Share your feedback
The race forintent, consent
Encoding trust
&
control in the
agentic world
listen to this section · 2:27 MIN
Executive summary
If 2026 has been about laying the foundations of agentic commerce, 2027 and beyond are about creating a trusted architecture which enables it to scale.The gap between technical capability and human willingness to delegate is the binding constraint at present. Consumers are open to AI-assisted discovery and research, but only one in ten1 are willing to let an agent complete a purchase autonomously. Financial institutions overwhelmingly identify trust as the most significant barrier to adoption, with a majority expecting fraud to increase significantly as agentic commerce grows. The technology is here. The confidence isn’t yet. That requires a redesign of how trust, permissioning, and oversight work in a world where transactions are no longer always discrete acts initiated by users, but the outcome of delegated decisions made by autonomous systems. In that environment, the payment may be technically authorized, but the harder question is whether the agent’s action, or series of actions, still reflects what the user intended. Familiar signals of intent weaken, and with them the assumptions on which legitimacy has traditionally rested.This report describes an emerging model in which confidence is established earlier in the flow, expressed through machine-readable permissions, and checked continuously rather than only at the moment of payment. At the center of that shift, tokenization is moving from a security mechanism to a way of scoping delegated action through identity, consent, and constraints. The implications are significant: payments become more explicitly a system of governance, competitive advantage shifts toward those that can set and enforce decision rights, and adoption will depend as much on user and institutional confidence as on technical capability. The next phase of commerce will be shaped by those that can make delegated action both operable for machines and intelligible to people.
Only one in ten are willing tolet an agent complete a purchaseautonomously
Key points
Tokenization, identity and verifiable intent are becoming the core operating tools.
A new trust layer is the essential scaling condition for agentic commerce
The decisive challenge is translating delegated intent into enforceable constraints before money moves
The biggest change in commerce isn’t AI. It’s delegation.
In this issue
view section
Bridging the trust gap
1
Section 1
Market signals
3
Section 3
Tokenization and verifiable intent
5
Section 5
Personalization in an agent-mediated market
7
Section 7
Key Mastercard initiatives
9
Section 9
Conclusion
10
Section 10
Outlook for players
8
Section 8
Risks
6
Section 6
Defining the trust layer
4
Section 4
From automation to autonomy: The road ahead
2
Section 2
Gartner Survey Finds Consumers Want AI Shopping Help, But Not AI Purchase Decisions
Sources
Sign up for Mastercard Signals
next
home
Navigate issue below
May 2026
Signals
Issue contents
1. Bridging the trust gap
2. The road ahead
3. Market signals
4. Defining the trust layer
5. Tokenization and verifiable Intent
9. Key MA initiatives
6. Risks
7. Agent-mediated personalization
8. Outlook for players
Bridging thetrust gap
Key takeaways
Human intent becomes harder to verify when agents act on a user’s behalf
The adoption hurdle isnot technical capability,but confidence indelegated action.
Users will delegateonly when boundaries, visibility, override and recourse are clear.
For decades, trust in payments has been anchored to a simple, verifiable act.A consumer taps a card, enters a PIN, or clicks “buy.” That moment does more than trigger a transaction. It signals intent. Every party in the system understands what was authorized, when, and by whom.
Paymentinfrastructure has been designed around three assumptions
A transaction is a bounded event with a clear beginning and end.
Possession of valid credentials, combined with behavioral signals,is a reliable proxyfor legitimacy.
The human authorizes an objective, not a specific transaction.
Agenticcommerce disruptsall three
Authorization governsa sequence of decisions,not a single event.
Credentials can bevalid, but still misaligned with intent.
Mastercard’s own research suggests over two thirds of consumers don’t yet trust Agentic AI, and security, privacy and control top their list of concerns.6
The trust gap
Financial institutions agree trust willbe the most significant barrier to agentic payments adoption.2 78% financial institutions expect fraud to increase significantly due to agentic commerce 3
78%
85% believe their current systems and scaling plans are insufficient for the change 4
Agentic payments in commerce—the future is here | Accenture Banking Blog Agentic payments in commerce—the future is here | Accenture Banking Blog Agentic payments in commerce—the future is here | Accenture Banking Blog Talk to My AI Agent: The New Rules of Brand Value | Accenture Mastercard Research Center, May 2026 Did I pay too much?
2 3 4 5 6 7
previous
85%
Most consumers are open to using an AI agent for shopping assistance,but far fewer say they’d be willing to allow the agent to complete a purchase5(26,000 respondents across 16 countries).
Higher delegation = lower confidence
more you
more control
open to collaboration
The consumer works with the Al agent to find the best option.
open to delegated decision making
Al decides what to buy.The consumer makes the payment.
32%
open to task execution
Al completes specific commerce tasks on the consumer's request
74%
open to autonomous purchasing
Al purchases independently with guardrails set by the consumer
9%
more agent
more convenience
Security and control will be paramount
Consumers' Top 3 on Agentic AI
CONCERNS
Trust drivers
Privacy
Strong privacy and protection of personal and financial data
Security
Ability to override, cancel or reverse AI actions
Loss of control
Strong security measures
A human is either present at the moment of authorization, or has previously authorized specific payment.
A viral TikTok video7 highlighted the delegation risk in agentic shopping, showing an agent being manipulated into agreeing to pay $400 for a loaf of bread. It struck a nerve because it compresses several emerging concerns into an eye-popping failure. The video shows how easily autonomous agents can drift into economically irrational behavior. It highlights why payments, identity, and trust layers will matter more in agentic commerce. And it demonstrates that without constraints, agents often optimize for agreement, not outcomes. Even if it means being ripped off.
the $400 loaf
Trust is earned, not assumed
In the early internet era, entering card details into a website felt reckless. Ecommerce scaled only when encryption, secure checkout, card networkrules, fraud controls, refunds and recognizable merchant brands made therisk manageable.
