Are AI agents browsing your site right now? Almost certainly. The real question is whether you know which ones, what they’re doing, and whether that’s good for your business. 

AI agent traffic has quickly moved from edge case to operational reality. With AI-enchanced browsers and agentic payment frameworks on the rise, like Google’s recently announced Universal Commerce Protocol (UCP), agentic commerce is likely already part of both your key growth opportunities and your threat landscape. 

DataDome’s Global Bot Security Report 2025 showed a fourfold increase in AI traffic between January and August 2025, with 65% of that traffic hitting form pages, 23% targeting login pages, and 5% reaching checkout. And that volume reflects real demand, as 70% of consumers in the UK, US, and France have used AI for shopping in the past 12 months. 

This creates practical questions that most teams can’t afford to treat as theoretical: Which agents are accessing your sites, APIs, and MCPs? What are they doing there? What should be allowed, monitored, rate-limited, authenticated, or blocked? And how do you make those decisions in a way that holds up across security, product, marketing, and legal? 

We’ve built an action checklist for leadership into our recently published Agentic Commerce Guide to help out. Below is an adapted version you can use as a quick readiness assessment, with a short note under each line to clarify what “done” looks like.

Visibility & detection

☐ We can identify which AI agents are accessing our site
This means knowing which specific agents are active on your site, not just that you see agent traffic. If you can’t name them, it’s hard to decide whether they’re helpful (commercial or user-driven) or harmful (scraping, fraud, abuse).

☐ We can see which pages or endpoints they are visiting
Depending on whether agents concentrate on product pages, search, login, checkout, or specific APIs, you’ll need different approaches for each.

☐ We know why they are visiting our website
Intent is the difference between opportunity and risk. Are they indexing content? Comparing products for users? Attempting to extract pricing or catalog data at scale?

Policy & governance

☐ We have a documented AI agent access policy
This doesn’t need to be a 20-page manifesto. But you do need a clear internal position on what you allow, what you don’t, and under what conditions.

☐ We know actions we want to allow and actions we want to block
Be explicit here. Many organizations are comfortable with “browse and compare,” but draw the line at “change account details” or “complete purchases” without human confirmation.

☐ We can technically enforce our policies (block, rate-limit, authenticate)
A policy that can’t be enforced is wishful thinking. The question is whether you can apply controls consistently, especially when traffic patterns change fast.

Privacy & compliance

☐ Our privacy policy addresses AI agent interactions
If agents are interacting with your site (and potentially with user-specific flows), your public-facing language and internal governance need to reflect that reality.

☐ We restrict sensitive data access to authenticated users only
This is foundational, but it’s worth re-checking with agent behavior in mind. Assume anything exposed without authentication will be collected, summarized, or reused.

☐ We have server-side enforcement for privacy controls
Some agents don’t execute JavaScript or respect cookie banners. If your protections are mostly client-side, you may be relying on controls that certain agents never see.

Business strategy

☐ We understand the revenue impact of AI agent traffic
Before you invest heavily, ask: Is this traffic converting, influencing conversions, or shaping discovery? Without measurement, you’re arguing opinions.

☐ We’ve assessed monetization opportunities (APIs, licensing, partnerships)
In some industries, “allow or block” is too simplistic. There may be a third option: structured access with terms, pricing, or partnerships.

☐ Marketing, product, and security teams are aligned on strategy
Agentic commerce isn’t just “more bots.” It can change attribution, visibility, fraud patterns, and customer journeys, sometimes all at once.

Technical readiness

☐ Our catalog uses structured markup (JSON-LD, schema.org)
Agents prefer clean, structured data. If your product information is hard to parse, you’re harder to recommend—no matter how good the product is.

☐ Our APIs meet machine-time latency requirements (sub-second response)
Agents operate in “machine time.” Slow APIs can quietly remove you from consideration.

☐ Our infrastructure can handle agent traffic
Even well-intentioned agents can generate bursts of traffic. Make sure your systems can maintain performance and availability during sudden spikes or peak demand periods. 

Security & fraud

☐ We can detect malicious agent behavior
Detection matters because the threats won’t always look like classic bot attacks. You’ll need to spot suspicious patterns, not just obvious volume spikes.

☐ We protect against AI agent takeover, impersonation, and abuse
As agents become part of customer workflows, they also become targets that attackers can imitate, manipulate, or use as cover.

☐ We can automatically block unwanted or untrusted AI agents
Automation is essential for speed. Manual response is rarely fast enough when automated traffic scales instantly.

Cross-functional coordination

☐ We have shared success metrics and KPIs
Alignment is easier when teams agree on what success looks like—visibility, conversion impact, fraud reduction, latency, customer experience, or a combination.

☐ We have a working group or task force addressing AI agents
You don’t need a huge committee. But you do need a place where decisions get made, tradeoffs get documented, and ownership is clear.

☐ We understand what’s at stake: both opportunity and risk
This is a common failure point: When teams pursue conflicting objectives—one optimizing for agent access while another restricts it—you create control gaps and forfeit potential business value.

How to read your results

If fewer than half of the items on this list ring true for your organization, you have meaningful gaps in your AI agent readiness. The good news: you still have time to act. The key is to start now and put the right visibility, controls, and strategy in place.

This list is the quick gut-check. The full Agentic Commerce Guide goes deeper on what these items mean in practice—how to separate valuable agent traffic from risky automation, what to enforce server-side, and how to align teams without slowing down the business.

Download The Guide to Readying Your Business for Agentic Commerce to get the complete playbook, examples, and next steps. Or, if you’re ready to take the next step, schedule a live demo of DataDome to understand how our Agent Trust management solution can help.