TL;DR: Agentic shopping is moving from experimentation to near-term reality, and the article argues that merchants will face a sharper trade-off between customer control and traffic loss as AI assistants take over more purchasing steps. Riskified also reports LLM-referred traffic as 2.3x riskier in one ticketing example and 1.8x riskier in electronics.
At a glance
What this is: This is an analysis of how AI shopping agents could change ecommerce, with the central finding that fraud signals and merchant control both weaken as purchasing shifts away from direct human interaction.
Why it matters: It matters because fraud teams, identity practitioners, and commerce security leaders may need to govern account access, transaction trust, and delegated purchasing without the behavioral signals traditional controls depend on.
👉 Read Riskified's analysis of agentic commerce and fraud risk
Context
Agentic commerce is the point at which software systems begin making or completing purchases on behalf of people, shifting trust from a visible human session to an automated decision chain. The governance problem is that current fraud and identity controls were built around human behaviour, not delegated purchasing at machine speed, and that creates a new boundary between identity assurance and transaction risk.
Riskified frames this shift through ecommerce, but the wider implication reaches IAM and identity verification teams as well. If AI assistants can act across merchant sites, payment rails, and customer accounts, organisations need to decide how much trust to place in the agent, the account it uses, and the transaction context it produces.
Key questions
Q: How should merchants govern AI shopping agents without losing customer trust?
A: Merchants should treat shopping agents as delegated identities with narrow, explicit permissions. That means separating browsing, carting, payment, and repeat-purchase rights, then enforcing policy at each stage. Customer trust improves when the system can prove which actions were authorised, which were blocked, and which require step-up review before the purchase completes.
Q: Why do AI shopping agents create more fraud risk than normal ecommerce traffic?
A: AI shopping agents remove many of the human behavioural signals that fraud teams depend on, such as browsing rhythm, mouse movement, and device consistency. They can also amplify abuse by repeating high-risk actions across many accounts or merchants. The risk rises because the same legitimate interface can be used at scale with less visible intent.
Q: What breaks when merchants rely on old fraud signals in agentic commerce?
A: Old fraud models break when they assume a human is always the actor behind the session. In agentic commerce, those models can misread legitimate automated purchases as suspicious or miss hostile automation that looks normal at the checkout layer. Merchants need controls that evaluate delegated intent, not just visible user behaviour.
Q: Who is accountable when an AI agent makes an unauthorised purchase?
A: Accountability should be shared across the merchant, the platform exposing the agent workflow, and the organisation that allowed the delegation. The practical test is whether the scope of the agent’s authority was defined, monitored, and revocable. If those controls were absent, responsibility cannot be pushed solely onto downstream fraud detection.
Technical breakdown
Agentic shopping changes the trust boundary in ecommerce
Traditional ecommerce controls assume a human user can be observed through stable signals such as browsing cadence, device fingerprint, and interaction patterns. An AI shopping agent collapses those signals by acting through APIs, browser automation, or delegated purchase flows. That means the trust boundary moves from session behaviour to authorization context, token scope, and merchant-side policy enforcement. In practical terms, the challenge is not just detecting fraud faster. It is deciding which signals still prove legitimate intent when the buyer and the actor are no longer the same thing.
Practical implication: merchants and payment teams need controls that validate delegated intent, not just human behaviour.
Why agent takeovers resemble identity abuse, not only payment fraud
The article’s agent takeover scenario is important because it starts with compromised customer accounts and then uses legitimate commerce features for abuse. That is an identity problem first: stolen credentials, session persistence, and over-trusted account recovery create the conditions for fraudulent purchasing. In machine-mediated commerce, the boundary between account compromise and transaction fraud becomes thinner, because a valid login can still drive harmful automated behaviour. This makes identity assurance, step-up authentication, and session risk analysis central to commerce fraud defence.
Practical implication: account security and fraud teams should share telemetry on anomalous access, not operate in separate queues.
Spend limits and tokenized credentials do not eliminate delegated risk
The article notes that payment networks are working on secure agent-driven transactions with spending limits and tokenized credentials. Those measures reduce exposure, but they do not solve the governance problem of who authorised the agent, what it is allowed to do, and how exceptions are monitored. Tokenization protects the payment instrument, not the full decision chain. For merchants, the real question is how to enforce least privilege for commerce actions, including cart creation, price comparison, coupon use, and checkout completion.
Practical implication: treat agent permissions as a policy problem, not only a payments integration problem.
Threat narrative
Attacker objective: The attacker aims to turn delegated commerce into scalable fraud, reselling, or account abuse while preserving the appearance of legitimate purchasing.
- Entry begins when attackers compromise customer ecommerce accounts or deploy their own shopping agents into commerce workflows.
- Escalation occurs when the agent is allowed to reuse trusted purchase features, merchant sessions, or delegated payment capabilities at scale.
- Impact follows when fraudulent purchases, arbitrage, or multi-merchant abuse are automated faster than traditional behavioural controls can detect.
NHI Mgmt Group analysis
Agentic commerce creates a delegated identity problem before it creates a fraud problem. When a software agent is allowed to research, compare, and purchase on behalf of a user, the organisation must govern the delegated action chain, not just the customer login. That changes the control surface from session authentication to authorization scope, policy enforcement, and accountability for machine-initiated commerce. Practitioners should treat this as a new identity governance boundary, not an incremental ecommerce feature.