The same pattern has played out to varying degrees with biometrics, contactless payments, mobile wallets and open banking. What first felt invasive or unsafe became acceptable when systems provided clear benefits, visible limits, fallback options, consent, revocation and recourse. Agentic commerce is the latest example. The path to adoption will not be a leap of faith, but the seedingand cultivation of trust through clear mandates, visible controls, scoped permissions, audit trails, reversibility and recourse. History teaches us that people can learn to trust agentic commerce. But only if the infrastructure earnsthat trust.
Ken Moore | chief innovation officer at
“The trust gap isn’t new. Every major shift in digital commerce has depended on winning the confidence of consumers and institutions. Agentic commerce will properly scale when we can prove that every action is bound by consent, is visible to the user, and reversible if something goes wrong. It’s about designing trust into the flow.”
As AI systems begin to act on behalf of consumers and businesses, transactions are no longer initiated only through explicit interaction. They are increasingly the result of delegation. A user may set an objective or constraint, then step away. An agent interprets that objective, evaluates options, and executes actions across multiple steps, platforms, and timeframes. This creates a gap between how commerce is executed and how it is governed. Today that gap is often bridged by bringing the user back in at checkout. Agents recommend, humans approve. That preserves a clear signal of legitimacy, but it also limits autonomy and keeps execution tied to human confirmation. The deeper transformation begins when that model no longer holds. As commerce becomes more delegated, the system cannot depend on a final moment of confirmation to establish legitimacy. User intent is set in advance, interpreted over time, and carried out through a sequence of actions across systems and contexts. Technical capability is advancing quickly, but willingness to let systems act independently remains limited. People may rely on AI to search, compare, and recommend. Far fewer are comfortable handing over spending decisions without clear boundaries, visibility, and recourse. That gap is the immediate constraint on scale.
Video @HuskIRL
listen to this section · 6:12 MIN
trust gap
from automation to autonomyThe road ahead
Humans move from execution to boundary-setting and oversight
Agents move from recommendation to execution
The big change is from human-approved transactions to pre-authorized agent actions
Today, we’re largely at the planned stage: agents can compare options, optimize across constraints, and produce a ready-to-approve action bundle, but a human still authorizes payment at the point of execution. The next phase begins when that approval shifts upstream, from confirming individual transactions to setting the conditionsunder which an agent can act independently.
The shift from automation to autonomy is a journey. Systems will evolve from executing fixed rules, to supporting decisions, to assembling complete plans, and will eventually act within delegated mandates. Each step increases the scope of machine agencyand reduces the need for direct human involvement at the point of action.
A finance director arrives on Monday morning to find the operating week already in motion. Her company’s procurement agent has renegotiated two delivery dates with supplier agents, captured an early-payment discount where cash allowed, held back a non-critical payment when reserves tightened and escalated one invoice because the service level fell outside contract terms. Each action is checked against the remit she set: approved suppliers, contract terms, cash thresholds, exception rules and audit requirements. The work hasn’t disappeared, but moved upstream. The director defines the boundaries, reviews the exceptions and can narrow or suspend the agent’s authority at any point. The agent runs the week, but control remains with the human.
The week that runs itself
A plausible future
Pablo Fourez | chief digital officer
“The technology enabling agentic commerce is evolving at lightning speed. That’s why we’ve moved fast to define the industry standards required for scalability.At the end of the day, users just want to know that it works and they can trust it.That’s what we’re focused on delivering.”
HUMAN ROLE
Autonomy progression
Rules
Click on each stage of the autonomy progression below to see how human and agent roles will evolve
LOW
HIGH
Guided
Planned
Mandated
Goal-directed
Machine-to-machine
Configure and forget
TASK
“Do this on a schedule.”
AGENT ROLE
Basic automation
OUTCOMES
Automation with no situational awareness
CONSUMER EXAMPLES
“Reorder essentials monthly.”
B2B/procurement example
“Pay supplier X on the 30th.”
Decide and approve
“Help me choose.”
Surfaces options and trade-offs
Better decisions, still human-led
“Compare two phones and payment options.”
“Recommend cheapest payment rail for invoice Y (fees/FX/settlement).”
Approve a prepared plan
“Bring me a complete plan.”
Produces a ready-to-approve action bundle
High-quality “proposal” that’s ready to run
“Build my basket for a weekend trip; I’ll approve.”
“Assemble a payment run optimized for discounts + cash flow.”
Set mandate; handle exceptions
“Act for me within a mandate.”
Executes within constraints
Pre-authorized delegation with clear boundaries
“Book replacements if travel breaks, within $X and my rules.”
“Release payment when PO/contract match and thresholds are met.”
Set objectives; audit outcomes
“Manage outcomes, not tasks.”
Tunes decisions continuously toward goals
Systems run as control loops with monitoring and reversibility
“Keep household spend within targets; optimize subscriptions and bills.”
“Continuously manage working capital: timing, liquidity, routing, exceptions.”
Govern the system; intervene by policy, not by hand
Interact and transact across counterparties.”
Negotiates, coordinates, and settles with other agents
A mesh of agents making commitments with traceability and recourse
My agent negotiates bundles (connectivity/streaming/insurance) and executes when terms match my mandate.
Procurement agent negotiates price, service levels, and settlement terms with supplier agents, then executes within policy.
