When Bots Outnumber People: Governing the Third Traffic Category
The Thales 2026 Bad Bot Report, now in its 13th consecutive edition, introduces a third category of automated traffic alongside good bots and bad bots: AI agents. They browse websites, gather data, and complete tasks for users. They’re built into browsers, search platforms, and enterprise tools. And they interact directly with applications and APIs.
Thales blocked 17.2 trillion bad bot requests in 2025. AI-driven bot activity increased 12.5 times year-over-year, with daily blocked requests rising from 2 million to 25 million. That isn’t an incremental shift in detection volume — it’s a structural change in what traffic looks like at the application layer. The defenders’ problem is no longer “bot or human” — it’s “bot, human, or agent acting on behalf of a human.” Most enterprise security stacks were built for the first version of that question. The third category breaks the assumptions underneath the second.
5 Key Takeaways
1. The internet is now mostly machines.
The Thales 2026 Bad Bot Report shows automated traffic accounts for 53% of all observed internet traffic — bad bots at 40%, benign automation at 13%. Human activity has fallen to 47%. The internet is no longer a place humans use; it’s a place machines use, and humans visit. Security stacks built around “is this a person?” are solving the wrong question.
2. AI agents are a new traffic category — not a subset of bots.
Thales added agents alongside good and bad bots because they behave differently: legitimate purpose, agent-issued requests, machine-speed pacing, indistinguishable from normal API calls. They use real browsers, valid fingerprints, and human-pattern timing because they’re actually running authorized workflows. Data loss through agent misbehavior does not look like a bot attack — it looks like normal operations.
3. The 12.5x AI bot attack increase is the leading indicator.
Daily blocked AI-driven requests rose from 2 million to 25 million in a single year. Thales blocked 17.2 trillion bad bot requests in 2025. Defender tooling built around “bot vs. human” is now solving last year’s problem. The supply chain attack surface this creates is structural — AI agents embedded in enterprise tools are potential vectors, not just productivity features.
4. The governance gap is structural, not tactical.
The Kiteworks 2026 Forecast Report found 100% of organizations have agentic AI on their roadmap, yet 63% cannot enforce purpose limits and 60% cannot terminate misbehaving agents. Adoption is racing ahead of containment by 15 to 20 points across every measured category. AI governance investment has gone into watching agents, not stopping them.
5. The fix is data-layer governance, not bot detection.
When agents look legitimate to traffic mitigation tools, the only durable enforcement point is the data they’re trying to access — with attribute-based access controls, content-layer least privilege, and tamper-evident audit logs. The Agents of Chaos study demonstrated that model-layer guardrails fail under adversarial conditions; data-layer governance holds when the agent is compromised.
You Trust Your Organization is Secure. But Can You Verify It?
How AI Agents Behave Differently From Bots
Bots have always tried to look human; AI agents don’t have to. They operate through legitimate browsers, valid fingerprints, and human-pattern timing because that’s their actual workflow — carrying out tasks a real user authorized. The Thales report describes this directly: AI-driven activity that once raised red flags now blends in with legitimate use, making detection and monitoring much harder.
Detectable AI traffic represents only a fraction of total AI-enabled activity. Attackers can deploy self-hosted LLMs that don’t identify themselves, and malicious operators can fine-tune those models for unauthorized use. That gap was demonstrated at scale in November 2025, when Anthropic disclosed GTG-1002, a Chinese state-sponsored campaign using Claude Code and MCP orchestration to target approximately 30 entities across technology, financial services, chemical manufacturing, and government. AI executed 80–90% of the tactical work. Human operators stepped in only for four to six critical decision points per campaign — running at thousands of requests per second, a tempo no human red team can match.
The CrowdStrike 2026 Global Threat Report puts the broader shift at an 89% year-over-year increase in attacks by AI-enabled adversaries, with average eCrime breakout time falling to 29 minutes. The Thales 53/40/13 split tells defenders what’s on the wire. The CrowdStrike and Anthropic data tell defenders what’s running on top of it.
Why Bot Mitigation Doesn’t Reach the Agent Layer
Bot management was built around three signals: identity (IP reputation, user-agent strings), behavior (rate limits, fingerprinting), and intent inferred from pattern. AI agents pass all three checks because they aren’t pretending — they really are running a browser, issuing requests for a logged-in identity, following a workflow that looks like normal use.
That isn’t a tooling failure. It’s a category error. As Thales’ Global VP and GM of Application Security put it in the report: “The challenge is no longer identifying bots. It’s understanding what the bot, agent, or automation is doing, whether it aligns with business intent, and how it interacts with critical systems.” The control surface has changed. The strategy has to change with it.
Where Most Organizations Actually Stand on Agent Governance
The Kiteworks 2026 Forecast Report found that 100% of organizations have agentic AI on their roadmap — zero exceptions. The problem is the gap between adoption and the controls that constrain what agents can do. Three containment controls define the gap:
Purpose binding — the ability to limit what an agent is authorized to do. 63% cannot enforce it. Kill switch — the ability to quickly terminate a misbehaving agent. 60% cannot. Network isolation — the ability to prevent an agent from accessing systems beyond its scope. 55% cannot.
Most organizations have invested in watching AI — 59% have human-in-the-loop, 58% have continuous monitoring. They have not invested in stopping it. Government is the most exposed: 90% lack purpose binding, 76% lack kill switches, 81% lack network isolation. These are organizations handling classified information and critical infrastructure with AI agents they cannot constrain, terminate, or isolate.
