Your customer now has an agent. So does the fraudster. They use the same tools, and they arrive at the same login page. Telling them apart is the entire problem.
There's a lot of confusion about what agentic traffic actually is. People picture some all-seeing super-intelligence descending on their login flows. The reality is a lot more mundane, and understanding why is the whole game.
The technology these agents run on is the same infrastructure that has powered automation for the last ten years. Headless browsers, cloud compute, accessibility features that drive a mouse and keyboard, APIs wiring one system to another. None of the parts are new. The only thing that's new is who's sending them, and what they're trying to do.
Today your customer has a personal AI agent, and they want it to go do things for them. I do this myself. I'm traveling in a couple of weeks, and I want my agent to read my calendar, work out where I need to be, find the hotel I like, and book it. We've been talking about personal AI for years, going back to the original Siri vision, and it's finally real. The catch is that the same technology letting a personal agent do that work is the technology letting a fraud operation spin up thousands of fake accounts overnight. Same headless browser, same cloud approach. When you democratize a capability, you democratize it for everybody. Good actors do good things with it, bad actors find ways to make money, and both show up using the exact same tools.
The industry hasn't really absorbed that yet, and it breaks the question we've leaned on for a decade.
Today at Identiverse we're launching Arkose Agent Trust Manager to answer the question that replaces it: a new capability inside Arkose Titan that sees every agent hitting your flows, classifies it by population and intent, and enforces the response you choose, in real time. But before I get to what it does, I want to be clear about why the old approach can't get there.
FOR TEN YEARS, ONE QUESTION ORGANIZED EVERYTHING
For a decade the question was simple. Is this a bot or a human? You got a score, you set a threshold, you blocked whatever fell on the wrong side. The whole bot-management category, every WAF, every device-fingerprinting vendor, was built to answer that one question.
Those tools did exactly what they were built to do, and for years that was enough. What's changed is that the traffic arriving now doesn't resolve to bot-or-human, and it doesn't resolve to block-or-allow either.
An agent acting for a real, paying customer isn't a bot. An adversarial agent running a credential-stuffing campaign isn't a traditional bot either. They're both agents, they turn up at the same login page, and their intent could not be more different.
That leaves every team stuck. Block all agent traffic and you shut out legitimate AI-assisted customers and the revenue they bring. Allow it unfiltered and you take on fraud at machine scale. There's a real cost either way.
And the revenue side isn't hypothetical. Traffic from AI sources to US retail sites grew 393% year over year in the first quarter of 2026, and by March it was converting 42% better than a year earlier, according to Adobe Analytics . Salesforce put the number at roughly $262 billion of online spend influenced by AI and agents over the 2025 holiday season, about a fifth of the global total . The agents acting on your customers' behalf are already moving real money, so blocking them on reflex isn't the safe play it used to be.
So the question worth asking in 2026 isn't "is this a bot?" It's: what is the intent of this agent, and should it be trusted to do what it's trying to do?
As I put it in After Bots, the book I wrote on how consumer agent use is reshaping this problem: detection was a prerequisite. Classification is the work.
THREE POPULATIONS, ONE INTERNET
So start with what's actually showing up. Through the lens of consumer workflows, login, signup, money movement, agentic traffic breaks into three populations.
Self-disclosing good agents. These cooperate. They publish IP ranges, sign their requests, and use emerging standards like Web Bot Auth to tell you who they are. Most of the industry is racing to serve this group because it's the easy one. Disclosure handles it.
Non-disclosing good agents. These are working on behalf of a real user for legitimate reasons, but they'll never declare themselves. Think most of the agentic browsers and computer-use tools running on a real person's laptop, using their real Chrome and their real network. A lot of them have no way to self-identify even if they wanted to. What gives them away is behavioral, not anything in the network headers. This is the group the rest of the market has no real answer for, and it's where most legitimate agent traffic is going to live.
Malicious agents. Account takeover, fake accounts, payment fraud, scraping. Usually cloud-hosted at scale, running spoofed devices, loading big files of stolen identity data to probe your fraud rules and figure out what works. Their tell is often the spoofing itself.
Here's the wrinkle: good and bad intent can show up in any of these. So working out which population you're looking at is the first job, and working out what it's there to do is the second.
YOU CAN ACTUALLY DETECT THIS TODAY
The reassuring part is that it's not as scary as it sounds once you look at the technical footprint. An agent can only reach your workflow a handful of ways, and each one leaves its own fingerprint.
Cloud-hosted agents spin up a synthetic browser in a data center and drive it from there. They aren't real devices, so they fail device-spoofing checks and carry data-center network signatures. Comparatively easy to spot.
