AI-driven automation now outpaces human activity on the internet, with 40% found to be malicious, according to a report by Thales.

Global tech firm Thales has published its 2026 bad bot report: bad bots in the agentic age, which highlights the extent to which internet traffic is now generated by AI-driven bots. These bots fall into two categories: ‘good bots’ responsible for legitimate or useful automated tasks and ‘bad bots’ responsible for malicious, abusive or deceptive tasks.

In 2025, automated bots made up more than 53% of all web traffic. Of that, 40% was generated by bad bots, up from 37% the year before. Human traffic, accounting for 47% of traffic, now represents a shrinking share of overall activity.

According to Thales, the figures reflect not only the surge in AI-driven bot activity, but also a fundamental shift in the nature of internet traffic.

A key challenge is that AI bots are increasingly interacting directly with applications and APIs to retrieve data and perform tasks on behalf of users. This is making it harder for organisations to distinguish between legitimate and malicious automation as both operate through similar channels and workflows.

According to the report, AI-enabled bot attacks have surged by over 12 times compared to previous years. Approximately 27% of bot attacks are aimed at APIs where they bypass traditional user interface defences and interact directly with backend systems at machine speed where they exploit business logic, extract sensitive data or manipulate workflows at scale.

Tim Chang, global vice-president and general manager of application security at Thales, said: “AI is transforming automation from something organisations try to block into something they must also manage. 

“The challenge is no longer identifying bots. It’s understanding what the bot, agent or automation is doing, whether it aligns with business intent, and how it interacts with critical systems.”

As much of today’s AI-driven activity remains unverified or indistinguishable from legitimate traffic, Thales says organisations are facing increased cyber security risks. In 2025 alone, Thales said it blocked 17.2 trillion bot requests.

The report warns that traditional security approaches focused on identifying and blocking bots are no longer sufficient. It says that “organisations must move towards a governance-based model, combining visibility, policy enforcement and behavioural analysis to distinguish between acceptable and harmful automation”.