TL;DR: Agentic commerce can let shoppers buy through chat interfaces while merchants receive only basic transaction data, reducing fraud visibility and shifting liability to the merchant even when the customer never visits the store, according to Riskified. The control problem is not just fraud detection but preserving enough identity and device context to make defensible approvals in an agent-mediated checkout flow.
At a glance
What this is: Agentic commerce moves purchasing into chat interfaces and leaves merchants with less transaction context, which raises fraud, chargeback, and abuse risk.
Why it matters: IAM, fraud, and identity teams need to understand how delegated shopping flows weaken traditional trust signals, because decisions now depend on the identity and behaviour of the human, the account, and the AI-mediated channel.
By the numbers:
- According to a recent Riskified survey, shoppers are embracing AI assistants like ChatGPT for product ideas (45%), to summarize reviews (37%), and to compare prices (32%).
- This photo showing a wall of 1,250 smartphones running scams at one facility in Cambodia illustrates how organized fraud can be operationalized at scale.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
👉 Read Riskified’s analysis of fraud and policy abuse in agentic commerce
Context
Agentic commerce is a shopping model where an AI assistant can help select products, query merchant catalogs, and complete checkout inside the conversation. The security problem is that the merchant receives less identity, device, and behavioural context than in a normal web or app purchase, while the fraud and chargeback liability does not disappear.
For IAM and fraud teams, the issue sits at the boundary between identity verification, delegated access, and payment risk. The identity of the buyer may be uncertain, the account may be compromised, and the AI channel may hide signals that would normally support step-up checks or trust scoring. That makes agent-mediated commerce a governance problem, not just a checkout feature problem.
Riskified frames this as a merchant exposure issue, and that starting position is typical for the category: the operational pain lands with the retailer even when the abuse starts elsewhere.
Key questions
Q: What breaks when agentic commerce does not provide enough identity context?
A: The merchant loses the evidence needed to distinguish legitimate shoppers from compromised accounts, stolen payment credentials, and coordinated abuse. That weakens fraud scoring, makes chargebacks harder to contest, and shifts liability onto the seller even when the customer never directly visited the store. In practice, low-context approval becomes a loss amplifier.
Q: Why do AI-mediated checkout flows increase fraud and policy abuse risk?
A: Because they reduce the merchant’s visibility into the buyer while preserving enough payment validity to pass authorization. That makes account takeover, stolen-card use, reseller automation, and buyer remorse harder to separate. The more seamless the assistant-led purchase path becomes, the easier it is for abuse to look like normal commerce.
Q: What do security and fraud teams get wrong about valid payment tokens?
A: They often treat a valid token or approved wallet transaction as proof of trustworthy intent. In agentic commerce, that is not enough. A valid payment method only proves that the transaction cleared, not that the initiating actor was authorized, non-compromised, or aligned with merchant policy. Attribution still matters.
Q: Who is accountable when AI-assisted purchases lead to chargebacks or abuse?
A: The merchant remains accountable for most downstream business impact, including chargebacks, refunds, support costs, and inventory loss, unless the payment rail or wallet contract explicitly shifts liability. That means merchants, fraud leaders, and platform owners need governance controls before enabling agentic commerce at scale.
Technical breakdown
How agentic commerce changes checkout trust signals
In a standard ecommerce flow, fraud teams use device fingerprinting, account history, shipping consistency, behavioural signals, and sometimes step-up authentication to assess risk. Agentic commerce compresses that evidence set. The AI assistant may ask clarifying questions and submit a valid token or payment credential, but the merchant can lose the richer context that normally links a purchase to a specific user session. That weakens velocity checks, anomaly scoring, and dispute defence. The core change is not the payment rail itself, but the reduction in identity assurance at the point of authorization.
Practical implication: merchants need risk models that score agent-mediated transactions with explicit uncertainty, not legacy web-checkout assumptions.