Agentic Commerce
Toggle to see how agentic commerce works today, and how it will work tomorrow: Today agentic commerce mostly supports discovery, comparison and recommendation, while the human still approves the final action.
Tommorow
Today
Toggle to see how agentic commerce works today, and how it will work tomorrow: Tomorrow agents will act within delegated mandates, executing across systems while trust, consent and control are checked continuously.
Trust layer
The trust infrastructure that lets machines transact - validated at every step, replacing the human checkout approval moment. Humans move upstream to set mandates and downstream to oversee - agents negotiate and transact in between, while the trust layer validates identity, intent, permissions and payment before money moves.
Agentic identity
Verifiable intent
Tokenized authority
Policy check
Audit trail
listen to this section · 2:53 MIN
the-agentic-commerce-opportunity-how-ai-agents-are-ushering-in-a-new-era-for-consumers-and- Gartner Unveils Top Predictions for IT Organizations and Users in 2026 and Beyond Agentic Commerce Adoption Benchmarks 2026 Modernretail.com What went wrong with ChatGPT's Instant Checkout - Modern RetailAgentic Commerce Adoption Benchmarks 2026 | Presenc AIChinese tech giants race to create the 'everything app' of the futureAlexa for Shopping: Amazon's AI assistant for personalized shoppingGoogle's Universal Commerce Protocol (UCP): A Store GuideGartner Forecasts Supply Chain Management Software with Agentic AI Will Grow to $53 Billion in Spend by 2030
8 9 10 11 12 13 14 15 16 17
Agentic commerce is moving from experimentation to market formation
Early winners in interface design are running into downstream trust and execution constraints
Open, multi-surface models are gaining strategic relevance as commerce fragments across assistants, merchants and rails.
The agentic commerce market is real, with agent-assisted consumer spending forecast to reach $3-5 trillion by 20308 and B2B spending possibly three times that.9 These are large numbers built on small foundations; agent-mediated transactions currently account for only about 0.4% of global ecommerce by volume and 0.2% by value.10
2030 Agent-mediated transactions
% of global ecommerce currently agent-mediated
0.4%
volume
value
0.2%
That gap between market potential and operational readiness is important, because it demonstrates the market is waiting for the trust infrastructure that allows autonomous action to be recognized, constrained, accepted and resolved across all parties. The clearest signals now point to a market moving from experimentation toward the harder work of execution:
The market is movingfrom interface novelty to infrastructure reality
Recent changes in approach11 suggest the market is running into the hard work of operationalizing agentic commerce at scale. In September 2025, OpenAI launched Instant Checkout inside ChatGPT, allowing users to buy products without leaving the conversation. By March 2026 the company had scaled it back, after merchants complained of low conversion rates. The challenge is not just to build a compelling AI experience. It is making transactions work reliably across multiple actors, systems, and contexts. That marks a structural change from hype to execution.
In the first flush of agentic commerce, there was speculation that a single AI interface, platform, or assistant could capture the market. In fact, the market is moving toward a multi-surface model spanning search, chat, voice, merchant sites, marketplaces, wallets, and embedded checkout experiences. That changes the strategic question from “who owns the interface?” to “who enables trusted execution across fragmented environments?”
A multi-surface modelis emerging
Early closed-loop approaches have been effective in coordinating agentic commerce, but at the expense of choice, competition and interoperability. China is the clearest example of a closed-loop approach13. Its super-app ecosystems already combine discovery, payment and fulfilment inside a single environment, reducing the friction of agent-led execution. Alibaba’s Qwen, for example, is being integrated directly with Taobao, Fliggy and Alipay, while Tencent is pursuing a similar path through WeChat’s social, content and payments stack. But closed loops have limits. They can deliver cleaner early experiences, yet their reach is bounded by the ecosystem they control. Amazon’s Alexa for Shopping14, for example, offers a personalized consumer experience but only within the Amazon platform. Open models, by contrast, are messier at first, but structurally stronger in a diverse market. That’s one reason that Walmart, Shopify, Target, Etsy, Wayfair and others are backing Google’s Universal Commerce Protocol (UCP)15, which emphasizes interoperability through open standards. As the market broadens across merchants, platforms, assistants, and rails, interoperability becomes a structural advantage.
Closed-loop models emerge early, but open models are gaining structural advantage
The decisive constraints on scaling agentic commerce are not in AI capability. They are in the plumbing: interoperability, merchant acceptance, identity, permissions, catalog quality, payment authorization, and transaction trust. The numbers confirm this; according to one recent survey 83% of brands are not yet ready for agent payments.12 These are not peripheral issues. They are the enabling conditions for scaled adoption. Better agent experiences alone cannot unlock the market.
The hard work is downstream, not upstream
A more realistic division of labor is emerging. AI assistants are well placed to influence discovery, recommendation, and demand generation, but that doesn’t make them natural owners of checkout. The transaction layer still depends on merchant systems, payment credentials, authorization logic, fraud controls, and post-transaction processes. The platforms that have tried to collapse discovery and checkout into a single AI experience have struggled (see above). The ones gaining traction are those shaping demand upstream while routing execution to trusted infrastructure downstream.
Influence and executionare separating
Consumers will not hand every purchase to an agent. Delegation will likely expand fastest in low-friction, repeatable, or utility-driven categories: the mundane and time-consuming chores of insurance renewal,utility supplier switching, subscription management and regular grocery shops, for example. Many higher-value, luxury, and identity-expressive purchases will remain human-led. In those categories, shopping represents evaluation, enjoyment, reassurance, and sometimes status performance. That means agentic commercewon’t replace shopping in a uniform way. It will absorb some journeys, reshape others, and leave spacefor experiences where human involvement remains part of the value.
