Rethinking Who (or What) We Trust Online Rethinking Who (or What) We Trust Online The internet was built on the assumption that humans are the only genuine users. It’s baked into our authentication flows, our CAPTCHAs, our security heuristics, and even our language. We talk about "users" as people, and "bots" as threats. The internet was built on the assumption that humans are the only genuine users. It’s baked into our authentication flows, our CAPTCHAs, our security heuristics, and even our language. We talk about "users" as people, and "bots" as threats. But that assumption is breaking. But that assumption is breaking. Today, some of the most essential actors in software systems aren’t human at all. They’re agents: headless, automated, credentialed pieces of software that do everything from retrieving payroll data to reconciling insurance claims to processing royalties at scale. They’re deeply integrated into the services we rely on every day, and yet, many platforms treat them as intrusions. Today, some of the most essential actors in software systems aren’t human at all. They’re agents: headless, automated, credentialed pieces of software that do everything from retrieving payroll data to reconciling insurance claims to processing royalties at scale. They’re deeply integrated into the services we rely on every day, and yet, many platforms treat them as intrusions. “It’s time to stop confusing automation with adversaries,” says Laurent Léveillé, Community Manager at Deck. “Many of these bots aren’t attackers. They’re your customers' workflows, breaking silently because your system doesn’t know how to trust them." “It’s time to stop confusing automation with adversaries,” says Laurent Léveillé, Community Manager at Deck. “Many of these bots aren’t attackers. They’re your customers' workflows, breaking silently because your system doesn’t know how to trust them." The Legacy of Human-Centric Trust Models The Legacy of Human-Centric Trust Models Security teams have long relied on a binary heuristic: humans are good; machines are bad. This led to a proliferation of CAPTCHAs, bot filters, rate limiters, and user-agent sniffers that make no distinction between adversarial automation and productive agents. Security teams have long relied on a binary heuristic: humans are good; machines are bad. This led to a proliferation of CAPTCHAs, bot filters, rate limiters, and user-agent sniffers that make no distinction between adversarial automation and productive agents. These models worked for a time. But the modern internet runs on APIs, scheduled jobs, and serverless triggers. Internal agents and external integrations behave just like bots, because they are. They log in, request data, act predictably, and don’t click around like a human would. And that’s the point. These models worked for a time. But the modern internet runs on APIs, scheduled jobs, and serverless triggers. Internal agents and external integrations behave just like bots, because they are. They log in, request data, act predictably, and don’t click around like a human would. And that’s the point. "What we’re seeing now is that the same heuristics designed to keep bad actors out are breaking legitimate use cases inside," says YG Leboeuf, Co-founder of Deck. "That includes everything from from airline rewards to health insurance providers" "What we’re seeing now is that the same heuristics designed to keep bad actors out are breaking legitimate use cases inside," says YG Leboeuf, Co-founder of Deck. "That includes everything from from airline rewards to health insurance providers " A Better Definition of "Genuine" A Better Definition of "Genuine" So how do you distinguish between harmful bots and helpful ones? So how do you distinguish between harmful bots and helpful ones? Deck proposes a shift: from human-first models to intent-first frameworks. Genuine users are not defined by their biology but by their behavior. Deck proposes a shift: from human-first models to intent-first frameworks. Genuine users are not defined by their biology but by their behavior. A genuine user is: A genuine user is: Authenticated: They are who they claim to be.Permissioned: They’re accessing what they’re supposed to.Purposeful: Their actions are consistent with a known and allowed use case. Authenticated: They are who they claim to be. Authenticated : They are who they claim to be. Permissioned: They’re accessing what they’re supposed to. Permissioned : They’re accessing what they’re supposed to. Purposeful: Their actions are consistent with a known and allowed use case. Purposeful : Their actions are consistent with a known and allowed use case. Consider a scheduled agent that pulls expense data from 150 employee accounts at the end of each month. It’s credentialed, scoped, and auditable. But most systems flag it as suspicious simply because it logs in too fast or accesses too much. Consider a scheduled agent that pulls expense data from 150 employee accounts at the end of each month. It’s credentialed, scoped, and auditable. But most systems flag it as suspicious simply because it logs in too fast or accesses too much. Meanwhile, a real human could engage in erratic or malicious activity that flies under the radar simply because they're using a browser. Meanwhile, a real human could engage in erratic or malicious activity that flies under the radar simply because they're using a browser. This is a flawed paradigm. We need to flip it. This is a flawed paradigm. We need to flip it. The Hidden Costs