Fraud models that depend on human behavioural signals will lose precision as shopping becomes machine-mediated. Device fingerprinting, click-path analysis, and browsing rhythm have value only when human behaviour is still visible. Once agents take over the shopping path, those signals may disappear or become intentionally synthetic, which creates a broader trust gap between identity, intent, and purchase legitimacy. Teams should expect higher false negatives unless they redesign risk decisions around delegated intent and account provenance.
Commerce platforms will need least privilege for shopping actions, not just for payments. Tokenized credentials and spending caps are useful, but they only address the last step in the transaction. The more important governance question is whether an agent can search, compare, subscribe, reorder, or repeat purchases beyond the user’s intended scope. The practitioner conclusion is clear: policy must govern the full commerce workflow, not only checkout.
Agent takeovers collapse fraud prevention and IAM into the same operational problem. If a compromised account can be used by an agent to complete purchases across multiple merchants, then account recovery, session management, step-up authentication, and transaction monitoring all become part of the same control chain. That intersection means fraud teams need identity telemetry and IAM teams need fraud context. Practitioners should align ownership before agentic shopping becomes a production channel.
Agentic commerce exposes a new form of control gap we can call delegated purchase drift. This is the gradual expansion of what an agent is permitted to do, often without a clear human review point after the initial consent. Once drift begins, merchants may not notice until inventory abuse, chargebacks, or customer account misuse appears in the loss data. The practical response is to define explicit action scopes and review triggers before agent-led shopping becomes normal.
What this signals
Delegated purchase drift: the risk is not only that AI agents will buy on behalf of users, but that their permitted scope will expand faster than controls are updated. For identity and fraud programmes, that means the governance model needs revocation, review, and telemetry that can track machine-initiated action chains before loss data appears.
As agentic commerce matures, teams should expect a convergence between fraud operations, IAM, and customer account protection. A merchant that cannot answer who authorised an action, what the agent was allowed to do, and how that authority can be withdrawn will struggle to defend chargebacks, abuse, and disputes.
The policy question is no longer whether AI agents can transact, but whether organisations can prove those transactions stayed inside the intended boundary. That is where delegated authorization, account recovery, and transaction monitoring need to be designed together rather than managed as separate controls.
For practitioners
- Define delegated purchase scopes Limit what shopping agents can do across search, comparison, cart creation, payment initiation, and repeat buying. Keep each action separately permissioned so a delegated session cannot silently expand into broader commerce behaviour. The goal is to make agent authority narrow enough to audit.
- Add identity signals to fraud scoring Blend account provenance, step-up authentication outcomes, and session integrity into transaction risk decisions. Do not rely only on device or click behaviour when an agent may be acting on behalf of the customer.
- Set controls for agent takeover scenarios Detect when a customer account begins behaving like a machine-operated purchasing workflow, especially across multiple merchants or repeated checkout patterns. Tie that detection to account lock, review, or enforced re-authentication before further purchases proceed.
- Separate payment token safety from action safety Treat tokenized credentials as one control layer and the commerce action policy as another. A protected payment token does not prevent abusive carting, account misuse, or automated arbitrage unless the surrounding workflow is constrained.
Key takeaways
- Agentic commerce changes the core trust problem from human shopping behaviour to delegated machine action.
- Riskified’s examples suggest that LLM-referred traffic can be materially riskier, which makes old fraud models less reliable as purchasing shifts to agents.
- Merchants need scoped delegation, stronger identity signals, and explicit review points before agent-led checkout becomes routine.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 set the technical controls, and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agentic shopping creates delegated action and tool-use risks central to this framework. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | Delegated commerce depends on controlled machine identities and scoped credentials. |
| NIST CSF 2.0 | PR.AC-4 | The article hinges on managing access and least privilege for delegated purchasing. |
| GDPR | Art.32 | If shopping agents process personal data, security of processing and access governance apply. |
Assess whether agent workflows protect personal data with appropriate access and accountability controls.
Key terms
- Agentic Commerce: Commerce in which software agents research, compare, and complete purchases on behalf of a user. The governance challenge is that the buyer, the actor, and the authoriser may no longer be the same entity, which changes how trust and accountability must be enforced.
- Delegated Identity: A delegated identity is a permissioned representation of a user or system that can act within a defined scope. In agentic commerce, it should carry explicit limits, revocation paths, and auditability so the delegate cannot expand its authority without detection.
- Delegated Purchase Drift: Delegated purchase drift is the gradual expansion of what an AI shopping agent can do beyond the original user intent. It often appears when permissions are left broad, review points are missing, or transaction monitoring focuses on outcomes rather than authorised scope.
What's in the full article
Riskified's full analysis covers the operational detail this post intentionally leaves for the source:
- Traffic and risk examples by merchant segment, including the transaction patterns behind the 2.3x and 1.8x figures.
- The fraud vectors the vendor expects to emerge as agents become more common, including account takeover and automated arbitrage.
- How Riskified suggests merchants adapt operationally as agent-driven shopping becomes a real channel.
- The vendor's discussion of how risk teams can think about policy, loss prevention, and customer experience together.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and machine identity security. It helps security and identity practitioners build the control thinking needed when delegated systems start acting on behalf of users.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org