TL;DR: Agentic commerce compresses discovery, selection, payment, and fulfilment into one conversational session, creating billions of non-human identity actions that must be authorised in real time, according to EnforceAuth. The real issue is not authentication but the collapsing assumption that identity remains stable long enough for session-based review and role-based access to work.
At a glance
What this is: Agentic commerce shifts purchasing into AI-mediated sessions, and the key finding is that authentication alone cannot govern the resulting action-level authorisation risk.
Why it matters: IAM teams now have to govern non-human, autonomous, and human-initiated transactions across one delegation chain, or they will miss the point where access becomes action.
By the numbers:
- 80% of organisations cannot fully explain why an AI agent took a specific action.
- 48% of security professionals rank agentic AI as the #1 attack vector for 2026.
- Only 22% of teams treat AI agents as independent identity-bearing entities.
- 33% of organisations report their AI agents have accessed inappropriate or sensitive data beyond their intended scope.
👉 Read EnforceAuth's analysis of agentic commerce and runtime authorisation
Context
Agentic commerce is the point where a conversational interface becomes a transaction engine. A request to buy something no longer ends at product discovery, because the agent can query catalogues, use stored credentials, place the order, and trigger fulfilment without a traditional web session.
That changes the IAM problem from user login to action-level governance across non-human identities. The question is no longer whether the system knows who connected, but whether each delegated action was authorised for that actor, that context, and that moment.
The article is typical of the current market direction: enterprises are adding AI-mediated checkout faster than their governance models are adapting. The result is a widening gap between business convenience and identity control.
Key questions
Q: What breaks when AI shopping agents rely on session-based authorisation?
A: Session-based authorisation breaks because it assumes the actor’s intent stays stable for the life of the session. In agentic commerce, the agent can complete multiple privileged actions inside one conversational turn, so one approval can unintentionally cover catalog access, payment initiation, and data retrieval. Practitioners need action-level policy, not just session validation.
Q: Why do AI agents complicate identity and access management for retailers?
A: AI agents complicate IAM because they do not behave like a human user or a simple service account. They can chain tools, delegate work to sub-agents, and reuse credentials across multiple backend systems. That means access must be governed by action, context, and delegation scope, not just by the identity that opened the session.
Q: What do security teams get wrong about AI safety versus AI security?
A: Teams often confuse content safety with access control. A polite agent that never produces unsafe language can still access customer data, invoke payment APIs, or traverse systems it should not reach. AI safety is about output behaviour, while AI security is about who can do what, when, and with which credentials.
Q: How should organisations govern sub-agents in agentic commerce?
A: Organisations should treat sub-agents as separately governed actors with explicit scope, bounded delegation depth, and revocation tied to the parent workflow. If sub-agents inherit broad permissions automatically, the platform creates a recursive privilege surface that is hard to audit and harder to contain after misuse.
Technical breakdown
Action-level authorisation in agentic commerce
Agentic commerce turns a single customer request into a chain of privileged backend calls. A shopping agent may authenticate once, then query catalogues, inspect inventory, retrieve payment methods, and initiate fulfilment through multiple APIs. If authorisation is only checked at session start, the system assumes the agent's intent is stable. In practice, intent can shift across sub-agents, tools, and data calls. The control surface is each action, not the conversation as a whole.
Practical implication: enforce policy decisions on every tool call and data access, not just on login or token issuance.
Delegation chains and sub-agent privilege inheritance
Once a parent agent spawns recommendation, pricing, inventory, payment, and logistics sub-agents, the permission model becomes recursive. If those sub-agents inherit credentials or broad scopes, the effective access surface expands beyond what was deliberately assigned. This is a classic delegation problem with autonomous flavour: the executor is not a person, and the action path is not linear. Without chain-depth limits and scoped delegation, privilege can drift far beyond the original request.
Practical implication: bound delegation depth and make sub-agent entitlements explicit rather than inherited wholesale.
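The delegation controls described in this section, and the practitioner items further down on bounded depth, scoped short-lived credentials and cascading revocation, as an added example that is not EnforceAuth's or NHIMG's code. It is a small in-memory registry in which every sub-agent credential is attenuated from its parent (a strict subset of scopes, never the parent's full set), delegation fails closed past a fixed depth, a credential can only be presented by the agent it was issued to (which is the token-reuse step in the threat narrative later on this page), and revoking the parent workflow invalidates the whole chain. The credential layout, scope strings, depth limit of 2, TTL of 300 seconds and agent names are assumptions.

```python
"""Depth-bounded, attenuating delegation for agent and sub-agent credentials.
Added example for this page, not EnforceAuth's or NHIMG's code; credential layout,
scope strings, depth limit and TTL are illustrative assumptions."""
from __future__ import annotations

import time
from dataclasses import dataclass

MAX_DELEGATION_DEPTH = 2   # assumption: root -> sub-agent -> sub-sub-agent, no deeper
DEFAULT_TTL_SECONDS = 300  # assumption: short-lived per-agent credentials, no shared keys


@dataclass(frozen=True)
class AgentCredential:
    token_id: str
    subject: str            # the only agent allowed to present this credential
    scopes: frozenset[str]  # explicit entitlements, e.g. "customer:read:cust-42"
    depth: int              # 0 for the root (customer-facing) agent
    parent_id: str | None   # credential this one was attenuated from
    expires_at: float
    workflow_id: str        # ties the whole chain to one customer workflow


class DelegationRegistry:
    """Issues, delegates, validates and revokes per-agent credentials."""

    def __init__(self, clock=time.time):
        self._clock, self._creds, self._revoked = clock, {}, set()

    def _store(self, *fields) -> AgentCredential:
        cred = AgentCredential(f"tok-{len(self._creds) + 1}", *fields)
        self._creds[cred.token_id] = cred
        return cred

    def issue_root(self, subject, scopes, workflow_id, ttl=DEFAULT_TTL_SECONDS):
        return self._store(subject, frozenset(scopes), 0, None, self._clock() + ttl, workflow_id)

    def delegate(self, parent_token_id, child_subject, requested_scopes, ttl=DEFAULT_TTL_SECONDS):
        parent = self._creds.get(parent_token_id)
        if parent is None or not self.is_valid(parent):
            raise PermissionError("parent credential unknown, expired or revoked")
        if parent.depth + 1 > MAX_DELEGATION_DEPTH:
            raise PermissionError(f"delegation depth {parent.depth + 1} exceeds {MAX_DELEGATION_DEPTH}")
        requested = frozenset(requested_scopes)
        if not requested:
            raise PermissionError("sub-agent must declare an explicit scope")
        if requested - parent.scopes:
            raise PermissionError(f"scope escalation refused: {sorted(requested - parent.scopes)}")
        # Attenuation only: the child gets exactly what it declared, never the parent's
        # full set, and never outlives the parent credential.
        return self._store(child_subject, requested, parent.depth + 1, parent.token_id,
                           min(parent.expires_at, self._clock() + ttl), parent.workflow_id)

    def is_valid(self, cred) -> bool:
        """Walk to the root: a revoked or expired ancestor invalidates every descendant."""
        now, node = self._clock(), cred
        while node is not None:
            if node.token_id in self._revoked or now >= node.expires_at:
                return False
            node = self._creds.get(node.parent_id) if node.parent_id else None
        return True

    def revoke(self, token_id) -> None:
        """Revoke a credential and cascade to everything delegated from it."""
        self._revoked.add(token_id)
        for cred in list(self._creds.values()):
            if cred.parent_id == token_id:
                self.revoke(cred.token_id)

    def authorize(self, presenter, token_id, scope) -> tuple[bool, str]:
        """Per-call check: the caller must own the credential and hold the exact scope."""
        cred = self._creds.get(token_id)
        if cred is None or not self.is_valid(cred):
            return False, "credential unknown, expired or revoked"
        if cred.subject != presenter:   # a sub-agent replaying its parent's token
            return False, f"credential belongs to {cred.subject}, presented by {presenter}"
        if scope not in cred.scopes:
            return False, f"{presenter} lacks scope {scope}"
        return True, "ok"


def refused(attempt) -> bool:
    try:
        attempt()
        return False
    except PermissionError:
        return True


def run_scenario() -> dict[str, bool]:
    """Constructed walk-through: a shopping agent spawns recommendation and pricing sub-agents."""
    reg = DelegationRegistry()
    root = reg.issue_root("shopping-agent", {"catalog:read", "inventory:read",
                          "customer:read:cust-42", "payment:initiate:cust-42"}, "wf-0001")
    rec = reg.delegate(root.token_id, "recommendation-agent", {"catalog:read"})
    out = {
        "rec_reads_catalog": reg.authorize("recommendation-agent", rec.token_id, "catalog:read")[0],
        "rec_reads_customer": reg.authorize("recommendation-agent", rec.token_id, "customer:read:cust-42")[0],
        "rec_replays_parent_token": reg.authorize("recommendation-agent", root.token_id, "customer:read:cust-42")[0],
        "escalation_refused": refused(lambda: reg.delegate(rec.token_id, "pricing-agent", {"payment:initiate:cust-42"})),
    }
    pricing = reg.delegate(rec.token_id, "pricing-agent", {"catalog:read"})   # depth 2, allowed
    out["depth_three_refused"] = refused(lambda: reg.delegate(pricing.token_id, "deeper-agent", {"catalog:read"}))
    reg.revoke(root.token_id)   # retiring the parent workflow kills the whole chain
    out["pricing_after_revoke"] = reg.authorize("pricing-agent", pricing.token_id, "catalog:read")[0]
    return out
```

The two design choices that matter are that `delegate` never copies the parent's scope set (a sub-agent that declares nothing gets nothing) and that `authorize` binds the credential to a named presenter, so a recommendation sub-agent holding the parent's broad token is refused even though the token itself is valid. Both failures are attributable from the audit trail because every credential carries its own subject and parent.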
The authorisation gap between identity and intent
The article's central technical point is that authentication proves an identity can connect, but not that a specific action is appropriate. In policy terms, the decision must incorporate context such as customer consent, transaction amount, record scope, and customer boundary. The system needs negative authorisation as much as allow rules. That is how bulk queries, cross-customer access, and out-of-scope transactions are stopped even when the agent presents valid credentials.
Practical implication: model consent, scope, and transaction context in the authorisation layer so valid credentials do not become a blanket pass.
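The decision logic described in the two sections above, as an added example that is not EnforceAuth's or NHIMG's code: a small Python policy decision point that sits between the agent and every backend tool, evaluates each call against what the customer actually delegated (consented actions, spend ceiling, record scope, customer boundary), and evaluates deny rules before allow rules so that valid credentials and prior consent never override a bulk or cross-customer query. The action names, the 100-record bulk threshold, the 150 spend ceiling, the agent names and the backend stubs are all constructed assumptions.

```python
"""Action-level authorisation for an agentic checkout flow.
Added example for this page, not EnforceAuth's or NHIMG's code; action names,
the consent model, the bulk threshold and the spend ceiling are assumptions."""
from dataclasses import dataclass

BULK_LIMIT = 100  # assumption: more records than this in one call is a bulk query


@dataclass(frozen=True)
class Delegation:
    """What the customer actually delegated for this conversational session."""
    customer_id: str
    consented_actions: frozenset  # e.g. "catalog:query", "payment:initiate"
    max_amount: float             # spend ceiling the customer agreed to


@dataclass(frozen=True)
class ActionRequest:
    actor: str              # which agent or sub-agent is making the call
    action: str
    customer_id: str        # whose records or funds the call touches
    amount: float = 0.0
    record_count: int = 1   # records the call would return or touch


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide(req: ActionRequest, delegation: Delegation) -> Decision:
    """One decision per tool call. Deny rules run first and cannot be overridden by consent."""
    if req.customer_id != delegation.customer_id:
        return Decision(False, "cross-customer access")
    if req.record_count > BULK_LIMIT:
        return Decision(False, f"bulk query: {req.record_count} > {BULK_LIMIT}")
    if req.action == "payment:initiate" and req.amount > delegation.max_amount:
        return Decision(False, f"amount {req.amount} exceeds delegated ceiling {delegation.max_amount}")
    if req.action not in delegation.consented_actions:
        return Decision(False, f"no consent for {req.action}")
    return Decision(True, "within delegated scope")


class CheckoutGateway:
    """Every backend tool call passes through decide(); authenticating once buys nothing."""

    def __init__(self, delegation: Delegation):
        self.delegation = delegation
        self.audit = []  # (actor, action, allowed, reason): attribution for every call

    def call(self, req: ActionRequest, tool):
        d = decide(req, self.delegation)
        self.audit.append((req.actor, req.action, d.allowed, d.reason))
        if not d.allowed:
            raise PermissionError(f"{req.actor}: {req.action} denied: {d.reason}")
        return tool(req)


# Constructed backend stubs standing in for catalogue, payment and customer APIs.
def catalog_query(req):
    return ["sku-1", "sku-2"]


def payment_initiate(req):
    return {"status": "authorised", "amount": req.amount}


def customer_read(req):
    return [{"customer": req.customer_id}] * req.record_count


def run_checkout():
    """Constructed session: customer cust-42 allows browsing and one payment up to 150."""
    gw = CheckoutGateway(Delegation("cust-42", frozenset({"catalog:query", "inventory:check", "payment:initiate"}), 150.0))
    outcomes = {
        "catalog": gw.call(ActionRequest("shopping-agent", "catalog:query", "cust-42"), catalog_query),
        "payment": gw.call(ActionRequest("payment-agent", "payment:initiate", "cust-42", amount=120.0), payment_initiate),
    }
    denied = {  # each of these rides on the same valid session, and each is still refused
        "overspend": (ActionRequest("payment-agent", "payment:initiate", "cust-42", amount=500.0), payment_initiate),
        "cross_customer": (ActionRequest("recommendation-agent", "customer:read", "cust-7"), customer_read),
        "bulk_read": (ActionRequest("recommendation-agent", "customer:read", "cust-42", record_count=5000), customer_read),
        "no_consent": (ActionRequest("recommendation-agent", "customer:read", "cust-42"), customer_read),
    }
    for name, (req, tool) in denied.items():
        try:
            gw.call(req, tool)
        except PermissionError as exc:
            outcomes[name] = str(exc)
    return outcomes, gw.audit
```

The ordering in `decide` is the point: the customer-boundary and bulk rules are checked before consent is even consulted, so a recommendation sub-agent that has been steered into a 5,000-row customer read is stopped by the deny rule rather than by hoping the consent list happens not to include it. The audit list records the calling actor for every decision, denied or not, which is what makes a later "why did the agent do that" question answerable.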
Threat narrative
Attacker objective: The attacker wants to use a trusted agent workflow to exfiltrate customer data and drive unauthorised actions without tripping conventional perimeter controls.
- Entry occurs when a poisoned data source influences a recommendation sub-agent through indirect prompt injection.
- Credential access follows when the sub-agent reuses the parent shopping agent's broad API token to query customer data beyond the intended scope.
- Exfiltration happens when the attacker pulls the returned sensitive data out of the agent's response context on a later turn.
- Impact is the unauthorised disclosure of customer data and transactional misuse carried out entirely through legitimate tools and credentials.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- New York Times breach — New York Times source code and credentials exposed via GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Agentic commerce is really an authorisation problem disguised as a convenience layer. Authentication can tell a retailer who opened the session, but it cannot by itself tell whether a product query, payment call, or fulfilment action belongs in that moment. The discipline shifts from identity proof to continuous decisioning across the transaction chain. Practitioners should treat checkout orchestration as a policy problem, not a front-end feature.
Session-based IAM assumptions collapse when the actor can complete the business task inside one conversational turn. Session duration was designed for human-paced behaviour, where access persists long enough to be reviewed and revoked. That assumption fails when an agent can discover, decide, and execute before a human review cycle even begins. The implication is that review cadences, token TTLs, and approval gates no longer describe the real control boundary.
Delegation chain depth is becoming a named governance concept for agentic systems. The article shows why inherited permissions across recommendation, pricing, payment, and logistics sub-agents create a permission surface no one explicitly intended. When sub-agents inherit broad tokens, the organisation loses line of sight to the actual actor that made the decision. Practitioners should understand that the blast radius is now created by delegation design, not just by privilege size.
Polite behaviour is not a security control. The article correctly separates AI safety from AI security: a courteous agent can still execute unauthorised calls, misuse customer context, and pass content filters while violating access policy. That failure mode matters because it hides in plain sight. The governance conclusion is simple: organisations need identity-aware enforcement, not just content guardrails.
Owning non-human identity lifecycle is now part of commerce governance, not a back-office technicality. The moment an AI shopping workflow can spawn sub-agents and reuse shared API keys, joiner, mover, leaver discipline applies to machines as much as to people. The same lifecycle controls that govern service accounts now have to govern agent identities, delegated scopes, and revocation timing. Practitioners should treat agent onboarding and offboarding as a first-class governance domain.
From our research:
- 80% of organisations cannot fully explain why an AI agent took a specific action, according to the AI Agents: The New Attack Surface report.
- 33% of organisations report AI agents accessing inappropriate or sensitive data beyond their intended scope, according to the same report.
- For the governance angle, see Ultimate Guide to NHIs , 2025 Outlook and Predictions for how agentic identity pressure is changing programme design.
What this signals
Delegated commerce is forcing security teams to treat authorisation as a runtime control rather than a provisioning event. If the transaction can happen inside one conversational session, then the old split between login, review, and execution no longer matches reality. Teams should expect more demand for policy engines that can reason over customer consent, transaction amount, and delegation depth in the same decision path.
Agent identity sprawl will increasingly look like classic NHI sprawl, but with faster failure modes. Retail workflows that combine recommendation, payment, logistics, and inventory sub-agents create a denser entitlement graph than most service-account estates. Practitioners should prepare for more scoped credentials, more revocation pressure, and greater audit burden as agentic commerce expands.
Politeness Trap: AI systems that pass safety checks may still fail access policy, which means security programmes must separate content moderation from identity enforcement. That distinction will shape how organisations design controls, write policy exceptions, and explain incidents to auditors and boards.
For practitioners
- Map every agentic transaction to discrete authorisation decisions: break the purchase flow into catalog query, inventory check, payment initiation, and fulfilment steps, then require an explicit policy decision for each step. Do not let a single authenticated session authorise the full sequence by default.
- Bound delegation depth for sub-agents: set a hard limit on how many subordinate agents can inherit privileges from a parent workflow, and require explicit scope declarations for any delegated payment or data access capability. Recursive inheritance should fail closed.
- Eliminate shared API keys in agent workflows: replace shared service account tokens with scoped, short-lived credentials tied to a specific agent role and customer context. Shared credentials make attribution and containment impossible when an agent behaves outside expectation.
- Instrument negative authorisation rules for bulk and cross-boundary access: write deny policies for large result sets, cross-customer queries, and transaction patterns that exceed a delegated amount or scope. This prevents valid credentials from becoming blanket authorisation.
- Add lifecycle controls for agent identities and delegated scopes: treat agent provisioning, scope changes, and revocation as governed identity events with clear ownership. If an agent is retired, its tokens, delegated rights, and tool connections must be removed together.
Key takeaways
- Agentic commerce expands the IAM problem from user access to action-by-action authorisation across a delegated non-human identity chain.
- The article's evidence shows that the control gap is already operational, with shared credentials, inherited permissions, and poor action attribution creating real exposure.
- Retailers and other transaction-heavy organisations should move toward runtime policy enforcement, bounded delegation, and lifecycle governance for AI agents now.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI5 Overprivileged NHI; NHI7 Long-Lived Secrets; NHI9 NHI Reuse | Agent workflows here depend on scoped, short-lived credentials and revocation discipline. |
| OWASP Agentic AI Top 10 | Tool misuse; privilege abuse | Tool misuse and privilege abuse are the central risks in agentic checkout. |
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | The article hinges on least-privilege access and continuous authorisation decisions. |
Map agent actions to least-privilege controls and verify that every sensitive transaction is authorisation-bound.
Key terms
- Agentic Commerce: Agentic commerce is purchasing or transaction flow executed through an AI agent rather than a traditional user session. The identity problem shifts from logging in a person to governing each delegated action, including data access, payment initiation, and fulfilment, across a chain of non-human identities.
- Delegation Chain: A delegation chain is the sequence of permissions passed from a parent actor to one or more subordinate actors, such as sub-agents or service accounts. In agentic systems, the chain can expand quickly and create hidden privilege inheritance unless scope, depth, and revocation are explicitly controlled.
- Action-level Authorisation: Action-level authorisation is a control model that evaluates each tool call or data access request as it happens. It is stricter than session-based access because it checks context, scope, consent, and transaction details before allowing the next step.
- Politeness Trap: The politeness trap is the false assumption that an AI system is safe because it behaves courteously or passes content filters. That assumption fails when the system still has broad credentials, can access sensitive data, or can trigger actions outside its intended scope.
Deepen your knowledge
Agentic commerce and AI agent authorisation are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for delegated transactions or sub-agent governance, it is worth exploring.
This post draws on content published by EnforceAuth: The Shift That Changes Everything in agentic commerce and AI-mediated checkout. Read the original.
Published by the NHIMG editorial team on 2026-04-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org