The structural change in online traffic: bots surpass humans
For decades, companies have operated with a simple assumption: most internet traffic came from people. This assumption is no longer valid. The latest 2026 Bad Bot Report: Bad Bots in the Agentic Age by Imperva confirms a structural change that is now impossible to ignore. Automated traffic has surpassed human traffic, representing over 53% of all web traffic in 2025, compared to 51% the previous year. Human activity has dropped to 47% and continues to decrease.
This is not a temporary spike caused by a specific attack cycle or technological trend. It reflects a fundamental transformation in how the internet functions. Increasingly, companies are not just serving customers but also machines.
Key data from the 2026 Bad Bot Report
The report highlights several alarming trends:
- Bots now generate 53% of web traffic, definitively surpassing human traffic, which was at 51% in 2024.
- 27% of bot attacks target APIs, allowing attackers to completely bypass user interfaces and operate at machine speed.
- The financial sector is the most affected, representing 24% of all bot attacks and 46% of account takeover incidents.
- AI agents represent a new category of internet users. They no longer just scan websites but retrieve data, perform workflows, and act on behalf of users.
The rise of AI agents and the new normal of automated traffic
Automation is not new on the internet, but its scale, sophistication, and purpose have changed radically. AI agents are emerging as a new category of internet participants. These systems do not just interact with websites but actively use them, retrieve data, perform transactions, and test application behavior.
In practice, this means that what appears to be an interaction with a customer could instead be an AI system querying price data, completing a transaction, or testing an application's behavior. For companies, this blurs a fundamental line: the distinction between legitimate and malicious traffic is becoming increasingly difficult to define, as both operate through the same systems, use the same interfaces, and follow the same logic.
The risk of uncontrolled automation
The real danger is not the presence of bots but the fact that much of this automation is uncontrolled. In the past, bot activity was episodic and often easier to identify. Today, automation is persistent, continuously operating on digital services and often indistinguishable from legitimate use. This creates a new category of risk that many organizations are not yet equipped to handle.
Uncontrolled automation can distort business metrics, increase infrastructure costs, degrade performance, and expose sensitive workflows. For example, bots can continuously query pricing or availability systems, creating artificial demand signals. They can interact with promotional systems at scale, exploiting business logic in ways that traditional security controls are not designed to detect.
Even seemingly benign automation, if left uncontrolled, can exert sustained load on systems designed for human behavior.
APIs and identity systems at the heart of modern risk
As automation evolves, so do attacker strategies. The traditional model of targeting websites at a surface level is giving way to a more direct approach. Bots are increasingly interacting with the same APIs that power core business functions, including authentication, payments, searches, and inventory systems.
This is particularly evident in sectors where digital transactions are closely tied to revenue. For example, financial services have accounted for 24% of all bot attacks and 46% of account takeover incidents. The goal is not disruption for its own sake but direct monetization.
In this context, identity systems are no longer just a security layer. They have become a primary point of exposure.
How AI agents are silently rewriting business models
The shift toward machine-driven interaction is not just about security but is beginning to redefine how companies operate. If an increasing share of traffic is automated, then traditional metrics like user engagement, conversion rates, and demand signals become harder to interpret. A traffic spike might not indicate customer interest, nor might a performance drop be caused by user behavior.
At the same time, AI-based systems are creating new forms of demand. Companies are starting to consider how and whether to allow AI agents to access their services and under what conditions. This raises questions about access, control, pricing, and even monetization.
Some organizations are exploring models where AI-based access is authenticated, measured, and potentially governed as a distinct channel. Although still in an early stage, this indicates a future where companies will need to actively manage not just who accesses their systems but also what accesses them.
From bot detection to automation control
For years, cybersecurity strategies have focused on detecting and blocking malicious activities. This approach is becoming increasingly insufficient in a world where automation is both pervasive and often legitimate. The most important question is no longer whether traffic is automated but whether it aligns with business intent.
This shift, from blocking bad bots to governing all automation based on intent, requires a new approach. Organizations must move from considering bots as anomalies to actively managing all types of automation. This means not only distinguishing between good and bad bots but also adapting metrics to better reflect human activity.
The impact on data analysis and business intelligence
The increase in automated traffic is also affecting data analysis and business intelligence. Traditional metrics might be distorted by automation, making it difficult for companies to truly understand their customers' behavior. For example, an increase in traffic on a product page could be due to bots scanning prices rather than potential customers interested.
Companies must develop new analysis models that account for automated traffic. This could include segmenting traffic based on its origin, analyzing AI agent behavior, and adapting metrics to better reflect human activity.
Legal and regulatory implications
With the rise of automation, new legal and regulatory challenges also emerge. Privacy and data protection laws, such as GDPR, were designed with human users in mind. However, AI agents that collect and use data raise complex questions about who the data controller is, who is responsible for their use, and how they must be protected.
Companies must work with legislators to develop regulatory frameworks that account for this new reality. This could include defining clear rules on how AI agents can access and use data, as well as creating mechanisms to ensure transparency and accountability.
The future of the web: a hybrid ecosystem
The future of the web seems to be a hybrid ecosystem where humans and AI agents constantly interact. Companies that can manage this complexity will have a significant competitive advantage. This will require not only investments in advanced security and automation technologies but also a reorganization of business strategies to adapt to this new paradigm.
The rise of AI agents and automated traffic is radically transforming the digital landscape. Companies must quickly adapt to manage this new reality while ensuring security, efficiency, and regulatory compliance. The traditional approach to security and automation has become insufficient, and a new paradigm is necessary to address the challenges of the future.
Editorial Note and Disclaimer
The guides and content published on GoYou are the result of independent research and analysis activities, for informational, educational, and in-depth purposes.
GoYou does not constitute a journalistic publication or an editorial product pursuant to Law No. 62/2001 and does not provide real-time information.
The GoYou project does not provide professional, technical, legal, or financial advice and disclaims all liability for the improper use of the information published.
In the Crypto sector, every investment involves risks: readers are invited to always inform themselves independently before making any decision.