By NHI Mgmt Group Editorial TeamPublished 2026-03-05Domain: Agentic AI & NHIsSource: Prove Identity

TL;DR: Agentic commerce is creating a trust gap because current identity systems were built to authenticate humans in bounded sessions, while agents can act asynchronously, chain decisions, and delegate spending authority across environments, according to Prove Identity. Without a verified human-to-agent binding, identity and authorisation break down before commerce can scale safely.


At a glance

What this is: This is a blog analysis of agentic commerce identity, arguing that current authentication and delegation models do not reliably bind agent actions back to a verified human.

Why it matters: It matters because IAM, fraud, and identity governance teams now need controls that cover delegated agent behaviour, not just human login and session assurance.

👉 Read Prove Identity's analysis of why agentic commerce needs a KYA roadmap


Context

Agentic commerce expands identity from human login into delegated machine action. The core problem is not just whether an account is authenticated, but whether the agent acting from that account is legitimately tied to the human who authorised it. Current identity models were built for people in bounded sessions, which is why agentic systems expose a governance gap as soon as delegation becomes dynamic.

That gap affects IAM, fraud, and lifecycle governance at the same time. Merchants need to know who owns the agent, consumers need visibility into where delegated activity is happening, and security teams need a way to distinguish legitimate automation from spoofed or synthetic agent behaviour. The issue is structurally closer to NHI governance than to conventional consumer authentication.

For practitioners, this is the point where identity programmes need to treat agent identity as a first-class governance problem rather than an edge case. The relevant design question is no longer only how to authenticate a user, but how to preserve attribution, authorisation, and accountability when the executor is a non-human identity acting on behalf of that user.


Key questions

Q: How should organisations govern AI agents that act on behalf of customers?

A: Organisations should require every delegated agent action to remain traceable to a verified human owner, a verified authorisation event, and a controlled session context. That means treating the agent as a governed identity with lifecycle rules, audit trails, and revocation paths, not as anonymous automation. If attribution cannot be preserved, the transaction should not be trusted.

Q: Why do agentic systems complicate IAM and fraud controls?

A: Agentic systems complicate IAM and fraud controls because they blur the boundary between a user, a device, and an executing non-human identity. Traditional controls assume a person is present during authorisation, but agents can delegate, persist, and act across channels. That creates gaps in attribution, session trust, and abuse detection.

Q: What breaks when agent identity is not portable across platforms?

A: When agent identity is not portable, every platform reinterprets trust from scratch, which weakens authorisation and makes fraud detection inconsistent. Merchants, issuers, and application owners end up relying on incompatible signals rather than a common identity chain. The result is higher false trust and more room for spoofed or synthetic agents.

Q: Who is accountable when an AI agent makes a bad transaction?

A: Accountability should sit with the human or organisation that delegated authority, but only if the delegation was clearly verified and the agent’s actions were traceable. If the system cannot prove ownership and authorisation, accountability becomes disputed and incident response becomes harder. Governance should make that chain explicit before transactions are allowed.


Technical breakdown

Why human-centric authentication breaks in agentic commerce

Traditional authentication assumes a person logs in, stays present, and completes a transaction inside a bounded session. Agentic commerce breaks that model because agents can operate synchronously or asynchronously, change form factors, and execute with delegated authority that may outlive the original interaction. The result is a mismatch between static identity proofing and dynamic runtime behaviour. The real issue is not whether an agent can be identified at enrolment, but whether the identity layer can preserve trust across chained actions, changing contexts, and multiple execution environments.

Practical implication: identity teams need to map where existing login, session, and delegation controls assume human pacing and replace those assumptions with delegated-actor governance.

Human-to-agent binding as the missing trust primitive

A KYA model is effectively a chain-of-custody framework for delegated identity. Its purpose is to link an agent to a verified human, a verified authorisation event, and a secure session that can be traced across subsequent actions. Without that linkage, downstream checks on approval, payment, or access become ambiguous because the system cannot prove who initiated the action or whether the agent was later hijacked, forked, or impersonated. This is the core trust problem in agentic commerce: attribution has to survive delegation, not just initial authentication.

Practical implication: governance models must require durable human attribution for agent actions, especially where payments, offers, or account changes are involved.

Protocol fragmentation creates a weak assurance layer

The current protocol landscape is fragmented, with multiple initiatives defining agent identity, signing, delegation, and interoperability in different ways. That fragmentation matters because the same agent can receive very different assurance levels depending on the platform, merchant, or channel involved. In practice, this means trust is becoming environment-specific rather than portable. When identity proofs do not travel with the agent, fraud opportunities expand and merchants are left reconciling incompatible signals instead of enforcing a common trust policy.

Practical implication: architecture teams should avoid assuming any single agent protocol provides cross-channel assurance and should evaluate portability of identity evidence as a design requirement.


Threat narrative

Attacker objective: The attacker’s objective is to execute transactions or abuse delegated authority while avoiding reliable attribution to the real human owner.

  1. Entry begins when attackers exploit fragmented agent identity protocols to create synthetic agents or impersonate legitimate delegated actors in commerce flows.
  2. Escalation occurs when those agents inherit spending or decisioning authority without a stable verification chain back to the human owner, allowing unauthorised actions to look legitimate.
  3. Impact is realised when merchants, issuers, and consumers can no longer reliably distinguish approved agent activity from spoofed or hijacked automation, increasing fraud and eroding trust.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Agentic commerce is exposing an identity trust crisis, not just a payments problem. The article is right to treat authentication, authorisation, and attribution as one chain of custody. Once agents can transact asynchronously or in swarms, the old assumption that a session maps cleanly to a human actor stops holding. Practitioners should treat delegated agent behaviour as a governance domain, not a feature of customer authentication.