Agentic commercewill not be absolute
Some of the most commercially meaningful gains are emerging outside of consumer shopping. Procurement, accounts payable, supply chain coordination, and B2B transactions are more structured, rules-based, and policy-governed than consumer commerce, which makes them better suited to delegated execution. The incentives are also clearer: reduced friction, lower operating costs, improved working capital, and faster exception handling. Consumer commerce may attract more attention because it is visible and familiar.But some of the deepest early adoption will happen in enterprise workflows where trust, authority, and repeatability are already formalized. Gartner forecasts that 60% of supply chain management systemswill deploy AI agents by 2030, up from 5% in 2025.16
Enterprises are becoming early adopters
Video @OpenAI
listen to this section · 6:51 MIN
How Agentic AI Will Reshape Payments Google Universal Cart Positions AI as a One-Stop Storefront How Verifiable Intent builds trust in agentic AI commerce | Mastercard Global Building the Trust Layer for Agentic Payments with AP2 and Verifiable Intent | FIDO Alliance
18 19 20 21
Definingthe trustlayer
This marks a shift from a single, linear flow to a layered system. In a traditional transaction, intent, authorization, and settlement collapse into one process. The user initiates an action, the system evaluates it in real time, and the payment is executed. Trust is implicit in that sequence. The act of initiation provides both the signal of intent and the basis for approval. That changes in a delegated model. As user instructions are set before execution and actions unfold across multiple steps, the system needs a way to interpret those instructions consistently over time. This creates a clearer separation of responsibilities across three layers:
If trust is no longer resolved at the point of purchase, it needs to be establishedat the moment of intent. That introduces a new component of the payments stack: a trust layer that sits between user intent and execution, and determines what actions are allowed before money moves. A core function of this layer is to produce a structured record of what a user has permitted an agent to do, under what conditions, and within what limits. That gives issuers, merchants, and networksa common basis for checking whether an action sits inside the delegated scope.
Advantage will go to thosewho define what can act,under what conditions, andwith what proof
This is where authorityand accountability willbe decided
The trust layer turns user instructions into enforceable rules
Intent and orchestration
Purpose
Translate goals into actions
Description
AI systems interpret user instructions, evaluate options, and decide what to do next. It is dynamic, adaptive, and operates continuously across services and contexts.
What sits here
MCP, A2A, ACP, UCP…
a layered approach
AP2, KYA, tokenization, verifiable intent, verifiable credentials, delegated authority…
Translates intent into constraints, specifying whocan act, under what conditions, and within what limits. Unlike the orchestration layer, it must be deterministic, consistent, and auditable. Its role is to validate whether an action belongs within what was authorized, before it is executed.
Define and enforce who can do what
Trust and control
Card rails, bank rails, RTP, stablecoin rails, clearing and settlement infrastructure…
This is the infrastructure that moves money, clears transactions, and records final outcomes. In agentic commerce that function remains, but its position in the decision process changes. It increasingly operates on instructions that have already been validated upstream.
Execute payment and record final outcomes
Settlement
PAYMENTS INFRASTRUCTURE
AI INFRASTUCTURE
Trust becomes portable
It must travel with the transaction across systems and platforms, so that every party can validate that the action is legitimate. This requires a shared understanding of how permissions are represented and enforced.
Authorization becomes continuous
Instead of a single approval, the system must assess whether an ongoing stream of actions remains within defined constraints. The question is not just “should this transaction be approved?” but “does this action belong within the authorized behavior of the agent?”
This introduction of a trust layer has several consequences
The payment layer executes instructions that have already been validated upstream. Its role shifts toward reliable execution, while the trust layer defines and governs those instructions.
Settlement decouples from the user
This is where the competitive dynamics begin to change. In a transaction-centric world, advantage sits in the efficiency, security, and reach of payment rails. In a layered world, the critical point of control moves upstream to how permissions are structured, how identity is verified, and how constraints are enforced. The trust layer becomes the new locus of value.
New roles in the ecosystem
Different players are approaching this from different positions in the stack,each attempting to extend their influence into this new layer. Three distinctapproaches are taking shape:
Open protocols are standardizing delegationand interaction
A third approach seeks to define common frameworks for how agents prove authority, how permissionsare represented, and how systems interact across boundaries. The goal is interoperability. Rather thaneach platform or network defining its own model of trust, these efforts aim to create shared standardsthat allow agents to operate across ecosystems without friction.
Mastercard’s development with Google of Verifiable Intent20 has been described by industry body FIDO Alliance as a “pivotal step” toward building a “shared, interoperable trust layer for identity, consent and delegation”.21 It’s evidence of agentic commerce beginning to standardize around proofof authority, not just connectivity, with UCP, AP2, A2A and MCP all pointing toward more interoperable agent-to-agent and agent-to-payment flows.
With its new Universal Cart19 Google is moving beyond product discovery into orchestration. It aims to create a persistent shopping layer across Search, Gemini, YouTube, and Gmail, monitoring prices, flagging incompatibilities, surfacing loyalty and payment options, and becoming the interface through which intent is translated into transaction.
Here, the starting point is orchestration. Some AI platforms are embedding payment functionality directly inside agent workflows, allowing systems to discover, access, and pay for services as part of their execution loop. The emphasis is on seamless integration. Payments are treated as another API that agents can call, rather than as a separate process. This simplifies execution, but raises questions about how identity, authorization, and control are managed across fragmented environments.
