Why Security Teams Should Shift From Bot Detection To Bot Diplomacy

InnovationWhy Security Teams Should Shift From Bot Detection To Bot DiplomacyByKaustubh Phatak,Forbes Councils Member.for Forbes Technology CouncilCOUNCIL POSTExpertise from Forbes Councils members, operated under license. Opinions expressed are those of the author. | Membership (fee-based)May 28, 2026, 10:00am EDTKaustubh Phatak is a seasoned product leader at AWS, driving strategy, execution, and GTM for cloud services serving global enterprises. getty​Six months ago, I wrote about the AI bots crisis facing publishers: Traffic is plummeting, unauthorized scraping is surging and the industry is scrambling to protect its assets.The problem of increasing bots hasn't been solved since then, but it has been inverted. Last month, I watched a major retailer's security team block an AI agent that was trying to complete a legitimate purchase on behalf of a customer. Their bot-detection system worked perfectly. It identified non-human traffic and shut it down. But should it have? The "bot" was a paying customer's personal shopping agent, authorized and authenticated, attempting to do exactly what the customer asked.Bot traffic now exceeds human traffic on the internet, crossing 51% in 2025 according to Imperva's annual report. Many of these bots are legitimate and useful, but our entire security apparatus still operates on a binary model: human or threat. We've built a multi-billion-dollar industry around a question that's no longer the right one to ask.​Why The Binary Model Is Broken​​For two decades, bot management meant one thing: detection. Identify the non-human traffic, challenge it, block it. CAPTCHAs, behavioral analysis, device fingerprinting and the entire toolkit assumes that identifying automation is synonymous with identifying threats.​Today's AI agents, however, are authorized representatives carrying credentials, budgets and user intent. Customer's travel agents can query airline APIs to book a flight. A procu...