By late 2025, you could ask ChatGPT for a pair of running shoes under $100 and finish the purchase without leaving the chat window. The mechanism behind that, Stripe's Shared Payment Token, hands an AI agent a credential scoped to one merchant and one basket total, then lets it expire. No card number changes hands. By 2026 the same pattern had spread well past retail: Amazon's assistant navigating third-party sites to buy on a user's behalf, MoonPay issuing non-custodial wallets to agents, and Ant International shipping a mobile-first agentic payment protocol. The transaction stopped being a moment and became a standing permission.
That reads like a checkout improvement. Its bigger consequence is to the threat model, and most identity stacks have not caught up to it.
Authenticate once, then what?
Traditional payment security assumes a defined interaction: a person, a checkout screen, a single authorization. You enter a card, confirm a one-time code, the transaction clears. Fraud teams built two decades of tooling around that shape, mostly hunting for stolen credentials used inside that narrow window.
Agentic payments do not have that shape. An agent holds delegated authority. It can evaluate, decide, and execute across many transactions and environments without pausing for a human at each step. The user authenticates the agent once, sets a few guardrails, and steps back. The question security teams now face is an awkward one: after that first authorization, what actually confirms the right party is still in control three hundred transactions later?
This is not hypothetical. Industry groups spent the first half of 2026 arguing over who even counts as the regulated party when a platform keeps the ability to redirect or withhold funds an agent is moving. The protocols racing to fill the gap, from the Agentic Commerce Protocol to competing standards out of the card networks and wallet providers, all converge on the same three requirements: bind the payment to a verified human, scope what the agent can spend, and keep an auditable record of who authorized what.
Why real-money platforms are the stress test
If you want to watch scoped authority and human-in-the-loop verification working under pressure, look at industries that already move large sums for individual users and get punished hard when they get it wrong.
Online banking is the obvious case. So is any platform processing high-value withdrawals, where the payout rather than the deposit is where fraud concentrates. Regulated gambling operators sit squarely in that category, and they have been forced to solve the verification problem in public. Most require a full identity check before a user's first withdrawal, no matter how the deposit arrived, specifically to stop account takeover and money laundering at the point where money leaves the system. One hands-on review of safe online casinos in Canada timed those payout flows across more than a dozen sites and mapped how each one gates a cashout behind document verification, two-factor confirmation, and device checks; you can read the full guide for the site-by-site breakdown. The detail worth borrowing is structural. The heaviest verification fires at the moment of value transfer, not only at onboarding.
That is exactly the control agentic systems are missing. A scoped token can cap what an agent spends in one session. On its own it does little to re-confirm the human behind a string of withdrawals or transfers kicked off days apart.
What builders should actually take from this
Three patterns are worth designing in from the start rather than retrofitting after the first incident.
Scope every credential tightly. Stripe's token model is a useful template: a credential good for one merchant and one amount, with a short life, is far less valuable to an attacker than a card sitting on file. Treat agent authority the same way. Per-action limits, per-merchant binding, and expiry should be defaults, not settings buried three menus deep.
Re-verify at value transfer, not just at login. The payout pattern from regulated operators generalizes cleanly. The riskier the action, the more recent the proof of identity should be. A step-up check before a large or unusual transfer costs the user a few seconds and closes the precise window agentic fraud exploits.
Assume the face on the camera might be synthetic. This is the part teams underestimate. Through 2026, injection tools and live deepfakes have been defeating the selfie-and-liveness checks that underpin most onboarding. The World Economic Forum's January 2026 review of face-swap and camera-injection tools found that most bypassed standard biometric checks, and Deloitte projects U.S. fraud losses climbing toward $40 billion by 2027 on the back of generative methods. If your verification layer still trusts a single liveness frame, an agent acting for a fabricated identity will sail through. A practical rundown of where detection actually holds up lives in this breakdown of identity verification APIs with deepfake detection, and it is worth reading before you commit to a vendor.
The part nobody gets to skip
Agentic commerce is being sold on convenience, and the convenience is real. The constraint was never innovation. It is trust. An agent that can spend continuously on your behalf is only as safe as the system deciding whether it is still you.
The teams that get this right in 2026 will not be the ones with the smoothest checkout. They will be the ones who treated delegated authority as a liability to be scoped and re-verified, the way high-stakes payment operators already do, instead of a convenience to be expanded. Build for the three-hundredth transaction, not the first.
Comments
Loading comments…