How “Buy For Me” AI Agents Are Locking Up Inventory Before Customers Can Check Out

Picture this: An AI agent adds 500 units of your hottest product to the cart in milliseconds—across multiple retailer sites, multiple sessions, under multiple accounts. The items sit there, inventory locked, while the agent decides whether to complete the purchase. Real customers see “out of stock.”

Was this legitimate comparison shopping? Strategic cart-holding? A coordinated scalping operation preparing to cherry-pick the best deal? Or an agent acting outside its authorization?

This isn’t hypothetical. Many online retailers urgently need answers about what guardrails must exist when AI agents autonomously research, initiate, and complete transactions. The question keeping payment processors awake at night: Who’s liable when the transaction goes through?

But here’s what’s becoming clear: by the time you’re asking about liability at checkout, you’re already too late. The real question is how to assess an agent’s intent from the moment it lands on your site—before it ever reaches the payment page.

Because in the world of agentic commerce, every add-to-cart could become inventory hoarding if the agent never completes the purchase.

What are AI shopping agents? (“Buy for me” bots explained)

“Buy for me” agents—also called AI shopping agents—are AI-powered assistants that autonomously research products, compare prices across competitors, monitor inventory, and complete purchases with varying levels of human oversight. They’re not just recommending products, but executing transactions.

Ask your agent to “find the best running shoes under $150 and buy them,” and it will scan inventory across retailers, assess reviews, compare prices, and execute the transaction. 

The technology is already here: OpenAI Operator, Perplexity shopping features, Google AI Mode shopping capabilities. Adoption is accelerating rapidly. A recent study found that 70% of consumers across the UK, US, and France have consciously used AI for shopping in the past 12 months. 

How AI agent traffic differs from humans and bots 

The critical distinction: AI shopping agents generate bot-like traffic patterns with legitimate authorization behind them, but they can also be leveraged by fraudsters in the same way as malicious bots, making the need for protection that monitors behavior so crucial. Traditional bot detection was built to distinguish humans from non-humans—it was not built to distinguish authorized agents from malicious agents.

This is the core agentic AI risk: legitimate users deploying automated shopping bots that exhibit the same traffic patterns as malicious scalper operations—but with valid credentials. Or fraudsters spoofing legitimate shopping agents to gain access to websites and then commit fraud or scalping. According to research conducted by Galileo, the DataDome threat research team, 80% of AI agents don’t properly identify themselves. 

The implications for e-commerce and online retailers 

When agents shop autonomously, every assumption underlying traditional e-commerce security breaks down:

Speed: Agents operate in milliseconds, generating traffic equivalent to hundreds of human shoppers

Scale: A single agent can add items to cart across multiple sites simultaneously as part of “normal” comparison shopping

Attribution: Is this one user with an aggressive agent, multiple users with similar configurations, or a coordinated botnet?

Intent: The same agent can legitimately browse one moment and aggressively hoard inventory the next

Most critically: traditional fraud detection happens at checkout. But with agentic commerce, the damage can occur earlier, like when items are added to the cart. 

AI agent risks: Inventory hoarding and automated cart attacks

Every price drop or product release is now a flash sale 

When a leading retailer releases a new item or drops the price on an existing item, that will trigger a cascade of shopping agents to the website, instantly adding items to the cart. That brief window of availability becomes a high-stakes security event. Every add-to-cart must be scrutinized with the vigilance typically reserved for completed transactions. 

Agentic commerce takes this dynamic and applies it to your entire catalog, 24/7. It’s not just limited drops anymore—it’s your everyday inventory, your seasonal items, your entire supply chain. Now every add-to-cart requires scrutiny because you can’t yet tell if it’s legitimate shopping or inventory hoarding.

Traditional queue systems can’t handle this because they were built to manage traffic volume, not verify intent. They treat all traffic equally, allowing real customers to compete against unauthorized automated traffic.

DataDome’s Priority Protect addresses exactly this scenario—a virtual waiting room with a built-in agent trust framework that filters fraudulent bot and AI traffic before it ever enters the queue, so real customers (and their authorized agents) get fair access when it counts. Unlike standalone queue solutions, Priority Protect continuously re-evaluates traffic throughout the session, catching agents that change behavior after entry.

The intent assessment challenge

Consider these scenarios—all using legitimate credentials, all technically “authorized”:

Aggressive price-checking: An agent pings your site and fifteen competitors every few minutes, checking prices and inventory levels. Over the course of a day, thousands of requests. This might be legitimate deal-hunting, but is it good for your business infrastructure? 

Inventory hoarding: An agent monitoring a product release adds items to cart across multiple retailers the moment inventory appears. It’s not completing purchases yet—just holding inventory while the user decides on shipping terms. The user thinks they’re being strategic. You see ghost carts locking up stock while real customers see “out of stock.”

Unintentional scalping: A user casually mentions, “Let me know if the PlayStation ever comes back in stock.” The agent interprets this as an automatic purchase directive. Three months later, the user disputes a charge for a console they forgot about. Who’s liable?

The uncomfortable truth: These patterns look identical in their early stages. By the time the distinction becomes clear, inventory is locked, and the opportunity for intervention has passed.

The liability question

This is what payment processors are grappling with: when an agent completes a transaction autonomously, and something goes wrong, who bears responsibility?

The merchant processed a valid transaction. The payment processor facilitated a properly authenticated payment. The agent executed what it believed was the user’s intent. And the user claims they never authorized the purchase.

