Agent trust management software: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Forrester’s Bot and Agent Trust Management Software Landscape reflects a market shift away from binary human-versus-bot detection toward intent, customer journey continuity, and risk-based challenge decisions as AI agents increasingly act on behalf of legitimate users. The underlying issue is that conventional bot controls were built for automation detection, not trust decisions across delegated access paths.

NHIMG editorial — based on content published by Arkose Labs: "Arkose Labs Recognized as a Notable Vendor in Forrester Bot and Agent Trust Management Software Landscape"

Questions worth separating out

Q: How should security teams govern AI agents that act on behalf of customers?

A: Security teams should govern customer-facing AI agents as delegated non-human actors with explicit trust boundaries, action limits, and continuous monitoring.

Q: What breaks when bot detection only looks for human versus automated traffic?

A: Bot detection breaks when legitimate AI agents and malicious automation share similar traffic patterns.

Q: Why do AI agents complicate customer identity and fraud controls?

A: AI agents complicate customer identity because they can carry out actions that look legitimate while obscuring the actual decision-maker.

Practitioner guidance

  • Map delegated customer access paths: Inventory where AI agents or other non-human actors can act for customers, then document which transactions they can complete, which identity signals you can still observe, and where human attribution becomes ambiguous.
  • Shift from source-based detection to intent-based response: Review bot controls so response is driven by transaction intent, session behaviour, and risk level instead of only origin IP, device reputation, or automation indicators.
  • Align fraud, IAM, and customer security policies: Create shared thresholds for step-up, allow, and block decisions so the same delegated session is not treated differently by fraud tooling and identity governance teams.

What's in the full analysis

Arkose Labs' full post covers the operational detail this post intentionally leaves for the source:

  • How the platform connects various agents back to human customers across direct and delegated journeys
  • The analytics and reporting detail behind intent visibility and risk-based challenge decisions
  • Telemetry-driven detection methods built from billions of sessions and custom customer models
  • Use cases such as account takeover prevention and SMS toll fraud detection

👉 Read Arkose Labs' analysis of bot and agent trust management in Forrester's landscape →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Binary bot detection is no longer sufficient for delegated access paths. The old model assumed the security question was whether traffic came from a person or an automated script. That assumption fails when AI agents can act on behalf of legitimate users and complete business workflows. The practical conclusion is that identity and fraud teams need to evaluate trust in the action, not just the source of the request.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • That same research found that only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: How do organisations decide when to challenge delegated automation?

A: Organisations should challenge delegated automation when transaction intent, velocity, session context, or historical behaviour falls outside the expected pattern for that customer journey. The decision should be risk-based, consistent across teams, and focused on preserving legitimate activity while stopping abusive automation before it reaches the transaction stage.

👉 Read our full editorial: Agent trust management is replacing binary bot detection

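As a worked illustration of the decision model both posts describe (shared allow / step-up / block thresholds with a hard action limit for delegated agents in the practitioner guidance, and challenging when intent, velocity, session context or historical behaviour fall outside the customer's pattern in the reply), here is an added Python example. It is not code from this thread, Arkose Labs or Forrester; every threshold, weight, identifier and sample record in it is a constructed assumption.

```python
"""Risk-based challenge policy for sessions where an AI agent acts for a customer.

Added example: every threshold, weight, identifier and sample record below is a
constructed assumption, not a value from Arkose Labs, Forrester or any report.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Decision(str, Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # challenge the human principal the agent acts for
    BLOCK = "block"


# One pair of thresholds shared by fraud, IAM and customer-security teams, so the
# same delegated session never gets a different answer from each (assumed values).
STEP_UP_THRESHOLD = 30
BLOCK_THRESHOLD = 70


@dataclass
class CustomerBaseline:
    """Historical behaviour observed for the human principal."""
    usual_actions: Set[str]
    max_amount_seen: float
    known_devices: Set[str]


@dataclass
class DelegatedSession:
    customer_id: str
    actor: str                  # "human" or "agent"
    agent_id: Optional[str]
    delegated_scope: Set[str]   # actions the customer authorised the agent to take
    device_id: str
    declared_intent: str        # what the agent says it is doing this session
    actions_last_minute: int    # velocity


@dataclass
class Transaction:
    action: str
    amount: float = 0.0


@dataclass
class Evaluation:
    decision: Decision
    score: int
    reasons: List[str] = field(default_factory=list)


def evaluate(session: DelegatedSession, tx: Transaction,
             baseline: CustomerBaseline) -> Evaluation:
    """Score the action rather than the traffic source, then map score to a decision."""
    # Hard action limit: a delegated agent never gets past the scope it was given.
    if session.actor == "agent" and tx.action not in session.delegated_scope:
        return Evaluation(Decision.BLOCK, BLOCK_THRESHOLD, ["action outside delegated scope"])
    # Soft signals (assumed weights): intent, historical behaviour, velocity, context.
    signals = [
        (tx.action != session.declared_intent, 30, "action does not match declared intent"),
        (tx.action not in baseline.usual_actions, 25, "action unusual for this customer"),
        (tx.amount > 2 * baseline.max_amount_seen, 30, "amount far above historical maximum"),
        (session.actions_last_minute > 10, 30, "action velocity above normal"),
        (session.device_id not in baseline.known_devices, 15, "unrecognised device"),
    ]
    score = sum(weight for hit, weight, _ in signals if hit)
    reasons = [reason for hit, _, reason in signals if hit]
    if score >= BLOCK_THRESHOLD:
        return Evaluation(Decision.BLOCK, score, reasons)
    if score >= STEP_UP_THRESHOLD:
        return Evaluation(Decision.STEP_UP, score, reasons)
    return Evaluation(Decision.ALLOW, score, reasons)


def audit_record(session: DelegatedSession, tx: Transaction, ev: Evaluation) -> dict:
    """Attribute each decision to both the agent and the human it acted for."""
    return {"customer_id": session.customer_id, "actor": session.actor,
            "agent_id": session.agent_id, "action": tx.action,
            "decision": ev.decision.value, "score": ev.score, "reasons": ev.reasons}


# Constructed sample data: one customer baseline and one delegated agent session.
BASELINE = CustomerBaseline(usual_actions={"view_balance", "pay_bill"},
                            max_amount_seen=200.0, known_devices={"dev-A"})
AGENT_SESSION = DelegatedSession("cust-1", "agent", "agent-42",
                                 {"view_balance", "pay_bill"}, "dev-A", "pay_bill", 2)


def routine_agent_payment() -> Evaluation:
    # In scope, matches intent, normal amount, known device: allowed.
    return evaluate(AGENT_SESSION, Transaction("pay_bill", 50.0), BASELINE)


def out_of_scope_transfer() -> Evaluation:
    # The customer never delegated wire transfers: hard block, regardless of score.
    return evaluate(AGENT_SESSION, Transaction("wire_transfer", 50.0), BASELINE)


def risky_but_in_scope() -> Evaluation:
    # Permitted action, but unusual amount from an unknown device: step up to the human.
    session = DelegatedSession("cust-1", "agent", "agent-42",
                               {"view_balance", "pay_bill"}, "dev-B", "pay_bill", 3)
    return evaluate(session, Transaction("pay_bill", 900.0), BASELINE)


if __name__ == "__main__":
    for ev in (routine_agent_payment(), out_of_scope_transfer(), risky_but_in_scope()):
        print(audit_record(AGENT_SESSION, Transaction("pay_bill"), ev))
```

Two design points matter more than the specific weights. The scope check comes before any scoring so an action limit cannot be outweighed by an otherwise clean session, and a STEP_UP result is meant to challenge the human principal rather than the agent, since the agent is the party whose attribution is in doubt. The audit record keeps both identities and the reasons, which is the tracing gap the reply's 52% figure points at.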