• Home
  • Opinion
  • ‘Prove you're human’ is the wrong security question in agentic commerce

‘Prove you're human’ is the wrong security question in agentic commerce

Bots are no longer the enemy, and the inversion dilemma is real, explains Judy Winn, CISO at Peach Payments
Judy Winn, CISO, Peach Payments.
Judy Winn, CISO, Peach Payments.

For 20 years, payment security treated bots as the enemy. Agentic commerce just flipped that assumption upside down.

Over the last year, agentic commerce has shifted from a conference concept to reality. Visa enrolled local banks in its Agentic Ready programme, Mastercard unveiled Agent Pay, and OpenAI and Stripe integrated Instant Checkout

By March 2026, Mastercard and Google open-sourced Verifiable Intent. The underlying premise is elegant: an AI agent acts for you, and the payment just happens.

McKinsey projects AI agents could mediate between $3 trillion and $5 trillion in global agentic retail commerce by 2030. But removing the human loop creates an entirely new attack surface. When a human is no longer in the room, how do we know an autonomous agent is doing what the customer actually asked for?

The great inversion

Almost every cyber defence we’ve built rests on a single assumption: humans are legitimate, and automation through bots is suspect. CAPTCHAs, rate limits, and behavioural biometrics exist to block automated traffic.

Agentic commerce completely inverts this paradigm. Now, your most valuable traffic arrives as a bot. The question “prove you're human” is obsolete. The new question is: “Prove you're an authorised agent acting within scope.”

The challenge is running two regimes simultaneously. Malicious bots haven't disappeared, and card-testing and scraping are still rampant. We must block hostile automation while welcoming legitimate agents, and tell them apart in milliseconds. Added to that, AI agents reason and adapt, and they can be socially engineered. That makes a legitimate agent hijacked via prompt injection a trusted actor carrying out an attacker’s instructions, not a ‘bad bot’.

Three questions to ask now

Who is the agent, really? Cryptographic wrappers like Google’s Agent Payments Protocol (AP2)’s Mandates and Mastercard’s Verifiable Intent are major milestones. However, these competing protocols are still settling into interoperable standards under the FIDO Alliance’s newly formed 2026 working groups, which work towards a passwordless society.

What happens when the agent gets hijacked? Prompt injection is a critical risk. If an attacker slips malicious, invisible text into a product description, they can alter the agent's instructions (e.g., tripling an inventory order and changing the shipping address). The defensive plumbing is documented by the Open Worldwide Application Security Project (OWASP), but field-tested defenses in live payment flows remain thin.

How fast can fraud happen? Human fraud is limited by human speed. Agents operate in milliseconds, executing thousands of attempts before an analyst can refresh a dashboard. Legacy fraud signatures like typing cadence or session velocity are useless here.

What can leaders do now?

First, get a seat at the table early. Security teams should join product conversations before the architecture is locked in. Retrofitting agent identity into a production checkout is incredibly painful.

Next, treat intent as a first-class security problem. Don't assume networks fully solve delegation. Build controls that explicitly define what an agent is authorised to do, who proves it, and how that authority is revoked.

Thirdly, recalibrate fraud detection. Retrain models to recognise machine-speed behaviour, distinguishing between automated abuse and legitimate autonomous purchases.

Finally, extend AI governance. Apply your existing AI governance frameworks to third-party agents transacting against your systems.

AI security that treats agentic commerce seriously is not a Silicon Valley luxury. In fragmented financial landscapes like African payments, intelligent orchestration delivers immense value, but weak controls will do profound damage.

The companies that treat agent identity and machine-speed fraud as core design requirements today will hold a definitive advantage. This is where payment security and AI governance converge, and it is the most critical problem our industry faces.

Share

Read more
ITWeb proudly displays the “FAIR” stamp of the Press Council of South Africa, indicating our commitment to adhere to the Code of Ethics for Print and online media which prescribes that our reportage is truthful, accurate and fair. Should you wish to lodge a complaint about our news coverage, please lodge a complaint on the Press Council’s website, www.presscouncil.org.za or email the complaint to enquiries@ombudsman.org.za. Contact the Press Council on 011 484 3612.
Copyright @ 1996 - 2026 ITWeb Limited. All rights reserved.