Subscribe to the Non-Human & AI Identity Journal

Why does AI-mediated commerce create identity risk?

AI-mediated commerce creates identity risk because the system may influence or carry out actions without a clear human present at every step. That blurs who authorised the action, what data the assistant used, and whether the resulting decision should be trusted as legitimate.

Why This Matters for Security Teams

AI-mediated commerce changes the identity problem from “who logged in” to “which system, model, or agent was allowed to act, on whose behalf, and with what limits.” That matters because purchasing, approvals, refunds, order changes, and customer data access can all become machine-executed decisions. When identity is not explicit at each step, auditability weakens, privilege expands quietly, and fraud or misuse becomes harder to detect.

NHI Management Group’s Ultimate Guide to NHIs frames the core issue well: once a software actor can initiate actions, it needs governance comparable to any other identity with authority. That becomes especially important in commerce flows where payment APIs, CRM platforms, and order management systems are chained together. The NIST Cybersecurity Framework 2.0 is still relevant, but the identity risk now sits in both access control and decision integrity, not just account security.

In practice, many security teams first discover this exposure after an agent has already issued a legitimate-looking action that no one can clearly explain.

How It Works in Practice

In AI-mediated commerce, the identity boundary is often distributed across user accounts, service accounts, API keys, session tokens, model endpoints, and workflow automations. A customer may ask an assistant to reorder supplies, an employee may approve a quote through chat, or an agent may trigger a refund based on policy context. Each step can be technically valid while still being identity-risky if the system cannot prove who initiated it, what policy constrained it, and whether the action exceeded intended authority.

Practitioners should treat this as a combination of authorization, provenance, and transaction integrity. The assistant should not inherit broad standing access simply because it can interpret natural language. Current guidance suggests binding agent actions to narrowly scoped, time-limited permissions, with explicit step-up controls for money movement, profile changes, and data export. That aligns with the spirit of NIST SP 800-53 Rev. 5 Security and Privacy Controls, especially around access enforcement, audit logging, and separation of duties.

Operationally, stronger implementations usually include:

  • Per-action authorization rather than blanket agent access.
  • Immutable logs that record user intent, model output, tool invocation, and downstream side effects.
  • Policy checks that block sensitive actions unless a human confirms the transaction.
  • Secrets and tokens isolated from the model, so the assistant cannot freely reuse credentials.
  • Continuous detection for anomalous commerce patterns, such as repeated cart changes, unusual refunds, or address manipulation.

These issues connect directly to the NHI patterns documented in 52 NHI Breaches Analysis. NHIMG research also notes that 72% of organisations have experienced or suspect a breach of non-human identities, which is a strong reminder that machine identities are already being targeted in the wild. These controls tend to break down when commerce workflows rely on shared service credentials and the platform cannot separate customer intent from agent execution.

Common Variations and Edge Cases

Tighter control often increases latency and operational overhead, requiring organisations to balance conversion speed against fraud resistance and audit quality. That tradeoff becomes sharper in low-friction retail, subscription updates, travel booking, and B2B procurement, where too many approval steps can hurt user experience while too few can let an assistant act too broadly.

There is no universal standard for this yet. Best practice is evolving toward tiered trust: low-risk actions may be auto-executed, while payment changes, shipping-address edits, identity profile changes, and external disclosures require explicit confirmation. That same pattern applies when an assistant uses a retrieved context from RAG or a connected tool, because the risk is not only model error but also over-authorization of the action itself. The Top 10 NHI Issues page is useful here because many commerce risks come from the same weak points: excessive privilege, poor secret handling, and missing lifecycle governance.

Edge cases also matter. Shared household devices, delegated purchasing, marketplace seller tools, and customer service automation can make intent ambiguous even when authentication is strong. In those environments, identity risk is not solved by stronger login alone; it requires policy design that distinguishes the person, the agent, and the transaction. That is why many failures surface first as disputed orders or unexplained account changes rather than as classic account takeover.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-4 Least-privilege access is central when agents can act on behalf of users.
NIST SP 800-53 Rev 5 AC-6 Least privilege limits how far an AI-mediated workflow can act on its own.
OWASP Non-Human Identity Top 10 NHI-2 Non-human identity lifecycle gaps create unauthorized commerce actions and abuse paths.
OWASP Agentic AI Top 10 A2 Prompt and tool abuse can steer agents into unauthorized commercial actions.
NIST AI RMF GOVERN AI governance is needed to assign accountability for autonomous commerce decisions.

Validate prompts, tool inputs, and outputs before allowing sensitive transaction steps.