Fireside Chat: Mr. 403 Meets the Agent Economy
If you’ve ever tried to run an AI agent at scale across the open web, you’ve likely hit a wall of “403 Forbidden.” Behind many of those blocks is Akamai, the world’s largest edge security and bot management platform. At the Agentic Commerce event, Skyfire sat down with David Senecal—Akamai’s Director of Engineering for Fraud and Abuse and author of Reign of Botnets—for a candid fireside chat about how the internet’s gatekeepers are thinking about the agent economy.
Senecal has been on the frontlines of web security for over 25 years. He has helped Akamai build the infrastructure that detects and mitigates billions of automated requests daily. Until now, bot management has been binary: human good, bot bad. That model collapses when AI agents become a legitimate part of commerce and workflows.
During the chat, Senecal explained the scope of the problem. Automation isn’t new: web crawlers, ad networks, and SEO bots have existed for decades, but they’ve always been easier to classify. Googlebot announces itself. Bingbot announces itself. “Nice” bots generally follow rules. But the new wave of AI agents often mask themselves as browsers, mimic human behavior, and don’t self-identify. From Akamai’s perspective, if it looks like a bot and smells like a bot, it’s a bot. And it gets blocked.
That creates a crisis for developers and enterprises adopting agentic AI. If your agent scrapes ticketing data for personal use, is that fraud or just the next generation of consumer search? If your agent pulls your bank account data into a personal finance app, is that malicious scraping or user-authorized aggregation? Today, the security infrastructure has no way to tell.
This is why Akamai is collaborating with Skyfire on KYA+Pay. The protocol gives agents a verifiable identity and scoped permissions. Instead of faking a Chrome fingerprint, a Mint.com or Plaid-style agent could register, assert its identity, and carry a Skyfire-issued KYA token that confirms what it’s allowed to do. Akamai’s systems could then infer intent, not just behavior, and pass legitimate agents through while blocking malicious ones.
Senecal compared it to Mint.com’s early days, when banks struggled to distinguish its bots from attackers. With KYA+Pay, that ambiguity disappears. Banks (or any other publisher) can see exactly which agent is requesting data, under what credentials, and with what authorization. Payments for access can happen in real time, which means publishers aren’t forced to give data away for free or resort to blunt-force blocking.
The discussion also looked forward to how agents will access the web in general. Senecal expects a hybrid future. Some companies will evolve toward MCP servers and programmatic APIs. Others will remain HTML-driven for years. Agents will need to handle both—the click-simulating old world and the tokenized, machine-readable new world.
The takeaway for builders: the age of anonymous agents is ending. Enterprises and infrastructure providers like Akamai are creating a trust layer where agents can act autonomously but still be identified, authorized, and paid for. Without that, the agent economy won’t scale beyond prototypes. With it, we’re on the path to a more open and sustainable model for agentic AI.
You can watch the full fireside chat and read more about the Skyfire–Akamai collaboration on Skyfire’s blog.
