DataDome — AI Agent Identity Crisis Drives H1 2026 Threat Landscape
AI relevance: The AI agent identity problem directly undermines security controls for AI-operated infrastructure — if defenders cannot distinguish legitimate AI agents from attackers spoofing agent identities, bot detection, rate limiting, and access controls for AI pipelines all become unreliable.
What happened
- DataDome's Galileo threat research team published their H1 2026 retrospective, documenting multiple converging crises in the AI agent threat landscape — all centered on the failure of agent identity verification.
- 80% of AI agents don't properly identify themselves when visiting websites, relying on easily spoofed User-Agent strings instead of proper identification methods like published IP ranges, reverse DNS, or authentication protocols like Web Bot Auth.
- When DataDome tested ~700,000 reachable sites with a spoofed ChatGPT-style User-Agent, 79.7% let it through without blocking or challenging — most websites cannot distinguish a legitimate AI agent from an attacker pretending to be one.
- Nearly 8 billion AI agent requests hit DataDome's network in just the first two months of 2026, a 5% quarter-over-quarter increase. Known trusted agent names are actively used as cover: Meta-ExternalAgent was the most impersonated (16.4M spoofed requests), ChatGPT-User followed at 7.9M, and Perplexity had the highest impersonation rate at 2.4%.
- Attackers are using legitimate AI infrastructure as attack delivery — not just spoofing it. Documented cases include: Perplexity executing reflected XSS against an e-commerce site, Meta's crawler probing a tourism site for vulnerabilities (from a verified Meta IP), OpenAI's infrastructure sending time-based blind SQL injection against a financial news portal, and Comet Browser automating fake account registration.
- A separate finding: in June 2025, Microsoft shipped Playwright 1.53.0 with an undocumented change — when an AI agent drives Playwright, navigator.webdriver is now set to false, the same value a human-operated browser returns. This silently disables one of the most fundamental bot-detection signals for AI-driven browser sessions.
- Compromised AI agent frameworks are being recruited into botnets. OpenClaw instances with default configurations were hijacked within weeks of launch, concentrated in South/Southeast Asia. ~50% of traffic from compromised instances was vulnerability scanning; the rest was scraping, account takeover, and payment fraud.
Why it matters
The AI agent identity problem creates a dual failure: legitimate AI agents can't be trusted because they don't authenticate, and security systems can't reject impostors because they rely on the same weak signals. When Playwright silently sets navigator.webdriver to false for AI-driven sessions, it removes the primary fingerprint defenders use to detect automation. Combined with the fact that attackers are now using real AI infrastructure IPs (Meta, OpenAI, Perplexity) to deliver attacks, traditional IP-based and User-Agent-based security controls are becoming unreliable for any traffic that might be AI-operated.
What to do
- Don't trust User-Agent strings for AI agent identification. Implement challenge-based verification (e.g., Web Bot Auth, published IP range checks, or cryptographic attestation) for any traffic claiming to be a known AI agent.
- Audit your AI referral traffic. Sudden spikes in chatgpt.com or Perplexity referrals may be scraping bots routing through residential ISPs — not genuine AI crawlers.
- If you operate AI agent infrastructure (coding agents, browser automation, scraping pipelines), ensure your agents identify themselves via published robots.txt rules, IP ranges, or authentication protocols — not just User-Agent strings.
- Monitor for Playwright-based automation using signals beyond navigator.webdriver — check for CDP artifacts, TLS fingerprint anomalies, and interaction timing patterns.
- Harden AI agent defaults. If deploying agent frameworks, ensure management APIs and plugin marketplaces are not exposed to the internet without authentication.
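
An added example, not taken from DataDome's report: a published-IP-range check for requests whose User-Agent claims a known AI agent, run over constructed sample records. The CIDR ranges are RFC documentation placeholders rather than real vendor ranges, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation nets), not
# real vendor ranges. In production, load each operator's published list.
PUBLISHED_RANGES = {
    "ChatGPT-User": ["192.0.2.0/24"],
    "Meta-ExternalAgent": ["198.51.100.0/24", "2001:db8:1::/48"],
}
_NETS = {agent: [ipaddress.ip_network(c) for c in cidrs]
         for agent, cidrs in PUBLISHED_RANGES.items()}


def claimed_agent(user_agent):
    """Return the known agent token the User-Agent claims, or None."""
    ua = user_agent.lower()
    return next((a for a in _NETS if a.lower() in ua), None)


def classify(src_ip, user_agent):
    """Return 'unclaimed', 'verified', 'spoofed' or 'invalid-ip'."""
    # src_ip must be the TCP peer (or a value set by your own proxy), never a
    # client-supplied header. 'verified' confirms origin only; the request
    # still goes through normal inspection.
    agent = claimed_agent(user_agent)
    if agent is None:
        return "unclaimed"
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return "invalid-ip"
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:a.b.c.d -> compare as IPv4
        ip = ip.ipv4_mapped
    return "verified" if any(ip in n for n in _NETS[agent]) else "spoofed"


# Constructed sample records: (source IP, User-Agent)
SAMPLE = [
    ("192.0.2.44", "Mozilla/5.0 (compatible; ChatGPT-User/1.0)"),
    ("203.0.113.9", "Mozilla/5.0 (compatible; ChatGPT-User/1.0)"),
    ("::ffff:198.51.100.7", "meta-externalagent/1.1"),
    ("2001:db8:2::1", "meta-externalagent/1.1"),
    ("203.0.113.50", "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"),
]


def summarize(records):
    """Count classifications across (ip, user_agent) records."""
    return Counter(classify(ip, ua) for ip, ua in records)
```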