By NHI Mgmt Group Editorial TeamDomain: Identity Beyond IAMSource: SiftPublished September 29, 2025

TL;DR: Agentic commerce shifts e-commerce from user-driven actions to AI agents that can search, decide, and complete transactions, creating new fraud and privacy risks as these systems operate across channels and on behalf of consumers, according to Sift. The governance problem is no longer just purchase fraud, but delegated action without clear accountability or reliable guardrails.


At a glance

What this is: Agentic commerce uses AI agents to shop, decide, and transact on behalf of consumers, and the key finding is that autonomy expands both convenience and fraud exposure.

Why it matters: It matters to IAM, fraud, and identity teams because delegated AI action changes how trust, consent, access, and accountability have to be governed across consumer journeys and payment flows.

By the numbers:

  • Agentic commerce is no longer a theoretical commerce innovation: according to Gartner, by 2028, 33% of enterprises are expected to adopt agentic AI in their operations, signaling a broad shift in how businesses approach automation and customer engagement.
  • A recent survey from Salesforce of 2,700 commerce leaders revealed that businesses have growing interest in the strategic use of AI across retail, marketplaces, and digital platforms.
  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

👉 Read Sift's analysis of agentic commerce, fraud risk, and AI guardrails


Context

Agentic commerce describes AI systems that can interpret intent, choose actions, and complete purchases with less direct human input. The primary governance gap is that these agents sit between consent and execution, so the user may understand the goal but not every intermediate decision or data exchange. For identity and fraud teams, that means delegated trust now extends into transaction authorisation, seller verification, and payment handling.

The article frames agentic commerce as a commercial evolution, but the real security issue is accountability across autonomous action. When an AI agent can reorder, compare, negotiate, and checkout across multiple channels, traditional session-based controls and simple user approval prompts are not enough. That creates a genuine boundary problem for identity, consent, and fraud prevention programmes.

This is an early but increasingly common pattern in consumer-facing AI: the starting position is typically enthusiasm for automation, followed by a lag in governance and control design.


Key questions

Q: What breaks when an AI shopping agent can act without clear purchase limits?

A: Without clear purchase limits, an AI shopping agent can move from convenience to delegated financial risk. It may complete purchases the customer would not approve, accept manipulated offers, or reuse account and payment details in ways that are hard to unwind. The control failure is scope, not speed, so teams need explicit authority boundaries and step-up checks.

Q: Why do AI shopping agents create a fraud risk beyond normal e-commerce bots?

A: AI shopping agents create more risk because they can infer intent, combine signals across channels, and act with delegated authority rather than waiting for each user click. That makes them vulnerable to spoofed sellers, fake reviews, and malicious prompts. The issue is not automation alone, but autonomous decision-making under imperfect trust.

Q: How do security teams know if agentic commerce guardrails are actually working?

A: Guardrails are working when the agent consistently stays within defined purchase limits, escalates unusual transactions, and produces logs that explain why each action was taken. If the agent can still buy outside policy, ignore trust signals, or act without a review trail, the controls are cosmetic rather than enforceable.

Q: Who is accountable when an AI agent authorises an unwanted purchase?

A: Accountability should sit with the business function that approved the agent’s scope, the team operating the fraud controls, and the governance owners who defined delegated authority. If those roles are unclear, incidents become disputes instead of remediations. Organisations need ownership, review, and revocation responsibilities before agents transact.


Technical breakdown

How agentic commerce changes transaction trust

Agentic commerce shifts the trust model from a person clicking through a purchase flow to a system acting on inferred intent. That matters because the control point moves away from explicit user interaction and toward policy, guardrails, and identity assurance around the agent itself. In practice, the agent may consume preference data, compare options, and trigger checkout without a fresh approval at each step. The technical challenge is not just fraud detection at payment time, but binding the agent’s runtime actions to a verified authority and a constrained scope.

Practical implication: teams need policies that define what an agent can buy, when it can act, and which signals must trigger re-authorisation.

Fraud patterns that exploit autonomous AI agents

The article points to spoofed sellers, fake listings, manipulated reviews, and misleading prompts as the main abuse paths. These are not new fraud techniques, but agentic systems can scale their impact because an agent may process them faster and more consistently than a human. If the agent cannot reliably distinguish legitimate from adversarial inputs, it may amplify scams instead of filtering them. This creates a fraud problem that blends prompt manipulation, identity deception, and payment abuse into one attack path.

Practical implication: combine fraud scoring with input authenticity checks, reputation signals, and transaction-level step-up controls.

Guardrails for delegated purchase authority

Guardrails are the operational control layer for agentic commerce. They define role, data access, channel boundaries, and the actions an agent can take without human intervention. In identity terms, this resembles a constrained non-human identity pattern: the agent is not a person, but it still needs scoped permissions, lifecycle oversight, and auditable activity. Without those controls, a consumer convenience feature becomes a high-risk delegated identity with unclear ownership and weak reviewability.

Practical implication: treat shopping agents like privileged delegated identities and govern them with least privilege, logging, and expiry rules.


Threat narrative

Attacker objective: The attacker’s objective is to convert a trusted shopping agent into a fraud execution layer that authorises unwanted transactions or exposes payment and personal data.

  1. Entry occurs when a fraudster injects misleading prompts, fake listings, spoofed communications, or adversarial content into the agent’s decision path.
  2. Escalation follows when the agent trusts those inputs and acts with the consumer’s delegated authority across payment, shopping, or account workflows.
  3. Impact is unauthorized purchase, data exposure, or transaction misuse that the consumer may only discover after the harm is complete.

