By NHI Mgmt Group Editorial Team | Published 2025-08-06 | Domain: General NHI | Source: Fingerprint

TL;DR: Agentic commerce creates a new fraud surface where malicious AI agents can browse, transact, and imitate legitimate customer behaviour at scale, according to Fingerprint. Existing device and session controls can reduce bot activity, but they do not by themselves resolve the identity trust problem once agents start acting like users.


At a glance

What this is: Fingerprint’s guide to agentic commerce fraud and the security controls needed to protect platforms from malicious AI agents.

Why it matters: Fraud, bot management, and identity teams now have to govern machine-like actors that can operate through customer-facing journeys without obvious human signals.



Context

Agentic commerce is the use of AI agents that can browse, compare, and act across shopping or service workflows with limited human supervision. That changes the trust model for identity, because traditional fraud controls were built around human users, scripted bots, or static abuse patterns, not runtime decision-making by software actors.

For IAM, fraud, and security teams, the challenge is not just blocking automation. It is deciding how to distinguish legitimate assisted commerce from malicious agent-driven activity when device signals, session continuity, and behavioral checks may all be present but no longer sufficient on their own.


Key questions

Q: How should security teams detect malicious AI agents in commerce flows?

A: Security teams should combine persistent device intelligence, pre-login risk signals, and action-level behaviour monitoring. A malicious AI agent often looks legitimate in isolation, so the key is to score the full journey, including repeated environment reuse, velocity, and unusual sequencing, rather than relying on one control signal alone.

Q: Why do agentic commerce workflows create more fraud risk than ordinary bots?

A: Agentic commerce is riskier because the actor can adapt during the session, combine actions dynamically, and mimic user intent more convincingly than a fixed script. That makes simple bot rules weaker and shifts the decision point toward runtime identity assurance, behavioural thresholds, and cross-session correlation.

Q: When should teams challenge an agent-driven transaction instead of letting it continue?

A: Teams should challenge transactions when device reputation drops, the session shows high-velocity action chaining, or the same environment repeatedly reaches sensitive steps without stable user evidence. The goal is to interrupt abuse before the transaction completes, not after the damage is already done.

Q: What is the difference between legitimate automation and malicious agent behaviour?

A: Legitimate automation usually operates within known, bounded workflows, while malicious agent behaviour adapts to the environment, chains actions opportunistically, and seeks to complete a goal with minimal friction. The distinction is not whether software is acting, but whether the platform can govern its authority, timing, and trust boundaries.


Technical breakdown

How agentic commerce changes the identity trust model

Agentic commerce introduces software actors that can complete tasks previously associated with human shoppers, including navigating pages, evaluating options, and initiating purchases. That matters because fraud controls often assume either a person behind the browser or a script with predictable patterns. AI agents sit between those categories. They can appear interactive, vary their timing, and reuse session context in ways that weaken classic bot heuristics. In practice, the trust boundary moves from login time to runtime behaviour, where identity must be inferred from a mix of device, session, and action patterns rather than a single authentication event.

Practical implication: teams need controls that evaluate runtime behaviour, not just pre-login identity.

Why device intelligence still matters against malicious agents

Device intelligence helps because it can link activity to a persistent browser or environment rather than to a single request. In fraud scenarios, that allows teams to correlate repeated behaviour, unusual device changes, and high-risk access patterns across sessions. But device intelligence is not a complete answer for agentic commerce. A sophisticated agent can still operate through a legitimate device, a real user session, or a compromised environment. The value is in coverage and correlation, not certainty. Teams should treat device signals as one layer in a broader identity and fraud stack that also considers velocity, action sequence, and post-authentication behaviour.

Practical implication: use device intelligence as a correlation layer, not as the only trust decision.

Where pre-login signals beat pure session controls

Pre-login signals matter because many fraud decisions are easiest to make before a high-value action is completed. Once an agent has established a session and started moving through checkout or account workflows, the cost of disruption rises and the evidence becomes more ambiguous. Pre-login intelligence can expose anonymity networks, repeated device reuse, or patterns associated with fraud rings before the transaction path is fully opened. That does not eliminate risk, but it improves the odds of stopping malicious agent-driven activity before it becomes a completed purchase, account takeover, or abuse event.

Practical implication: shift risk scoring earlier in the journey, before the transaction path is fully opened.



NHI Mgmt Group analysis

Agentic commerce turns fraud prevention into an identity governance problem. The core issue is no longer only whether a transaction is legitimate. It is whether the platform can tell when a software actor is exercising user-like authority without the governance guardrails that IAM, fraud, and device controls were designed for. That pushes the discipline toward runtime identity decisions across both machine and human journeys. Practitioners should treat agentic commerce as a governance boundary problem, not just a detection problem.

Device intelligence reduces blind spots, but it does not restore trust once the actor can adapt. Persistent device signals help teams link activity across sessions and spot abuse patterns, yet a malicious agent can still inherit legitimacy from a real browser context or a compromised environment. That means the real failure mode is overconfidence in one control layer. The practitioner takeaway is to combine device intelligence with action-level policy and behavioural thresholds.

Agentic commerce exposes a new named risk: runtime authority drift. In this model, the actor starts with limited intent but can expand its effective authority during the interaction, especially when the platform treats continued session activity as proof of legitimacy. This is different from classic bot volume or account takeover. The implication is that policy must follow the action sequence, not just the authenticated identity.

Fraud and IAM teams are converging because the trust question is converging. The same controls that govern who may act, under what conditions, and with what evidence now need to work across customer identity, device intelligence, and software actors. That makes cross-functional ownership unavoidable. Teams that keep fraud tooling and identity governance separate will miss the shared failure modes that agentic commerce creates.

From our research:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • If you are formalising controls for agentic commerce, start with OWASP Agentic AI Top 10 and map the controls to runtime identity governance, not just bot detection.

What this signals

Runtime authority drift: agentic commerce creates a control gap where software actors can start inside an approved journey and expand their effective authority as the session progresses. That means security teams should watch for policy that only validates entry, because the risky decision point increasingly happens after authentication and before completion. For governance teams, this is where identity and fraud telemetry must be fused with OWASP Agentic AI Top 10 style runtime controls.

The operational signal is not simply higher bot volume. The stronger warning sign is a widening gap between what the platform thinks it authenticated and what the actor is able to do by the end of the workflow. As agentic commerce grows, teams should expect more demand for cross-functional review between fraud operations, IAM, and application security, especially where device intelligence must be interpreted alongside session and action evidence.


For practitioners

  • Strengthen pre-login risk scoring: Use device reputation, anonymity network indicators, and repeated environment signals before checkout or account actions begin so high-risk sessions are challenged earlier.
  • Correlate device and behavior signals: Combine persistent device intelligence with velocity, sequence, and transaction anomalies so a legitimate browser does not automatically inherit trust for every action.
  • Define agent-specific policy triggers: Create rules for unusual action chaining, rapid page traversal, and repeated session reuse that can flag malicious AI agents even when the user experience looks normal.
  • Align fraud and identity ownership: Assign shared accountability for suspicious automation patterns so fraud operations and identity teams can investigate the same session evidence and response thresholds.
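
The policy triggers in the list above, expressed as a per-action decision function that combines pre-login, action-level, and cross-session signals. This is an added example, not code from Fingerprint or NHI Mgmt Group; the step names, field names and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Step names, field names and thresholds are assumptions for this example.
SENSITIVE_STEPS = {"add_payment_method", "change_address", "checkout"}
REQUIRED_BEFORE = {"checkout": "view_cart"}   # expected ordering in the journey
MIN_DEVICE_REPUTATION = 0.5   # 0.0 (bad) to 1.0 (good)
MAX_ACTIONS_PER_10S = 5       # ceiling for chained actions in a 10 s window
MAX_SENSITIVE_REUSE = 3       # sensitive hits per environment without user evidence

@dataclass
class Environment:
    """Cross-session state keyed by a persistent device/environment ID."""
    device_reputation: float
    anonymity_network: bool = False
    stable_user_evidence: bool = False
    sensitive_hits: int = 0

@dataclass
class Session:
    env: Environment
    events: list = field(default_factory=list)   # (timestamp_seconds, step)

def evaluate_action(session, ts, step):
    """Record one action, then decide allow/challenge at this point in the journey."""
    env, reasons = session.env, []
    earlier_steps = {s for _, s in session.events}
    session.events.append((ts, step))
    # Pre-login signals: known before the transaction path is opened.
    if env.device_reputation < MIN_DEVICE_REPUTATION:
        reasons.append("low_device_reputation")
    if env.anonymity_network:
        reasons.append("anonymity_network")
    # Action-level signals: velocity and sequencing inside the session.
    if sum(1 for t, _ in session.events if ts - t <= 10) > MAX_ACTIONS_PER_10S:
        reasons.append("high_velocity_action_chaining")
    if step in REQUIRED_BEFORE and REQUIRED_BEFORE[step] not in earlier_steps:
        reasons.append("unusual_sequence")
    if step not in SENSITIVE_STEPS:
        return "allow", reasons          # keep scoring, interrupt only where it matters
    # Cross-session correlation: same environment keeps reaching sensitive steps.
    env.sensitive_hits += 1
    if env.sensitive_hits > MAX_SENSITIVE_REUSE and not env.stable_user_evidence:
        reasons.append("environment_reuse_without_user_evidence")
    return ("challenge" if reasons else "allow"), reasons

def replay(session, events):
    """Evaluate a constructed event list; return the decision for each action."""
    return [evaluate_action(session, ts, step) for ts, step in events]
```

Because the decision is taken per action, a session that entered with a good device reputation is still challenged once its action sequence deviates, which is the runtime authority drift case described earlier.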

Key takeaways

  • Agentic commerce creates fraud patterns that sit between classic bots and human users, so conventional identity checks are no longer enough on their own.
  • Device intelligence, pre-login risk scoring, and action-level monitoring together provide better coverage than any one control, especially when the actor can adapt mid-session.
  • Fraud prevention and IAM now share the same trust problem, which means governance has to follow runtime behaviour as closely as it follows authentication.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 |  | Agentic commerce introduces adaptive software actors that can abuse identity and action boundaries.
NIST CSF 2.0 | PR.AA-1 | Identity and authentication assurance are central when software actors mimic users.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous verification fits commerce flows where session trust can change mid-journey.

Map agent-driven commerce risks to runtime controls for identity, tool use, and action approval.


Key terms

  • Agentic commerce: Commerce flows in which AI agents can browse, compare, and act on behalf of a user with limited supervision. In identity terms, the important change is that software can now exercise user-like authority inside customer journeys, so trust decisions must account for runtime behaviour, not just authentication.
  • Device intelligence: Signals that help identify a browser, device, or environment consistently across sessions and actions. For fraud and identity teams, it is useful because it supports correlation, but it does not prove legitimacy by itself when malicious actors can operate through real devices or compromised sessions.
  • Runtime authority drift: A failure mode where an actor begins with a narrow, acceptable level of access or intent, then expands its effective authority as the session unfolds. In agentic systems, this often appears when the platform keeps trusting the interaction after the actor has already started to deviate from the original purpose.

This post draws on content published by Fingerprint: What is agentic commerce? And how are fraudsters exploiting it? Read the original.
