AI-driven bot attacks surged 12.5x in 2025, signaling a major shift where automated activity now exceeds human internet traffic, with bots accounting for more than half of global web visits.

Human activity fell to about 47% of web traffic in 2025, while roughly 40% of bot traffic was malicious, underscoring the growing risk from automated abuse.

Artificial bot traffic now makes up more than half of global internet traffic, and bad bots comprise nearly 40% of all web traffic, according to Thales findings for 2025.

Attackers often leverage legitimate-looking requests with valid credentials to exploit backend systems, enabling large-scale data extraction and workflow manipulation.

The report argues traditional bot-blocking is insufficient and advocates a governance-based security model centered on visibility, policy enforcement, and behavioral analysis to manage acceptable versus harmful automation.

A governance-based approach should combine API and identity controls with adaptive defenses, emphasizing governance over mere blocking.

In Kenya, four critically endangered mountain bongos were repatriated from the Czech Republic to Nairobi, quarantined on arrival, and slated for release into Mount Kenya Wildlife Conservancy to bolster genetic diversity.

There is a growing visibility gap as much AI-driven activity is unverified or indistinguishable from legitimate traffic, complicating risk assessment for organizations.

Tim Chang of Thales stresses shifting from blocking bots to managing and understanding bot behavior in line with business intent, highlighting the visibility gap in AI-driven automation.

AI agents are emerging as a distinct category of internet traffic, interacting with applications and APIs and blurring lines between legitimate automation and malicious activity.

Recommendations include defining which AI agents are allowed, enforcing controls at API and identity layers, and designing adaptive defenses as bots evolve.

The report invites readers to download the full 2025 findings and join a webinar, emphasizing actionable guidance for defending APIs and digital infrastructure.