Notifications
Clear all
Topic starter
11/06/2026 11:08 pm
TL;DR: AI agents are now reaching login and signup surfaces in ways that make legitimate integrations, customer automation, and attacker traffic technically similar, according to Arkose Labs. The security shift is from bot detection to authorization and classification, because the old fraud signals no longer cleanly separate benign automation from abuse.
NHIMG editorial — based on content published by Arkose Labs: The New Fraud Frontier: How AI Agents Are Rewriting the Rules
Questions worth separating out
Q: What breaks when bot detection is used for AI agent traffic?
A: Legacy bot detection fails when legitimate automation and malicious automation share the same technical traits.
Q: Why do AI agents complicate fraud and access decisions?
A: AI agents complicate fraud decisions because they can act like approved partners while also behaving like attackers.
Q: How do security teams measure whether agent classification is working?
A: Track how often unknown automation is correctly separated from approved integrations, and measure false positives against business workflows that must stay online.
Practitioner guidance
- Classify agent traffic by authorisation context Separate verified partners, unknown automation, and hostile agents in policy before applying controls.
- Bind automated access to approved business relationships Require machine identities, headers, or tokens that map traffic to a known integration owner and purpose.
- Score behaviour instead of relying on legacy bot flags Weight signals such as credential test patterns, endpoint sequencing, rate-limit respect, and consistency across sessions.
What's in the full article
Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:
- How the three agent categories map to practical fraud handling decisions in login and signup flows
- The modern fraud indicators used to distinguish malicious automation from legitimate business agents
- Examples of behavioural signals such as endpoint consistency, rate-limit respect, and novelty testing
- The article's classification framework for deciding when to challenge, allow, or investigate automation
👉 Read Arkose Labs' analysis of how AI agents are rewriting fraud prevention →
AI agent traffic and fraud detection: what changes for IAM teams?
Explore further
12/06/2026 7:39 am
Identity classification has become the primary control plane for agentic fraud. The article describes a world where traffic alone no longer distinguishes a customer service agent, a payment processor, and a credential stuffer. That is a governance shift, not just a detection shift, because the decision is now about authorisation to act rather than whether the traffic is automated. For identity programmes, this pushes fraud prevention into the same operating model as NHI governance and access policy. Practitioners should treat classification as an identity function, not a perimeter function.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, sharing sensitive data, and revealing access credentials.
A question worth separating out:
Q: Who should own controls for AI agent traffic: fraud teams or IAM teams?
A: Both teams need shared ownership because the problem is simultaneously about abuse detection and identity governance. Fraud teams understand adversarial traffic patterns, while IAM teams control identity, entitlement, and authorisation policy. The operational model should join those disciplines so one team is not approving traffic the other team is trying to stop.
👉 Read our full editorial: AI agent traffic is rewriting fraud prevention and access trust
