As TFA points out, a major change is that bot traffic now comes from honest users via their LLM sessions, so you don't even necessarily want to block automated bots anymore.

The game is shifting to a better ideal: how do you design a service knowing that any user/request might be automated?

Especially in place of the historical, easy solution/hack where you have some sort of gate that, once passed, puts the user in some trusted low-scrutiny tier, like a forum's registration page.

It's a similar question to designing a system so that it's resilient to account take-overs. (i.e. The user was a trusted human until now, and now it's a spammer)

Example: on a forum, run new posts through an LLM to classify it as spam which is a magic solution we always wish we had (remember akismet?) but was too rudimentary.

You use API tokens for things intended to be machine to machine communication and captchas for things intended to be filled out by humans. Not every site or service wants automated input, even if it's being directed by a human. I dont want forums like HN just filled with a bunch of agents talking to eachother, where's the human connection?