The invisible traffic problem: why AI agents are your biggest blind spot

Most executives have no idea how much of their website traffic comes from AI agents.

If you were to ask which AI agents are legitimate and which are impersonating trusted names to scrape data, they’d struggle to tell them apart, a problem that’s growing by the day.

Co-Founder & CEO, DataDome.

In early 2026, AI and bots generated billions of requests, outpacing internet traffic from humans.

This is no longer a fringe activity; AI agents are now a persistent, substantial portion of the traffic hitting websites.

Yet most organisations can’t tell you what that traffic is doing, where it’s really coming from, and whether it’s helping or hurting their business.

The Volume Trap

When organisations hear that AI agent traffic is creating billions of requests, the instinct is often to treat it as a monolithic category. It’s not. Lumping all AI agents together is like treating all humans as identical users; it misses the nuance that determines value.

Take two agents from the same company: one built to improve search relevance, potentially driving referral traffic back to a website, and another designed purely for large-scale data extraction to train AI models, offering zero benefit to organisations.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Both show up in traffic reports, both generate similar volumes, but only one has any upside for businesses. Without the ability to distinguish between them, companies can’t make informed decisions about either. Organisations are flying blind, and the cost of that blindness is steep.

The Trust Problem

Here is where it gets trickier: even when an AI agent identifies itself, organisations can’t trust it. Recent data shows that well-known, trusted AI agent names are being actively impersonated at scale. Meta-ExternalAgent was spoofed over 16 million times in early 2026. ChatGPT-User saw nearly 8 million fraudulent requests using its name. PerplexityBot had nearly 2.4% of all requests claiming to be legitimate turn out to be fake.

If website allowlists – approved lists granted automatic access - certain AI agents by name, assuming they are legitimate crawlers, a fake agent string is essentially a skeleton key. Bad actors know this and are using trusted agent identities as cover to bypass defenses and extract whatever data they want.

The exposure isn’t theoretical. Testing across 700k high-traffic websites revealed that the vast majority return full access to spoofed AI agent requests with no verification whatsoever.

The Agentic Browser Challenge

Traditional AI crawlers are only part of the story. A newer, more sophisticated vector is emerging: agentic browsers. These tools don’t just request a page, they simulate full browser sessions and interact with a site like a human user.

They’re harder to detect and harder to distinguish from legitimate traffic, and they are showing up in force across the industries with the most valuable transactional data.

In February 2026, agentic browser traffic was concentrated in ecommerce and retail (about 20% of volume) and travel and tourism (15%). These sectors hold some of the most valuable transactional data on the internet: pricing data, inventory information, customer behavior patterns, and competitive intelligence.

For businesses in any of these sectors it’s time to start actively monitoring for agentic browser activity, as organisations may be leaking data without realising it.

What This Means for Decision Makers

The implications of this visibility gap are immediate and material. Invisible traffic is unmanaged traffic. Companies that can’t identify traffic can’t decide what to do with it. Should it block it? Throttle it? Allowlist it? Monetise it? Without clear visibility, decisions become guesswork.

High volume does not equal high value. Some AI agents drive search visibility and referral traffic. Others extract data and contribute nothing in return. By treating them the same, organisations are subsidising data collection efforts with no upside for a business.

Relying on basic bot detection doesn’t cut it anymore. Agentic browsers behave like real users and simple signal-based detection misses them. Organisations need behavioural analysis that accounts for session patterns, timing, interaction signatures, and other contextual indicators.

Where to Start

Getting control of AI agent traffic starts with visibility. Organisations need to log and classify what is hitting sites, by agent type, behaviour, and claimed identity without relying solely on user-agent strings, as they’re easy to spoof.

Agent classification is an ongoing practice. As the AI agent ecosystem evolves quickly, with new agents appearing regularly and existing ones changing behaviour, in-time assessments go stale fast.

Establish a tiered access framework, but make it session-specific, not agent-specific. The same AI agent can exhibit legitimate behaviour in one session and extractive behaviour in another.

Intent-based detection evaluates what an agent is doing in real time, not just what it claims to be. Is it browsing product pages at a human pace or scraping an entire catalogue? The behaviour in each session should determine the response.

Companies should stop assuming that because something identifies itself as a known agent, it is legitimate. The cost of blind trust is too high. Verify everything.

AI agents are not going away. Their traffic will continue to grow, and their behaviour will continue to evolve. The organisations that thrive in this environment will be the ones that can see clearly what is happening on their websites and make deliberate, informed decisions about what to allow and what to block.

Right now, most organisations can’t, and that needs to change. AI agents are already interacting with websites. The question is whether organisations know what they’re doing while they’re there.

We feature the best website builders.

This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.

The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit