organisations measure whether bot and agent trust management is working?
A: They should measure whether the control layer can classify sessions consistently across channels and whether the classification changes enforcement in real time. Useful indicators include reduced false positives on legitimate automation, faster blocking of malicious sessions, and a measurable drop in unclassified or ambiguous traffic. If the system cannot explain its trust decisions, it is not yet operationally reliable.
Technical breakdown
Why human-versus-bot detection is no longer enough
Traditional bot management was calibrated to detect scripted automation, cloud-hosted tooling, and obvious fingerprint mismatches. That model breaks when adversaries run locally on consumer hardware, use residential proxies, and tune browser characteristics to resemble normal traffic. In parallel, authorised AI agents may act on behalf of real users without self-identifying, which means the detection problem is now about intent and provenance, not only device evidence. The control layer has to classify traffic based on behavioural and technical signals together, or it will confuse good automation with malicious automation.
Practical implication: Practitioners should treat simple bot-versus-human checks as incomplete and evaluate whether their controls can distinguish authorised agents from hostile traffic.
How device intelligence, behavioural biometrics, and telemetry work together
Device intelligence identifies the environment, behavioural biometrics describe how the session behaves, and adaptive challenge telemetry measures how the actor responds under friction. Each signal alone is weak in modern agentic traffic, because one can be spoofed, scripted, or partially imitated. Combined, they create a stronger confidence model for intent classification. This is especially important for consumer-facing identity flows where login, signup, and checkout activity often blends legitimate users, AI assistants, and fraud infrastructure in the same funnel.
Practical implication: Security teams should validate whether they are correlating device, behaviour, and challenge outcomes in one decision path rather than relying on a single detection feed.
Why trust classification has become an identity control problem
When trust classification persists across sessions and is tied into identity infrastructure, it becomes part of the account lifecycle rather than a one-off fraud signal. That matters because the same actor may appear benign in one session and risky in another, especially when AI agents or session hijackers reuse prior context. The architectural shift is from static challenge-response logic to continuous classification that can inform access, step-up decisions, and enforcement across the session lifecycle.
Practical implication: IAM and fraud teams should align their trust signals with identity policy decisions so that session risk can influence access rather than sit in a separate console.
Threat narrative
Attacker objective: The attacker aims to gain trusted access to consumer identity flows at scale so that fraudulent actions look like legitimate sessions.
- Entry occurs when malicious adversaries use residential proxies, spoofed browser values, and realistic device fingerprints to blend into consumer traffic.
- Escalation follows when superhuman click precision, fake account creation, and account takeover automation operate at machine scale without triggering older bot rules.
- Impact is reached when fraud campaigns, cashout operations, or unauthorised account actions move through login, signup, and checkout flows before the detection layer can classify the actor correctly.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Bot and agent trust management is now an identity governance problem, not just a fraud problem. The article shows that consumer traffic can no longer be sorted with a human-versus-bot binary because authorised AI assistants, malicious automation, and real users all inhabit the same channels. That changes the control question from simple detection to identity classification across the session lifecycle. The practitioner conclusion is that IAM, fraud, and access policy teams need shared decisioning for non-human traffic.
Intent classification has become the named governance gap. If a platform cannot tell what a session is trying to do, then its protection model is always reacting one step late. This is a control-plane issue because the security decision depends on combining device evidence, behavioural evidence, and challenge telemetry into one trust decision. The practitioner conclusion is that visibility into intent must be treated as a core security requirement, not a nice-to-have analytics feature.
Consumer identity flows now carry non-human identity risk whether teams recognise it or not. AI agents acting on behalf of users create a bridge between human IAM and machine identity governance, especially where account creation, login, and checkout are shared surfaces. That makes lifecycle thinking relevant, because trust decisions made at one point in the session can affect downstream access and abuse potential. The practitioner conclusion is that identity teams should govern these flows as mixed human and machine pathways.
Static detection models are being outpaced by adversaries who mimic legitimate infrastructure too well for legacy heuristics. The report’s description of Generation 3 tooling shows why older controls can remain deployed yet still miss the threat. The important shift is not simply more alerts, but a different trust model for agentic traffic and account abuse. The practitioner conclusion is that legacy bot controls should be assumed insufficient until proven otherwise.
Visibility into agentic traffic is becoming a board-level operating risk for digital businesses. If teams cannot measure how much traffic is AI-driven, then fraud rates, abandonment metrics, and access policy decisions all become less trustworthy. That matters because identity programmes increasingly feed customer experience, fraud loss, and compliance reporting from the same data. The practitioner conclusion is that organisations should treat trust telemetry as a governance metric, not only a security one.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- For a broader view of the control gap, see Ultimate Guide to NHIs and 2025 Outlook and Predictions for how agentic identity changes the operating model for non-human access.
What this signals
Intent classification is becoming a practical boundary between usable telemetry and governance noise. When consumer sessions can be produced by humans, authorised agents, or adversaries with similar fingerprints, the organisation needs a trust model that survives ambiguity. The next maturity step is to tie device, behaviour, and session outcomes into one policy path, not a separate fraud dashboard.
With 80% of organisations reporting AI agents have already acted beyond intended scope, according to AI Agents: The New Attack Surface report, the control gap is no longer hypothetical. Teams should expect pressure to explain what agentic traffic is doing, not only whether it exists. That will push IAM and fraud programmes toward shared ownership of session-level risk.
Consumer identity teams should start planning for mixed human and machine journeys now. The practical implication is that login, signup, and checkout controls will increasingly need to recognise authorised automation without giving cover to abuse. The organisations that define trust signals early will have better outcomes when agentic traffic becomes a routine part of volume and risk modelling.
For practitioners
- Classify traffic by intent, not only by source attributes: Map login, signup, and checkout flows to a trust model that combines device intelligence, behavioural signals, and challenge outcomes. The goal is to separate authorised automation from malicious automation before the session reaches a sensitive control point.
- Reassess bot controls against modern residential-proxy abuse: Test whether your current detection stack still depends on cloud-hosted indicators, obvious browser mismatches, or old automation signatures. Include local execution and real-device abuse in red-team scenarios.
- Link trust decisions to identity policy events: Use risk classification to influence step-up checks, session continuation, and account-lifecycle decisions rather than storing the signal in a separate fraud queue. That makes trust data operational for IAM teams instead of merely observational.
- Measure the share of AI-driven traffic explicitly: Add reporting that estimates the proportion of consumer-facing sessions likely generated or assisted by AI agents, then compare that estimate across channels and geographies. If you cannot quantify it, you cannot tune controls for it.
- Validate controls against authorised agent behaviour: Check whether good agents can be recognised without opening a path for malicious agents to impersonate them. This is especially important where legitimate automation uses the same surfaces as fraud campaigns.
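The single decision path described in the technical breakdown (device intelligence, behavioural signals and challenge telemetry fused into one verdict that drives allow, step-up or block) and the per-channel share-of-AI-traffic reporting in the practitioner list, as an added example that is not Arkose Labs' or NHIMG's code. The session schema, thresholds and the `agent_attested` signal are assumptions for illustration; the page itself notes that good agents may not self-identify.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class SessionSignals:
    """Per-session signals, constructed for this example (not a vendor schema)."""
    channel: str                      # login, signup or checkout
    residential_ip: bool              # device intelligence: IP is a home or mobile connection
    consistent_device: bool           # device intelligence: fingerprint shows no spoofing tells
    click_precision: float            # behavioural: 0..1, 1.0 = every click dead-centre
    cadence_variance: float           # behavioural: jitter in inter-event timing (humans are noisy)
    challenge_passed: Optional[bool]  # adaptive challenge outcome, None if none was issued
    challenge_ms: Optional[int]       # time taken to answer the challenge
    agent_attested: bool              # hypothetical: an authorised agent presented a credential

def device_only_verdict(s: SessionSignals) -> str:
    """Legacy-style check: a real device on a residential IP passes as human."""
    return "human" if s.residential_ip and s.consistent_device else "bot"

def fused_verdict(s: SessionSignals) -> tuple[str, str]:
    """Combine device, behaviour and challenge signals into one (label, action) pair."""
    # Superhuman precision with near-zero timing variance is machine-driven, whatever
    # the device layer says; solving a challenge faster than any person is a second tell.
    machine_driven = s.click_precision >= 0.98 and s.cadence_variance < 0.05
    solved_too_fast = s.challenge_passed and s.challenge_ms is not None and s.challenge_ms < 500
    if machine_driven and s.agent_attested:
        return "authorised_agent", "allow"
    if machine_driven or s.challenge_passed is False or solved_too_fast:
        if s.challenge_passed is None:
            return "ambiguous_automation", "step_up"  # no challenge yet: escalate, do not block blind
        return "hostile_automation", "block"
    if not s.consistent_device:
        return "human_suspect_device", "step_up"
    return "human", "allow"

def ai_traffic_share(sessions: list[SessionSignals]) -> dict[str, float]:
    """Per-channel share of sessions the fused model classifies as agent- or bot-driven."""
    totals, machine = defaultdict(int), defaultdict(int)
    for s in sessions:
        label, _ = fused_verdict(s)
        totals[s.channel] += 1
        if label in ("authorised_agent", "hostile_automation", "ambiguous_automation"):
            machine[s.channel] += 1
    return {c: round(machine[c] / totals[c], 2) for c in totals}

# Constructed sessions: a person, a shopping assistant acting for a user, a residential-proxy
# takeover bot the device layer alone waves through, and the same bot before any challenge.
PERSON = SessionSignals("login", True, True, 0.61, 0.42, None, None, False)
GOOD_AGENT = SessionSignals("checkout", True, True, 0.99, 0.01, True, 120, True)
ATO_BOT = SessionSignals("login", True, True, 0.99, 0.02, True, 90, False)
UNCHALLENGED_BOT = SessionSignals("signup", True, True, 0.99, 0.01, None, None, False)
```

The device-only check labels `ATO_BOT` human while the fused path blocks it and still lets the attested agent through, which is the misclassification the text warns about when signals are evaluated in isolation.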
Key takeaways
- Bot management is no longer just about detecting scripts, because AI-assisted and malicious traffic can now look like legitimate consumer activity.
- The strongest control model combines device intelligence, behavioural signals, and challenge telemetry rather than relying on a single indicator.
- Identity teams should treat trust classification as part of access policy and lifecycle governance, not a standalone fraud metric.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Agent trust classification and tool-use risk directly map to agentic application security. |
| NIST CSF 2.0 | PR.AC-4 | Trust decisions here depend on consistent access control and session verification. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Continuous verification is central when the actor identity is ambiguous at runtime. |
Use continuous trust verification for consumer sessions instead of assuming one-time authentication is sufficient.
Key terms
- Bot and Agent Trust Management: Bot and agent trust management is the practice of classifying non-human and AI-assisted traffic so security systems can decide whether to allow, challenge, or block it. It combines identity signals, device evidence, and behavioural analysis to determine intent rather than assuming all automation is hostile.
- Intent Classification: Intent classification is the process of inferring what a session is trying to do from its technical and behavioural signals. In identity security, it matters because modern automation can look legitimate while still pursuing fraud, account takeover, or abuse at machine scale.
- Behavioural Biometrics: Behavioural biometrics are interaction patterns such as mouse movement, click cadence, and navigation paths that help distinguish one type of session from another. They are strongest when combined with device and telemetry data, because behaviour alone can be copied or partially simulated.
- Non-Disclosing Good Agent: A non-disclosing good agent is an authorised AI agent that acts on behalf of a user but does not self-identify in the session. These agents can be legitimate and useful, yet they create governance complexity because their activity can resemble malicious automation unless trust controls recognise them.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Arkose Labs: Arkose Labs Named a Strong Performer in The Forrester Wave for Bot and Agent Trust Management Software, Q2 2026. Read the original.
Published by the NHIMG editorial team on 2026-05-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org