The old web-security question was simple enough:
Is this request coming from a human or a bot?
That question is now breaking.
A human may use an AI agent to research products, compare prices, summarize pages, book travel, file forms, negotiate appointments, monitor changes, or interact with online services. A business may use agents to watch suppliers, update listings, answer customers, test its own websites, or coordinate workflows. Some of that traffic will be legitimate. Some will be abusive. Some will be ambiguous.
The web now needs to answer a harder question:
Is this request backed by a real human, organization, or accountable agent - and under what authority?
That is why Cloudflare’s PACT announcement matters.
PACT, short for Private Access Control Tokens, is being framed as a privacy-preserving way for websites to distinguish legitimate human-backed or user-authorized agent traffic from malicious automation without falling back on CAPTCHAs, mandatory logins, or invasive browser fingerprinting.
That is the right problem.
CAPTCHAs are a tax on humans. Fingerprinting is a privacy problem. Blanket bot blocking breaks useful automation. Unauthenticated scraping creates abuse, cost, fraud, and content theft. And as AI agents become normal, the line between “bot” and “user” becomes less useful every month.
The web does not just need to know whether something is automated.
It needs to know whether the automation is accountable.
Bot, Human, Agent
For years, defenders have sorted web traffic into rough categories:
- human visitor,
- known good bot,
- unknown bot,
- malicious bot.
That model is too flat for the agentic web.
An AI shopping assistant may be automated, but authorized by a human. A research crawler may be automated, but acting for a legitimate organization. A malicious scraper may impersonate a user. A fraud system may use real human clicks to mask automated abuse. A model agent may act through a browser session, an API, a plugin, a marketplace, or a remote tool.
So the binary test - human or bot - is no longer enough.
A better security question is:
What is the authority chain behind this action?
- Who or what initiated it?
- Who is accountable for it?
- What is it allowed to do?
- What rate, scope, and purpose are acceptable?
- Can that authority be revoked?
- Can the interaction be audited without exposing unnecessary personal data?
This is where PACT becomes interesting.
The basic idea is that a trusted party with strong knowledge that a human is involved can issue anonymous credentials. A browser or agent can later present those credentials to another site as evidence that the request is human-backed or authorized, without revealing the user’s identity or full browsing history.
If that works, it could reduce friction for legitimate users and agents while giving websites a better signal than “looks suspicious” or “solve this puzzle.”
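To make the issuance-then-redemption flow concrete, here is an added example in Python. It is not Cloudflare's code and not PACT's actual protocol; it shows the general anonymous-credential pattern the paragraph describes using a blind RSA signature, where the anchor signs a value it cannot later recognise and the relying site verifies the signature and rejects replays. The `Issuer`, `Client` and `Site` classes, the toy key built from two small Mersenne primes, the SHA-256 hash-to-integer mapping and the in-memory spent-token set are all constructed for illustration.

```python
"""Toy anonymous credential flow: blind RSA issuance and one-time redemption.
Added illustration of the pattern described in the post; NOT Cloudflare's PACT
protocol. Key size, hash-to-group mapping and replay store are constructed."""
import hashlib
import secrets
from math import gcd
from typing import List, Set, Tuple

# Toy issuer key from two known Mersenne primes (2^61-1 and 2^89-1).
# Far too small for real use; chosen so the example runs with no third-party library.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def hash_to_int(token_id: bytes) -> int:
    """Map a random token identifier to an integer mod N (toy hash-to-group)."""
    return int.from_bytes(hashlib.sha256(token_id).digest(), "big") % N


class Issuer:
    """Anchor that has already established a human is present (out of scope here)
    and signs a blinded value it cannot link to the later redemption."""

    def __init__(self) -> None:
        self.seen: List[int] = []  # everything the issuer ever observes

    def sign_blinded(self, blinded: int) -> int:
        self.seen.append(blinded)
        return pow(blinded, D, N)


class Client:
    """Browser or agent holding the credential."""

    def __init__(self) -> None:
        self.token_id = secrets.token_bytes(32)
        self.m = hash_to_int(self.token_id)
        self.sig = 0
        # Blinding factor r, coprime to N: the issuer sees m * r^E, never m.
        while True:
            self.r = secrets.randbelow(N - 2) + 2
            if gcd(self.r, N) == 1:
                break

    def blind(self) -> int:
        return (self.m * pow(self.r, E, N)) % N

    def unblind(self, blinded_sig: int) -> int:
        # (m^D * r) * r^-1 = m^D, a plain RSA signature over m
        self.sig = (blinded_sig * pow(self.r, -1, N)) % N
        return self.sig

    def credential(self) -> Tuple[bytes, int]:
        return self.token_id, self.sig


class Site:
    """Relying website: verifies the anchor's signature and rejects replays."""

    def __init__(self) -> None:
        self.spent: Set[bytes] = set()

    def redeem(self, token_id: bytes, sig: int) -> bool:
        if token_id in self.spent:
            return False  # replayed credential
        if pow(sig, E, N) != hash_to_int(token_id):
            return False  # not issued by the trusted anchor
        self.spent.add(token_id)
        return True


def run_flow() -> dict:
    """Full exchange: blind, issue, unblind, redeem, then replay and forgery attempts."""
    client, issuer, site = Client(), Issuer(), Site()
    client.unblind(issuer.sign_blinded(client.blind()))
    token_id, sig = client.credential()
    return {
        "issuer_linked": client.m in issuer.seen,  # False: unlinkable to issuance
        "first_redeem": site.redeem(token_id, sig),
        "replay": site.redeem(token_id, sig),
        "forged": site.redeem(secrets.token_bytes(32), sig),
    }


if __name__ == "__main__":
    print(run_flow())
```

The point to notice is what each party sees: the issuer only ever records the blinded value, the site only ever sees a token id and a signature, and neither view contains a user identity or browsing history. The spent set is the minimal evidence a site needs to stop double redemption; a real deployment would also need key rotation and an issuer-trust list, which is exactly the governance question the rest of the post raises.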
But the protocol question is only half the story.
The governance question is the real story.
The Gatekeeper Problem
The cryptography may be elegant. The web still has to decide who gets to issue trust.
- Who can be an anchor?
- Who can vouch for a person?
- Who can vouch for an agent?
- Who decides which issuers are acceptable?
- What happens to users, small businesses, open-source agents, researchers, journalists, activists, and regional platforms that do not fit neatly into the approved trust network?
A system designed to reduce bot abuse could accidentally create a two-tier web:
- credentialed traffic that passes smoothly,
- and everyone else treated as suspicious by default.
That risk is not theoretical.
Much of the web already sits behind a small number of infrastructure providers, identity providers, app stores, browsers, cloud platforms, and fraud-prevention systems. If the next layer of web access depends on tokens issued or accepted by a few dominant actors, then the open web may become more controlled at the exact moment AI agents make access more important.
The danger is not that PACT is a bad idea.
The danger is that a good idea can become infrastructure before the governance model is settled.
The New Perimeter
Cybersecurity has spent years saying identity is the new perimeter.
That remains true, but it is no longer sufficient.
For the agentic web, the next perimeter is provenance.
Not just: who logged in?
But: what acted, under whose authority, using which credential, for what purpose, with what limits, and with what evidence left behind?
An AI agent acting for a person should not be treated exactly like a human click. It is not the same thing.
But it should also not be treated exactly like a hostile bot. That is not the same thing either.
We need a middle layer: accountable automation.
That means security systems will need to preserve more than IP addresses, user-agent strings, cookies, and rate limits. They will need to preserve authority context.
A useful agent request may need to say, in effect:
- This action is automated.
- It is acting under user or organizational authority.
- It has limited scope.
- It is not asking to be personally identified.
- It is willing to be rate-limited.
- It can be revoked.
- It leaves enough evidence for abuse response.
- It does not require the user to surrender unnecessary privacy.
That is a very different model from today’s bot fight.
From Detection to Negotiation
Most bot defense has been adversarial detection.
- Can we catch the bot?
- Can we fingerprint the browser?
- Can we block the request?
- Can we make the human prove they are human?
The agentic web may require more negotiation.
A site may want to say:
- You may summarize this page but not republish it.
- You may compare prices but not scrape inventory every second.
- You may complete a transaction only with explicit user confirmation.
- You may access public content, but not bypass paywalls.
- You may cache this answer for personal use, but not train a model on it.
- You may act for this account, but not delegate to another agent.
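The two lists above (what an agent request asserts about itself, and what a site wants to permit) are really an access-control decision over an authority context rather than a bot-or-not verdict. As an added example, not PACT's data model and not Cloudflare's code, here is a small Python policy engine that evaluates declared claims (authority, purpose, delegation depth, explicit user confirmation) against a site policy with revocation, per-credential rate limiting, and an audit log that records the credential id and outcome but no user identity. The claim names, policy rules and sample requests are constructed for illustration.

```python
"""Policy evaluation over an agent's declared authority context. Added example
of the accountable-automation checks the post lists; claim names and policy
rules are constructed and are not a PACT or Cloudflare data format."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple


@dataclass
class AgentRequest:
    credential_id: str      # opaque token id, not a user identity
    authority: str          # "user" or "organization"
    purpose: str            # e.g. "summarize", "compare_prices", "transact"
    delegation_depth: int   # 0 = acting directly for the principal
    user_confirmed: bool    # explicit confirmation attached for this action
    timestamp: float


@dataclass
class SitePolicy:
    allowed_purposes: Set[str]
    confirmation_required: Set[str]
    max_delegation_depth: int
    rate_limit: int         # allowed requests per credential per window
    window_seconds: float
    revoked: Set[str] = field(default_factory=set)


class PolicyEngine:
    def __init__(self, policy: SitePolicy) -> None:
        self.policy = policy
        self.history: Dict[str, Deque[float]] = defaultdict(deque)
        self.audit: List[dict] = []

    def _record(self, req: AgentRequest, decision: str, reason: str) -> Tuple[str, str]:
        # Evidence for abuse response: credential id and outcome, no personal data.
        self.audit.append({"credential": req.credential_id, "purpose": req.purpose,
                           "decision": decision, "reason": reason, "t": req.timestamp})
        return decision, reason

    def _rate_ok(self, req: AgentRequest) -> bool:
        q = self.history[req.credential_id]
        while q and req.timestamp - q[0] >= self.policy.window_seconds:
            q.popleft()                      # drop requests outside the window
        if len(q) >= self.policy.rate_limit:
            return False
        q.append(req.timestamp)
        return True

    def evaluate(self, req: AgentRequest) -> Tuple[str, str]:
        p = self.policy
        if req.credential_id in p.revoked:
            return self._record(req, "deny", "credential revoked")
        if req.authority not in ("user", "organization"):
            return self._record(req, "deny", "no accountable authority")
        if req.delegation_depth > p.max_delegation_depth:
            return self._record(req, "deny", "delegation chain too long")
        if req.purpose not in p.allowed_purposes:
            return self._record(req, "deny", "purpose not permitted")
        if req.purpose in p.confirmation_required and not req.user_confirmed:
            return self._record(req, "deny", "explicit user confirmation required")
        if not self._rate_ok(req):
            return self._record(req, "deny", "rate limit exceeded")
        return self._record(req, "allow", "within policy")


def demo() -> List[str]:
    """Constructed sequence of requests against one constructed site policy."""
    policy = SitePolicy(allowed_purposes={"summarize", "compare_prices", "transact"},
                        confirmation_required={"transact"}, max_delegation_depth=0,
                        rate_limit=3, window_seconds=1.0, revoked={"tok-R"})
    engine = PolicyEngine(policy)
    reqs = [
        AgentRequest("tok-A", "user", "summarize", 0, False, 0.0),       # allow
        AgentRequest("tok-A", "user", "republish", 0, False, 0.1),       # purpose denied
        AgentRequest("tok-A", "user", "transact", 0, False, 0.2),        # needs confirmation
        AgentRequest("tok-A", "user", "transact", 0, True, 0.3),         # allow
        AgentRequest("tok-A", "user", "compare_prices", 0, False, 0.4),  # allow (3rd in window)
        AgentRequest("tok-A", "user", "compare_prices", 0, False, 0.5),  # rate limited
        AgentRequest("tok-A", "user", "compare_prices", 0, False, 1.5),  # window rolled, allow
        AgentRequest("tok-A", "user", "summarize", 1, False, 1.6),       # delegated, denied
        AgentRequest("tok-R", "user", "summarize", 0, False, 1.7),       # revoked
    ]
    return [engine.evaluate(r)[0] for r in reqs]


if __name__ == "__main__":
    print(demo())
```

Only allowed requests count against the rate window, so a burst of denied requests does not starve a well-behaved agent sharing the same credential; whether that is the right choice depends on the abuse model, and it is the kind of local policy decision the post argues a global trust scheme should leave to the site.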
That is not just bot mitigation. That is policy expression.
It is web access control for a world where humans increasingly act through software agents.
PACT does not solve all of that. It is not a complete governance model. It does not by itself answer copyright, scraping, identity, fraud, privacy, platform power, or agent liability.
But it points at the right frontier.
The web is moving from asking “is this a bot?” to asking “what kind of agency is this?”
The Security Test
For security leaders, the test should be practical.
Any PACT-like system should be evaluated against questions like these:
- Does it reduce friction for real users?
- Does it protect privacy better than fingerprinting?
- Does it help distinguish malicious automation from legitimate user-authorized agents?
- Does it allow small sites and independent developers to participate?
- Does it prevent one infrastructure provider from becoming the de facto passport office for the web?
- Does it preserve enough evidence for abuse investigation without creating a surveillance layer?
- Does it make authority revocable?
- Does it support local policy, or does it force everyone into one global trust model?
Those are governance questions as much as technical ones.
And that is the lesson.
The Web Needs Accountable Agency
The next phase of AI security will not be only about models.
It will be about relationships among humans, agents, browsers, websites, platforms, content owners, merchants, infrastructure providers, and regulators.
- If AI agents are going to act in the world, they need bounded authority.
- If websites are going to accept agent traffic, they need evidence of legitimacy.
- If users are going to delegate tasks, they need privacy and control.
- If infrastructure providers are going to mediate access, they need accountability too.
PACT may become part of that stack. Or it may be one early attempt among many. Either way, it marks a real transition.
The question is no longer whether automation is present.
Automation is everywhere.
The question is whether the automation is accountable, bounded, revocable, and governed.
That is the next web perimeter.