Virtual Round Table · Jul 22

View the event
Akamai says AI bots are now 47.9% of commerce traffic as agentic fraud grows
Cybersecurity

Akamai says AI bots are now 47.9% of commerce traffic as agentic fraud grows

Akamai's latest State of the Internet report puts hard numbers on a problem retail security teams have felt for months: half of the traffic hitting commerce sites is now automated, and attackers are hiding inside the same agent flows retailers are racing to support.

PublishedJuly 18, 2026
Read time7 min read
Share

What Akamai measured

On July 15 Akamai published a State of the Internet report titled Securing the Agentic Storefront: Attacks on Commerce, and the headline figure is hard to ignore. As of December 2025, AI bots made up 47.9% of all commerce traffic across Akamai's global network. Nearly half of the requests hitting product pages, search endpoints and carts now come from software rather than a person with a browser. For a retail technology leader, that number reframes basic capacity and observability assumptions, because dashboards built to reason about human sessions are now describing a population that is close to half machine.

AI training crawlers drive most of that volume, accounting for more than 70% of AI bot triggers in commerce, with OpenAI, ByteDance and Anthropic ranked as the top three sources observed. Akamai notes that more than 90% of this bot activity is currently placed in a monitor category, and about 75% of the remainder is allowed through unrestricted. Most retailers, in other words, are watching this traffic rather than governing it. That posture was defensible when bots were a rounding error, but at half of all traffic it leaves pricing, inventory and content exposed to scraping and abuse with no explicit policy attached.

Retail is the primary target

The report frames commerce as the world's most targeted industry, and retail carries the heaviest load inside it. Commerce endured nearly 3 trillion Layer 7 DDoS attacks in 2025, and the retail vertical alone absorbed 84% of that volume. For a CTO running a high-traffic storefront, that concentration means peak-season resilience planning has to assume sustained application-layer pressure rather than occasional spikes. The math also changes the cost conversation, because absorbing that volume at the edge is now a permanent line item rather than a seasonal insurance policy that only matters around a few marquee sales events each year.

Regional data underlines how broad the surge is. North America logged roughly 33 billion bot counts, while Asia Pacific saw a 63% jump in bot activity and Latin America a 48% increase. The growth tracks the same regions where retailers are pushing hardest on digital commerce, which means the traffic curve security teams are trying to filter is rising in lockstep with the revenue curve merchandising teams are trying to grow. Any retailer expanding into new markets should assume the attack surface scales with the addressable market, and budget the defensive infrastructure as part of the market-entry cost rather than a later add-on.

The API layer is where retailers are exposed

Agentic shopping runs on APIs, and Akamai's data suggests that is exactly where defenses are thinnest. Web attacks targeting APIs rose 9% year over year. In Akamai's companion 2026 API Security Impact Study, 85% of commerce respondents said they had experienced at least one API-related incident in the past year, yet only 22% could say which of their APIs expose sensitive data. That visibility gap is the real finding: you cannot defend an endpoint you have not inventoried, and most commerce teams are shipping new APIs faster than their security teams can catalog what those APIs return.

That gap matters for build-versus-buy decisions on the commerce stack. As retailers open more programmatic access to inventory, pricing and checkout so that partners and shopping agents can transact, each new endpoint becomes an attack surface that most teams cannot fully inventory. Akamai also reports that only 35% of organizations use true microsegmentation, even though 92% use basic segmentation, so lateral movement after a breach stays easier than it should be. The pattern rewards retailers who treat API discovery and segmentation as prerequisites for opening the storefront to agents, not as hardening work to schedule after launch.

Agent hijacking and synthetic accounts

The novel threats in the report sit at the intersection of AI and fraud. Akamai describes agent hijacking, where attackers compromise legitimate AI assistants and abuse the stored payment credentials those agents are trusted to use. When a retailer accepts an authenticated agent as a proxy for a real customer, a hijacked agent inherits that trust and the transaction looks routine. The failure mode is uncomfortable for fraud teams because nothing about the request is malformed: the credential is valid, the agent is recognized, and the abuse only becomes visible after the money has moved.

The second technique uses large language models to generate synthetic identities, what Akamai calls Frankenstein accounts, assembled to bypass static defenses built around fixed rules. Pam Lindemoen, chief security officer and vice president of strategy at RH-ISAC, describes autonomous shopping agents as creating signal masking by mimicking human microbehaviors closely enough to blend in. The behavioral tells that fraud systems have relied on for years, mouse movement, typing cadence, dwell time, get harder to read when a machine can reproduce them convincingly. Detection has to shift from how an entity behaves toward whether it can prove who authorized it.

The trust problem retailers now own

Patrick Sullivan, Akamai's chief technology officer of security strategy, sums up the shift plainly: the customer is increasingly an AI agent operating on behalf of a human user. That sentence reframes a lot of retail infrastructure. Bot management tuned to block automation outright will also block the good agents that commerce teams want to welcome, so a hard wall is no longer a viable default. The security team's mandate quietly changes from keeping automation out to sorting authorized automation from hostile automation, which is a much harder classification problem than a simple allow-or-deny rule.

The practical requirement is agent verification. Retailers need a way to tell an authorized shopping agent carrying a verified consumer mandate apart from a hijacked or spoofed one, and to attach that signal to every downstream API call. This is where the emerging agentic payment protocols and verified agent identity efforts intersect with security roadmaps, because the same credential that authorizes a purchase can also carry the trust signal that fraud and bot systems need. Retailers that treat verification as shared plumbing across payments, fraud and edge security will move faster than those solving it three times in three silos.

What this means for the roadmap

Phishing volume gives the timeline urgency. Between November 2025 and April 2026, malware represented 56.5% of observed endpoint threat activity and phishing 37.6%, and average daily phishing volume across Akamai's commerce customers climbed from 56,600 in February to 134,600 in April. Attacker tooling is scaling on the same AI curve as the defenders, and staffing plans built for last year's volume will not hold. A near-tripling of daily phishing in three months is the kind of slope that breaks manual triage and forces retailers to automate detection or accept a widening backlog of unreviewed threats.

For retail technology leaders, the report is a prompt to move agent traffic out of the monitor bucket and into an explicit policy. That means inventorying APIs and classifying which expose sensitive data, adopting agent verification before opening more programmatic checkout access, and pressing commerce and security teams to plan the agentic storefront together. The demand side of AI commerce is arriving faster than the governance side, and closing that gap is now a board-level line item rather than a backlog ticket. The retailers who welcome shopping agents deliberately, with verification and segmentation in place, will capture the upside without inheriting the fraud that rides alongside it.

Tagged#news#retail#retail-ai#ecommerce#agentic-commerce#cpg#security#api-security#fraud#akamai#bot-traffic#agentic-fraud#soti-report#commerce-security#web-scraping