Bots Run the Internet. Now Someone Has to Run Them.

AI agents, eCommerce, agentic commerce, internet bots

Bots now generate more web traffic than people do.

    Get the Full Story

    Complete the form to unlock this article and enjoy unlimited free access to all PYMNTS content — no additional logins required.

    yesSubscribe to our daily newsletter, PYMNTS Today.

    By completing this form, you agree to receive marketing communications from PYMNTS and to the sharing of your information with our sponsor, if applicable, in accordance with our Privacy Policy and Terms and Conditions.

    Automated systems account for 57.4% of all web requests worldwide, according to a Thursday (June 4) report from NBC, which cited new data from Cloudflare.

    In North America, that number reaches 68.6%, NBC reported. The web’s security rules, identity systems and payment rails were all built for the 42.6% that’s left.

    Bot detection had one job: find the machine, and block it. That logic breaks when the machine is the customer. According to a 2026 cybersecurity report from Human Security, agentic AI traffic grew 7,851% year over year. Retail and eCommerce now account for 46.6% of all agentic traffic, Human Security said in its report, citing its analysis of more than one quadrillion interactions. Agents browse, manage accounts and complete purchases on the same surfaces fraud has always targeted.

    The fraud signal is gone. Only half a percentage point separates legitimate automation from malicious automation across Human Security’s entire platform, the company found. Rapid browsing, automated form entry and fast checkout—once reliable signals of an attack—are now standard agent behavior.

    Carding volume has surged 250% since 2022 and post-login account takeover attempts quadrupled, Human Security reported. CrowdStrike’s 2026 Global Threat Report in February found that 82% of intrusions used no malware, with attackers moving through legitimate credentials and authorized access. Block all automated traffic, and you turn away revenue. Accept it all, and you absorb the fraud.

    Identity Systems Have No Model for Non-Human Actors

    The security problem has one root: the web can’t verify whether an agent is authorized, by whom, or within what limits. A person logs in once and leaves a behavioral trail fraud detection can read. Agents act continuously, spawn other agents and carry permissions that spread in ways no one mapped when access was first granted.

    PYMNTS Intelligence found in October that 59% of firms face bot-driven fraud as an active threat and that companies lose 3.1% of annual revenue to identity gaps. The Financial Stability Board said this week it was strongly encouraging financial institutions to establish safeguards against agentic AI, warning that agents can create risks that materialize faster than human oversight can catch.

    Payment Rails Have No Native Support for Machine Buyers

    Identity and payments share the same gap. Human Security found that 2.3% of all agentic activity now occurs at checkout, with no human confirming the final step. Payment systems were not built for software completing a purchase on someone’s behalf.

    Mastercard’s Agent Pay lets agents transact using tokens tied to a verified agent identity, with spending limits the account holder sets, the company said. AI-driven traffic to U.S. retail sites surged more than 4,700% over the past year. PYMNTS reported that payment networks are now building infrastructure for agentic commerce at scale.