Every few years, the enterprise opens a new channel. The web. Mobile. APIs. Each one expanded the surface where customers could transact, and each one brought threats the previous generation of security tools wasn’t designed to handle. Agents are that next channel — and the transition is moving faster than most security teams realize.
Traffic from AI agents and agentic browsers grew 7,851% year over year in 2025. AI-driven traffic to U.S. retail sites grew 393% year-over-year in Q1 2026 alone. AI agents drove 20% of global orders during the 2025 holiday season — $262 billion in sales. Bain projects 15–25% of total online retail sales could flow through agentic channels by the end of this decade. McKinsey puts the global figure as high as $3–5 trillion by 2030.
Adobe Analytics tracked AI-driven traffic to U.S. retail sites surging 805% year over year on Black Friday 2025 alone, and 393% year-over-year across all of Q1 2026. AI agents drove 20% of global orders during the 2025 holiday season – $262 billion in sales. Bain projects 15-25% of total online retail sales could flow through agentic channels by the end of this decade. McKinsey puts the global figure as high as $3-5 trillion by 2030. This isn’t a trend to anticipate; it’s a transition already underway. And it carries a security problem that identity frameworks alone can’t solve.
What’s different this time is the nature of the actor. Unlike web traffic, mobile sessions, or API calls — all of which assume a human somewhere in the loop — the agentic channel introduces a new primary consumer of enterprise applications: the agent itself. As enterprises deploy self-built, third-party, and open-source agents simultaneously, they need infrastructure built for that reality, not adapted from what came before.
Step one: detecting agents at all
Before you can govern agent access, you have to know an agent is there.
This sounds simpler than it is. An AI agent browsing products and completing a checkout could be a consumer’s legitimate shopping assistant or an automated fraud operation. In traffic logs, they look the same. The behavior is identical; the intent is not. Agents use natural language, follow browsing patterns that look organic, hold multi-turn conversations with your applications, and operate at human tempo. Traditional bot detection and response — rate limits, IP reputation, browser fingerprinting — was designed for a different adversary.
The detection problem is genuinely new. A bot is a program trying to masquerade as a human. An agent may not be trying to hide at all. It’s just doing what it was told, at scale, using the same channels your human customers use. Distinguishing agents from bots, and both from humans, requires observing the full behavioral sequence — not just a single request, but the pattern of how an entity navigates, queries, and transacts over time. The goal isn’t to treat every agent as a threat, but to build the visibility that lets you tell them apart and treat them accordingly.
Behavioral analysis is the foundation here. You can’t identify what you can’t detect, and you can’t detect agents using signals built for a world where the only question was “human or bot?”
Step two: understanding agent identity — and what it’s actually worth
Once you can detect an agent, the next question is who it is and who sent it. The identity ecosystem for agents is developing fast and already fragmenting. Microsoft Entra Agent ID provides an OAuth 2.0 and OpenID Connect-compliant framework that issues tokens agents use to authenticate to APIs, supporting both application-only and delegated access scenarios — natively integrated with Copilot Studio and Conditional Access. Okta’s cross-application agent delegation (XAA) and ID-JAG specifications address enterprise-to-enterprise agent delegation. The IETF’s WIMSE working group is working to bridge SPIFFE SVIDs — short-lived, cryptographically bound workload credentials — with OAuth, covering the ephemeral agents that spin up, act, and disappear within a single session. OIDC-A is the emerging standards-body ratification layer. On the consumer side, World’s Agent Kit ties Orb-verified iris identities to AI agents using zero-knowledge proofs, anchoring agent behavior to a verified human without exposing personal data.
These frameworks are not interchangeable, and they don’t offer the same level of assurance. A JWT token carries a claim. A DPoP-bound token adds cryptographic proof of possession. A CIMD attestation ties an agent’s runtime identity to its declared manifest. A SPIFFE SVID is short-lived and bound to a specific workload. World ID’s iris credential anchors the chain to a verified human principal.
The right analogy is human identity: a username and password is weaker than a Google login, which is weaker than a smart-card PKI credential. Agent identity works the same way. The framework an agent presents tells you how much its self-declaration should be trusted — and over time, verification of these identities will help categorize agents as internal, external, or unknown, feeding risk profiles and confidence-based controls.
But it doesn’t tell you what the agent is actually doing.
Step three: why identity is necessary but not sufficient
This is the part that’s easy to skip, and the part that matters most. Even a cryptographically verified agent — bound to a legitimate user, operating on a trusted platform, presenting a clean identity credential — can do unauthorized things. Not because it’s malicious, but because agents are neither humans nor bots in any morally meaningful sense.
A human with good intentions makes human mistakes but is generally accountable for them. A bot has a fixed program: it does what it was built to do, and intent is just a function of who built it. An agent sits in uncomfortable middle ground. It has good intentions by design. It can still do bad things.
