What this year’s Black Friday taught security teams about agentic commerce
Summary
This year's Black Friday revealed a new reality for retail security teams: the rise of agentic commerce, in which consumers delegate shopping to AI agents. Because malicious actors employ the same AI technologies for automated fraud, distinguishing authentic customers, legitimate agents, and hostile automation is increasingly difficult. Traditional defenses built on a binary "bot or not" classification are proving inadequate, since both harmless and destructive AI agents can mimic human browsing patterns, honor rate limits, and execute full-browser flows. The challenge extends beyond classic fraud: even legitimate agents can distort analytics and demand signals, for example by monitoring pricing APIs or booking and canceling inventory at machine scale. Retailers such as Harrods, Marks & Spencer, and Co-op have already faced large-scale hacks, underscoring the urgency of new security toolkits.
Key takeaway
For CTOs and VPs of Engineering overseeing retail security, your teams must evolve beyond traditional bot detection. Focus on implementing real-time, multi-layered detection systems that evaluate the *intent* behind automated interactions, not just their behavior. Establish clear internal policies for AI agent use and secure machine-to-machine infrastructure to confidently manage agentic commerce and capitalize on its revenue opportunities while mitigating sophisticated AI-driven threats.
Key insights
Agentic commerce blurs lines between legitimate and malicious automated traffic, requiring new security paradigms.
Principles
- AI agents mimic human browsing.
- Intent-led detection is crucial.
- Binary bot classification fails.
Method
Security teams must shift from classifying users as "bot or not" to evaluating the intent behind automated interactions, requiring real-time, multi-layered detection and internal policy mapping for AI agent usage.
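The following is an added example, not code from the Tech Monitor article or from AIssential, of what "intent over bot-or-not" looks like in practice for the two patterns the summary names (pricing-API monitoring and reserve-and-cancel at machine scale). It runs over a constructed event log; the log format, event names, and thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample, one event per line: "<session> <declared_client> <event> <sku>".
# The declared client (browser vs agent) is reported but never used to classify:
# intent is read from what the session does, not from whether it admits automation.
SAMPLE_LOG = (
    "s1 browser view sku1\n"
    "s1 browser add_to_cart sku1\n"
    "s1 browser checkout sku1\n"
    "s2 agent price_check sku1\n"   # legitimate shopping agent that buys
    "s2 agent price_check sku2\n"
    "s2 agent add_to_cart sku2\n"
    "s2 agent checkout sku2\n"
    "s3 agent reserve sku1\n"       # reserve-and-cancel at machine scale
    "s3 agent cancel sku1\n"
    "s3 agent reserve sku2\n"
    "s3 agent cancel sku2\n"
    "s3 agent reserve sku3\n"
    "s3 agent cancel sku3\n"
    # full-browser client that polls the pricing API and never buys
    + "".join(f"s4 browser price_check sku{i % 5}\n" for i in range(25))
)

def parse_log(text):
    """Group events by session; the declared client is kept for reporting only."""
    sessions = defaultdict(lambda: {"client": None, "events": []})
    for line in filter(None, text.splitlines()):
        sid, client, event, sku = line.split()
        sessions[sid]["client"] = client
        sessions[sid]["events"].append((event, sku))
    return sessions

def classify_intent(events, poll_limit=20, cancel_ratio_limit=0.5):
    """Label a session by the business intent its events reveal.
    Thresholds are illustrative assumptions. Counting business actions rather
    than request rate means a client that honours rate limits still surfaces."""
    counts = Counter(event for event, _ in events)
    reserves, cancels = counts["reserve"], counts["cancel"]
    if reserves >= 3 and cancels / reserves >= cancel_ratio_limit and not counts["checkout"]:
        return "inventory_hoarding"  # distorts demand signals without buying
    if counts["price_check"] >= poll_limit and not counts["checkout"]:
        return "price_scraping"      # pricing-API monitoring at scale
    if counts["checkout"]:
        return "purchase"            # legitimate whether human or agent
    return "browsing"

def triage(text):
    # {session: (declared_client, intent)} for every session in the log
    return {sid: (s["client"], classify_intent(s["events"])) for sid, s in parse_log(text).items()}
```

Note that the self-declared agent s2 is cleared while the self-declared browser s4 is flagged: the label comes from what each session does, which is the point the summary makes.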
In practice
- Map internal AI agent usage.
- Define clear access boundaries.
- Invest in intent-led detection.
Topics
- Agentic Commerce
- AI Agents
- Cybersecurity
- Fraud Detection
- Automated Threats
Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, Security Engineer, AI Product Manager
Editorial summary, takeaway, and curation by AIssential. Original article published by Tech Monitor.