TL;DR: AI agents are already completing real purchases with delegated payment credentials, and that shifts fraud detection from noisy human behaviour to clean, legitimate-looking transactions, according to WorkOS. The security model now depends on agent identity, scoped delegation, and transaction-level consent, because review cycles built for human intent cannot reliably catch hijacked agent actions.
At a glance
What this is: This is an analysis of how AI agents are changing commerce security by turning delegated payment credentials into a new fraud and liability surface.
Why it matters: It matters because IAM, PAM, and fraud teams need controls that bind agent identity, delegation scope, and consent together before autonomous purchasing patterns become normal.
By the numbers:
- Visa's Payment Ecosystem Risk and Control team reported a more than 450% increase in dark web posts mentioning "AI Agent" in the first half of 2026 compared to the prior six months.
- Bain & Company estimates that agentic AI will handle 15 to 25% of all e-commerce volume by 2030.
👉 Read WorkOS's analysis of agentic commerce security and delegated payments
Context
AI agentic commerce security is emerging because purchasing authority is no longer limited to a person at checkout. An agent can hold delegated payment credentials, saved addresses, and shopping preferences, which means fraud now targets the identity and consent chain behind the transaction rather than the shopper directly.
For IAM, this is a governance problem as much as a fraud problem. Once an agent can act with delegated authority, teams need to answer who the agent is, what it may buy, how long that delegation lasts, and when explicit user confirmation is required before money moves.
Key questions
Q: How should security teams govern AI agents that can make purchases on behalf of users?
A: They should treat the agent as a separately authenticated actor, not as an extension of the user session. That means binding each agent to a distinct identity, scoping what it may buy, limiting where and when it may transact, and forcing explicit confirmation for actions that change liability or spend.
Q: Why do delegated payment credentials increase fraud risk in agentic commerce?
A: Because the transaction can look legitimate even when the intent is compromised. Saved addresses, trusted payment tokens, and familiar merchants remove the noisy signals fraud teams rely on, so a hijacked agent can complete purchases that appear normal while still being unauthorised in practice.
Q: What breaks when agent consent is too broad in commerce workflows?
A: The control boundary collapses. A vague standing authorisation can let an agent buy from the wrong merchant, exceed the intended category, or continue transacting long after the original task ended. Broad consent turns delegation into open-ended access instead of a bounded instruction.
Q: Who is accountable when an AI agent makes an unauthorised purchase?
A: That answer is still unsettled in law and policy, which is why traceability matters now. If the programme can prove who delegated, which agent acted, what scope was granted, and whether consent was requested, it has the evidence needed for disputes, chargebacks, and accountability reviews.
Technical breakdown
Agent identity in commerce transactions
In agentic commerce, the merchant or payment platform needs to know both the user and the acting agent. A user delegation alone is not enough, because a stolen token or spoofed request can look identical to a legitimate purchase. The correct model gives the agent its own authenticated identity, then binds that identity to a specific user authorisation for a defined task. That lets systems distinguish genuine delegated activity from impersonation, replay, or compromised intermediary behaviour. The technical shift is from inherited trust to verifiable dual identity at transaction time.
Practical implication: require authenticated agent identities and verify delegation linkage on every purchase request.
Scoped delegation and step-up consent
Delegation in commerce must be narrower than a general spending allowance. Scope should cover purchase categories, merchant allow lists, amount limits, and time windows, with separate handling for new merchants or recurring commitments. Step-up consent is the final control point: when an action changes financial liability or personal data exposure, the user should confirm the specific transaction, not a vague standing authorisation. This also gives hidden prompt injection a chance to surface, because the manipulated cart or merchant appears in the confirmation flow before completion.
Practical implication: define transaction scope in policy and force explicit confirmation for high-stakes or first-time actions.
Audit trails for delegated purchasing
Agentic commerce needs end-to-end auditability from delegation issuance through transaction completion. Without that chain, disputes become assertions rather than evidence, and fraud teams cannot reconstruct whether the agent acted within bounds. The useful record includes who delegated, which agent executed, what merchants and items were involved, whether consent was requested, and what the merchant verified. This is more than logging. It is the evidence layer that determines whether chargebacks, misuse claims, and liability questions can be resolved after the fact.
Practical implication: log delegation scope, agent identity, consent prompts, and merchant checks as one transaction record.
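As an added example, not code from WorkOS or from this post, the Python below applies the three controls just described to one purchase request: it checks that the authenticated agent is the one bound to the delegation and that the delegation is still valid, evaluates scope (category, merchant allow list, per-transaction and session limits), decides whether step-up consent is needed, and returns the single transaction record the audit section calls for. Every identifier, the delegation values, and the step-up threshold are constructed assumptions, not values from the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import json

# Every identifier and value below is constructed for this example.

@dataclass(frozen=True)
class Delegation:
    delegation_id: str
    user_id: str
    agent_id: str            # the one agent this delegation is bound to
    categories: frozenset    # purchase categories the agent may buy in
    merchants: frozenset     # merchant allow list
    per_txn_limit: float     # ceiling for a single purchase
    session_limit: float     # ceiling for the whole delegated task
    expires_at: datetime     # the delegation stops working at this time

@dataclass(frozen=True)
class PurchaseRequest:
    delegation_id: str
    agent_id: str            # identity the agent authenticated as
    merchant: str
    category: str
    amount: float
    recurring: bool          # subscription or other standing commitment
    requested_at: datetime

# Assumed step-up rule: confirm first-time merchants, recurring commitments,
# and any single purchase at or above this share of the per-transaction limit.
STEP_UP_AMOUNT_FRACTION = 0.5

def evaluate_purchase(delegation, request, spent_this_session, seen_merchants):
    """Run identity-binding, scope, and step-up checks on one request.

    Returns one transaction record: who delegated, which agent acted, what
    scope was granted, what was requested, whether consent was requested,
    and the decision with its reasons.
    """
    reasons = []
    # 1. Identity binding: the authenticated agent must be the delegated one,
    #    presenting the matching delegation inside its validity window.
    if request.delegation_id != delegation.delegation_id:
        reasons.append("delegation id mismatch")
    if request.agent_id != delegation.agent_id:
        reasons.append("agent identity not bound to this delegation")
    if request.requested_at >= delegation.expires_at:
        reasons.append("delegation expired")
    # 2. Scope: category, merchant allow list, per-transaction and session limits.
    if request.category not in delegation.categories:
        reasons.append(f"category {request.category!r} outside scope")
    if request.merchant not in delegation.merchants:
        reasons.append(f"merchant {request.merchant!r} not on allow list")
    if request.amount > delegation.per_txn_limit:
        reasons.append("amount exceeds per-transaction limit")
    if spent_this_session + request.amount > delegation.session_limit:
        reasons.append("amount would exceed session limit")
    allowed = not reasons
    # 3. Step-up consent: liability-changing or first-time actions need the
    #    user to confirm the exact merchant, category, and amount.
    step_up = allowed and (
        request.recurring
        or request.merchant not in seen_merchants
        or request.amount >= STEP_UP_AMOUNT_FRACTION * delegation.per_txn_limit)
    # 4. One record tying delegation, agent, scope, request, and outcome.
    record = {
        "delegation_id": delegation.delegation_id,
        "delegated_by": delegation.user_id,
        "agent_id": request.agent_id,
        "scope": {"categories": sorted(delegation.categories),
                  "merchants": sorted(delegation.merchants),
                  "per_txn_limit": delegation.per_txn_limit,
                  "session_limit": delegation.session_limit,
                  "expires_at": delegation.expires_at.isoformat()},
        "request": {"merchant": request.merchant, "category": request.category,
                    "amount": request.amount, "recurring": request.recurring,
                    "requested_at": request.requested_at.isoformat()},
        "allowed": allowed,
        "consent_requested": step_up,
        "reasons": reasons,
    }
    # A content hash lets a later reviewer detect edits to the stored record.
    record["record_hash"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record

# Constructed sample: the user delegates a grocery restock to one agent.
NOW = datetime(2026, 6, 18, 12, 0, tzinfo=timezone.utc)
SAMPLE_DELEGATION = Delegation(
    delegation_id="dlg-0001", user_id="user-alice", agent_id="agent-shopper-7",
    categories=frozenset({"groceries"}),
    merchants=frozenset({"freshmart.example", "cornershop.example"}),
    per_txn_limit=80.0, session_limit=150.0, expires_at=NOW + timedelta(hours=2))

def sample_request(**overrides):
    """Build an in-scope request; override fields to exercise each check."""
    fields = dict(delegation_id="dlg-0001", agent_id="agent-shopper-7",
                  merchant="freshmart.example", category="groceries",
                  amount=25.0, recurring=False, requested_at=NOW)
    fields.update(overrides)
    return PurchaseRequest(**fields)

if __name__ == "__main__":
    for req in (sample_request(), sample_request(agent_id="agent-other"),
                sample_request(merchant="gadgets.example", category="electronics")):
        rec = evaluate_purchase(SAMPLE_DELEGATION, req, 0.0, {"freshmart.example"})
        print(rec["allowed"], rec["consent_requested"], rec["reasons"])
```

The record is produced for denied requests as well as allowed ones, because a denied attempt by an agent presenting someone else's delegation is exactly the evidence a later fraud or dispute review needs.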
Threat narrative
Attacker objective: The attacker wants to complete unauthorised purchases, drain available balance, or harvest payment data while the activity still looks like normal agent behaviour.
- Entry occurs when attackers target delegated payment credentials, spoof agent requests, or use prompt injection to alter the agent's purchase path.
- Escalation happens when the compromised agent reuses trusted payment tokens, saved addresses, and merchant relationships to make additional legitimate-looking purchases.
- Impact is clean financial fraud, because the transactions clear normal trust checks while the true intent remains hidden from traditional checkout controls.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Agentic commerce creates identity confusion at the point of sale. Merchant systems have historically assumed that a valid checkout request is already tied to a human customer with visible intent. That assumption breaks when the acting party is an AI agent carrying delegated credentials, because the transaction may be authorised in form but not in intent. The implication is that commerce identity now needs to separate user, agent, and platform trust instead of collapsing them into one session.
Transaction review models built for human shopping no longer catch the right failure mode. Traditional fraud controls look for mismatched devices, unusual geographies, or abnormal purchasing patterns. Agentic fraud can bypass all three by using saved addresses, familiar merchants, and normal-looking baskets, which creates a clean-fraud problem rather than a noisy-anomaly problem. Practitioners need to stop treating checkout resemblance as proof of legitimacy.
Scoped delegation is the new control boundary for commerce authorisation. The useful control question is no longer whether an agent has access to pay, but exactly what it can buy, where, when, and under which approval conditions. That framing aligns with OWASP-NHI and zero trust principles because the transaction itself becomes the enforcement point. Teams that do not model delegation scope will keep over-authorising agents by default.
Consent has become a security control, not just a user experience step. In agentic commerce, a confirmation prompt is the last durable boundary before money leaves the account. If that boundary is too broad, attackers can ride inside a valid delegation; if it is too narrow, legitimate agent utility collapses. The field should treat confirmation design as part of access governance, not as an afterthought in checkout flow design.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- That visibility gap is why practitioners should pair agent identity controls with a dedicated governance model, as described in the OWASP Agentic AI Top 10.
What this signals
Agentic commerce will force IAM teams to separate identity from intent. A transaction can now be valid, authenticated, and still wrong because the acting agent was manipulated. The programme response is to model delegation as a governed privilege, not a convenience feature, and to treat the confirmation step as part of access enforcement rather than checkout UX.
For commerce-heavy environments, auditability becomes the difference between dispute handling and guesswork. If the organisation cannot reconstruct who delegated, what the agent did, and what the merchant accepted, it will struggle to prove innocence or liability. That is especially true once agent purchasing scales across consumer and enterprise workflows.
Frame the problem space through the lens of agent identity and consent design, not just fraud detection. The broader pattern aligns with the OWASP Agentic AI Top 10, where tool misuse and prompt injection turn trusted behaviour into unauthorised action. For identity leaders, the governance question is which delegated actions need a hard approval boundary before money moves.
For practitioners
- Bind each commerce agent to a distinct identity: Require the agent to authenticate as itself before any purchase flow, and bind that identity to the delegated user authorisation so merchants can verify who is acting. Treat pass-through user sessions as insufficient for delegated purchasing.
- Scope delegation by category, merchant, amount, and time: Define transaction categories, allow lists, per-transaction limits, per-session limits, and expiry windows. Avoid broad standing authorisations that let an agent roam across merchants or continue shopping after the original task is over.
- Force step-up consent for liability-changing actions: Require explicit user confirmation before purchases, subscriptions, refunds, first-time merchants, or any action that creates a binding commitment. The confirmation should show the exact item, merchant, and amount the agent is about to commit to.
- Build a full delegation-to-transaction audit chain: Capture who delegated, which agent acted, what scope was granted, what items were selected, whether consent was requested, and what the merchant verified. Keep the record durable enough to support chargeback, dispute, and forensic review.
- Treat prompt injection as a commerce control issue: Review agent confirmation flows so a hidden instruction on a product page cannot silently alter the cart without user visibility. Use the consent step to surface changes before checkout completes, especially when agents browse untrusted merchant content.
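The consent-step check from the last item, as an added illustration rather than code from the post: it compares the cart the agent proposes at checkout against the intent the user recorded when delegating, and renders the confirmation so that any merchant, item, or amount the user did not ask for is listed before the exact commitment. A cart changed by content the agent read on a product page therefore shows up as a deviation rather than blending into a normal-looking basket. The merchants, items, and prices are constructed.

```python
from dataclasses import dataclass

# Constructed example data: the user's original instruction, captured when the
# delegation was issued, and the cart the agent proposes at checkout.

@dataclass(frozen=True)
class CartLine:
    merchant: str
    item: str
    qty: int
    unit_price: float

    @property
    def total(self):
        return self.qty * self.unit_price

@dataclass(frozen=True)
class UserIntent:
    merchants: frozenset     # merchants the user named
    items: frozenset         # items the user asked for
    max_total: float         # what the user said they were willing to spend

def cart_diff(intent, cart):
    """Compare the proposed cart with the user's stated intent.

    Returns the lines the user never asked for, the merchants the user never
    named, the cart total, and whether that total exceeds the stated ceiling.
    """
    unexpected_items = [line for line in cart if line.item not in intent.items]
    unexpected_merchants = sorted({line.merchant for line in cart} - intent.merchants)
    total = round(sum(line.total for line in cart), 2)
    return {"unexpected_items": unexpected_items,
            "unexpected_merchants": unexpected_merchants,
            "total": total,
            "over_budget": total > intent.max_total}

def has_deviation(diff):
    """True when the cart differs from what the user asked for in any way."""
    return bool(diff["unexpected_items"] or diff["unexpected_merchants"]
                or diff["over_budget"])

def confirmation_summary(intent, cart):
    """Render the confirmation text the user sees before the purchase binds.

    Deviations come first so a silently altered cart is visible before the
    exact item, merchant, and amount the agent is about to commit to.
    """
    diff = cart_diff(intent, cart)
    lines = []
    if has_deviation(diff):
        lines.append("CHANGES FROM YOUR REQUEST:")
        for line in diff["unexpected_items"]:
            lines.append(f"  + {line.qty} x {line.item} from {line.merchant} "
                         f"({line.total:.2f}) was not in your request")
        for merchant in diff["unexpected_merchants"]:
            lines.append(f"  + merchant {merchant} was not in your request")
        if diff["over_budget"]:
            lines.append(f"  + total {diff['total']:.2f} exceeds your limit "
                         f"of {intent.max_total:.2f}")
    lines.append("You are about to commit to:")
    for line in cart:
        lines.append(f"  {line.qty} x {line.item} from {line.merchant} "
                     f"at {line.unit_price:.2f} each")
    lines.append(f"  Total: {diff['total']:.2f}")
    return "\n".join(lines)

# Constructed sample: a two-item grocery order, then the same cart after the
# agent picked up an extra line from an untrusted page it browsed.
INTENT = UserIntent(frozenset({"freshmart.example"}),
                    frozenset({"oat milk", "coffee beans"}), 30.0)
CLEAN_CART = (CartLine("freshmart.example", "oat milk", 2, 3.50),
              CartLine("freshmart.example", "coffee beans", 1, 12.00))
ALTERED_CART = CLEAN_CART + (CartLine("gadgets.example", "wireless earbuds", 1, 89.00),)

if __name__ == "__main__":
    print(confirmation_summary(INTENT, CLEAN_CART))
    print()
    print(confirmation_summary(INTENT, ALTERED_CART))
```

The comparison is deliberately against the user's recorded intent rather than against the agent's own earlier cart state, since an agent under injection can rewrite its own history but cannot rewrite a record captured at delegation time.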
Key takeaways
- Agentic commerce breaks the old assumption that a valid checkout request is automatically a legitimate human purchase.
- The scale signal is already visible: AI agent abuse is rising fast, and current fraud controls were built for a different threat model.
- Practitioners need agent identity, scoped delegation, explicit consent, and durable audit trails before purchasing workflows scale further.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | AG-02 | Agent identity and tool misuse are central to delegated commerce fraud. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Delegated payment tokens and scoped access map directly to NHI credential governance. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust requires continuous verification of the acting identity and transaction context. |
Bind every agent purchase flow to a distinct identity and enforce explicit approval on liability-changing actions.
Key terms
- Agent Identity: The separately authenticated identity assigned to an AI agent or automated actor so systems can distinguish it from the human user behind the task. In commerce, this identity must be verifiable on every transaction and linked to a specific delegation, otherwise the agent inherits trust it has not earned.
- Scoped Delegation: A bounded set of permissions that defines what an agent may do, where it may do it, and for how long. In agentic commerce, scope should cover purchase category, merchant, amount, and expiry so the delegation remains limited to the intended task.
- Step-up Consent: An explicit approval step required before an agent completes a higher-risk action. For purchasing workflows, it is the control that forces the user to confirm the exact item, merchant, and amount before the transaction becomes binding.
- Transaction Audit Trail: A durable record that ties delegated authority to actual actions taken during a transaction. It should capture who delegated, which agent acted, what scope was granted, what was purchased, whether consent was requested, and what the merchant verified.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
This post draws on content published by WorkOS: How to secure agentic commerce transactions. Read the original.
Published by the NHIMG editorial team on 2026-06-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org