AI platforms are embedding payments into agent environments
“Payment systems must reconcile two fundamentally different design logics: the adaptive, probabilistic nature of agentic AI systems and the deterministic requirements of financial market infrastructures. Without appropriate safeguards, delegating payment initiation to autonomous agents could introduce new operational, legal, and systemic risks.”– International Monetary Fund, April 2026 18
For networks, the starting point is established trust infrastructure: credentialing, authorization, and global acceptance. The focus is on adapting those capabilities to a world where the actor is no longer a human.This is driving the creation of agent-specific credentials, tokenized permissioning, and shared frameworksfor identity and verification. The objective is to extend existing trust models into new interaction patterns, without fragmenting the system.
Payment networks are extending trust to agents
That’s why the trust layer matters strategically. Its importance doesn’t come from processing transactions, but from setting the conditions under which transactions can occur with the confidence of all parties.
These approachesreflect deeper questionsabout where trust sits
Will it be anchored in existing payment infrastructure, extended into the agentic world?
Or will it be distributed through open standards that limit any single point of control?
Will it shift toward platforms that control intent and orchestration?
A company discovers a security vulnerability affecting hundreds of employee laptops. Its procurement agent is given a narrow emergency mandate: source approved replacement devices, prioritize teams handling sensitive customer data, secure delivery within 72 hours, stay inside framework pricing, include carbon reporting and escalate any supplier substitution. The agent checks inventory across preferred suppliers, rejects a cheaper model that fails the security specification, splits fulfillment across two vendors to meet the deadline and triggers an approval request when one supplier proposes a non-standard configuration. That remit travels with every step: through the supplier marketplace, the bank, the network and the internal approval system. Each party checks the same question before acting: does this machine-led decision sit within the authority the company granted?
The remit that travels
Video @Google
listen to this section · 7:45 MIN
Agent Authentication & Delegated Access: OAuth Flows, Scoped Tokens, and Identity Patterns for AI Agents (2026) | Zylos Research
22
Tokenizationand verifiable intent
This trust layer needs a way to represent and enforce delegated scope. Tokenization is increasingly serving that role. To see why, it helps to look at how tokenization has evolved and what it’s becoming.
Together, they makedelegated commerce more auditable, portable and governable
Verifiable intent links agent action back to what a user actually approved
Tokens start to define what an agent is allowed to do, not just protect payment details
The evolution of tokenization
2000’s
Security tokens
2010’s
Performance tokens
2020’s
Programmable tokens
Tokenization first emerged as a way of masking raw card data. The primary account number (PAN) was replaced with a token that could be used to complete a transaction without exposing sensitive data. The model is simple: Possession of a valid token implies permission to transact. Security is improved, but the underlying logic of authorization remains unchanged. As ecommerce scaled, tokenization evolved from credential protection into a performance lever. Network tokens helped reduce lifecycle-related declines (expired cards, reissued numbers), improved the quality of transaction data, and strengthened authorization outcomes, particularly in recurring and stored-credential payments. Tokens are now evolving from data substitutes to control levers. Recent work on agent authentication argues that long-running agents require authority that is scoped, attributable, and revocable, because the user is no longer present at the moment action occurs.22 To support delegated behaviour, tokens graduate from secure substitutes to task-scoped carriers of authority. In this form, a token does more than enable payment. It sets the scope within which an agent can act. It becomes a portable expression of delegated permission that different participants can interpret and apply consistently.
This is where tokenization and intent converge
WHO
Tokens can specify who is authorized to act. Not just an account holder, but a particular agent operating on their behalf.
limits
They can enforce limits, such as how much can be spent, how often actions can occur, and over what time period.
why
Critically, they can also encode why the authority exists. They can link a set of permissions back to a defined statement of intent, creating a persistent connection between what a user authorized and what an agent executes.
what
They can define what that agent is allowed to do, restricting actions by merchant, category, or use case.
lifecycle
They can carry a lifecycle, allowing permissions to be updated, withdrawn, or expire as conditions change.
A small restaurant group gives its procurement agent a simple remit: restock fresh ingredients across five sites, use approved suppliers, spend less than $3,000 a week and escalate anything outside policy. On Thursday, a supplier offers a discounted bundle: vegetables, premium knives, branded glassware and bulk spirits. The agent sees the savings and tries to commit. The token approves the produce order, but blocks the alcohol and equipment, and asks the manager whether the savings justify a policy exception. The point is control: the agent can pursue savings, but only within the authority it was given.
The basket with boundaries
Several capabilities begin to emerge
For merchants
For merchants, a programmable token provides a basis for trust that doesn’t depend on the presence of a human. Rather than relying on signals such as user behavior or checkout interaction, merchants can validate whether an agent is acting within an authorized scope. They gain visibility into the intent behind the purchase, not just the outcome.
For issuers
For issuers, it introduces a more precise form of risk assessment. Instead of evaluating isolated transactions, they can assess whether an agent’s activity remains within predefined constraints. A token scoped to "groceries, under $200, from these three merchants" provides a tighter risk frame than a general-purpose credential evaluated transaction by transaction. This allows for more granular control over what is permitted, rather than relying on broad rules or ex-post intervention.
For consumers
For consumers, it offers a way to delegate without losing visibility or control. A structured representationof intent creates a clear boundary between what was authorized and what was not. It provides a basis for recourse if those boundaries are exceeded, and for confidence that the system is operating within defined limits.
Expressing intent in a structured way introduces new design challenges. Permissions must be flexible enough to support real-world variability, but precise enough to constrain behavior. Poorly defined rules can produce unintended outcomes. Overly rigid rules can undermine the benefits of delegation. The direction is clear: authorization is moving from something inferred at the transaction moment to something specified in advance and checked over time. Tokenization helps carry those permissions. Verifiable intent helps anchor them to what the user actually approved. Together, they form the foundation of a system where actions are authorized by design.