The failure modes are real and documented. Prompt injection can redirect a fully authenticated agent mid-session — a malicious instruction embedded in a document, a web page, or a tool response can cause it to exfiltrate data, escalate privileges, or take actions the user never intended. Hallucination can lead an agent that hits dead ends to start guessing — probing endpoints it wasn’t supposed to access, retrying failed operations indefinitely, escalating scope because it decided the job required it. One enterprise we tracked saw an AI coding agent make thousands of tool calls over 48 hours: guessing filenames, probing file paths, and eventually attempting write operations its credentials didn’t authorize. No one asked it to; it just decided the task required it.
Across all automated interactions analyzed at scale, only half a percentage point separates the rate of benign automation from the rate of malicious automation. The margin is razor thin.
Static permissions tell you what an agent is allowed to do. They say nothing about what it’s actually doing in the moment, or whether that matches the job it was given. As we explored in our analysis of Anthropic’s agent security framework, the attack surface isn’t the model, it’s the behavior at runtime.
This is why the industry is converging on the concept of an agent wrapper: infrastructure that intercepts tool calls before they reach resources, applies policy outside the agent’s execution context, and can return a full response, a shaped response, an error, or a human-confirmation redirect. Identity verification answers “who is this agent?” The wrapper, powered by behavioral analysis, answers “is this agent doing what it’s supposed to be doing?” Both questions need answers. Only one is getting enough attention right now.
What behavioral analysis of agents actually looks like
The behavioral signals that matter for agents are different from the signals used for bots — and subtler. With bots, the question is whether traffic patterns match what a human would produce. With agents, the question is whether an agent’s runtime behavior matches its declared purpose. Cequence’s AI Gateway tracks three categories of behavioral signal that identity frameworks don’t surface:
Privilege drift
Agents using permitted tools in ways that don’t match their declared job description. A customer service agent that begins read-then-write chains across unrelated systems, or fans out to services it doesn’t normally touch, is exhibiting lateral expansion that static permissions won’t catch. The credential is valid, but the behavior is anomalous.
Velocity and burst patterns
Sessions that diverge from an agent’s own historical baseline in call rates, payload sizes, or destination patterns. This catches the agent that’s been running cleanly for weeks and then, following a prompt injection or a model update, suddenly starts behaving like a different entity. The identity hasn’t changed; the behavior has.
Cross-session pattern anomalies
The threat sequences that per-request scanners miss. A JWT pulled from a secrets vault in one session, exfiltrated to an external sink thirty minutes later in a different session. A CRM query that fans out to Slack, email, and a webhook in a single tool-call sequence. An SSN flowing from a CRM server through an agent to a messaging channel. These sequences are invisible to any analysis that doesn’t track behavior across the full session graph.
This is the same analytical foundation Cequence has applied to bot traffic for years — session-level behavioral modeling, baseline deviation detection, cross-session correlation. As we covered in why behavioral security still matters, the vendors who understand automated actor behavior are the ones who engaged with it directly, not at arm’s length. The signals are different for agents, but the methodology transfers smoothly.
The challenge, not the block — and why the distinction matter
There’s one more thing that’s different about agents, and it changes the response playbook in a way that most security teams haven’t fully reckoned with. With a bot, blocking is usually correct. A bot doing something unauthorized is following its program. Blocking it is the right call.
With an agent, blocking is often the wrong response, even when behavior is anomalous. The agent may be acting on behalf of a real user with a legitimate task. Blocking it silently fails that user. It also tells you nothing about whether the anomaly was a prompt injection, a hallucination, or an edge case the agent’s developers didn’t anticipate.
The distinction between “human-in-the-loop” and “human-on-the-loop” matters here, and it’s worth being precise. Human-in-the-loop means the human must explicitly authorize before the agent proceeds — a pre-action gate. Human-on-the-loop means the human monitors and can override after the fact. For high-risk actions in regulated industries — exporting large datasets, calling admin endpoints, modifying untouched configurations — pre-action authorization isn’t optional. It’s the mechanism that breaks coercion chains while preserving the legitimate use case the agent was deployed for.
The right response to a behavioral anomaly is the challenge, not the block. Surface it to the human who authorized the agent. Require re-authorization before the agent continues. If the user confirms intent, the agent proceeds. If they don’t recognize the action, you’ve just intercepted a prompt injection or an unauthorized data move — and captured the signal that makes the next detection sharper.
This is the same principle behind Biometric Check — when detection flags a request, the answer isn’t to block silently, it’s to bring the human back in before the action completes. For agents, that principle extends naturally: challenge and guide the agent back to its allowed path rather than terminating the session and failing the user.
The fourth channel
Web, mobile, APIs, agents. Each channel created new attack surfaces and required new thinking. Each time, the security vendors who got ahead of it were the ones who understood the new channel from the inside out; not just its protocols, but its behavior.
The agentic channel is here. Gartner projects 33% of enterprise applications will include agentic AI by 2028, up from less than 1% in 2024. The identity frameworks are being built now. The behavioral analysis layer is what separates “we let agents in” from “we let agents in safely.”
Knowing who an agent is gets you to the door. Watching what it does is how you keep the door worth opening.
Want to talk through how behavioral analysis applies to the agents your enterprise is deploying? Get in touch.
