Retail is being squeezed from all sides. In the last year brands like M&S, Harrods, Jaguar Land Rover and the Co-Op have all suffered disruptive cyber attacks. Meanwhile, consumer spending remains weak and retailers still face higher costs for everything from labour to raw materials, says Dan Holden, CISO at Commerce, parent company of the ecommerce platform BigCommerce.
To remain competitive, many organisations are turning toward agentic AI to better connect with shoppers and boost sales. However, this comes with its own risks, as it may require them to open their platforms to data-scraping bots, integrate external data and more.
If retailers want to remain relevant in this new environment, in terms of both security and privacy law, while still seizing the benefits of this transformative technology, they need to understand how the landscape has changed and the new tactics attackers are employing.
New high-cost operating environment for retailers
The internet used to be a low-cost distribution channel: an open ocean without the constant terror of pirates, if you will. However, due to increased regulation, attacker threats and fraud trends, it is now a high-cost operating environment for retailers. The combined pressures of AI infrastructure, bot mitigation, fraud prevention, identity verification, and vendor risk management are becoming permanent additions to the cost of goods sold.
For example, attackers are increasingly using AI, SMS phishing, scraped datasets, and SaaS platform breaches to automate fraud at industrial scale. This has made fraud one of the most expensive operating costs in ecommerce, reshaping margins and business models. Unfortunately, this trend shows no signs of abating soon, with research showing AI-enabled threats increased 1,210 per cent throughout 2025. Meanwhile, Deloitte has warned AI-enabled fraud in the United States could reach 40 billion dollars in losses by 2027, up from 12.3 billion in 2023. For retailers this is especially concerning considering fraud already cost the UK £1.17 billion in 2024.
Who’s real and who’s not?
Against this backdrop retailers are also contending with the rise of AI agents, which need access to data from CRMs, loyalty systems, ERPs, service platforms, and analytics systems to operate with full context. However, this creates new exposure points and a larger attack surface. These AI agents also become new “entities” retailers must govern, monitor, and secure. This is creating a growing risk from third- and fourth-party SaaS vendors, where breaches can expose the marketing and behavioural datasets that power coordinated fraud.
This risk is only growing, with research showing almost half of all internet traffic is now non-human, and that nearly one third of total traffic consists of bad bots that increasingly behave like real shoppers. Likewise, automated traffic surpassed human traffic for the first time in 2024, reaching 51 per cent of total web traffic, a shift driven by AI and LLM-powered automation.
These agents are hard to spot, with traditional identity and behavioural signals no longer able to distinguish legitimate customers from automated adversaries. This means retailers are entering a digital “dark forest” where real and fake customers look the same.
Meanwhile, the European Union’s proposed “Digital Omnibus” package would relax certain data protection rules to support AI innovation. Draft proposals include exemptions that would allow AI developers to process sensitive categories of personal data, such as political views, ethnicity, and health information, for training and operational use. This is an early signal that governments are reconsidering the balance between privacy protections and AI competitiveness, which retailers will need to factor in.
Managing the balance
Retailers cannot avoid the race to build AI-driven capabilities in marketing, merchandising, supply chain operations, and customer service. To be effective, these systems require richer business context, which means more data ingestion, more integrations, and more dependence on external vendors and third-party AI platforms.
To combat this, retailers need to enter the next phase of ecommerce security, which requires verifying customer intent, not just identity. This could mean using behavioural analytics to detect anomalies in real time or broadening . Organisations should also maintain a register of authorised AI agents that records what each agent has permission to access and its capabilities. Finally, by implementing and expanding zero trust architecture, brands can ensure bots only have access to the information they need to do their job while protecting more sensitive data.
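The register of authorised agents and the least-privilege access check described above, as an added example (not from the article or any product). The agent names, owners and resource names are hypothetical, and each agent's identity is assumed to be authenticated before the check runs.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentRecord:
    agent_id: str      # identity already authenticated upstream (assumption)
    owner: str         # accountable team or vendor
    grants: frozenset  # exact (action, resource) pairs, nothing implied

class AgentRegister:
    """Register of authorised AI agents with deny-by-default checks."""

    def __init__(self):
        self._records = {}
        self.audit_log = []  # every decision, kept for monitoring and review

    def register(self, record):
        self._records[record.agent_id] = record

    def authorise(self, agent_id, action, resource):
        record = self._records.get(agent_id)
        if record is None:
            allowed, reason = False, "unregistered agent"
        elif (action, resource) not in record.grants:
            allowed, reason = False, "not granted"
        else:
            allowed, reason = True, "granted"
        self.audit_log.append((agent_id, action, resource, allowed, reason))
        return allowed

    def denials_by_agent(self):
        """Count refused requests per agent, a simple signal to alert on."""
        return Counter(e[0] for e in self.audit_log if not e[3])

def build_sample_register():
    # Constructed sample data: agents, owners and resources are hypothetical.
    reg = AgentRegister()
    reg.register(AgentRecord("shopping-assistant", "ecommerce-team",
        frozenset({("read", "catalogue"), ("read", "loyalty-balance")})))
    reg.register(AgentRecord("partner-price-feed", "vendor-x",
        frozenset({("read", "catalogue")})))
    return reg

if __name__ == "__main__":
    reg = build_sample_register()
    for req in [("shopping-assistant", "read", "catalogue"),
                ("shopping-assistant", "read", "crm-customer-records"),
                ("partner-price-feed", "write", "catalogue"),
                ("unknown-bot", "read", "catalogue")]:
        print(req, "->", reg.authorise(*req))
    print(dict(reg.denials_by_agent()))
```

Grants are stored as exact action and resource pairs so that read access to one system never implies write access to it or read access to another.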
Building for the future
Retailers stand at a defining point. Agentic AI promises better personalisation, leaner operations, and new revenue streams, but it also expands the attack surface at unprecedented speed. In a market already squeezed by thin margins and cautious consumers, the cost of inaction is simply too high.
The retailers that thrive will be those that treat cybersecurity not as a defensive cost centre, but as a strategic enabler of safe digital growth. In the AI economy, trust is currency. Brands that can create intelligent, connected experiences while proving they can protect customers, partners and data will earn a competitive advantage that is difficult to replicate.