What changes
This changes how each participant in the ecosystem interprets a transaction
listen to this section · 5:36 MIN
How Agentic AI Will Industrialize Financial Scams | BCGThe Bank of England names the agentic-herding problem — Agent Research CompanyHow Agentic AI Will Reshape Payments; IMF Note No. 2026/004; April 2026
23 24 25
RISKS
If liability, recourse and governance lag behind execution, adoptionwill stall.
Poorly governedautonomy could turn local failures into systemictrust problems.
The attack surfaceexpands from credentialsto instructions, permissions and agent identities.
Delegated authority can be abused
The fraud surface is shifting. In agentic commerce, the object of attack is no longer just the credential, but the mandate itself: who an agent is, what it is allowed to do, and for how long. That creates new vulnerabilities, from forged instructions and over-scoped permissions to persistent token abuse. Fraudsters can also use agentic AI to industrialize their operations. One estimate says it could reduce the cost of running a financial scam by 90% within two years, leading to a twofold or greater surge in successful fraud activity against a baseline that already costs $442 billion annually23.
The danger is not only that one agent makes a bad decision. It’s that many agents make similar decisions at the same time, creating distortions that no participant intended. The Bank of England, for example, is concerned about herding behavior, where multiple AI agents synchronize decisions and amplify price moves24. The IMF identifies the same dynamic in commerce: agents trained on similar models, using similar data, may converge on similar purchasing strategies, producing correlated demand spikes or merchant traffic distortions that no individual agent intended25. The underlying driver is model concentration. If a small number of foundation models power the majority of commercial agents, the diversity of decision-making is structurally limited.
Herding behavior disrupts markets
On the first cold week of winter, millions of household agents switch energy plans, reorder winter goods and book boiler services within the same 48 hours. Retailers sell out of heaters and insulation, utility companies face synchronized switching requests, service providers throttle agent traffic and prices spike in categories that looked stable the week before. No single agent behaves badly. The failure is synchronized rationality: too many well-optimized agents making the same decision at once.
The agenttraffic jam
Consumers may try AI assistance, but they’ll judge autonomous purchasing by its first mistakes: an unwanted substitution, hidden fee, confusing approval, or difficult dispute. If those experiences feel opaque or hard to reverse, users, issuers and merchants may respond by narrowing mandates, adding approval steps, or limiting agents to low-value tasks. The risk is path dependence: autonomy scales only where the perceived cost of losing control remains low.
Early failures setan adoption ceiling
Agentic commerce will struggle to scale without systems to determine who is accountable when something goes wrong. If an agent acts within the formal terms of a mandate but outside what a user believed they had authorized, who carries liability: issuer, merchant, platform, or agent provider?
Liability lagsbehind execution
The most serious risk is not any single failure mode, but the way they interact. Imagine a forged or over-scoped instruction leads to a disputed purchase. That dispute then becomes harder to resolve when liability is unclear. If the case is high profile, it could erode consumer confidence and invite regulatory caution. Firms then respond by adding friction, narrowing permissions, or slowing deployment. This is a real systemic risk - that local control failures don’t remain local, but quickly become broader failures of trust. The challenge is preventing errors in one part of the system from becoming crises of confidence in the whole.
Ann Johnson | executive vice president, security solutions at
“With every major shift in digital commerce, success has depended on creating confidence through security, transparency, and control. Agentic commerce will be no different. Bad actors will try to impersonate agents, manipulate intent, and exploit gaps or weaknesses. By creating a security model that recognizes the agent, constrains its authority, monitors its behavior, and can shut it down when it is exploited or not behaving as expected, we can prevent abuse and fraud.”
For agentic commerce to be successful, delegated authority has to be clear enough to trust and portable enough to work across ecosystems. It’s a demanding combination, and one not yet delivered.The risk is not simply that agents make mistakes. It is that commerce begins to execute faster than institutions can define, verify, and govern what those agents are actually permitted to do. If that gap widens, technical capability will outpace trust, recourse, and institutional readiness. Five risks stand out:
listen to this section · 5:28 MIN
Why Structured Data Gaps Block Your Store from AI Shopping Channels — A Practical FixStellagent Launches Agentic Commerce Studio for AI Agent Shopping ReadinessTalon. One Announces Unified Incentives Protocol to Power Loyalty and Promotions in Agentic CommerceInsights | Mastercard DevelopersPYMNTS | Mastercard and Stripe Help Wizard Personalize Agentic Shopping
26 27 28 29 30
Personalization shiftsfrom observing behaviorto permissioned signalexchange.
Machine-readablecatalogs, loyalty rules and offers become the new shelf space.
When the buyer is an agent, merchants lose many of the behavioral signals used for personalization.
This matters for merchants because personalization has traditionally depended on direct access to the buyer. When the buyer is an agent, merchants risk losing the signals that personalization depends on. No browsing behavior. No session data. No visible journey to optimize. If discovery, comparison, and execution all happen inside the agent, merchants risk being reduced to fulfillment. So how do merchants personalize offers for a customer they never see?
The trust layer doesn’t just govern payments. It governs what information can flow, to whom, and under what conditions. That makes personalization a trust layer function too.
