Notifications
Clear all
Topic starter
12/06/2026 10:21 pm
TL;DR: Agentic commerce creates a new fraud surface where malicious AI agents can browse, transact, and imitate legitimate customer behaviour at scale, according to Fingerprint. Existing device and session controls can reduce bot activity, but they do not by themselves resolve the identity trust problem once agents start acting like users.
NHIMG editorial — based on content published by Fingerprint: What is agentic commerce? And how are fraudsters exploiting it?
Questions worth separating out
Q: How should security teams detect malicious AI agents in commerce flows?
A: Security teams should combine persistent device intelligence, pre-login risk signals, and action-level behaviour monitoring.
Q: Why do agentic commerce workflows create more fraud risk than ordinary bots?
A: Agentic commerce is riskier because the actor can adapt during the session, combine actions dynamically, and mimic user intent more convincingly than a fixed script.
Q: When should teams challenge an agent-driven transaction instead of letting it continue?
A: Teams should challenge transactions when device reputation drops, the session shows high-velocity action chaining, or the same environment repeatedly reaches sensitive steps without stable user evidence.
Practitioner guidance
- Strengthen pre-login risk scoring Use device reputation, anonymity network indicators, and repeated environment signals before checkout or account actions begin so high-risk sessions are challenged earlier.
- Correlate device and behavior signals Combine persistent device intelligence with velocity, sequence, and transaction anomalies so a legitimate browser does not automatically inherit trust for every action.
- Define agent-specific policy triggers Create rules for unusual action chaining, rapid page traversal, and repeated session reuse that can flag malicious AI agents even when the user experience looks normal.
What's in the full article
Fingerprint's full blog post covers the operational detail this post intentionally leaves for the source:
- Specific device intelligence and Smart Signals combinations used to distinguish risky automation from legitimate shoppers
- Practical examples of how to block malicious crawlers and agent-driven abuse without overwhelming real users
- The article's fraud-prevention framing for commerce platforms that need to balance friction, coverage, and customer experience
👉 Read Fingerprint's guide to agentic commerce fraud and security risks →
Agentic commerce fraud - what should fraud and IAM teams do?
Explore further
13/06/2026 1:04 am
Agentic commerce turns fraud prevention into an identity governance problem. The core issue is no longer only whether a transaction is legitimate. It is whether the platform can tell when a software actor is exercising user-like authority without the governance guardrails that IAM, fraud, and device controls were designed for. That pushes the discipline toward runtime identity decisions across both machine and human journeys. Practitioners should treat agentic commerce as a governance boundary problem, not just a detection problem.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: What is the difference between legitimate automation and malicious agent behaviour?
A: Legitimate automation usually operates within known, bounded workflows, while malicious agent behaviour adapts to the environment, chains actions opportunistically, and seeks to complete a goal with minimal friction. The distinction is not whether software is acting, but whether the platform can govern its authority, timing, and trust boundaries.
👉 Read our full editorial: Agentic commerce fraud exposes gaps in device identity controls
