AsiaTechDaily – Asia's Leading Tech and Startup Media Platform
The internet is becoming increasingly machine-driven, forcing businesses to rethink long-held assumptions about who — or what — is interacting with their digital services. New findings from cybersecurity firm Thales’ “2026 Bad Bot Report: Bad Bots in the Agentic Age” show that bots accounted for 58% of all internet traffic in Singapore in 2025, surpassing human activity, which fell to 42%. More notably, the report found that more than half of that automated traffic was malicious — a sign of how deeply automation has embedded itself in the country’s digital ecosystem. Globally, the picture is similar but less extreme: Thales found bots made up 53% of worldwide web traffic in 2025, up from 51% the year before, with human activity falling to 47% and bad bots alone accounting for 40% of all global traffic.
While automated traffic has long been a feature of the internet, the latest data suggests a more fundamental shift is underway. The rise of artificial intelligence is creating a new category of online participant that doesn’t fit neatly into traditional definitions of either legitimate users or malicious bots. According to the report, AI-driven bot attacks surged 12.5 times year-over-year in 2025. At the same time, AI agents are emerging as autonomous systems capable of retrieving information, interacting with applications, navigating APIs, and performing tasks on behalf of users.
This development is beginning to blur the distinction between human and machine activity online, creating new challenges for businesses that increasingly depend on digital platforms, APIs, and AI-powered services.
“The challenge is no longer identifying bots. It’s understanding what the bot, agent, or automation is doing, whether it aligns with business intent, and how it interacts with critical systems,” said Tim Chang, Global Vice President and General Manager of Application Security at Thales, in the report.
For businesses across Asia, the implications extend well beyond cybersecurity. As AI agents become more capable and widespread, companies may need to rethink how they measure users, secure infrastructure, allocate computing resources, and maintain visibility in an internet where machines increasingly interact with other machines.
For much of the past two decades, internet traffic was generally sorted into two broad groups: human users and automated bots. Bots themselves were typically divided further — “good” bots, like search engine crawlers and indexing tools that help websites remain discoverable, and “bad” bots, associated with activities such as credential stuffing, web scraping, fraud, and distributed attacks.

The emergence of AI agents is beginning to challenge that framework. Unlike traditional bots that perform narrowly defined tasks, AI agents can retrieve information, reason through instructions, interact with APIs, and complete increasingly complex workflows with limited human intervention. They’re becoming embedded in AI assistants, enterprise software platforms, search tools, and customer-facing applications.
The result, according to Thales, is the emergence of a third category of internet traffic alongside good and bad bots. These systems aren’t inherently malicious, yet they operate autonomously and often resemble the traffic patterns traditionally associated with bots. That shift is making intent, rather than identity, the primary challenge for security and infrastructure teams. The report argues that organizations are increasingly operating with incomplete visibility into how AI-driven systems interact with their applications and data, creating new operational and governance risks.
The growing presence of automation is also creating economic consequences that are often overlooked. As businesses migrate services to the cloud and scale digital operations, they pay for bandwidth, computing resources, API requests, storage, and infrastructure consumption regardless of whether the traffic originates from customers or machines.
Speaking with AsiaTechDaily, Andy Zollo, Senior Vice President for Application and Data Security in Asia-Pacific and Japan at Thales, said organizations are increasingly dealing with the financial and operational consequences of servicing traffic that generates little business value.
“The exact financial impact will vary by business model, traffic profile, and cloud architecture, so it is difficult to attach a single number to margin pressure. But the pressure is real: when bots account for 58% of Singapore’s traffic and more than half of that activity is malicious, companies are effectively serving a large volume of machine traffic that does not create business value, which can increase infrastructure costs and reduce efficiency,” Zollo said.
“The infrastructure cost is real, but it is only part of the picture. The wider burden is operational. Unverified traffic distorts demand signals, inflates compute spend, and creates constant pressure on systems that were sized for human activity. Over time, it shows up gradually in cloud bills, in system load, in analytics that no longer reflect reality.”
The issue is becoming more relevant as organizations deploy AI-powered products and absorb rising cloud computing costs. Unlike traditional cybersecurity incidents that create immediate disruption, excessive bot traffic can quietly erode margins while making it harder to understand genuine customer behavior.
According to Zollo, organizations need better visibility into how automation interacts with their systems rather than simply blocking all machine traffic.
“The answer is not simply blocking more traffic, as not all automation should be blocked. The answer is visibility into what automation is actually doing: separating legitimate demand from machine activity that serves no business purpose. Companies that can make that distinction stop paying for traffic that adds no value,” he said.
The report also highlights how attackers are increasingly shifting focus away from websites and toward APIs, which have become critical infrastructure for modern digital services. APIs now power everything from banking applications and e-commerce platforms to enterprise software and AI systems. As organizations expose more functionality through APIs, they create new openings for automated systems to interact directly with backend services. According to the report, 27% of bot attacks now target APIs, allowing attackers to bypass traditional user interfaces and engage directly with business logic at machine speed.
The impact is particularly visible in sectors handling high-value transactions and sensitive data. In Singapore, financial services accounted for 79% of all bot attacks recorded during the period analyzed. The computing and IT sector experienced the highest proportion of account takeover attacks, at 45% of incidents, while the gambling industry recorded the highest concentration of bad bot traffic of any sector.
The findings suggest that as businesses become increasingly API-driven, cybersecurity strategies built primarily around websites and user interfaces may no longer be sufficient.
The rise of AI agents is also creating a new challenge for businesses seeking online visibility. Historically, companies optimized websites for search engines and allowed trusted crawlers to index content. Today, AI-powered search platforms and assistants increasingly rely on automated agents to discover, retrieve, and interpret information across the web. That creates a difficult balancing act: organizations want to protect content, intellectual property, and infrastructure from malicious scraping, but blocking AI crawlers too aggressively could reduce visibility in emerging AI search platforms and conversational interfaces.
Speaking with AsiaTechDaily, Zollo said businesses should avoid treating all automated systems as a single category.
“The tension is real. AI search engines depend on crawlers to index content, so a blanket block does carry discoverability risk. But the answer is not choosing one or the other — it is precision over blunt force,” he said. “Founders should not treat all AI crawlers as the same. The data shows the problem is already playing out in practice. In 2025, more than 10% of AI fetch agents and nearly 9% of AI crawlers triggered security controls even when operating as legitimate tools. The line between helpful and harmful automation is thin, and it requires more than a blocklist to manage.”
He added that organizations increasingly need to make access decisions based on behavior and intent rather than broad classifications.
“The better approach is understanding what each crawler is actually doing and making access decisions based on that, not simply a blanket block or allow. Done right, you stay visible to legitimate AI search engines while keeping the scrapers out.”
The findings point to a broader transformation that extends well beyond cybersecurity. AI agents are becoming embedded across search, commerce, productivity software, customer service platforms, and enterprise systems. As these systems become more capable, machine-generated traffic is likely to keep growing as a share of overall internet activity.
For businesses, the challenge is no longer simply distinguishing between humans and bots. Increasingly, it’s understanding which forms of automation create value and which introduce risk. The internet was originally built around human interactions; as AI agents become active participants in the digital economy, organizations may need to redesign how they measure engagement, manage infrastructure, secure applications, and evaluate online activity.
The rise of AI agents suggests the next phase of the internet may be defined not by humans versus machines, but by how effectively businesses manage an online environment where both increasingly coexist.