NHI Mgmt Group analysis

Delegated commerce is becoming a non-human identity problem, not just a payments problem: once an AI system can shop, decide, and transact, it behaves like a constrained identity with authority to act. That means governance has to cover identity scope, authorization boundaries, and auditability, not just fraud scoring at checkout. The article correctly points to autonomy as the risk, but the deeper issue is that many organisations still lack a policy model for non-human decision-makers. Practitioners should govern shopping agents as delegated identities.

Agentic commerce creates a trust expansion window: the more channels and data sources an agent can see, the more opportunities attackers have to shape its decisions. Fake product data, spoofed sellers, and misleading prompts all become inputs to a system that may act before a human review happens. That makes consent timing a control issue, not a user-experience detail. Practitioners should assume any agent that can act across channels needs stronger validation than a human user would tolerate.

Trust and safety controls must move upstream of the transaction: fraud teams cannot rely on post-purchase detection alone when the agent may have already committed the action. The control gap is not just detection latency, but the absence of pre-execution policy checks for intent, seller authenticity, and abnormal purchase patterns. This is where identity and fraud disciplines meet. Practitioners should design control points before checkout, not only after loss.

Agentic commerce will force a convergence between identity governance and fraud governance: consumer-facing AI agents need scoped authority, reviewable behaviour, and lifecycle controls similar to other high-risk delegated systems. The market is moving toward more autonomous digital actors, which means governance models built only for humans will become increasingly brittle. Guardrails for delegated action: that is the core design problem here. Practitioners should build controls that follow the agent from onboarding to revocation.

What this signals

Delegated purchase authority is the operational boundary that will decide whether agentic commerce scales safely. The first programme risk is not model quality, but unbounded action scope, especially when the agent can cross channels and reuse payment context. Teams should connect transaction policy to identity policy and use the NIST AI Risk Management Framework to structure accountability, measurement, and escalation.

Consent is becoming a runtime control rather than a one-time user event. That changes how fraud, IAM, and privacy teams should design approval flows, because a customer’s initial intent is not the same thing as ongoing authority to spend. A practical programme should record when the agent acted, what it consumed, and whether its decision path matched the customer’s declared preference.

Guardrails for delegated action: the concept that matters here is not just fraud detection, but pre-execution constraint design. Once an AI system can initiate transactions, teams should expect attackers to work on its input surface rather than only its payment surface, and that requires identity-aware telemetry, policy enforcement, and auditability.


For practitioners

  • Define agent purchase authority Set explicit limits on what categories, values, merchants, and channels an AI shopping agent can use, and require step-up approval when a transaction leaves those limits.
  • Verify input authenticity before action Check seller identity, listing reputation, review integrity, and prompt provenance before allowing an agent to act on recommendations or payment instructions.
  • Log agent decisions end to end Capture the agent’s inputs, chosen options, approvals, and final actions so fraud teams can reconstruct why a purchase happened and whether the agent was manipulated.
  • Treat the agent as a delegated identity Assign ownership, lifecycle review, expiry conditions, and revocation procedures to every commerce agent that can transact on a customer’s behalf.

Key takeaways

  • Agentic commerce turns AI assistants into delegated decision-makers, which expands the fraud surface beyond the point of checkout.
  • The main control gap is not transaction volume but unbounded authority, weak input trust, and poor auditability of agent action.
  • Organisations should govern commerce agents like delegated identities, with explicit scope, step-up checks, and end-to-end logging.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack surface, NIST AI RMF and NIST CSF 2.0 set the technical controls, and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10Agentic commerce exposes prompt, tool, and action abuse patterns in autonomous systems.
OWASP Non-Human Identity Top 10NHI-07Delegated shopping agents need lifecycle and privilege governance similar to other NHIs.
NIST AI RMFGOVERNCommerce agents need clear accountability, oversight, and policy ownership.
NIST CSF 2.0PR.AC-4Least privilege and access control are central when agents can transact on behalf of users.
GDPRArt.32The article discusses personal data use, privacy concerns, and delegated processing in commerce flows.

Assign shopping agents owners, scopes, and revocation rules, then review them on a fixed lifecycle cadence.


Key terms

  • Agentic Commerce: Agentic commerce is a commerce model where AI systems can interpret intent and complete purchasing tasks with limited human prompting. In practice, the agent becomes a decision-making layer between the customer, the merchant, and the payment flow, which creates new governance requirements for consent, auditability, and fraud control.
  • Delegated Identity: A delegated identity is a non-human or indirect actor that is allowed to perform actions on behalf of a user or business process. It must be scoped, monitored, and revocable, because the authority it carries can be abused if its boundaries, ownership, or activity trail are unclear.
  • Guardrails: Guardrails are the policy, technical, and procedural limits that constrain what an AI system can see, decide, and execute. They are most effective when they are enforced before action, not only detected after the fact, and when they include logging, re-authentication triggers, and explicit scope limits.
  • Trust Expansion Window: A trust expansion window is the period in which an autonomous system can consume multiple inputs and execute actions before a human or control layer intervenes. The wider that window becomes, the easier it is for fraudsters to shape outcomes through fake data, spoofed entities, or manipulated prompts.

What's in the full article

Sift's full post covers the operational detail this analysis intentionally leaves for the source:

  • Examples of agentic commerce use cases in retail, travel, and subscriptions, including how agent behaviour changes by scenario.
  • Sift's breakdown of fraud patterns such as spoofed sellers, manipulated reviews, and misleading prompts that influence autonomous purchase decisions.
  • The article's full set of commerce leader survey findings on AI priorities, including personalization, operational efficiency, and fraud detection.
  • Implementation framing around responsible AI deployment, governance, and agent accountability for consumer transactions.

👉 Sift's full post covers agent behaviour, fraud paths, and governance considerations for autonomous shopping

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management in a way that helps teams build durable control models. It gives practitioners a practical foundation for governing delegated systems across identity and security programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org