For 20 years, payment security treated bots as the enemy. Agentic commerce just flipped that assumption upside down.
Over the last year, agentic commerce has shifted from a conference concept to reality. Visa enrolled local banks in its Agentic Ready programme, Mastercard unveiled Agent Pay, and OpenAI and Stripe integrated Instant Checkout.
By March 2026, Mastercard and Google open-sourced Verifiable Intent. The underlying premise is elegant: an AI agent acts for you, and the payment just happens.
McKinsey projects AI agents could mediate between $3 trillion and $5 trillion in global agentic retail commerce by 2030. But removing the human loop creates an entirely new attack surface. When a human is no longer in the room, how do we know an autonomous agent is doing what the customer actually asked for?
The great inversion
Almost every cyber defence we’ve built rests on a single assumption: humans are legitimate, and automation through bots is suspect. CAPTCHAs, rate limits, and behavioural biometrics exist to block automated traffic.
Agentic commerce completely inverts this paradigm. Now, your most valuable traffic arrives as a bot. The question “prove you're human” is obsolete. The new question is: “Prove you're an authorised agent acting within scope.”
The challenge is running two regimes simultaneously. Malicious bots haven't disappeared, and card-testing and scraping are still rampant. We must block hostile automation while welcoming legitimate agents, and tell them apart in milliseconds. Added to that, AI agents reason and adapt, and they can be socially engineered. That makes a legitimate agent hijacked via prompt injection a trusted actor carrying out an attacker’s instructions, not a ‘bad bot’.
Three questions to ask now
Who is the agent, really? Cryptographic wrappers like Google’s Agent Payments Protocol (AP2)’s Mandates and Mastercard’s Verifiable Intent are major milestones. However, these competing protocols are still settling into interoperable standards under the FIDO Alliance’s newly formed 2026 working groups, which work towards a passwordless society.
What happens when the agent gets hijacked? Prompt injection is a critical risk. If an attacker slips malicious, invisible text into a product description, they can alter the agent's instructions (e.g., tripling an inventory order and changing the shipping address). The defensive plumbing is documented by the Open Worldwide Application Security Project (OWASP), but field-tested defenses in live payment flows remain thin.
How fast can fraud happen? Human fraud is limited by human speed. Agents operate in milliseconds, executing thousands of attempts before an analyst can refresh a dashboard. Legacy fraud signatures like typing cadence or session velocity are useless here.
What can leaders do now?
First, get a seat at the table early. Security teams should join product conversations before the architecture is locked in. Retrofitting agent identity into a production checkout is incredibly painful.
Next, treat intent as a first-class security problem. Don't assume networks fully solve delegation. Build controls that explicitly define what an agent is authorised to do, who proves it, and how that authority is revoked.
Thirdly, recalibrate fraud detection. Retrain models to recognise machine-speed behaviour, distinguishing between automated abuse and legitimate autonomous purchases.
Finally, extend AI governance. Apply your existing AI governance frameworks to third-party agents transacting against your systems.
AI security that treats agentic commerce seriously is not a Silicon Valley luxury. In fragmented financial landscapes like African payments, intelligent orchestration delivers immense value, but weak controls will do profound damage.
The companies that treat agent identity and machine-speed fraud as core design requirements today will hold a definitive advantage. This is where payment security and AI governance converge, and it is the most critical problem our industry faces.
Share