Why account takeover and stolen payment credentials become harder to separate
Agent-mediated shopping blurs three cases that fraud teams normally distinguish: a legitimate user, a compromised account, and a fraudster using stolen payment data. A valid token or approved payment method does not prove the buyer is authorized if the upstream account or channel was hijacked. That is why the merchant may approve the order and still face chargebacks, refunds, support costs, and inventory loss. In identity terms, the challenge is attribution. The channel can validate the transaction while failing to validate the actor behind it.
Practical implication: map agentic checkout events to the identity evidence needed for post-transaction disputes and investigation.
Policy abuse and reseller automation use the same access path
The article also points to policy abuse, where resellers create multiple AI-assisted accounts to buy at scale, often without classic fraud indicators. This is not always theft, but it is still a governance problem because the merchant loses control over who can purchase, how much, and under what constraints. In practice, the same low-friction flow that improves conversion can also industrialise over-purchasing, claims abuse, and inventory distortion. The merchant is left with weaker enforcement at checkout and more pressure on post-purchase controls.
Practical implication: add policy enforcement and abuse controls to agentic commerce reviews, not only fraud scoring.
Threat narrative
Attacker objective: The attacker objective is to convert low-context, AI-mediated checkout into scalable financial abuse while shifting detection and liability onto the merchant.
- Entry begins when a shopper uses an AI assistant to browse and initiate a purchase inside the chat interface, often with reduced merchant-side context.
- Escalation occurs when attackers exploit compromised accounts, stolen cards, or automation to submit valid-looking transactions that bypass normal fraud confidence signals.
- Impact is chargebacks, refund abuse, inventory loss, and support overhead that the merchant must absorb even when the buyer never directly visited the store.
NHI Mgmt Group analysis
Agentic commerce creates an identity deficit at the point of payment: the merchant can receive a valid transaction while losing the behavioural and device context needed to judge who is actually buying. That breaks a long-standing fraud assumption that authorization context and purchaser context can be correlated. For IAM and fraud programmes, the consequence is that identity confidence must extend across delegated shopping flows, not stop at account login. Practitioners should treat the checkout channel as part of identity governance.
Agent-mediated purchase flows amplify the gap between authentication and attribution: a successful token or wallet authorization does not prove the initiating actor is trustworthy, especially when the account or device may already be compromised. This is where fraud, IAM, and identity verification overlap. The merchant needs a defensible model for linking the human user, the AI-assisted session, and the payment event. Practitioners should build investigation-ready evidence chains before abuse volumes increase.
Policy abuse is the named concept this market is underestimating: agentic commerce does not only enable fraud, it also enables industrial-scale circumvention of merchant policies around quantity, eligibility, and resale. That matters because abuse may look legitimate at the payment layer while still distorting inventory and customer trust. The right governance lens is not only loss prevention but access control over who can buy what, when, and through which mediated channel. Practitioners should extend policy controls into agent-facing purchase paths.
Fraud teams will need identity-aware control points before merchants can trust AI-mediated checkout: the article shows that the commerce layer can become a low-data, high-volume abuse surface. That means identity proofing, account risk, device intelligence, and post-purchase dispute evidence need to be designed together. The longer merchants rely on the checkout token alone, the more they subsidize attacker economics. Practitioners should assume the trust boundary has moved into the conversation itself.
AI assistants are becoming part of the commerce identity stack, whether merchants planned for that or not: once a shopper delegates discovery and purchase to an agent, the merchant is no longer evaluating a simple human session. That introduces governance questions about delegated authority, session provenance, and the minimum evidence required to approve an order. For identity and fraud leaders, this is an early signal that agentic commerce will demand new controls rather than just more tuning of existing ones. Practitioners should plan for delegated identity in commerce workflows.
What this signals
Identity context is becoming a commerce control, not just a security signal. As AI-assisted checkout grows, merchants will need to prove who initiated a purchase, which data the assistant used, and whether the order was consistent with policy. That pushes fraud and IAM teams toward delegated identity governance, especially where a human account, an AI assistant, and a payment instrument are all part of the same transaction.
