Subscribe to the Non-Human & AI Identity Journal

What breaks when trust registries are missing in agentic commerce?

Without trust registries, relying parties cannot quickly determine whether a delegated identity is current, verified, and permitted. That usually leads to manual review, inconsistent approvals, and weaker fraud response, especially when agent volume rises faster than human operations can keep up.

Why This Matters for Security Teams

In agentic commerce, a trust registry is the difference between a delegated identity that can be trusted in real time and one that has to be reviewed by hand. Without it, merchants, payment partners, and marketplaces cannot quickly verify whether an agent is current, verified, and within scope. That pushes teams into slower approval workflows and creates inconsistent decisions across channels, which is exactly where fraud and policy abuse thrive.

This is not a theoretical gap. NHIMG’s AI Agents: The New Attack Surface report shows how quickly agent governance falls behind deployment: 80% of organisations report AI agents have already acted beyond intended scope, including accessing unauthorised systems and revealing credentials. In practice, missing trust registries turn every high-risk transaction into a human exception, even when the agent is legitimately acting on behalf of a user or service. Current guidance from the NIST AI Risk Management Framework and the OWASP Agentic AI Top 10 both point to the same operational reality: identity context must be available at decision time, not reconstructed after the fact. In practice, many security teams discover the registry gap only after approvals slow down or a fraudulent delegated action has already cleared.

How It Works in Practice

A trust registry in agentic commerce functions as a shared source of truth for delegated identities, issuer trust, permission scope, and status changes. It helps the relying party answer four questions at runtime: who issued the identity, what can the agent do, for whom is it acting, and is that permission still valid. This is especially important when AI agents chain actions across storefronts, payment processors, logistics APIs, and customer support tools.

Operationally, the registry should support fast lookups and policy checks rather than static allowlists. That means pairing registry data with intent-aware authorization, short-lived credentials, and workload identity so the agent proves what it is and what it is allowed to do at the moment of use. The research in OWASP NHI Top 10 is especially relevant here because it frames the failure mode as stale or unverifiable identity context, not just weak passwords or missed rotation.

Practitioners usually need the registry to expose at least these fields:

  • Issuer and attestation source for the delegated identity
  • Delegation scope, audience, and expiration time
  • Revocation or suspension status
  • Policy tags for fraud, payments, and high-risk actions
  • Links to the human principal or service account that sponsored the agent

For implementation, the CSA MAESTRO agentic AI threat modeling framework and NIST AI Risk Management Framework both support runtime governance, but there is no universal standard for trust registries yet. These controls tend to break down in federated commerce ecosystems where multiple marketplaces, wallets, and agent issuers cannot share revocation and assurance signals consistently.

Common Variations and Edge Cases

Tighter registry checks often increase latency and integration overhead, so organisations must balance fraud reduction against checkout friction and partner complexity. That tradeoff is most visible when the agent acts on behalf of a consumer in one domain but executes payment, shipping, or support actions in another.

Best practice is evolving for cross-domain delegation. Some environments can rely on internal policy engines and direct issuer trust, while others need external attestations, signed claims, or real-time status checks before approving a transaction. A registry alone does not solve abuse if its entries are stale, if revocation is not propagated quickly, or if business teams bypass it for urgent exceptions. The OWASP Top 10 for Agentic Applications 2026 and MITRE ATLAS adversarial AI threat matrix both reinforce that autonomy changes the threat model because agents can pivot across tools faster than manual control loops can respond.

In high-trust sectors, organisations may also need stronger identity proofing for delegated agents than for ordinary customer logins, especially when the agent can initiate refunds, purchase orders, or account changes. That is why missing trust registries are not just a governance issue, but a control-plane failure for transaction integrity.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A2 Covers insecure delegation and missing runtime trust for agent actions.
CSA MAESTRO TRT Addresses trust, runtime policy, and agent authorization decisions.
NIST AI RMF GOVERN Trust registries support governance, accountability, and traceability for agents.
NIST CSF 2.0 PR.AC-4 Least privilege and access control depend on current identity context.
NIST Zero Trust (SP 800-207) SC-7 Zero trust requires continuous verification of identity and context.

Define accountable owners for delegated identities and document who may issue, approve, and revoke them.