What the Agents of Chaos Study Adds That Telemetry Cannot
The February 2026 Agents of Chaos study, a 38-author collaboration across Northeastern, Harvard, MIT, Stanford, CMU, and other institutions, deployed agents in a live laboratory for two weeks and documented at least 10 significant security breaches across 11 case studies. Three structural deficits explain why model-layer guardrails fail:
No stakeholder model. Agents have no reliable mechanism for distinguishing between someone they should serve and someone manipulating them. They default to satisfying whoever is speaking most urgently — because LLMs process instructions and data as tokens in the same context window, prompt injection is a structural feature, not a fixable bug.
No self-model. Agents take irreversible actions without recognizing when they exceed their competence. They convert short-lived requests into permanent background processes with no termination condition.
No private deliberation surface. Agents cannot reliably track which communication channels are visible to whom. They leak sensitive information through the wrong channels even after explicit confidentiality instructions.
Tooling that depends on the agent doing the right thing is depending on a property the agent does not reliably have. Containment has to come from outside the agent.
The Architecture That Closes the Third-Category Gap
If bot rules don’t reach agents and agents can’t be trusted to constrain themselves, the durable enforcement point is the data layer. Three properties define a fit-for-purpose architecture:
Authorization travels with the data, not the identity. An agent acting on behalf of a user inherits the user’s authorization, but the authorization follows the content — not the session. Attribute-based access controls evaluate each request against data sensitivity, requester clearance, declared purpose, and policy in force. Most existing access stacks were designed for folder-level roles; they don’t survive contact with retrieval-augmented generation, where an agent reads across a corpus in milliseconds.
Policy enforcement happens before the agent reaches the data. Decisions are made at the data boundary, not inside the agent. This is what the Kiteworks 2026 Forecast Report frames as purpose binding — the control 63% of organizations cannot enforce today.
Audit trails capture the full chain at evidence quality. The Kiteworks 2026 Forecast found 33% of organizations lack adequate audit trails and 61% have fragmented logs that are not actionable. When a regulator asks who accessed what, through which agent, the answer needs to be a single queryable record. The Kiteworks AI Data Gateway and Kiteworks Secure MCP Server implement this pattern — governed access at the data layer, content-layer policy enforcement, and tamper-evident logs across email, file sharing, MFT, SFTP, web forms, and AI traffic in a single control plane.
What CISOs Should Do This Quarter
First, inventory the agents already operating in your environment. Browser plugins, embedded copilots, third-party SaaS automations, and developer tools have all introduced agents performing actions on user behalf. The operational inventory typically lags the roadmap by quarters. Build the actual list before governing it.
Second, close the kill-switch gap. If a misbehaving agent has to be stopped today, can your team do it inside an hour? 60% cannot. That control is the floor of any responsible deployment and should be in place before scope expands.
Third, enforce purpose binding at the data layer. Don’t trust the agent to honor its scope — bind it through ABAC policy that evaluates every request. This is the largest single gap in the Kiteworks 2026 Forecast survey and the highest-leverage control to close.
Fourth, route agent traffic through a control plane with evidence-quality audit logs. Fragmented logging across nine tools doesn’t survive a regulatory inquiry, a plaintiff’s discovery request, or a serious incident review. 61% of organizations are on fragmented infrastructure that cannot support evidence-quality audit trails — that is the single biggest infrastructure gap to close before agent volume scales further.
Fifth, treat agent runtimes and tool connectors as privileged infrastructure. The GTG-1002 disclosure is the clearest available case study. Lock down who and what can run tools, enforce allowlists, monitor high-rate automation, and maintain a kill switch for suspicious agent activity. The same controls required for service accounts now apply to every agent identity, internal or third-party.
To learn more about governing AI data, schedule a custom demo today.
Frequently Asked Questions
AI agents pass traditional bot detection signals because they are running real browsers and authorized workflows — not spoofing them. Bot mitigation rules don’t reach them. 63% of organizations cannot enforce purpose limits on agents and 60% cannot terminate misbehaving ones per the Kiteworks 2026 Forecast. Treat agents as a separate category and enforce access controls at the data layer, not the network edge.
HIPAA‘s minimum necessary access requirement applies to any system touching PHI, including AI agents acting on a clinician’s behalf. Healthcare lags on containment — 68% lack purpose binding and 59% lack kill switches per the Kiteworks 2026 Forecast. Bind authorization to specific PHI elements through ABAC policy and log every agent access at evidence quality for audit defensibility.
It raises the bar on CMMC’s AC and AU control families. The GTG-1002 case demonstrates agents can execute a full intrusion lifecycle when access controls are absent. 61% of organizations operate on fragmented infrastructure that cannot support evidence-quality audit trails per the Kiteworks 2026 Forecast. Route agent traffic through a governed control plane covering CUI access before the assessment.
Governance controls watch — human-in-the-loop, continuous monitoring, data minimization. Containment controls stop — purpose binding, kill switches, network isolation. The Kiteworks 2026 Forecast documents a 15-to-20-point gap between the two, with 60%+ of organizations unable to terminate a misbehaving agent. Watching without stopping fails audit, fails incident response, and fails any meaningful definition of control.
Bot management covers the network edge; agent governance needs to sit at the data layer. 100% of organizations have agentic AI on their roadmap yet 55% cannot isolate AI from broader network access per the Kiteworks 2026 Forecast. Add ABAC policy enforcement at the data boundary, content-layer least privilege, and tamper-evident audit trails — controls that hold regardless of whether the agent looks like a bot. The Kiteworks Private Data Network delivers this architecture across every data exchange channel.
Additional Resources
- Blog Post
Zero‑Trust Strategies for Affordable AI Privacy Protection - Blog Post
How 77% of Organizations Are Failing at AI Data Security - eBook
AI Governance Gap: Why 91% of Small Companies Are Playing Russian Roulette with Data Security in 2025 - Blog Post
There’s No “–dangerously-skip-permissions” for Your Data - Blog Post
Regulators Are Done Asking Whether You Have an AI Policy. They Want Proof It Works.