Agentic commerce will reward organisations that can keep evidence, not just block bad orders. Post-transaction disputes, refund abuse, and reseller activity are all easier to manage when the merchant retains session provenance and behavioural context. In governance terms, the control objective is defensible attribution, not only approval rates.
Fraud and identity programmes should expect the boundary between checkout and access control to keep narrowing. The assistant is not just a user interface, it is a decision layer that can obscure or amplify risk. Merchant teams that treat this as a pure payments issue will miss the identity governance implications that determine long-term loss rates.
For practitioners
- Define a separate risk model for agentic checkout Classify AI-mediated purchases separately from standard web and app orders, then weight device, velocity, account age, and shipping consistency more heavily because conversational flows provide less behavioural context.
- Require upstream identity evidence for dispute defence Preserve the session, account, device, and payment evidence needed to distinguish legitimate shoppers from compromised or fraudulent actors after chargeback claims arrive.
- Add policy abuse checks to commerce workflows Monitor for reseller-style behaviour, repeated low-value basket creation, unusual quantities, and clustered shipping patterns that indicate automated policy circumvention rather than classic payment fraud.
- Push for richer data sharing in agentic commerce Insist that platforms expose end-user IP, device, behavioural, and session signals so merchant-side fraud controls can operate with enough context to make defensible decisions.
- Align fraud, IAM, and customer support evidence Create a shared playbook so identity evidence collected at checkout can support fraud review, refunds, and escalation handling without duplicating manual investigation work.
Key takeaways
- Agentic commerce changes who bears the risk because merchants can lose identity context while still receiving a valid payment event.
- The scale problem is real: AI-assisted shopping is already mainstream, and organized fraud can industrialise it faster than manual review can keep up.
- Merchants need identity-aware fraud controls, policy enforcement, and better evidence retention before delegated shopping becomes a default channel.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Agentic checkout depends on how identities are authenticated and authorised. |
| NIST SP 800-53 Rev 5 | IA-2 | Identity verification at checkout maps to authentication strength and assurance. |
| NIST AI RMF | GOVERN | AI-mediated commerce needs clear accountability for delegated decisions and abuse handling. |
Review agent-mediated purchase flows against PR.AC-1 and require stronger evidence before approval.
Key terms
- Agentic Commerce: A shopping model where an AI assistant can discover products, interact with merchant systems, and complete transactions on behalf of a user. The security challenge is that the merchant often receives less identity and behavioural context than in a normal checkout, which weakens fraud assessment and dispute attribution.
- Policy Abuse: The misuse of a legitimate transaction flow to bypass merchant rules around quantity, eligibility, resale, refunds, or claims handling. It may not always be fraud in the narrow sense, but it still creates governance risk because the merchant loses control over how buying privileges are exercised.
- Attribution: The ability to link a transaction or action to the real actor behind it. In agent-mediated commerce, attribution matters because a valid payment token or account login does not necessarily prove who initiated the purchase or whether the session was compromised.
- Chargeback Liability: The financial responsibility a merchant carries when a card transaction is disputed and reversed. In AI-mediated commerce, this liability can remain with the merchant even when the purchase happened through a third-party assistant and the merchant had limited visibility into the buyer’s identity.
What's in the full article
Riskified's full article covers the operational detail this post intentionally leaves for the source:
- Merchant-side fraud response considerations for agentic commerce and chargeback exposure.
- How data-sharing gaps affect order review, dispute handling, and abuse prevention.
- The practical implications of policy abuse, reseller behaviour, and refund exploitation in AI-assisted checkout.
- Why fraud teams may need to change escalation and review workflows as agent-mediated commerce expands.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity through a practitioner lens. It helps security and identity teams connect delegated access patterns to the controls that keep programmes defensible.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org