From bots to agents: what identity teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: AI agents are becoming first-class actors online, and security teams need to distinguish authorized AI traffic from malicious bots with much greater certainty, according to Fingerprint. That shift makes traffic identification an identity and trust problem, not just a detection problem.

NHIMG editorial — based on content published by Fingerprint: From bots to agents: why identifying AI traffic with certainty matters

By the numbers:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: How should security teams distinguish authorised AI agents from malicious bots?

A: Start by separating traffic classification from identity assurance.

Q: Why do AI agents complicate bot management and fraud controls?

A: AI agents complicate these controls because they can behave like authorised automation while still producing risky outcomes at machine speed.

Q: What breaks when bot controls rely only on fingerprints and behaviour scoring?

A: What breaks is the ability to prove intent and authority.

Practitioner guidance

  • Define which AI traffic classes are authorised: Separate human, scripted, and agent-driven traffic into explicit policy categories.
  • Bind high-risk actions to verified identity context: Require stronger identity proof before account changes, data export, checkout, or other sensitive workflows.
  • Move enforcement closer to the decision point: Use edge or inline controls to challenge or block risky behaviour before the request chain completes.

What's in the full article

Fingerprint's full analysis covers the operational detail this post intentionally leaves for the source:

  • How the vendor distinguishes authorised AI traffic from malicious bot behaviour in real deployment scenarios
  • Practical examples of signal combinations used to raise confidence before blocking or challenging a request
  • Implementation detail on rules-based enforcement for high-risk traffic paths
  • Operational guidance for teams deciding where detection should end and enforcement should begin

👉 Read Fingerprint's analysis of why AI traffic certainty matters →




   
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Bot management is becoming an identity governance problem, not just an anti-abuse function. Fingerprint’s framing reflects a broader shift: organisations can no longer assume that automation is either fully benign or fully hostile. When AI agents can act with partial independence, the question is not only whether traffic is automated, but whether the actor behind it has bounded authority and traceable lifecycle controls. Practitioners should treat AI traffic as an identity class that needs governance, not just filtering.

A few things that frame the scale:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: Who should own governance for AI traffic, IAM or fraud teams?

A: Both teams need a shared operating model. IAM owns identity proof, permission boundaries, and lifecycle governance, while fraud or abuse teams own behavioural detection and challenge flows. The effective model is joint ownership with clear decision rights, because AI traffic risk sits at the boundary between identity authority and abuse prevention.

👉 Read our full editorial: Bot management and AI traffic certainty: what changes now



   