June 3, 2026·8 min read

AI Agents Invisible to Fraud Detection

When a shopping assistant and a fraud bot are indistinguishable, the bot/human binary collapses. Here's what happens next.

Dellon S.

Digital Marketing

AI Agents, Fraud Detection, E-Commerce, Security

The Bot/Human Binary is Dead

For 30 years, the security question was simple: bot or human? A request either came from a person or from a machine. Machines were suspicious.

That question just became obsolete.

In 2025, AI agents started doing what humans do: they log into accounts. They navigate product pages. They compare prices. They complete purchases. And according to HUMAN Security's 2026 benchmark report, they are indistinguishable from fraud.

The numbers are stark. According to data analyzing 1 quadrillion interactions across the internet last year, agentic AI traffic grew 7,851% year over year. But here's the part that keeps security teams awake: across every request HUMAN analyzed in 2025, only half a percentage point separated benign automation from malicious automation.

An AI agent shopping for you. An automated fraud ring stealing from you. Same behavior. Different intent.

The bot/human binary is gone. In its place sits a new problem that neither retail, publishing, nor most e-commerce infrastructure is ready for.

The Collapse of Intent Detection

Let's be precise about what's happening. Traditional automation was dumb. Search crawlers, monitoring bots, conventional scraping tools: they read the web in bulk. They were easy to distinguish from human behavior because, well, no human behaves that way.

AI agents don't read the web. They act on it.

According to HUMAN's report, ChatGPT Atlas (launched October 21, 2025) is a browser interface that embeds AI directly into a shopping experience. A user can ask it: "Find me the cheapest outdoor light bulb under 20 dollars." The agent navigates product pages, compares specifications, reads reviews, fills in shipping info, and checks out.

What does that look like to your security team? If you're using traditional bot detection, it looks like:

  • Automated page navigation
  • Rapid form submission
  • Account authentication from an unknown IP
  • Transaction completion in milliseconds

Now imagine someone else's AI agent, one trained to simulate legitimate users, optimized to extract credit card data and checkout information. It does the exact same sequence.

The behavior is identical. The signature is identical. Your rule-based detection fires on both equally.

HUMAN notes that for every interaction logged across their platform in 2025, only 0.5% separated the rate of benign automation from the rate of malicious automation. That margin has compressed so far that traditional security assumes guilt by default. But default guilt breaks legitimate AI commerce tools.

This is the core of the crisis: we've built a binary classifier (bot/human, legitimate/fraudulent) when the actual problem is a spectrum with overlapping distributions.

The 0.5% margin between legitimate automation and fraud is narrowing fast.

Three Categories of AI Traffic (And Why The Distinctions Matter)

HUMAN's report breaks AI-driven traffic into three types, and the distinction is crucial for understanding why fraud detection is failing:

Training Crawlers still dominate (roughly 67.5% of observed AI bot traffic in 2025), but their share is collapsing. These bots bulk-extract data to build or refine machine learning models. They gathered roughly 90% of all AI bot volume in January, but dropped to 74% by December. E-commerce and travel sites supplied 85% of the data.

Real-Time Scrapers represent the inference layer of AI products. Unlike crawlers (which batch-extract), scrapers pull fresh data on every query: live pricing, current inventory, breaking news summaries. They grew 597% in 2025. Media led the traffic here at 41%, since AI search engines need constant fresh content to ground answers.

Agents are the novel category. They don't read the web; they automate actions on it. Agentic browsers like ChatGPT Atlas embed AI in a full browsing context. General-purpose agents like ChatGPT Agent and OpenClaw operate autonomously across applications. According to HUMAN, agentic traffic grew 7,851% year over year.

The problem: every category looks like automation to your detection system. But the first two are mostly legitimate AI infrastructure. The third is where fraud hides.

The Concentration Problem (And Why It Matters For Your Brand)

If there's a silver lining, it's this: AI traffic is highly concentrated.

OpenAI's bots (ChatGPT User, OAI-SearchBot, GPTBot, ChatGPT Agent) accounted for 69% of all observed AI-driven traffic in 2025. Meta-ExternalAgent contributed 16%. Anthropic (ClaudeBot, Claude-SearchBot) made up 11%. Everything else (dozens of identified bots from smaller companies) represented less than 5%.

That concentration means access policy decisions made by three companies determine the vast majority of your exposure to AI-driven traffic.

It also means spoofing is rampant. HUMAN's threat intelligence team found that a significant portion of requests claiming to be ChatGPT, Mistral, or Perplexity bots did not originate from those operators' infrastructure. Attackers are spoofing user-agent strings to exploit the trust organizations extend to known AI crawlers, bypassing robots.txt allowlists and rate-limit exemptions.

If your security is whitelisting crawler traffic based solely on user-agent strings, you're granting access to an unknown number of unauthorized actors.
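One way to replace user-agent-only allowlisting with a source-network check, as an added example that is not from the original article or HUMAN's report. The CIDR ranges are constructed documentation prefixes standing in for each operator's published crawler ranges, and the log lines are constructed samples.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-ins (RFC 5737 documentation prefixes) for the crawler
# ranges each operator publishes; load the real lists in production.
PUBLISHED_RANGES = {
    "openai": ["192.0.2.0/24"],
    "anthropic": ["198.51.100.0/25"],
    "meta": ["203.0.113.0/24"],
}
NETWORKS = {op: [ipaddress.ip_network(c) for c in cidrs]
            for op, cidrs in PUBLISHED_RANGES.items()}

# User-agent tokens named in the article, mapped to the operator they claim.
UA_TOKENS = {
    "gptbot": "openai", "oai-searchbot": "openai", "chatgpt-user": "openai",
    "claudebot": "anthropic", "claude-searchbot": "anthropic",
    "meta-externalagent": "meta",
}

# Access-log subset: peer IP is the first field, user agent the last quoted one.
# The IP must be the TCP peer seen at your edge, not a client-supplied header.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"$')

def classify(line):
    """Return 'verified:<op>', 'spoofed:<op>', 'unclaimed' or 'unparsed'."""
    m = LOG_RE.match(line.strip())
    if not m:
        return "unparsed"
    ua = m.group("ua").lower()
    op = next((o for tok, o in UA_TOKENS.items() if tok in ua), None)
    if op is None:
        return "unclaimed"  # no AI-crawler claim: goes to the normal pipeline
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return "unparsed"
    ok = any(ip in net for net in NETWORKS[op])
    return ("verified:" if ok else "spoofed:") + op

def summarize(lines):
    return Counter(classify(line) for line in lines)

SAMPLE_LOG = [  # constructed log lines
    '192.0.2.44 - - "GET /p/1 HTTP/1.1" 200 "Mozilla/5.0 (compatible; GPTBot/1.1)"',
    '203.0.113.9 - - "GET /p/2 HTTP/1.1" 200 "Mozilla/5.0 (compatible; GPTBot/1.1)"',
    '198.51.100.200 - - "GET /p/3 HTTP/1.1" 200 "ClaudeBot/1.0"',  # outside the /25
    '198.51.100.7 - - "GET /p/4 HTTP/1.1" 200 "Mozilla/5.0 Chrome/125.0"',
]
```

Only requests classified as verified should receive robots.txt allowlist treatment or rate-limit exemptions; a spoofed claim is itself a signal worth alerting on.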

Agent transactions now happen at scale. Most fraud detection still can't see them.

What Happens When Fraud Looks Like Commerce

The behavioral manifestation of this crisis is already visible.

In 2025, automated traffic grew 23.51% year over year, while human traffic increased just 3.10%. Automation is growing eight times faster than people.

Retail and media accounted for more than 80% of AI-driven traffic. E-commerce alone drove roughly half of all agentic growth. These are the verticals where structured, frequently updated data carries the highest commercial value, checkout flows are standardized enough for agents to automate, and fraud margins are high relative to legitimate transaction volumes.

The risk isn't abstract. For retailers running on thin margins, even a 2-3% fraud rate in agent traffic can erase profitability. For media sites, a torrent of scraper requests can consume 40-50% of infrastructure capacity.

More broadly, the inability to distinguish benign agents from malicious ones creates a chilling effect: either you block all agent traffic (and you break legitimate AI commerce), or you allow it (and you're vulnerable to new attack vectors you can't detect).

Most companies are defaulting to the latter. That's a vulnerability preview.

The Intent Layer Has To Go Somewhere Else

The security industry has a phrase for this moment: "shifting the burden of proof." The bot/human binary failed because it tried to infer intent from behavior. Intent and behavior are now decoupled.

So where does intent detection move?

Right now, the answers are fragmented:

API authentication as a proxy for trust. If a request comes from OpenAI's infrastructure, with proper cryptographic credentials, it's presumably legitimate. But this only works if organizations actually validate identity, not just user-agent strings.

Rate limiting based on request patterns. Agents that crawl products at human speed look different from agents that extract 10,000 product pages in an hour. But creative adversaries can mimic human behavior.

Policy and contract enforcement. OpenAI's terms explicitly forbid using ChatGPT agents for scraping. But terms are only as strong as the ability to detect violations.

Integration-based whitelisting. Some platforms (e.g., Shopify, WooCommerce) are building native integrations with AI commerce platforms, creating a designated "safe" channel for agent traffic. But this only protects early movers and big players.

None of these are comprehensive. None eliminate the 0.5% margin of error.

The deeper problem: the industry is trying to solve a problem (distinguishing legitimate agents from fraud) at the wrong layer. Intent isn't a technical property; it's a legal and contractual one.

What Happens Next

The HUMAN Security report was published in April 2026. It's now June.

Most e-commerce platforms have not fundamentally altered their fraud detection systems. Most publishers are still rate-limiting or blocking agent traffic based on user-agent strings. Most security teams are still operating under a bot/human framework.

But the behavior is changing. Agents are transacting at scale. Agent traffic is no longer a quarterly anomaly; it's a structural feature of how the internet operates.

The cost of inaction is simple: either you get eaten by fraud you can't detect, or you block legitimate AI commerce and you lose the revenue from an entire new commerce channel.

The real crisis isn't that AI agents exist. It's that we're trying to solve an intent problem with a behavior detector.

And behavior detectors just failed.