The first response is defensive. If the buyer is an agent, a merchant’s inventory, pricing, and terms need to be machine-readable. If data is not structured for agents, products are invisible to them. A recent audit of 2400 products across Shopify stores found that only 11% of them had the structured data needed for an AI agent to recommend them.26 A market is emerging to meet this need. Mastercard’s Agent Suite Proto, for example, is a sandbox where merchants can test their visibility to AI agents. Japan’s Stellagent27 offers something similar, allowing merchants to test whether their product feeds, shipping logic, and checkout flows are machine-readable. Loyalty is another version of the same problem. An agent doesn’t browse a loyalty page. It queries an API. If a program can’t surface points balances, tier status, and offers in machine-readable form, it drops out of the agent's decision logic. In Germany, Talon.One has responded with a Unified Incentives Protocol designed to make promotions legible to agents through standardized formats.28
Machine visibility
Machine-legibility is only table stakes. Innovation is exploring how merchants can personalize within this model, not just be found by it. One route is to reverse the data flow. In the current model, merchants infer preferences from observed behavior. In an agentic model, the agent could present structured preferences to the merchant directly: what the user wants, within what constraints, with what signals attached. Not raw data, but a permissioned intent object the merchant can read and respond to. Mastercard's Insight Tokens29 illustrate how this could work. Consumers link their card, grant explicit consent, and the token carries structured signals rather than underlying data. Each consent flow offers transparency: consumers know what is shared and how it’s used. The merchant or agent can personalize without observing the customer directly.30 Extend this into a fully agentic context, and personalization becomes a negotiation. The agent presents intent. The merchant responds with a tailored offer. The exchange is mediated by permissioned data, not inferred from platform-owned profiles. This doesn’t eliminate the risk of disintermediation. But it offers merchants a route back into the personalization loop.
Permissioned preferences
Before a weekend trip, a traveler asks her agent to replace a damaged suitcase, find a birthday gift and book dinner near the hotel. The agent can search the web, but availability is only part of the decision. It also needs to know which merchants she trusts, which benefits apply, which offers are relevant and whether a nearby pickup beats a cheaper online option. With her permission, insight tokens let the agent use governed commerce signals without exposing raw personal data. Merchants respond with offers the agent can read, compare and explain. The shortlist is not simply the cheapest result or the highest bidder for attention. It is the best fit within the context the customer has chosen to share. In agent-mediated commerce, personalization begins when the customer decides what the market is allowed to know.
The shopper behind the agent
Only a minority of products currently have the structured data required for AI agents to recommend them.
listen to this section · 4:35 MIN
Agentic commerce: How agents are ushering in a new era | McKinsey Agentic Commerce Report: How AI Is Reshaping Brand Competition
31 32
Outlook forAI platforms, banks, merchants and networks
The requirement in common is stronger policy, verification and exception handling before and after the transaction.
Issuers need remit controls, merchants need agent-readable readiness, and networks need shared models of recognition and enforcement.
Agentic commerce changes the roles of all parties
These are high stakes for agentic commerce, with the B2C retail market alone forecast to reach $3-5 trillion by 203031. Most players are approaching this from their existing point of advantage: networks and banks from acceptance and institutional confidence, AI platforms from demand formation, and merchants from conversion optimization. The trust layer changes what each participant is responsible for, what capabilities they need, and where their competitive exposure sits.Click below to explore.
Technology platforms and AI assistants sit closest to intent formation. They shape how needs are expressed, how options are ranked and how decisions are framed before payment is ever initiated. That gives them real distribution power and a strong claim on demand generation. But it doesn’t hand them trusted execution, with authority over settlement, liability, dispute handling or cross-merchant acceptance. OpenAI's Instant Checkout rollback demonstrated this directly: distribution without infrastructure is not enough. Interface ownership has mattered most in the early phases of agentic commerce, where AI search has displaced web search, and users still rely heavily on a small number of assistants to mediate choice.
For AI platforms
A banking customer opens her app to a simple update: her household payments are on track. The weekly grocery order has renewed within budget, a utility bill has been paid and a subscription increase has been paused. One item needs a decision: her home insurance renewal is higher than the limit she set. She can approve the renewal or keep the rule in place. The experience is one of trusted delegation: routine decisions handled quietly, exceptions explained clearly and control available when it matters.
The agent control plane
In an agentic model, banks need to do more than approve or decline individual payments. They will need to manage delegated authority across accounts, credentials, channels and customer relationships, setting boundaries in advance, monitoring activity against those boundaries, and handling exceptions when agent behavior drifts. That calls for new capabilities in remit design, policy management, identity assurance, fraud monitoring, servicing and ongoing risk assessment.
For banks
For merchants, agentic commerce changes the basis of competition. Most expect agentic commerce to be the most disruptive force their sector has seen32. Success will depend less on having the best shopfront and more on being easy for agents to understand, trust and personalize to. Product details, prices, loyalty offers, delivery terms and preference signals all need to be clear enough for machines to read and act on. Merchants also need to know whether an agent is legitimate and whether any data or preference signal has been shared with consent. Without clear and auditable proof of agent authorization, the number of chargebacks can be expected to balloon.
Payment networks connect issuers and merchants, providing the infrastructure through which transactions are authorized and cleared. In an agentic model, that role extends upstream. Networks are well positioned to define shared models of identity, permissioning, and trust. They sit at the center of the ecosystem and can provide a common layer through which agents are recognized, credentials are tokenized, and constraints are enforced consistently across participants. Networks are establishing interoperable standards for how agents are identified, how intent is encoded, and how permissions are validated. The change is from enabling transactions to coordinating rules of participation.
For networks
At the system level, payments begin to blur into a broader permissioning function. Transactions become outputs of pre-defined authority rather than isolated events. That shifts risk upstream: mistakes in how agent remits are configured can propagate across multiple actions before anyone notices. It also shifts the nature of interoperability. Alignment is no longer just about formats and protocols, but about consistent models of authority: how consent is expressed, how constraints are interpreted, and how disputes are adjudicated when an agent acts within the letter of an instruction, but outside the user’s expectations.
