This is part of an ongoing series by Dave Byrne, TrustRaise founder and BSI Advisory Board Member, about where we find the practice of brand safety & suitability in 2026. You can find all the articles here.
A few months ago, I handed a ChatGPT-style agent my frequent-flyer numbers, my window-on-redeye / aisle-on-daytime preferences, my travel windows for an upcoming trip, and a credit card. I asked it to book the flights.
It didn't go well.
On a couple of carriers it got close: fares pulled, seats provisionally selected, passenger details auto-filled. On most of the rest, it never made it past the homepage. The page wouldn't render. Form fields refused submission. The website’s bot detection cut the session before checkout, sometimes within seconds of landing. By the end I had a notes file that read like a list of small, anticlimactic failures: blocked, blocked, blocked, blocked.
The airlines weren't doing anything wrong. They were doing exactly what their fraud and security teams had asked them to do: detect machine-perfect form fills, a missing mouse path, a headless browser, a session that pattern-matches the SIVT bucket their vendors have been honing for a decade, and shut it down. The system worked. I was the customer. I was also, for fifteen years' worth of fraud-detection logic, indistinguishable from the problem it was built to catch.
The same fraud stack that turned me away from a half-dozen airline checkout flows is scoring your media right now, sitting between your ad spend and what's about to be a meaningful chunk of your highest-intent buyers. And it is about to start getting the wrong answer at scale.
Bots versus humans isn't quite the right binary anymore, and part of the reason this conversation has been slow to land is that the industry doesn't have a clean word for what's coming. So let me offer one.
Call them intent-bearing non-humans, or IBNs: an AI agent acting on a real user's behalf, using their credentials, their preferences, often their payment method. Mechanical at the transport layer, authentic at the intent layer. Headless browser, real wallet. From a fraud detector's view in 2026, indistinguishable from sophisticated invalid traffic. From a CFO's view in 2027, customers.
This isn't hypothetical and it isn't narrowly distributed. OpenAI has launched "Buy it in ChatGPT," an Instant Checkout flow integrated with Target, Best Buy, Sephora, Nordstrom, Lowe's, Home Depot, Wayfair, Etsy, and roughly a million Shopify merchants, available to every U.S. ChatGPT user. They've shipped ChatGPT Atlas, an agentic browser that completes end-to-end shopping tasks. Perplexity has Comet. Anthropic has Claude on Chrome. Google has Project Mariner. Visa expects millions of consumers buying through agents by holiday 2026.
The honest answer on volume is that agent-driven commerce is still a small fraction of total transactions today. The timing argument isn't that the conversion loss is material right now. It's that the fraud stack decisions you're making today, the contract language with your verification vendors, the default settings on your allow-lists, will probably still be in place when the volume reaches that point. Infrastructure takes longer to fix than adoption curves take to move — that's the actual urgency.
In November of 2025, Amazon sued Perplexity over its Comet browser, alleging that Comet's AI agents were being used to access password-protected sections of Amazon's website, effectively allowing the browser to shop and transact on Amazon on users' behalf without Amazon's consent. In March of this year a federal judge issued an injunction blocking Comet from accessing Amazon's marketplace. Amazon's stated argument was security and unauthorized training data. Perplexity's argument, in plainer language, was that Amazon wasn't really protecting the consumer; it was protecting its ad load. Both sides, I think, are right.
Here's why advertisers should be watching this suit: An agent visiting a retail search results page reads it, evaluates relevance, and has no reason to click the sponsored results sitting above the organic listing the user actually wanted (a suggestion that brings up a broader topic of the role of advertising/sponsored results in an agentic world, which I will cover in a future article). It skips them, buys the organic one, completes the task, and returns the result. The retail site registers the agent as non-human traffic, and therefore doesn’t count the visit as a chargeable impression. A person technically visited the site and a transaction was made, but no ads were seen or charged for. Multiply that across a million daily sessions and you're looking at a structural threat to the ad-supported web that nobody is currently pricing into 2026, much less 2027.
Amazon is choosing, for now, to block this traffic outright rather than figure out how to route it. That's a holding action. The marketplace that figures out how to welcome a verified, signed agent, and price the placement for the way that agent actually shops, is going to take quiet share from every competitor still treating the same traffic as fraud.
It's worth being fair to the legacy fraud playbook before talking about why it's cracking, because it's more nuanced than "bot or human" and the people who built it are not foolish.
The field evolved in waves. The first generation of fraud was easy to catch: datacenter IPs, declared crawlers, simple scripts on a clock. The MRC's invalid traffic guidelines call this general invalid traffic, GIVT, and most of it can be filtered at the network edge. That was the easy half of the war.
The harder half came when fraudsters started laundering their traffic to look human, with residential proxies routing through compromised home routers, hijacked Chrome extensions clicking ads inside real users' browsers, and mobile emulators good enough to fake device fingerprints and sensor data. The MRC calls this sophisticated invalid traffic (SIVT), and catching it is essentially why vendors like HUMAN, DoubleVerify, and Integral Ad Science exist as standalone businesses. Their MRC accreditation is its own commercial moat; few companies can produce a defensible IVT score that both buyer and seller will accept as the basis for an invoice adjustment.
What they do, under the hood, is layer signals in real time.
The output is a probability score in risk tiers, with a carve-out for declared non-fraud, non-human traffic like search crawlers. By the standards of the open web, it's the most sophisticated trust infrastructure we've ever built, and it's profitable. Fraudlogix pegs invalid traffic at roughly 20% of programmatic impressions, about $37 billion in U.S. advertiser dollars, with Juniper's global figure above $100 billion.
The entire stack is built to detect inauthenticity at the transport layer, the telltale machine-ness of a session. That's what makes it brilliant against the bots ad-tech grew up fighting, and exactly what is going to make it useless against the agents now showing up in front of your media. A legitimate AI agent acting on a real customer's behalf will trip almost every signal in the stack, for the same reason the airlines tripped on mine. The agent is mechanical, even if the intent behind it is real.
The standards bodies have noticed, and the work is further along than most buyers realize. For example, the IAB Tech Lab has unveiled an Agentic Advertising roadmap with a workstream covering measurement updates for zero-click search and AI user agents. Cloudflare has shipped Web Bot Auth, cryptographic signing that lets a legitimate agent prove who it is and who it's acting for, and partnered with GoDaddy on Agent Name Service. The IETF spun up a working group on the same primitive. Visa, Mastercard, and Stripe are quietly building delegated-authority payment rails for agent commerce. None of this is finished. All of it is the same shape.
What's emerging is a parallel rulebook for how legitimate agents identify themselves, authorize their actions, and earn the trust that lets them transact. Call it Know Your Agent, or KYA, the agentic cousin of KYC. The promise is a signed, verifiable handshake at the front of the session that says, in effect: I am an agent, I represent this user, I have this mandate, I have this budget. Once that handshake exists at scale, the question your fraud vendor is paid to answer today — whether this is a human — stops being the question that matters.
For fifteen years the question driving the fraud stack has been whether this is a human: a question of identity, answered through behavioral and technical signals at the moment of the impression. The question replacing it is whether this session has a human-delegated mandate. That's provenance, a chain of authorization that ties an action back to an authenticated person who asked for it. Identity is a verification problem. Provenance is a trust problem.
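To make the shift from identity to provenance concrete, here is an added example (not code from this article, and not the wire format of Web Bot Auth or any vendor named above) that scores the same headless session under the legacy transport-layer rule and under a signed-mandate check. The mandate fields, the `agent.example` identifier, the in-memory key registry, and all function names are hypothetical; the signature scheme is Ed25519 via Node's built-in `crypto` module.

```javascript
const crypto = require('node:crypto');

// Constructed key pair standing in for an agent operator's published signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
// Hypothetical allow-list: agent id -> public key this site has agreed to trust.
const TRUSTED_AGENTS = new Map([['agent.example', publicKey]]);
const seenNonces = new Set(); // replay cache (in-memory for the example)

// Bytes covered by the signature; a JSON array keeps field boundaries unambiguous.
const canonical = (m) =>
  Buffer.from(JSON.stringify([m.agent, m.user, m.budgetCents, m.expires, m.nonce]));
// Agent side: attach an Ed25519 signature to the mandate (hypothetical format).
const signMandate = (m, key) =>
  ({ ...m, sig: crypto.sign(null, canonical(m), key).toString('base64') });

// Legacy posture: transport-layer signals only.
const legacyDecision = (s) => (s.headless || !s.mousePath ? 'block' : 'allow');

// Provenance posture: a valid, in-budget mandate outranks "looks mechanical".
function provenanceDecision(session, now, orderCents) {
  const m = session.mandate;
  if (!m) return legacyDecision(session); // unsigned traffic keeps legacy scoring
  const key = TRUSTED_AGENTS.get(m.agent);
  if (!key) return 'block:unknown-agent';
  let ok = false;
  try { ok = crypto.verify(null, canonical(m), key, Buffer.from(m.sig, 'base64')); }
  catch { ok = false; } // malformed or missing signature
  if (!ok) return 'block:bad-signature';
  if (now > m.expires) return 'block:expired';
  if (orderCents > m.budgetCents) return 'block:over-budget';
  if (seenNonces.has(m.nonce)) return 'block:replay';
  seenNonces.add(m.nonce);
  return 'allow-agent';
}

// Constructed sessions: same headless transport profile, different provenance.
function demo() {
  const now = 1700000000; // constructed clock, epoch seconds
  const mandate = signMandate({ agent: 'agent.example', user: 'user-123',
    budgetCents: 30000, expires: now + 300, nonce: crypto.randomUUID() }, privateKey);
  const session = { headless: true, mousePath: false, mandate };
  const tampered = { ...session, mandate: { ...mandate, budgetCents: 9999999 } };
  return {
    legacy: legacyDecision(session),
    signed: provenanceDecision(session, now, 24999),
    replayed: provenanceDecision(session, now, 24999),
    tampered: provenanceDecision(tampered, now, 24999),
  };
}
console.log(demo());
```

The session that the legacy rule blocks is admitted once its mandate verifies, while a raised budget, a reused nonce, or an unknown signer is still refused, so the provenance check narrows what is trusted rather than opening the door to anything headless.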
The most underappreciated consequence of agentic traffic isn't the blocked session. It's the conversion that disappears from your reporting without explanation.
Consider how an agent actually shops: A user asks it to find and buy the best noise-cancelling headphones under $300. The agent researches across a dozen review sites, comparison tools, and retailer pages, evaluating specs, prices, and availability in parallel. Then it completes the purchase, either in a native agent checkout flow or by navigating a retailer's site directly. The user gets a confirmation. The task is done.
Every attribution model in use today assumes that the device doing the research and the device completing the purchase are connected through a continuous session or a shared identity graph. The entire logic of multi-touch attribution, view-through crediting, and cross-device matching rests on that assumption. An agent acting on behalf of a user breaks it: the research sessions look like one entity to your measurement stack, while the conversion looks like another. The publisher who captured the agent's attention during the research phase gets no credit, and the advertiser who influenced the decision has no visibility into whether their media drove it.
Last-click attribution is already too blunt an instrument for the buying journeys people actually take. In an agentic world, it doesn't just undercount; it produces results that can't be reconciled with what actually happened, because the conversion event happens on a surface that was never part of the measured journey. The advertiser who builds a provenance-aware model, one that can follow the chain of agent authorization from research through to transaction, will have a measurement picture their competitors are missing entirely. That advantage compounds. Better attribution means better optimization, which means better efficiency, and the gap between the prepared and the unprepared shows up in CAC and ROAS before most people realize there's a problem.
The reasonable objection to everything above is that HUMAN, DoubleVerify, and IAS have adapted to every previous shift in how the ecosystem evolves. Residential proxies, device ID spoofing, app-ads.txt evasion, SDK fraud in mobile: the vendors kept up. Why won't they just update their models for agents and close the gap?
Every previous wave of detection worked on the same underlying problem: classify whether a session is behaving like a human or like a bot. When fraudsters got better at mimicking human behavior, detectors got better at finding the residual tells. The model gets retrained on new labeled data, the weights shift, the cat-and-mouse continues. That loop works because the thing being verified, behavioral signals, exists in both legitimate traffic and fraudulent traffic. Separation is a solvable classification problem.
Agent verification requires something that doesn't exist yet across most of the ecosystem: a credential to check. The fraud stack can't approve a signed agent until the signing infrastructure is built, adopted, and integrated into the allow-list logic. Cloudflare, the IAB Tech Lab, and Visa are building pieces of that infrastructure right now, but there's a sequence that can't be shortcut. First the signing standard has to stabilize. Then agents have to be issued credentials. Then verification has to be built into stack allow-lists as a configurable option. Then that option has to become the default rather than something you have to specifically request and negotiate.
That sequence runs on a multi-year timeline even in the optimistic scenario. During that entire window, the default setting in your verification vendor's stack is block by default. The conversion loss accumulates quietly, showing up only as a gradual softening in purchase data that nobody can attribute to a cause. The brands that get ahead of this, by defining what allow-list treatment for signed agents should look like before their next vendor contract renewal, will have that infrastructure in place when the volume makes it matter.
This isn't about pointing fingers at the security stack. It's about making sure your technical standards match your customer's new behaviour. Get your ad-fraud vendor and your security team in a room together and look at the allow-list roadmap for agent traffic.
Ask: What happens when a signed, legitimate agent hits our flow?
If the default answer is "we treat it as a headless browser and kill the session," you have a looming conversion problem. The work is to move from a posture of block by default to verify by provenance.
Here's the cheat sheet I'd take into that meeting:
| The 2015 question (GIVT/SIVT) | The 2027 question (IBN/provenance) |
|---|---|
| Is there a human behind this mouse? | Is there a human mandate behind this token? |
| Is the browser headless? | Is the agent signed? |
| Block the bot to save the budget. | Verify the agent to save the customer. |
The bots ad-tech grew up fighting are not the bots showing up at your door now. The cost of treating one like the other won't show up on the IVT report. It'll show up as the customers you used to have.