There’s currently no agreed-upon framework in card network rules for this scenario. Traditional chargeback processes require evidence of authorization—but what constitutes authorization when an AI agent is involved? A conversation? A configuration setting? Implicit permission based on history?

Payment processors are rightfully concerned because the volume is coming fast, and there’s no clear legal or operational framework for dispute resolution.

Price scraping by AI agents

While inventory hoarding creates a visible impact when customers see “out of stock,” price scraping by AI agents creates invisible competitive damage.

The traditional price scaping model: Periodic checks, detectable by rate limiting, and easy to distinguish from legitimate shoppers through velocity analysis and IP reputation.

The AI agent price scraping method: Continuous monitoring across competitors, session-aware behavior that mimics human browsing, indistinguishable from comparison shopping until scale becomes apparent.

Business impact of automated price intelligence

An agent checking prices across 15 retailers every 10 minutes generates real-time competitive intelligence. Your dynamic pricing algorithms adjust based on perceived demand. Competitors using agent-gathered data can undercut you within minutes. What looks like 50 curious shoppers is actually one agent price-checking your entire catalog.

The authorization gap

A user may authorize an agent to “find the best deal on running shoes.” The agent interprets this as license to:

• Price-check your entire athletic footwear catalog
• Monitor every competitor’s pricing
• Check inventory levels across all sites
• Repeat this process every hour, indefinitely

By the time you detect the pattern, your pricing strategy has been exposed and exploited. Without bot and agent trust management, the retailer misses this entirely because the behavior resembles enthusiastic comparison shopping. 

Why traditional bot protection fails against agentic commerce

For decades, the checkout page has been the critical control point. We verify payment information, apply fraud scoring, and make go/no-go decisions. But with agentic commerce, by the time an agent reaches checkout:

• Inventory has been locked in carts across multiple sites
• Infrastructure has processed thousands of reconnaissance requests
• Pricing algorithms have been triggered by browsing patterns
• Competitors have adjusted strategies based on perceived demand signals

Catching a problem at checkout is like locking your doors after you’ve been robbed. This is why traditional bot mitigation that doesn’t assess intent in real-time will fail against agentic AI risks. The damage happens upstream, in the browsing and cart stages, so legacy systems without Agent Trust aren’t designed to detect it. 

Why identity verification isn’t enough 

Agent authentication standards like Web Bot Auth (WBA) and KYA (Know Your Agent) enable cryptographic identity verification—we can confirm that ChatGPT-user is actually ChatGPT-user.

But here’s the critical gap: knowing who is at the door doesn’t tell you why they want in.

A verified agent with perfect credentials can still:

• Browse legitimately for 100 requests
• Suddenly pivot to adding items to cart across multiple sites without completing purchases
• Shift to vulnerability probing or aggressive scraping
• Return to normal behavior

Identity verification sees: “Verified Agent. Allowed.”

But what changed was intent—and identity-based systems are blind to it. 

Trusted identities are already being exploited by attackers to weaponize AI agent infrastructure. DataDome’s Galileo team has documented several such cases, including OpenAI used for SQL injections, Perplexity used for reflected XSS, and Comet Browser for fake account creation. 

The solution: Assessing intent across the entire user journey 

The solution isn’t better fraud detection at checkout. It’s a comprehensive intent assessment throughout the entire journey, combining identity verification with behavioral analysis.

You need both:

• Identity answers: “Who or what is this?” (ChatGPT? Perplexity? Legitimate agent?)
• Intent answers: “What are they trying to accomplish, and is it aligned with business interests?”

DataDome’s Agent Trust score operationalizes this dual approach. For every AI agent, DataDome combines identification strength—how reliably the agent can be verified using cryptographic protocols or advanced fingerprinting—with fraud history to assign a 100-point trust score. 

The score is tailored per customer and adapts as behavior evolves, catching agents that authenticate legitimately but pivot to malicious activity mid-session.

Ready your business for “buy for me” agents

AI agents are now in your checkout flow, adding products to cart, monitoring inventory, and completing transactions.

The old paradigm—detect fraud at checkout—worked when humans were shopping. But agents move faster, at greater scale, with less visible intent. By the time they reach payment, inventory decisions have already been made, competitive intelligence has been gathered, and the opportunity for intervention has passed.

The new paradigm: verify identity AND assess intent from first interaction.

Payment processors developing liability frameworks need systems that consider both authentication and behavioral legitimacy. Identity tells you the agent is who they claim to be. Intent assessment tells you whether their behavior is legitimate and aligned with business interests.

Because in the world of “buy for me” agents:

• Every add-to-cart could lock up inventory that never gets purchased
• Every browsing session could be reconnaissance for competitive intelligence
• Every checkout raises questions of authorization and liability
• Every transaction could become a dispute months later

This is the fundamental shift in bot protection for agentic commerce: from binary human-vs-bot detection to nuanced assessment of authorization, identity, and intent across the entire customer journey.

Ready to secure agentic commerce? DataDome combines agent verification with continuous intent detection—protecting against authenticated agents with malicious patterns while enabling legitimate commerce without friction. Our bot protection platform assesses behavioral signals from first page view through checkout, giving you the context to distinguish legitimate AI shopping agents from inventory-hoarding operations. 

Book a demo to discuss your agentic commerce security strategy and see how intent-based detection prevents damage before it happens.