TL;DR: AI agents are rapidly reshaping retail and banking traffic, with the source article saying more than 60% of online shop visitors are now bots, generative AI traffic to U.S. retail and banking sites has surged 2000% in the past year, and fraud losses could rise sharply if controls remain human-centric, according to Transmit Security. Human-designed fraud models now fail because the actor type has changed, not because the attack has become more sophisticated.
NHIMG editorial — based on content published by Transmit Security: AI agents are breaking human-centric fraud detection models
By the numbers:
- 60% of visitors to online shops and retailers, retailers are now bots, not humans.
- Generative AI sourced traffic to U.S. retail and banking sites has surged 2000% in just the last 12 months.
- More than 50% of consumers are comfortable letting AI agents shop and browse on their behalf.
Questions worth separating out
Q: How should security teams handle fraud detection when AI agents act on behalf of customers?
A: Security teams should treat AI agents as delegated actors, not as ordinary users or simple bots.
Q: Why do AI agents break traditional fraud detection models?
A: AI agents break traditional fraud detection because those models assume a human behind each session.
Q: What do fraud teams get wrong about bot detection in the age of AI agents?
A: Fraud teams often assume bot detection can separate good automation from bad automation.
Practitioner guidance
- Reclassify agent traffic as a delegated identity problem Map which customer-facing workflows now allow AI agents, then treat those sessions as delegated access paths with explicit scope, traceability, and approval rules.
- Reduce reliance on human-motor signals De-emphasise typing cadence, scrolling rhythm, and hesitation as primary trust factors when the session may be executed by an AI agent from cloud infrastructure.
- Add intent and purpose checks to risk scoring Score whether the action fits the user’s expected task, transaction history, and delegation scope instead of relying mainly on device or browser reputation.
What's in the full article
Transmit Security's full report covers the operational detail this post intentionally leaves for the source:
- The report breaks down how AI agents change fraud decisioning across shopping, banking, and account activity.
- It outlines why device fingerprinting, behavioural biometrics, and bot detection lose reliability in delegated agent sessions.
- It describes the move toward predictive AI models that score intent rather than only visible automation cues.
- It provides the broader market framing behind the claim that legacy fraud layers will be outmatched without a new control model.
👉 Read Transmit Security's analysis of how AI agents are changing fraud detection →
AI agents in fraud detection: are your controls keeping up?
Explore further
Human-centric fraud detection is no longer the default baseline. The article shows that the actor behind a transaction is now often a delegated software agent, not a person with a stable device and human motor patterns. Controls built for human identity are being asked to classify non-human behaviour without first understanding the delegation chain. The practical conclusion is that fraud governance now overlaps directly with identity governance.
A few things that frame the scale:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
- Only 80% of organisations report their AI agents have already performed actions beyond their intended scope, including access to unauthorised systems, sensitive data sharing, and revealing credentials.
A question worth separating out:
Q: Who is accountable when an authorised AI agent causes fraud or abuse?
A: Accountability should sit with the organisation that allowed the delegated automation, not with the detection system alone. Fraud, IAM, and compliance teams need a shared control model that records which agent was authorised, for what purpose, and under what limits. That audit trail is what supports incident review and regulatory response.
👉 Read our full editorial: AI agent adoption is breaking human-centric fraud detection