Subscribe to the Non-Human & AI Identity Journal

How should retailers control AI agents that shop on behalf of customers?

Retailers should treat delegated shopping as a policy problem, not only a checkout problem. Define which actions an agent may take, require re-confirmation for higher-risk changes, and bind permissions to purpose, spend limits and transaction scope. The goal is to verify authorised intent, not just whether a payment instrument is valid.

Why This Matters for Security Teams

Retailers are no longer only securing customer logins and payment cards. When an AI agent shops on behalf of a customer, the security problem shifts to delegated authority: what the agent can view, add, remove, substitute, and finalise. That introduces risk across fraud, privacy, refund abuse, account takeover, and policy bypass. Current guidance suggests treating the agent as a bounded actor with explicit purpose, spend, and transaction limits, not as a free-form assistant.

This matters because agentic systems can execute too quickly for normal customer-service controls to keep up. The same delegation pattern that enables convenient reordering can also enable unintended purchases, coupon abuse, or silent changes to delivery and account details. NHIMG research on OWASP NHI Top 10 shows how quickly AI-driven access can exceed intended scope when permissions are too broad. In practice, many security teams only discover agent overreach after dispute volume, chargebacks, or support escalations have already increased.

How It Works in Practice

Retailers should implement delegated shopping as a layered control model. The first layer is identity and intent binding: the customer authorises the agent for a specific purpose, such as replenishment or gift shopping, and that consent is tied to a duration, merchant category, budget ceiling, and eligible product set. The second layer is step-up verification for higher-risk events such as changing shipping addresses, using stored payment methods, or placing an order above a threshold. The third layer is logging and replayable audit evidence, so the retailer can show what the agent was allowed to do and what it actually did.

Security teams should also validate the agent’s inputs and outputs. That means restricting tool access, limiting catalog and profile data exposure, and checking for prompt injection or malicious product content before the agent acts. Guidance in the NIST AI Risk Management Framework and the OWASP Agentic AI Top 10 both point toward governance, traceability, and abuse-resistant design rather than trust-by-default.

  • Bind the agent to a customer, a purpose, and a narrowly defined shopping scope.
  • Use spend limits, category limits, and order-value thresholds to trigger re-confirmation.
  • Separate browsing authority from checkout authority and from post-purchase changes.
  • Log the policy decision, the agent action, and the final human-confirmed transaction state.
  • Review exceptions for gift purchases, subscriptions, substitutions, and split shipments.

NHIMG’s AI Agents: The New Attack Surface report notes that 80% of organisations say their AI agents have already performed actions beyond intended scope, which is exactly why retailers need policy gates before the checkout step. These controls tend to break down when merchants reuse generic bot logic across accounts, subscriptions, and support workflows because the agent then inherits too much ambient authority.

Common Variations and Edge Cases

Tighter agent controls often increase friction, so retailers must balance convenience against abuse resistance and support cost. There is no universal standard for this yet, especially where shoppers want automation for routine purchases but still expect a smooth checkout experience. The practical tradeoff is between allowing low-friction repeat buying and forcing extra confirmation when the agent deviates from the customer’s usual pattern.

Edge cases matter. Gift shopping usually needs broader address flexibility but tighter spend controls. Subscription management may justify recurring authority, but only for a defined merchant and product class. Returns and refunds should be treated separately from shopping because they can be abused through policy gaps. For high-risk categories, current guidance suggests using shorter-lived delegation and more frequent re-approval. For identity-sensitive flows, retailers should also consider whether the agent is acting under a verified customer identity or only a session token, because the assurance level changes the trust model.

The strongest practice is to apply the same discipline used for high-risk automation in other sectors: least privilege, explicit consent, traceable actions, and rapid revocation. The MITRE ATLAS adversarial AI threat matrix is useful for thinking about manipulation and abuse patterns, while NHIMG’s OWASP Agentic Applications Top 10 helps teams map those risks to concrete agent controls. Retail programmes tend to fail when they optimise for conversion alone and leave delegated authority unbounded.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10, MITRE ATLAS and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A2 Agentic systems need bounded authority and abuse-resistant action controls.
NIST AI RMF GOVERN Delegated shopping requires governance, accountability, and traceable decision-making.
MITRE ATLAS ATLAS-001 Attack patterns cover manipulation, prompt injection, and autonomous abuse of agent workflows.
NIST CSF 2.0 PR.AC-4 Least-privilege access is central when an agent acts on behalf of a customer.
CSA MAESTRO TRM-02 Agentic AI governance needs explicit trust boundaries and control validation.

Constrain shopping agents to explicit purpose, scope, and step-up approval for sensitive actions.