Comment by Galanwe

At this point, I see no identity verification or proof of some kind of humanity working.

I think what we need is the equivalent of what was done for CORS: client/server cooperation.

That is, APIs should mark that they are human only, and harnesses should cooperate with such flags and prevent calling said APIs.

It's not perfect, as it's client side enforcement, and one could still theorically build their own harnesses without, but that's the only way forward.