Merchants should combine behavioural analytics with device trust, transaction history and policy scope rather than relying on browsing depth alone. Legitimate AI agents often move quickly and with fewer human signals, so the control goal is to identify customer-authorised automation without opening the door to hostile bots. That requires risk scoring before checkout, not after the order is already complete.
Why This Matters for Security Teams
Merchants are not just dealing with “good bots” and “bad bots” anymore. AI agents can browse, compare, add to cart, and even support customer workflows with far fewer human-like signals, while fraud bots often probe for account takeover, card testing, inventory abuse, or coupon exploitation. The operational problem is distinguishing authorised automation from hostile automation before checkout, because post-order review is too late to prevent loss.
That distinction is especially important where agentic systems can use customer credentials, session tokens, or delegated permissions. NHIMG research on AI Agents: The New Attack Surface report highlights how quickly AI agents can move beyond intended scope when governance is weak. Current guidance suggests merchants should treat automation as a policy and trust question, not a browser-fingerprint question. The goal is to validate intent, scope, and risk before the transaction proceeds, consistent with the NIST AI Risk Management Framework and the OWASP Agentic AI Top 10.
In practice, many merchants discover they have been optimising for page view anomalies after abuse has already been monetised, rather than separating legitimate agentic commerce from fraud at the policy layer.
How It Works in Practice
Effective differentiation starts with a risk model that combines behaviour, device trust, transaction context, and authorisation scope. A legitimate AI agent may act quickly, skip scrolling, and submit structured actions, but it should still show stable policy signals: known customer account, approved tool scope, predictable purchase pattern, and an auditable origin. A fraud bot, by contrast, often shows broad enumeration, repetitive retry logic, proxy churn, and mismatched account or payment signals.
Merchants should evaluate automation using layered controls rather than a single detector. Practical controls include:
- Challenge only when intent is unclear, not simply because the session is fast.
- Bind customer-authorised automation to a declared purpose, scope, and expiration.
- Check device reputation, IP volatility, and session continuity alongside account history.
- Use pre-checkout scoring for cart, coupon, payment, and inventory actions.
- Log agent-specific decisions so fraud, support, and compliance teams can review them later.
For agentic commerce, the better question is whether the system has permission to do what it is trying to do. That is where NHI thinking becomes useful: an AI agent may need a distinct, bounded identity with scoped credentials, just as human users do, and that identity should be governed with the same rigor as other privileged access. The OWASP NHI Top 10 and MITRE ATLAS adversarial AI threat matrix are useful references when designing detection and containment logic for autonomous activity.
These controls tend to break down in guest checkout, flash-sale traffic, or heavily proxied mobile environments because legitimate and malicious automation can look operationally similar at speed.
Common Variations and Edge Cases
Tighter automation controls often increase friction for legitimate shoppers, so merchants have to balance fraud reduction against conversion loss and customer support overhead. There is no universal standard for this yet, especially when AI agents act on behalf of consumers in ways the merchant did not directly provision.
One common edge case is shopper-authorised assistants that search, compare, and prefill carts while a human still approves payment. Another is marketplace or reseller tooling that may look like inventory scraping but is permitted under contract. Best practice is evolving toward explicit policy tiers: allowed automation, restricted automation, and blocked automation, with different limits on rate, checkout authority, and sensitive actions.
Merchants also need to account for delegated identity and secrets exposure. If an AI agent is operating with a reusable token or cached session cookie, the real risk may be credential misuse rather than bot volume. NHIMG coverage such as Moltbook AI agent keys breach shows why token hygiene and scope enforcement matter when automation has lasting authority. For implementation context, the NIST AI Risk Management Framework and CSA MAESTRO agentic AI threat modeling framework both support governance-first design, while the Ultimate Guide to NHIs is useful when merchants need to formalise non-human access policies.
Where merchants operate across affiliates, marketplaces, and regional payment flows, this guidance becomes harder to apply because ownership of the agent, the customer intent, and the payment instrument may all sit in different control domains.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and MITRE ATLAS address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST AI RMF | AI risk governance is needed to classify authorised agents versus abusive automation. | |
| OWASP Agentic AI Top 10 | Agentic systems need controls for scope, tool access, and misuse prevention. | |
| MITRE ATLAS | Adversarial AI tactics help distinguish hostile automation from legitimate agent behaviour. | |
| NIST CSF 2.0 | PR.AA-01 | Identity and access assurance supports distinguishing trusted automation from fraud bots. |
| NIST SP 800-53 Rev 5 | AC-2 | Account management is relevant when agents use scoped credentials or delegated sessions. |
Classify non-human access paths and enforce policy-based authentication before sensitive commerce actions.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org