TL;DR: Agentic commerce is shifting product discovery and checkout into AI-mediated flows, and Signifyd says AI agent referrals in its Commerce Network rose 1,247% while sales from those referrals climbed 894% in October 2025. The governance problem is no longer just fraud detection at checkout, but identity, intent and accountability across the full buying journey.
At a glance
What this is: This is a Signifyd analysis of agentic commerce and the finding that AI agent referrals and sales are growing rapidly across retail journeys.
Why it matters: It matters because agent-mediated shopping changes where trust is established, how fraud is detected, and which identity and control signals retailers and IAM teams can rely on.
By the numbers:
- In October 2025, orders from AI agent referrals in Signifyd’s Commerce Network were up 1,247% from a year earlier.
- Sales from those referrals climbed 894% in October 2025.
👉 Read Signifyd's analysis of agentic commerce and retailer readiness
Context
Agentic commerce compresses the traditional online shopping journey by allowing AI agents to browse, compare and sometimes purchase on a shopper’s behalf. That shift matters because the control point moves away from the storefront and toward the data, policies and decisioning that shape what the agent can see and do.
For security and identity teams, the key issue is not whether an agent can place an order, but how the merchant verifies intent, distinguishes legitimate automation from abuse and preserves accountability when the transaction path is no longer fully human-readable. That makes identity signals, fraud controls and post-purchase verification part of the same governance problem rather than separate functions.
Key questions
Q: How should retailers control AI agents that shop on behalf of customers?
A: Retailers should treat delegated shopping as a policy problem, not only a checkout problem. Define which actions an agent may take, require re-confirmation for higher-risk changes, and bind permissions to purpose, spend limits and transaction scope. The goal is to verify authorised intent, not just whether a payment instrument is valid.
Q: Why do AI shopping agents complicate fraud detection?
A: AI shopping agents complicate fraud detection because they can shift the transaction origin away from the browser session and toward an external platform or delegation layer. That makes device signals, velocity checks and site-level bot rules less reliable on their own. Teams need provenance and context, not only behavioural heuristics.
Q: What do security teams get wrong about agent-driven purchases?
A: The common mistake is assuming agent-driven purchases can be governed with the same controls used for ordinary ecommerce traffic. In reality, the important questions are who authorised the agent, what it was allowed to do and whether the transaction stayed within that delegated scope. Without those answers, accountability stays weak.
Q: What should teams do when agentic commerce creates chargeback and dispute risk?
A: Teams should preserve evidence about the agent, the shopper’s original instruction and the policy context of the purchase before disputes arise. That includes order provenance, any confirmation steps, and changes made after checkout. Clear evidence shortens investigation time and helps distinguish fraud from consumer confusion.
Technical breakdown
How agentic commerce changes the trust model at checkout
Agentic commerce introduces an intermediary between the customer and the merchant, which changes the meaning of trust at checkout. The system may rely on structured product data, shopping policies, prior preferences and platform permissions rather than direct human review. That creates a new trust chain: shopper to agent, agent to merchant, merchant to payment and fraud controls. If any link is weak, the transaction can still look legitimate while the underlying intent is unclear. In practice, this weakens the assumptions embedded in traditional checkout risk models, which were built for a human browsing path.
Practical implication: Practitioners need checkout controls that validate agent context, not just payment legitimacy.
Why identity signals matter when bots can buy on behalf of people
Identity signals in agentic commerce are about proving who authorised the action, what the agent was allowed to do and whether the purchase aligns with an expected pattern. That is different from basic authentication. A shopping agent may be authorised to reorder staples but not to change delivery addresses, shift spend thresholds or purchase high-risk items. In identity terms, this resembles task-scoped delegation, but the risk is that delegated intent can be broader than the controls actually enforcing it. Without durable identity and policy binding, merchant systems may treat agent traffic as ordinary automation or ordinary customer activity.
Practical implication: Teams should bind authorisation rules to agent purpose, spend limits and transaction scope.
Why site-level fraud controls can miss agent-driven purchases
Site-level fraud tools often inspect the browser session, velocity, device or interaction pattern that reaches a merchant endpoint. Agent-driven purchases can bypass those assumptions if the purchase is created upstream by an external platform, an orchestration layer or a delegated assistant. That makes classic bot detection, carding rules and behavioral heuristics less reliable on their own. The real challenge is not simply more automation, but a different transaction origin with fewer visible cues. Retailers need to understand whether the fraud decision belongs at the merchant edge, the agent platform, the identity layer or all three.
Practical implication: Fraud teams should redesign detection around transaction provenance, not just site telemetry.
Threat narrative
Attacker objective: The attacker aims to exploit delegated shopping trust to generate fraudulent purchases, account abuse or credential theft while appearing to operate through a legitimate agent flow.
- Entry occurs when a consumer-facing agent or shopping bot becomes the transaction intermediary, giving attackers a new surface for impersonation or manipulation.
- Escalation follows when fraudsters abuse trusted agent flows, steal credentials, or hijack a bot account to place purchases or alter purchase intent.
- Impact occurs as merchants face chargebacks, impersonation disputes, bypassed fraud controls and reduced confidence in whether the buyer’s intent was genuine.
NHI Mgmt Group analysis
Agentic commerce creates an identity and intent problem, not just a fraud problem. Retailers may be tempted to treat AI-mediated checkout as a channel issue, but the real governance issue is whether the actor can prove authorised intent at the point of purchase. Without that, merchant controls will keep optimising for session legitimacy while missing delegated misuse. For practitioners, the control boundary now sits between the shopper, the agent and the merchant.
