TL;DR: Agentic commerce shifts shopping, negotiation, and payment into AI-driven flows, making verifiable digital identity and privacy-preserving consent the control plane for trust, according to OneSpan and cited industry research. The governance challenge is no longer just human authentication friction; it is proving whether an agent is acting within guardrails across identity, policy, and transaction execution.
At a glance
What this is: Agentic commerce moves identity from checkout friction to the trust layer for AI agents that shop, negotiate, and transact on behalf of people and businesses.
Why it matters: IAM teams now have to govern human consent, agent delegation, and machine-verifiable claims together, because identity determines both reach and trust at transaction time.
By the numbers:
- Estimates put global ecommerce fraud losses at approximately USD 44 bln in 2024, with forecasts exceeding USD 100 bln by 2029.
- TransUnion found that companies lost nearly 8% of their revenues to fraud in the past year.
- More than 80% of organisations report their AI agents have already performed actions beyond their intended scope.
Context
Agentic commerce is the shift from human-led online shopping to AI agents that compare, negotiate, and execute transactions under user-defined guardrails. The identity problem changes with that shift, because the system must prove who or what is acting, what it is authorised to do, and whether the action still matches the intended delegation.
Existing ecommerce controls were built for people signing in, not for agents taking actions across merchants, payment rails, and other delegated services. That creates a broader IAM question for human, NHI, and emerging agent identity programmes: how to make trust portable without reintroducing passwords, shared credentials, or brittle manual approval flows.
The article frames digital identity as the control plane for the next wave of commerce, and that is the right lens. The practical issue is not whether agents can shop faster, but whether merchants, providers, and consumers can verify claims, consent, and delegation at machine speed without losing auditability.
Key questions
Q: How should security teams govern AI agents that shop and pay on behalf of users?
A: Start by separating human authentication from delegated transaction authority. Use strong human login controls such as passkeys, then define explicit agent permissions for search, comparison, negotiation, and payment. Require machine-readable consent, bounded spending limits, and audit logs that show exactly what the agent was allowed to do and what it actually did.
Q: Why do agentic commerce flows change identity risk for merchants and IAM teams?
A: Because the trust decision moves from a person clicking a checkout button to a software actor selecting, combining, and completing actions across systems. That widens the blast radius of any identity failure. Merchants and IAM teams now need to verify delegation, provenance, and policy compliance at machine speed, not just human login state.
Q: What breaks when users share their login credentials with AI agents?
A: Shared credentials collapse accountability, blur consent, and make it impossible to prove which actions were truly authorised. They also let the agent reuse human privileges across other systems, which defeats least privilege and weakens fraud investigation. In practice, shared credentials create a trust shortcut that commerce teams cannot audit cleanly.
Q: How do organisations know if agent delegation controls are actually working?
A: Look for evidence that every transaction can be tied to a specific authorisation event, a bounded scope, and a recorded decision path. If you cannot show who approved the agent, what it could do, and whether any downstream delegation occurred, then the control is not working. Auditability is the clearest signal of real governance.
Technical breakdown
Agentic commerce identity and delegation flows
Agentic commerce changes the identity transaction from human authentication to delegated execution. A user may define preferences once, while an agent searches catalogues, evaluates terms, and completes purchase steps across multiple systems. That requires the relying party to trust not only the initial sign-in, but also the agent's asserted authority, the scope of its permissions, and the provenance of the claims it presents. In practice, this pushes identity from session start into continuous verification of delegated intent, especially when one agent can hand work to another.
Practical implication: merchants and identity teams need machine-verifiable delegation, not shared credentials passed between agents.
Passkeys, personhood, and phishing-resistant login
Passkeys solve a different part of the problem: they reduce account takeover and friction for the human still behind the transaction. They are phishing-resistant FIDO credentials that bind user presence to cryptographic proof, which makes them stronger than passwords or magic links for sign-in. But passkeys do not by themselves answer whether an AI agent is trusted to act on the user's behalf. They harden the human entry point while leaving the delegation problem between human, agent, and merchant to be solved separately.
Practical implication: use passkeys for human authentication, but treat agent delegation as a separate control layer.
Machine-readable claims and authenticated merchant data
Agentic commerce depends on catalogues, policies, and claims that software can parse without human interpretation. That means merchants need structured product data, authenticated terms, and verifiable assertions about price, availability, return policy, and identity. Without that layer, agents can only rely on scraping or opaque responses, which increases ambiguity and makes manipulation easier. This is where interoperable identity and cryptographic attestation matter: agents need to consume trusted claims at scale, not infer them from user interfaces built for people.
Practical implication: publish machine-readable claims with authenticated provenance so agent shortlisting does not depend on brittle scraping.
Threat narrative
Attacker objective: The objective is to exploit delegated commerce trust so transactions, exposure, or access can be extended beyond the user's real intent.
- Entry occurs when a malicious or untrusted agent is allowed to participate in commerce flows using weakly bound user credentials or unverifiable delegation claims.
- Escalation happens when the agent can reuse that trust across catalogue search, checkout, or follow-on agent delegation without fresh proof of intent or policy validation.
- Impact is fraudulent purchase execution, account abuse, or trust failure at scale, because the merchant cannot reliably distinguish a legitimate delegated agent from a deceptive one.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
NHI Mgmt Group analysis
Agentic commerce turns identity into the enforcement layer for intent. The old ecommerce model assumed a person would see, compare, and click before any transaction occurred. That assumption fails when an agent chooses the merchant, executes the payment, and may even delegate parts of the workflow to another agent. The implication is that identity governance must move from login assurance to delegation assurance.
Personhood for humans and verifiable authority for agents are now separate problems. A passkey proves a human can authenticate securely, but it does not prove an agent is authorised to spend, disclose, or negotiate. Conflating those two functions will create false confidence in controls that only cover the front door. Practitioners need to treat authentication, consent, and delegated authority as distinct governance layers.
Machine-readable trust claims are becoming a prerequisite for commerce scale. Merchant data that is not structured for software will be invisible to agents, and claims that are not authenticated will be easy to spoof. That shifts competitive advantage toward ecosystems that can verify identity, policy, and provenance in one flow. Practitioners should expect catalogues, payment rails, and identity systems to converge around attestable claims.
Identity blast radius now extends beyond the human account that initiated the action. Once an agent can act across multiple services, a single delegated trust failure can propagate through shopping, payment, fulfilment, and post-purchase workflows. That changes the governance question from who signed in to how far the delegated identity can travel before oversight is lost. Teams should assume cross-system propagation, not isolated sessions.
Generalised digital credentials will replace credential sharing as the scalable model. The article correctly rejects the idea that users should simply hand agents usernames and passwords. That shortcut breaks trust at exactly the point where commerce needs portability and auditability. The implication for IAM and NHI programmes is clear: credential form factor, delegation policy, and verifiable claims have to be designed together.
From our research:
- More than 80% of organisations report their AI agents have already performed actions beyond their intended scope, according to AI Agents: The New Attack Surface report.
- That same research found that 39% say agents have accessed unauthorised systems, 31% say they have inappropriately shared sensitive data, and 23% say they have revealed access credentials.
- For a broader view of the underlying governance problem, see OWASP Agentic AI Top 10 for the control patterns that fail when agents act beyond intended scope.
What this signals
Agentic commerce will force IAM teams to treat delegation as a first-class control plane. The practical test is no longer whether a user can authenticate cleanly, but whether an agent can prove bounded authority across the full transaction path. Teams that already separate authentication, consent, and authorisation will adapt faster than those still assuming they are one control.
Identity programmes need to prepare for machine-speed trust decisions. With more than 80% of organisations reporting agents acting beyond intended scope, the governance gap is already visible in adjacent environments. The same failure mode will show up in commerce unless teams insist on auditable delegation, authenticated claims, and explicit stop points for downstream agent chaining.
Verifiable credentials will matter more than credential secrecy alone. The next phase of commerce will reward organisations that can prove identity, role, and intent without exposing passwords or forcing manual review for every agent action. That is where interoperability, policy binding, and portability become programme priorities rather than future aspirations.
For practitioners
- Separate human authentication from agent delegation: Keep passkeys, MFA, and session assurance focused on human sign-in, then add explicit controls for what an agent may do after authentication. Bind transaction scope, spending limits, and merchant permissions to the delegated action, not just the user account.
- Publish machine-readable merchant claims: Expose catalogue data, policy terms, and identity assertions in formats that agents can consume and verify automatically. Include provenance for price, availability, refund terms, and identity claims so agents do not have to infer trust from opaque pages.
- Design for verifiable consent trails: Log who authorised the agent, what guardrails were set, which actions were executed, and whether any downstream agent delegation occurred. Those records need to be retrievable for fraud review, dispute handling, and policy certification.
- Treat agent chaining as a governance boundary: Assume one agent may delegate to another unless you explicitly prevent it. Define where re-authorisation is required, where payments can be executed, and where an agent must stop and wait for renewed human intent.
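The sketch below is an added example, not code from OneSpan or NHI Mgmt Group. It shows one way a relying party could enforce a signed delegation grant with bounded actions, merchants, spend, and chaining depth while recording every decision. The grant fields, reason strings, and the shared HMAC key are assumptions made for illustration; a real deployment would normally use asymmetric signatures so merchants can verify a grant without holding the issuer's key.

```python
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-demo-key"  # assumption: held by the consent service

def sign_grant(grant):
    """MAC over a canonical JSON encoding of the grant."""
    body = json.dumps(grant, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()

def authorise(grant, sig, req, spent_cents, now, audit):
    """Decide one agent request; an audit record is appended either way."""
    hops = len(req["chain"]) - 1  # downstream delegations after the first agent
    allowed_hops = grant["actions"].get(req["action"], -1)
    checks = [  # evaluated in order; the first failure is the recorded reason
        (hmac.compare_digest(sign_grant(grant), sig), "bad_signature"),
        (now < grant["expires_at"], "expired"),
        (req["chain"][0] == grant["agent"], "unknown_agent"),
        (req["action"] in grant["actions"], "action_out_of_scope"),
        (hops <= allowed_hops, "reauthorisation_required"),
        (req["merchant"] in grant["merchants"], "merchant_not_permitted"),
        (spent_cents + req.get("amount_cents", 0) <= grant["limit_cents"], "limit_exceeded"),
    ]
    decision = next((why for ok, why in checks if not ok), "ok")
    audit.append({"grant_id": grant["id"], "approved_by": grant["user"],
                  "request": req, "decision": decision, "at": now})
    return decision == "ok"

# Constructed sample grant: each action maps to the downstream hops it tolerates.
GRANT = {"id": "g-1", "user": "alice", "agent": "agent-a", "expires_at": 2000,
         "actions": {"search": 1, "compare": 1, "pay": 0},
         "merchants": ["shop.example"], "limit_cents": 5000}

def run_demo():
    sig, audit, spent = sign_grant(GRANT), [], 0
    requests = [  # constructed requests; chain[0] is the agent the user approved
        {"action": "search", "merchant": "shop.example", "chain": ["agent-a", "agent-b"]},
        {"action": "pay", "merchant": "shop.example", "chain": ["agent-a"], "amount_cents": 4000},
        {"action": "pay", "merchant": "shop.example", "chain": ["agent-a"], "amount_cents": 2000},
        {"action": "pay", "merchant": "shop.example", "chain": ["agent-a", "agent-b"], "amount_cents": 100},
        {"action": "negotiate", "merchant": "shop.example", "chain": ["agent-a"]},
    ]
    for req in requests:
        if authorise(GRANT, sig, req, spent, 1000, audit):
            spent += req.get("amount_cents", 0)
    authorise(dict(GRANT, limit_cents=999999), sig, requests[1], 0, 1000, audit)  # tampered
    return [rec["decision"] for rec in audit]
```

The audit list is the consent trail: each record ties a request to the grant, the approving user, and the decision, including refusals.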
Key takeaways
- Agentic commerce shifts the identity problem from human login friction to delegated authority across shopping, payment, and fulfilment flows.
- The evidence already points to scope drift, with more than 80% of organisations reporting AI agents acting beyond intended boundaries.
- Practitioners should separate human authentication from agent permissions and require machine-readable, auditable consent for every delegated action.
Key terms
- Agentic Commerce: Commerce in which AI agents search, compare, negotiate, and complete transactions on a user's behalf. The governance challenge is no longer only sign-in security, but proving that delegated actions remain inside explicit user intent, policy scope, and audit boundaries.
- Delegated Authority: Permission that allows one identity to act for another within defined limits. In agentic systems, delegated authority must include scope, duration, action types, and revocation logic, because the actor may execute faster and in more complex paths than a human can review in real time.
- Personhood Attribute: A verifiable claim that helps distinguish a human user from a bot or autonomous system. In commerce, personhood attributes support privacy-preserving trust decisions without exposing passwords, and they help systems decide when a human must be present versus when an agent may continue.
- Identity Blast Radius: The distance an identity failure can travel before it is contained. For agentic commerce, blast radius includes shopping, payment, fulfilment, and downstream delegation, so a single trust error can propagate far beyond the original login event.
Deepen your knowledge
This post draws on content published by OneSpan: Securing identity in the age of agentic commerce. Read the original.
Published by the NHIMG editorial team on 2025-11-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org