Human-to-agent binding is the central trust primitive for agentic identity. A verified human relationship to the agent is what gives meaning to every later authorisation event. Without that binding, merchants and platforms can verify a transaction signature but still not know whether the actor was legitimate, spoofed, or repurposed mid-session. The implication is that identity programmes need durable attribution, not just stronger login signals.

Protocol fragmentation is becoming the real security debt in agentic commerce. Competing agent identity and delegation approaches are creating inconsistent assurance across ecosystems, which makes trust portable in theory but brittle in practice. That fragmentation does not merely slow adoption, it multiplies the number of policy models merchants and issuers must reconcile. Practitioners should assume that interoperability will be an identity governance problem before it is a commerce problem.

Agentic commerce is collapsing the assumption that identity is always human-paced and session-bounded. That assumption was designed for interactive login and visible user presence. It fails when an actor can spin up, delegate, transact, and disappear outside a human review loop. The implication is not that teams need a better review cycle, but that they need to rethink which identity signals remain meaningful when execution is delegated and temporally fluid.

Chain-of-custody for delegated identity: this is the right concept to name the control gap emerging here. It captures the need to preserve proof of ownership, authorisation, and session integrity across every agent action. For practitioners, the lesson is that agent identity must be governed as a traceable lifecycle, not a one-time authentication event.

From our research:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • For the broader governance pattern, see OWASP Agentic AI Top 10 for the risks that emerge when agents can select tools and act at runtime.

What this signals

Agentic commerce will force identity programmes to extend lifecycle governance into delegated execution. As soon as agents can spend, book, or negotiate on behalf of humans, the relevant control question becomes whether delegation can be proven, revoked, and audited across every channel where the agent acts. That is a lifecycle problem, not a point-in-time login problem.

With 33% of organisations already reporting AI agents accessing inappropriate or sensitive data beyond intended scope, according to our research, the same pattern is likely to surface in commerce systems whenever identity evidence is fragmented. Teams should assume that authorisation drift will show up first in delegated workflows, then in the broader IAM control plane.

Chain-of-custody for delegated identity will become a practical design requirement for commerce, fraud, and IAM teams. If your programme cannot answer who owns the agent, who delegated authority, and whether that delegation is still valid, you do not have a governance model yet.


For practitioners

  • Map delegated agent use cases to identity controls Inventory where agents can transact, negotiate, or change account state on behalf of users, then identify which steps still rely on human-centric session assumptions.
  • Require durable human attribution for agent actions Define policy so every material agent action retains a verifiable link to the human owner, the delegation event, and the session context that authorised it.
  • Test protocol portability across channels Validate whether agent identity evidence survives movement between apps, merchants, and devices, and flag any flow where assurance resets at each boundary.
  • Treat agent identity as a lifecycle problem Build enrolment, delegation, revocation, and offboarding steps for agents the same way you would for other non-human identities, with auditability from start to finish.
  • Align agent governance with OWASP guidance Use the OWASP Agentic AI Top 10 and the OWASP NHI Top 10 to pressure-test where delegated execution, identity binding, and tool use can fail.

Key takeaways

  • Agentic commerce turns identity into a delegated trust problem, where authentication alone is no longer enough to prove legitimacy.
  • The scale signal is already large, with analysts projecting $1.7 trillion in new economic value over the next decade, which explains why identity gaps are becoming a board-level issue.
  • Practitioners need lifecycle and attribution controls for agents now, or they will inherit commerce flows that cannot reliably distinguish approved activity from spoofed automation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10AG-01Agentic commerce depends on runtime identity and delegation controls.
OWASP Non-Human Identity Top 10NHI-01The article is fundamentally about non-human identities acting on behalf of people.
NIST AI RMFGOVERNThe article centers governance and accountability for autonomous-like AI behaviour.
NIST CSF 2.0PR.AC-4Delegated commerce relies on access management and least-privilege enforcement.
NIST Zero Trust (SP 800-207)Agentic commerce needs continuous verification across changing contexts and channels.

Assign ownership for agent behaviour and define approval, oversight, and escalation paths under GOVERN.


Key terms

  • Agentic Commerce: Commerce in which software agents can transact, negotiate, or take action on behalf of a person or organisation. The identity challenge is that execution may be delegated, asynchronous, and cross-channel, so governance must preserve attribution and authorisation beyond the initial login event.
  • Human-to-Agent Binding: The verified relationship that links an agent’s actions back to the human who delegated authority. In practice, this must survive session changes, device changes, and platform boundaries so that the system can prove ownership and accountability when the agent acts.
  • Chain Of Custody For Identity: A traceable sequence of proof that shows who owned an identity, who authorised its use, and what actions it performed. For delegated agents, this becomes the core trust model because downstream parties need evidence that the actor remained legitimate throughout execution.
  • Delegated Non-Human Identity: A non-human identity that is allowed to act on behalf of a human or organisation within approved limits. The key governance issue is not just whether the identity exists, but whether its authority can be bounded, audited, and revoked across its full lifecycle.

What's in the full article

Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:

  • The article's breakdown of KYA as a chain-of-custody model for agentic identity and delegated commerce
  • The discussion of protocol fragmentation across ACP, AP2, UCP, and related agent identity efforts
  • The description of how verified human-to-agent binding is meant to preserve attribution and session integrity
  • The vendor's positioning of Prove Verified Agent as an implementation of the KYA framework

👉 Prove Identity's full blog covers the protocol wars, chain of custody, and verified human-to-agent binding

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org