A fundamental assumption about the internet has broken.
Automated traffic now accounts for the majority of online activity, and a growing share of that activity is not malicious but functional. Software agents are booking travel, managing subscriptions, executing purchases, and interacting with platforms on behalf of users.
The implications for identity and authentication are profound. Findings in the new report, “How Enterprises Can Build a ‘Know Your Agent’ Defense: Digital Identity Verification in the Age of Bots,” a PYMNTS Intelligence and Trulioo collaboration, reveal that over 90% of organizations report that managing bot traffic is now a challenge.
After all, digital security and authentication infrastructure has rested on a simple premise: that people interact with systems, and systems respond. Identity frameworks, fraud models and authentication layers were all built to answer a single question: whether the right human was on the other side.
But in today’s environment, increasingly shaped by automated agents and evolving threats, identity cannot be treated as a static attribute. Not all bots are malicious. Many are legitimate agents acting on behalf of users. The challenge lies in distinguishing between helpful automation and adversarial behavior.
This ambiguity is reshaping the threat landscape, forcing enterprises to rethink the very concept of identity.
Identity as a Continuous System
Larger organizations, with more complex operations and higher transaction volumes, face a disproportionate burden. Their systems must process a broader range of interactions across geographies, regulatory environments, and user types. As complexity increases, so does the likelihood of both false positives and false negatives. Scale, once a source of resilience, is acting as a multiplier of risk.
Behavior itself becomes a critical signal. Instead of relying solely on credentials or static data, systems must assess whether actions align with expected patterns. Trust is no longer a binary decision but a probabilistic judgment, recalibrated in real time. This requires moving beyond authentication toward a model of continuous life cycle management.
These models must by nature incorporate multiple layers. They typically begin with foundational identity verification, establishing that a person or entity exists and is legitimate. But they also extend into authorization, defining what actions are permitted; credentialing, ensuring that agents can act securely on behalf of principals; and real-time validation, monitoring behavior for anomalies or changes in context.
This approach may blur traditional boundaries. Security, product design and user experience converge into a single system of decision-making. The goal is not simply to block threats, but to enable legitimate activity with minimal friction.
In the past, identity and action were tightly coupled. A user logged in and performed actions directly. In the agent economy, that coupling loosens. Users grant permissions to agents, which then act on their behalf within defined constraints.
Agentic commerce introduces new complexities. Systems must not only verify the identity of the principal but also ensure that the agent’s actions are authorized, bounded and traceable. Permissions must be granular, specifying limits, conditions and contexts, and enforceable in real time.
After all, one of the most underappreciated consequences of outdated identity systems is not fraud but friction. Large enterprises can have false-positive rates as high as 3.3%, per the report, meaning a significant share of legitimate users are incorrectly flagged as suspicious. The economic impact is substantial. Businesses collectively lose nearly $100 billion annually due to fraud and missed opportunities tied to inadequate identity verification.
Agentic commerce will only magnify those inefficiencies at a new scale.
The goal is not to eliminate automation but to govern it. Enterprises must build systems that can differentiate between authorized and unauthorized agents, enabling legitimate activity while preventing abuse.
As enterprises navigate this transition, the imperative is clear: rethink identity not as a checkpoint but as a continuous, multilayered system of trust. Those that succeed will not only mitigate risk but unlock new forms of value in the age of machine-driven commerce.