of Getting It Wrong The Hidden Costs of Getting It Wrong Misclassifying agents as threats doesn’t just lead to bad UX. It introduces risk: Misclassifying agents as threats doesn’t just lead to bad UX. It introduces risk: Product failure: Automated flows break silently. Payroll doesn’t run. Reports aren’t filed. Data is lost.Customer churn: Users blame the product, not the security rules. Support tickets spike.Engineering debt: Developers are forced to create ad hoc exceptions. Fragility creeps in.Security blind spots: Exceptions weaken systems, opening up paths for actual abuse. Product failure: Automated flows break silently. Payroll doesn’t run. Reports aren’t filed. Data is lost. Product failure : Automated flows break silently. Payroll doesn’t run. Reports aren’t filed. Data is lost. Customer churn: Users blame the product, not the security rules. Support tickets spike. Customer churn : Users blame the product, not the security rules. Support tickets spike. Engineering debt: Developers are forced to create ad hoc exceptions. Fragility creeps in. Engineering debt : Developers are forced to create ad hoc exceptions. Fragility creeps in. Security blind spots: Exceptions weaken systems, opening up paths for actual abuse. Security blind spots : Exceptions weaken systems, opening up paths for actual abuse. At Deck, one client had built a multi-step claim appeals workflow that relied on an internal agent syncing EOB data nightly. When their legacy security provider began rate-limiting the agent, it created a cascade of downstream failures. It took weeks to diagnose. At Deck, one client had built a multi-step claim appeals workflow that relied on an internal agent syncing EOB data nightly. When their legacy security provider began rate-limiting the agent, it created a cascade of downstream failures. It took weeks to diagnose. Designing for Hybrid Identity Designing for Hybrid Identity Modern systems need to accommodate both humans and non-humans in their trust models. Here’s what that looks like: Modern systems need to accommodate both humans and non-humans in their trust models. Here’s what that looks like: Separate credentials: Don’t reuse human tokens for agents. Use scoped service accounts.Intent-aware rate limits: Expect agents to move fast and operate 24/7. Throttle by role, not raw volume.Auditability: Agents should log their actions. Create structured telemetry pipelines.Lifecycle management: Track agent ownership, rotate secrets, and deprecate outdated processes.Behavioral baselines: Monitor what “normal” looks like for each identity. Flag anomalies, not automation. Separate credentials: Don’t reuse human tokens for agents. Use scoped service accounts. Separate credentials : Don’t reuse human tokens for agents. Use scoped service accounts. Intent-aware rate limits: Expect agents to move fast and operate 24/7. Throttle by role, not raw volume. Intent-aware rate limits : Expect agents to move fast and operate 24/7. Throttle by role, not raw volume. Auditability: Agents should log their actions. Create structured telemetry pipelines. Auditability : Agents should log their actions. Create structured telemetry pipelines. Lifecycle management: Track agent ownership, rotate secrets, and deprecate outdated processes. Lifecycle management : Track agent ownership, rotate secrets, and deprecate outdated processes. Behavioral baselines: Monitor what “normal” looks like for each identity. Flag anomalies, not automation. Behavioral baselines : Monitor what “normal” looks like for each identity. Flag anomalies, not automation. A Cultural Shift in Security A Cultural Shift in Security Security isn’t just about saying "no." It’s about enabling systems to work as intended, safely. Security isn’t just about saying "no." It’s about enabling systems to work as intended, safely. "The teams that win aren’t the ones with the most rigid defenses," says Léveillé. "They’re the ones who design infrastructure that understands the difference between risk and friction." "The teams that win aren’t the ones with the most rigid defenses," says Léveillé. "They’re the ones who design infrastructure that understands the difference between risk and friction." This means: This means: Shifting from gatekeeping to enablementReplacing blunt detection rules with contextual analysisBuilding not just for prevention, but for resilience Shifting from gatekeeping to enablement Shifting from gatekeeping to enablement Replacing blunt detection rules with contextual analysis Replacing blunt detection rules with contextual analysis Building not just for prevention, but for resilience Building not just for prevention, but for resilience Don’t Fear the Agents. Learn From Them. Don’t Fear the Agents. Learn From Them. Not every user is human. That’s not a threat. It’s a reality. And increasingly, it’s an opportunity. Not every user is human. That’s not a threat. It’s a reality. And increasingly, it’s an opportunity. By recognizing and respecting automation as part of the user base, we unlock better reliability, faster scale, and stronger systems. The companies that embrace this shift will outbuild the ones that resist it. By recognizing and respecting automation as part of the user base, we unlock better reliability, faster scale, and stronger systems. The companies that embrace this shift will outbuild the ones that resist it. It’s time we stop asking: “Is this a bot?” and start asking: “Is this trusted?” It’s time we stop asking: “Is this a bot?” and start asking: “Is this trusted?”