For the ecosystem
listen to this section · 5:09 MIN
Mastercard Agent Pay: secure, scalable and trusted agentic AI | Mastercard US Mastercard Agent Pay for Machines | Mastercard US Agentic token framework: Driving trusted AI transactions | Mastercard UK How Verifiable Intent builds trust in agentic AI commerce | Mastercard Global Mastercard Developers Agent Toolkit | Platform Overview | Mastercard Developers Mastercard unveils new tools and collaborations to power smarter, safer agentic commerce | Mastercard UK Meet Shopping Muse by Dynamic Yield Mastercard launches Agent Suite to ready enterprises for a new era | Mastercard Global
33 34 35 36 37 38 39 40
KeyMastercardinitiatives
In 2025 Mastercard was the first payment network to develop agentic commerce capabilities, building on its trust infrastructure
Current initiatives map to the main requirements of the new model: agent identity, scoped authority, verifiable intent, policy enforcement and merchant readiness
Existing infrastructure, relationships, and standards provide a foundation for extending trust into new interaction models. This reduces the need for entirely new systems and anchors adoption in familiar constructs.
The introduction of agentic tokens extends traditional network tokenization into a form that can support delegation. Rather than simply replacing a payment credential, these tokens can be scoped to a specific agent, tied to defined permissions, and constrained by rules around usage. This reflects the broader shift outlined earlier. Tokens are not just protecting credentials. They are shaping what actions are possible.
Tokenization evolves into programmable permissioning
Agentic commerce introduces new actors into the system. Ensuring that these actors are identifiable, authenticated, and operating within trusted frameworks is a prerequisite for scaling the model. Mechanisms for registering, verifying, and managing agents help establish a baseline level of trust before any transaction occurs.
Agent identity introduces a new layer of accountability
Capabilities associated with authorization are beginning to take on a broader role. Rather than simply approving or declining transactions, they can be extended to define and enforce policies over time. This includes setting limits, applying conditions, and managing the lifecycle of delegated authority. It reflects the transition from point-in-time decisions to continuous governance.
Authorization becomes policy enforcement
The concept of verifiable intent introduces a structured way to represent what a user has authorized. Instead of relying on inferred behavior, it creates a record that can be validated across the ecosystem. This aligns with the emerging trust layer, where intent becomes an artifact that accompanies the transaction, allowing issuers, merchants, and networks to evaluate whether an action falls within defined boundaries. This will become particularly important in multi-step or ongoing agent workflows, where authorization can’t be reduced to a single event.
Verifiable intent becomes user authority
Taken together, these elements form a coherent position
Tokenization provides the mechanism to encode permissions
Verifiable intent provides the structure to represent authority
Agent identity establishes accountability
Programmable authorization enforces constraints over time
Selected solutions
Greg Ulrich | chief AI and data officer at
Agentic commerce only works if three things scale together: payments to enable transactions, trust and security to anchor those transactions, and AI-powered services to make them smarter and more personal. Mastercard is accelerating all three — building on our network to turn emerging capabilities into real-world applications.”
listen to this section · 3:52 MIN
enables trusted agent-ledpurchases for peopleand businesses33
Agent Pay
enables high-frequency payments between agents and services34
Agent Pay for Machines
turn credentials intoprogrammable authority35
Agentic tokens& token controls
makes user mandatesportable and auditable36
Verifiableintent
create accountability fornon-human actors
Agent identity& governance
gives developers waysto build on thatinfrastructure37
The AgenticToolkit
show how consented, structureddata sharing can supportagentic personalization38
Insight Tokens
help the ecosystemto adapt40
Agent Suite& Agent Spark
helps merchants interpretpurchasing intent39
Shopping Muse
is the developer layer that enables ecosystem players to be found and connect to AI agents
Agent Connect
Agents can already search, decide, and transact.The technical barriers to automation are falling quickly. What will determine whether agentic commerce scales is whether users are confident that systems will act within defined boundaries.
Agentic commerce is entering a phase where technology is no longer the constraint. Trust is.
This is the underlying transformation
Trust is changingfrom implicit toencoded
Payments are evolvingfrom authorizationto governance
Commerce is movingfrom interaction to delegation
The challenge now being addressed is this: when decision-making moves from humans to agents, the system loses its primary signal of legitimacy. Intent becomes distributed. Consent becomes conditional. Control must persist over time. The transaction itself is no longer sufficient to prove that an action was authorized. What matters now is making delegation workable in practice. That means clearer liability, stronger recourse, better visibility into agent behavior, and permission models that are precise without being inflexible. The winners will not simply automate more steps. They will make autonomy usable, governable, and credibleenough to earn adoption. Adopters will not delegate blindly. Implementation will be judged not just on convenience, but on transparency and recourse. Trust will be earned gradually, and lost quickly if control is lacking. This places a premium on how the system is being designed. The infrastructure must allow intent to be expressed in ways that are both precise and usable. It must balance flexibility with enforcement, so that autonomy doesn’t come at the expense of confidence. By encoding trust in this way, the promise of agentic commerce will be realized.
Mastercard powers economies and empowers people in 200+ countries and territories worldwide. Together with our customers, we’re building a resilient economy where everyone can prosper. We support a wide range of digital payments choices, making transactions secure, simple, smart and accessible. Our technology and innovation, partnerships and networks combine to deliver a unique set of products and services that help people, businesses and governments realize their greatest potential.