The payments industry has been refining its answer to one fundamental question, did the customer authorise this transaction? Agentic commerce is about to make that question much harder.
AI agents are developing from recommending products to selecting them, comparing prices and completing purchases on a customer’s behalf. This isn’t just a theoretical use case anymore as major technology companies and payment networks are building the infrastructure that will allow AI systems to participate directly in commerce.

The potential is enormous, an agent could reorder household essentials, negotiate a better mobile contract, book travel within a predefined budget or purchase supplies for a business without requiring someone to approve every step.

There is a problem however. Our payment and fraud controls were built for journeys in which a person directly chooses a product or visits a merchant and initiates a payment. In agentic commerce, the customer may not be present at the point of purchase at all.

The industry must therefore answer a new question, did the agent act within the authority and intent given to it?

Authentication is not the same as intent

A valid credential doesn’t automatically mean a valid decision. We already know this from account takeover where a fraudster using the correct password or payment credential can appear legitimate when viewed through a narrow authentication lens. The credentials may be real, but the person controlling them is not the rightful customer.

Agentic payments introduce another layer of complexity to this. The customer may have genuinely authorised an AI agent to act, but that authority will rarely be unlimited. Perhaps the agent was told to find a flight for less than €500. It might technically satisfy that instruction while booking an inconvenient route, using an unfamiliar travel provider or adding services the customer did not expect.

That could just be a poor outcome rather than fraud, but what happens when an agent is manipulated into choosing a malicious merchant? Or what if its instructions are altered? What if a compromised account gives an agent permission to make purchases that appear consistent with the customer’s normal activity?

The presence of a legitimate agent doesn’t remove fraud risk, it just changes where that risk sits. Authentication will still matter, but now it will not be enough. Payment providers will need to understand the relationship between the customer, the agent, the merchant, the credential and the transaction itself.

The industry is already beginning to establish some of this foundation. Visa’s Trusted Agent Protocol is intended to help merchants distinguish approved purchasing agents from malicious automation and communicate signals about agent identity and commerce intent. Mastercard’s Verifiable Intent similarly aims to create a verifiable record connecting the customer’s identity, the authority granted to an agent and the resulting action.

These mechanisms are necessary as they can help participants establish that an agent is legitimate and that a mandate exists. But proving who the agent is and what the customer authorised is only the starting point. Firms must also assess whether the agent’s behaviour, the merchant selected and the transaction that followed are consistent with that mandate and with the wider risk context.

Delegated authority must be visible

The payments industry already understands delegated authority in limited forms, like businesses issuing corporate cards with spending policies, or parents giving children controlled access to accounts. Some banking products allow secondary users to spend within agreed limits.

Agentic commerce takes delegated authority to another level because the software may make thousands of small decisions between the customer’s initial instruction and the final payment.

For risk controls to work, that authority must be explicit and available at the moment a decision is made.

What is the agent allowed to buy, and from which merchant, in which countries and up to what value? Does the customer need to approve certain categories or amounts? Without this context, a payment provider sees only the final transaction, it doesn’t see the mandate, constraints and approvals governing the agent’s actions

That creates a dangerous blind spot, as a transaction could look normal in isolation while sitting completely outside the customer’s original intent.

The answer can’t simply be to challenge every agent-initiated payment. That would remove the convenience agentic commerce is meant to create. The goal should be to identify when activity falls outside expected boundaries and introduce friction only where it is justified.

Fraudsters will target the journey

Fraudsters don’t need to break the payment rail if they can manipulate the decisions made before the payment reaches it.

They could target the customer’s account, the agent’s instructions, the communication between agents or the information used to select a merchant. They may create fake storefronts designed to appear attractive to automated shopping systems. They could also attempt to imitate legitimate agents or exploit weak connections between commerce platforms and payment providers.

This means fraud detection can’t start and end at authorisation. By the time an agent presents a transaction for payment, the compromise could have happened several steps earlier. A system looking only at the amount, card and merchant will be trying to detect the final symptom rather than the attack itself.

Effective prevention will depend on signals from across the journey. Those signals will need to be evaluated continuously rather than through a single check at checkout. Many existing fraud architectures will struggle because they rely on separate datasets and static rules.

Agentic commerce will create journeys involving multiple platforms, identities and automated decisions. No participant will see the whole picture on its own.

Connected intelligence isn’t a choice anymore

The industry talks about using AI to fight AI-driven fraud, and to be honest that’s too simplistic.

The competitive advantage won’t come from attaching an AI label to another isolated fraud model. It will come from giving risk systems enough context to make a good decision.

An agent-initiated transaction will need to be assessed against the customer’s previous behaviour, the agent’s historical activity, the merchant’s risk profile, associated devices, linked accounts and patterns seen elsewhere in the payments network. The more fragmented that intelligence is, the easier it becomes for malicious activity to hide between institutions and systems.

Agent identity, delegated mandates and verifiable intent will provide important new signals, but these signals must be connected to behavioural and network-level intelligence. A valid mandate should not automatically make every transaction executed under it low-risk, just as a valid payment credential does not guarantee that the person using it is legitimate.

Agentic commerce makes connected and network-level intelligence essential. Issuers, acquirers, PSPs and merchants don’t now have a choice to treat their part of the transaction as an independent event as the risk exists across the relationship between them.

To be clear, that doesn’t mean sharing every piece of customer data indiscriminately. It means building privacy-conscious ways to recognise linked behaviour and relevant risk patterns across the ecosystem.

Liability can’t remain an afterthought

There is also an uncomfortable question about responsibility. When a person makes an unauthorised card payment, existing rules provide a framework for investigating the transaction and determining liability. But what happens when a customer authorised the agent, the agent completed the purchase and the result was not what the customer intended?

Was the agent at fault or the technology provider responsible? Maybe the merchant should have recognised unusual automated behaviour or even the issuer expected to detect that the purchase exceeded an instruction it couldn’t see.

These questions require clearer standards for consent, mandates, audit trails and dispute resolution. Standards alone will not resolve every dispute. Better intelligence will be needed to apply them and establish whether an apparently valid action was also consistent with the customer’s expected behaviour and risk profile.

Firms will need evidence showing which agent acted, what authority it had, which constraints and approvals applied, how the transaction developed and why it was approved.

Explainability will matter as much as detection. A risk score without a clear audit trail will be of limited value when customers, investigators and regulators ask what happened.

Trust will determine how far agentic commerce can go

The industry doesn’t need to respond to agentic commerce by attempting to eliminate every possible risk before allowing innovation, that has never been how payments progress. But we should also not assume that existing controls can just be extended to cover autonomous purchasing.

An AI agent isn’t just another device or checkout channel. It introduces a new economic actor into the payment journey, one that operates with delegated authority and can make decisions without the customer being present.

Companies now need to support this autonomy without losing accountability which requires clearer mandates alongside continuous assessment and connected intelligence across the payment ecosystem. It also requires controls capable of understanding relationships and behaviour, not only credentials and individual transactions. Agentic commerce promises a future in which buying becomes almost invisible. Fraud prevention can’t become invisible with it.

João Moura, Founder and CEO of Fraudio