Local browser agents are forks of Chromium with an agentic layer bolted on top. They claim to be Chrome but they're running a forked engine, and that mismatch shows up in static quirks and render anomalies even when the fingerprint looks clean at a glance.
Local OS-level agents drive a real browser on a real machine, and these are the trickiest. The tell is behavioral, in what we call the vision-reasoning-action loop. The agent takes a screenshot, runs character recognition and then a vision model to find where to click, sends that instruction back to its harness, does the click, and repeats the whole loop to the end of the task. That produces timing and interaction patterns no human exhibits. It's very fingerprintable, and because it's baked into how these models work, it isn't going away any time soon.
There's an advantage here that's easy to miss, and honestly it's been a refreshing change. For ten years we had to reverse-engineer adversarial bots we could never actually get our hands on. Agents aren't like that. The models, the agentic browsers, the harnesses, they're all sitting in our research lab. For the first time we can train detection directly on the thing we're trying to catch. Our lab tracks a growing list of agentic browsers and we add to it every month.
WHAT THIS LOOKS LIKE IN PRODUCTION
This is about the hardest version of the problem there is: a legitimate user pointing an agent at something they shouldn't. A global education platform runs our technology on its exam engine. Over a two-week window we identified roughly 15,000 agentic sessions and more than 1,200 exams attempted with agentic browsers.
The signal was interaction timing. Flagged exams clustered in sub-100ms answer bursts, way faster than anyone can read a question and pick an answer. Nearly 29% of agentic exams came back anomalous, and inside those, the median anomalous-question rate was around two-thirds. We could even watch students handing control back and forth, calling in the agent for the hard questions and answering the easy ones themselves. Perplexity's Comet dominated the vector.
None of that is a roadmap promise. It's running in production right now against the worst case, a non-disclosing legitimate user turning an agent on you, and the same engine carries straight over to account takeover, fake accounts, and agentic commerce.
ENFORCEMENT STOPS BEING A SINGLE GATE
Once you can classify, enforcement opens up. Instead of one gate you get a spectrum: allow, monitor, challenge, throttle, block. Each session gets the response that fits it. A verified agent reading a content endpoint for a real customer is nothing like an unverified one probing your account-recovery flow, and it shouldn't be treated the same.
Authorization is your call, not ours. Only you know which workflows you're comfortable letting agents touch. Our job is to hand you the classification and intent signals so you can decide, and then enforce whatever policy you set.
Two things matter most at the adversarial end. First, blocking is usually the wrong default. A hard block just tells the attacker what not to try next time, so for most vectors a challenge works better: good users get through it, and abuse gets expensive fast. Second is the final mile, the genuinely malicious agents, and they won't follow any policy unless it pays them to. For those we've built challenges today's models can't reason their way through. The agent burns cycles, gets nowhere, and hands control back to a human. We call it forcing the human back into the loop. Pair that with proof-of-work tuned to cloud economics and the math flips. The agents helping your real customers sail through, and the ones trying to abuse you either spend real money or give up.
WHAT ARKOSE AGENT TRUST MANAGER DOES
So here's what we shipped. Agent Trust Manager does three things: it shows you what's already there, it classifies every session in real time, and it enforces the policy you choose.
First, visibility. Most teams can't tell you how much of their traffic is already agentic. This is where you find out, agent-versus-human composition across login, signup, checkout, and account recovery, broken down by population and intent.
Second, classification. Every session resolves to human, or to one of the three agent populations, in real time and inline — and intent detection runs on top, so the same agent gets a different verdict when it's price-checking than when it's credential-stuffing.
Third, enforcement. Not a single yes-or-no, but a policy you set per endpoint and per population, that keeps watching and re-rates a session if its behavior drifts from what the agent declared. Control isn't a one-time gate at the door.
Agent Trust Manager is a product within Arkose Titan and runs on the signal stack our customers already use, so if you have bot detection with us today, you turn classification and enforcement on over what you've already got, with no new placement. My colleague Shimon Modi has written the companion piece on how the classification and enforcement work in practice, including how we extend the same trust layer to APIs and MCP servers.
A NOTE ON TIMING
The people making platform decisions right now are doing it under pressure, with tools built for the last question and good instincts about why those tools are coming up short. From everything we see in the field, this is a when, not an if. And most teams can't yet measure their own exposure, which is exactly why getting a classification layer in place early matters: you can't manage what you haven't measured.
Companies that close the agentic blind spot in the next twelve months will spend the year after building on the advantage. We built Arkose Agent Trust Manager to make the first path the easy one.
The best way to see it is on your own traffic. Book a demo of Arkose Agent Trust Manager and we will measure your agent composition, by population and intent, against your own flows.
