TL;DR: AI agents now account for 57.5% of HTML web traffic versus 42.5% from humans on Cloudflare Radar, while HUMAN Security says agentic AI traffic grew roughly 7,851% year over year. The shift is structural: apps, APIs, analytics, and commerce flows now need to work for machine actors as well as people.
NHIMG editorial — based on content published by WorkOS: AI agents now make up the majority of web traffic
By the numbers:
- AI agents now account for 57.5% of HTML web traffic versus 42.5% from humans.
Questions worth separating out
Q: How should security teams govern AI agents that browse and transact on behalf of users?
A: Security teams should govern AI agents as delegated actors with narrow, task-scoped permissions, not as enhanced browsers.
Q: Why do AI agents make web analytics less reliable?
A: AI agents can complete tasks much faster than humans and generate request patterns that do not resemble normal browsing.
Q: What breaks when websites are designed only for human browsing?
A: Task completion breaks first.
Practitioner guidance
- Segment machine traffic from human traffic Create separate reporting for AI crawler, browser agent, and human sessions so pageviews, conversion, and abandonment are not mixed into the same KPI set.
- Audit forms for machine compatibility Test key workflows with DOM-based interaction, native submit controls, labelled inputs, and server-rendered fallback paths.
- Define transaction-scoped permissions for agents Limit delegated access to the smallest purchasable or service-specific action set, and require explicit boundaries for checkout, payment, booking, or account changes.
What's in the full article
WorkOS's full article covers the implementation detail this post intentionally leaves for the source:
- How Cloudflare and HUMAN Security distinguish old-school bots from agentic traffic in practice.
- Specific form, analytics, and content delivery changes that improve compatibility with browser-based agents.
- Details on UCP and ACP integration paths for transactional web and commerce flows.
- Operational guidance on crawl policy, robots handling, and machine-friendly endpoint design.
👉 Read WorkOS's analysis of how AI agent traffic is changing apps, APIs, and analytics →
AI agent web traffic: what developers need to change now?
Explore further
Human-paced analytics is now a broken assumption: web telemetry was designed for visitors whose browsing, comparison, and checkout behaviour unfolded in human time. That assumption fails when AI agents can traverse hundreds of pages and complete tasks in a single delegated session. The implication is not simply better reporting. It is that identity-aware telemetry must distinguish actor type before programme teams can trust any conversion, engagement, or abuse signal.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- 53% of security leaders expect AI to run major portions of their infrastructure autonomously within the next three years, which means delegated access decisions are already ahead of many governance models.
A question worth separating out:
Q: How do organisations prepare for agent-mediated commerce without over-granting access?
A: Organisations should treat checkout, booking, and fulfilment as identity-governed workflows. That means limiting agents to the minimum transaction scope, adding explicit approval points where needed, and logging each action so the organisation can prove what the agent was authorised to do.
👉 Read our full editorial: AI agent web traffic is forcing a new app and API model