
Agentic AI traffic up 7,851% y/y wipes out fraud signals. Only 0.5% separates legitimate bots from malicious ones. Mastercard's Agent Pay offers a fix, but payment rails are being tested now.
Bots now generate more web traffic than people do. Automated systems account for 57.4% of all web requests worldwide, according to a Thursday report from NBC citing Cloudflare data. In North America the share reaches 68.6%.
The number itself is a problem. The bigger break is that the web's security rules, identity systems and payment rails were all built for the 42.6% that is left. A 2026 Human Security report found agentic AI traffic surged 7,851% year over year. Retail and eCommerce now represent 46.6% of that traffic, the firm said, drawing from its analysis of more than one quadrillion interactions. Agents browse, manage accounts and complete purchases on the same surfaces fraud has always targeted.
The fraud signal has collapsed. Human Security found that only half a percentage point separates legitimate automation from malicious automation across its entire platform. Rapid browsing, automated form entry and fast checkout were once reliable attack indicators. They are now standard agent behavior.
Carding volume has jumped 250% since 2022. Post-login account takeover attempts quadrupled, Human Security reported. CrowdStrike's 2026 Global Threat Report in February showed 82% of intrusions used no malware; attackers moved straight through legitimate credentials and authorized access. Block all automated traffic, and a company loses revenue. Accept it, and it absorbs the fraud.
The root problem is straightforward: the web cannot verify whether an agent is authorized, by whom, or within what limits. A person logs in once and leaves a behavioral trail fraud detection can read. Agents act continuously, spawn other agents and carry permissions that spread in ways no one mapped when access was first granted.
PYMNTS Intelligence found in October that 59% of firms face bot-driven fraud as an active threat and that companies lose 3.1% of annual revenue to identity gaps. The Financial Stability Board this week said it was strongly encouraging financial institutions to establish safeguards against agentic AI, warning that agents create risks that materialize faster than human oversight can catch.
Identity and payments share the same gap. Human Security found 2.3% of all agentic activity now occurs at checkout, with no human confirming the final step. Payment systems were not built for software completing a purchase on someone's behalf.
Mastercard's Agent Pay lets agents transact using tokens tied to a verified agent identity, with spending limits the account holder sets, the company said. AI-driven traffic to U.S. retail sites surged more than 4,700% over the past year. PYMNTS reported that payment networks are now building infrastructure for agentic commerce at scale. Mastercard's Alpha Score sits at 62 out of 100, a Moderate label in the Financials sector, based on proprietary data from AlphaScala. The stock page tracks the company through this transition.
The Financial Stability Board's warning is not a regulatory action. It is a signal that the system has moved faster than the guardrails. Agentic AI traffic will keep climbing. Whether the identity layer catches up is the open question.
Prepared with AlphaScala editorial tooling from the source reporting linked above. Indexable analysis may include a cited Alpha Score value. Publishing checks screen each story before release. Educational coverage, not personalized advice.