What happened
AWS Security Blog (July 14, 2026) detailed a new Web Bot Authentication (WBA) capability in AWS WAF Bot Control, letting legitimate AI crawlers/agents cryptographically verify identity on CloudFront distributions instead of relying on IP/heuristic detection (requires Bot Control Rule Set v4.0+).
Why it matters
As agentic AI traffic to web applications grows, cryptographic bot authentication gives site operators a non-heuristic way to distinguish legitimate AI agents from malicious bots/scrapers, reducing false blocks and improving enforcement precision at scale.
Applicability
Organizations running CloudFront/WAF who need to differentiate and govern AI agent/crawler traffic should evaluate the v4.0 rule set now.