Delegated shopping exposes a new category of weak accountability we can call intent blindness. The merchant may know an order was placed, but not whether the agent stayed within the consumer’s purpose, limits or preferences. That creates an audit gap that affects chargebacks, fraud review and dispute handling. For identity and fraud teams, the answer is not just better detection, but clearer provenance for who authorised what and under which policy.
Agentic commerce will pressure merchants to treat identity as a transaction control, not a login control. Traditional IAM often ends at authentication, but agent-led purchasing requires persistent policy binding across discovery, carting, checkout and post-purchase communication. That is especially relevant when the transaction is initiated by software on a person’s behalf. Practitioners should expect identity governance to move deeper into commerce flows.
Site-level fraud logic alone will not survive agent-mediated shopping at scale. The article’s core warning is that merchant-side heuristics can be blind to upstream automation, which means fraud responsibility will be distributed across platforms. That pushes the market toward shared provenance, stronger delegation controls and clearer verification points. The practical conclusion is that fraud and IAM teams must design for the full decision chain, not just the checkout page.
Agentic commerce is an early signal that consumer identity, machine identity and payment risk are converging. Shopping assistants will increasingly act with partial authority, and organisations will need policies that distinguish human intent from delegated execution. That convergence will make lifecycle, consent and dispute evidence more important, not less. Practitioners should prepare for identity governance to become a commerce-control discipline as well as a security one.
What this signals
Agentic commerce is likely to push more organisations toward controls that understand intent, delegation and provenance rather than simply authenticating a user once at session start. That is a useful pattern for any programme handling software acting on a person’s behalf, including identity verification, payments and assistant-mediated workflows.
Delegation provenance gap: the emerging failure mode is not the absence of login controls, but the inability to prove why an agent acted and whether the action stayed inside its permitted scope. That concept will matter to fraud, IAM and compliance teams alike, because evidence quality becomes a control in its own right.
Retailers should expect stronger alignment between identity governance and transaction monitoring as agent-mediated shopping matures. The practical signal is that the most resilient programmes will be the ones that can connect authorisation, purchase intent and dispute evidence across the full lifecycle.
For practitioners
- Strengthen delegated-authorisation rules Define which agent actions are allowed, which require re-confirmation and which are prohibited, then bind those rules to spend limits, product classes and delivery changes.
- Instrument transaction provenance Capture where the purchase originated, which assistant or platform mediated it, and what policy or prompt triggered the order so dispute teams can trace the path end to end.
- Revise fraud models for agent-mediated behavior Add controls that score upstream automation, abnormal delegation patterns and unexpected checkout origin rather than relying only on device, velocity or browser heuristics.
- Tighten post-purchase verification Require stronger confirmation for address changes, returns, subscription changes and high-risk item purchases when the original order came through an agent.
- Align identity and fraud ownership Create joint review paths for IAM, fraud and payments teams so delegated purchasing, account abuse and impersonation cases are assessed under one operating model.
Key takeaways
- Agentic commerce changes retail trust by moving purchase decisions into delegated software flows that are harder to verify and govern.
- The strongest evidence in the article is the rapid rise in AI agent referrals and sales, which shows the channel is already moving beyond theory.
- Retailers should respond by treating identity, fraud and provenance as a single control problem across discovery, checkout and post-purchase handling.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST AI RMF, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST AI RMF | GOVERN | AI-mediated purchasing introduces governance and accountability needs for delegated actions. |
| NIST CSF 2.0 | PR.AC-4 | Delegated buying depends on access and authorisation boundaries that CSF addresses. |
| NIST SP 800-53 Rev 5 | IA-5 | Agent-mediated transactions depend on stronger authenticator and delegation management. |
| NIST SP 800-63 | SP 800-63C | Federated identity and proofing matter when third-party agents act on behalf of users. |
Assign ownership for agentic commerce risk and define approval boundaries for delegated buying.
Key terms
- Agentic Commerce: A shopping model where an AI agent helps a person discover, compare, select or purchase goods on their behalf. The important security issue is that the agent becomes an intermediary, so trust, intent and accountability must be governed across the transaction path, not only at login.
- Delegated Intent: The purchase goal or shopping instruction a person gives to an agent, along with the limits attached to that instruction. In security terms, delegated intent becomes a control boundary when the system must prove that the agent stayed within the authorised purpose, scope and thresholds.
- Transaction Provenance: The evidence showing where a transaction originated, what systems mediated it and which policy or instruction triggered it. It is a practical control for disputes and fraud review because it helps teams separate legitimate automation from impersonation, manipulation or unauthorised agent activity.
- Bot-Takeover: A form of account takeover in which an attacker gains control of an automated agent or bot rather than a normal user session. In commerce, that can let the attacker place purchases, alter preferences or generate fraudulent activity while appearing to operate through a trusted assistant.
What's in the full article
Signifyd's full article covers the operational detail this post intentionally leaves for the source:
- Category-by-category merchant implications for grocery, apparel, electronics and travel
- Practical preparation steps for product data, checkout design and fraud controls
- Detailed examples of how agent-driven shopping can change returns, disputes and identity verification
- The article's discussion of how merchants can evaluate declines before treating them as losses
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity and secrets management. It helps practitioners build the control foundations needed to manage delegated access and software acting on behalf of people.
Published by the NHIMG editorial team on 2026-05-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org