TL;DR: AI is changing how consumers discover and evaluate products, but trust still limits deeper adoption at Shoptalk 2026, according to Signifyd. 49% use AI as a research assistant, 17% of product searches start with AI, and 80% of consumers distrust AI-driven outputs. The retail funnel is compressing, not disappearing, and visibility now depends on being selected by AI as well as humans.
At a glance
What this is: This is a retail and trust analysis showing that AI is reshaping product discovery and recommendation, while consumer purchasing still remains human-led and trust-constrained.
Why it matters: It matters to IAM, fraud, and identity teams because AI-mediated commerce changes how identity signals, trust decisions, and abuse controls must work across shoppers, accounts, bots, and delegated agents.
By the numbers:
- 49% of consumers use AI as a research assistant, but only 14% use it as a decision maker.
- 17% of product searches now start with AI assistance, while 27% still rely on traditional search engines.
- 69% of purchases still happen on retailer websites, and only ~10% happen directly through AI interfaces.
- 80% of consumers express distrust in AI-driven outputs.
👉 Read Signifyd's analysis of Shoptalk 2026, AI-assisted commerce, and trust
Context
AI-assisted commerce is the practical middle ground between traditional search and fully autonomous purchasing. The core issue is not whether AI can recommend products, but whether consumers and brands trust those recommendations enough to change how discovery, validation, and checkout happen.
That trust problem has direct identity implications. As commerce becomes AI-mediated, the signals that determine who or what is acting, what data is being used, and whether a recommendation can be trusted become part of the control plane for fraud prevention, account security, and delegated access governance.
Key questions
Q: How should organisations govern AI-assisted shopping journeys?
A: Organisations should define where AI can assist, where it can recommend, and where it can act on behalf of a user. The key is to separate assistance from authority, then log consent, scope, and audit evidence so delegated activity can be reviewed and challenged when needed.
Q: Why does AI-mediated commerce create identity risk?
A: AI-mediated commerce creates identity risk because the system may influence or carry out actions without a clear human present at every step. That blurs who authorised the action, what data the assistant used, and whether the resulting decision should be trusted as legitimate.
Q: What do security teams get wrong about AI visibility in commerce?
A: Teams often treat AI visibility as a marketing or search issue, when it is also a trust and governance problem. If a model cannot reliably interpret legitimate signals, it may prioritise manipulated, synthetic, or incomplete inputs and distort who gets seen or selected.
Q: Who is accountable when an AI assistant influences a bad purchase or fraud event?
A: Accountability should remain with the organisation that set the policy, exposed the data, and allowed the delegated workflow to operate. Human oversight does not disappear just because an AI assistant shaped the journey, so governance, fraud, and customer teams need a shared control model.
Technical breakdown
Hybrid discovery models and AI-assisted shopping
AI-assisted shopping sits between human search and autonomous purchasing. Consumers use AI to summarise options, compare products, and narrow choices, but most still validate before buying. That creates a hybrid discovery layer where the AI system influences the path to purchase without fully owning the decision. For security and trust teams, that matters because the influencing layer can be manipulated even when the transaction layer remains human-controlled. The result is a new exposure surface for misinformation, brand impersonation, and recommendation abuse.
Practical implication: monitor the signals that feed AI recommendation paths, not just the checkout and payment steps.
AI visibility, recommendation systems, and trust signals
AI visibility is becoming a competitive variable because models and assistants surface brands based on structured data, third-party validation, and contextual content. In practice, recommendation systems act as selection filters, not just search helpers. If a brand cannot be understood or trusted by the AI layer, it may never enter the consumer decision set. That same logic applies to identity and fraud controls: systems must be able to distinguish legitimate content, legitimate actors, and legitimate delegation from synthetic or manipulated inputs.
Practical implication: treat structured data, content authenticity, and source validation as governance inputs to digital trust.
Agentic commerce and delegated identity risk
Agentic commerce introduces a delegated identity problem. When AI systems make or assist decisions on behalf of people, organisations need to know what authority the agent has, what data it can access, and how its actions are bounded. That is an identity governance issue, not just a user experience shift. Delegated commerce can quickly blur the line between shopper intent, platform automation, and account abuse if organisations cannot distinguish authorised assistance from unauthorised automation.
Practical implication: define explicit policy for AI-assisted actions, including consent, scope, and auditability.
Threat narrative
Attacker objective: The objective is to steer purchasing decisions, capture traffic or transactions, and exploit trust in AI-mediated discovery before the consumer or control system can validate the source.
- Entry occurs when AI-enabled discovery channels are manipulated with misleading content, synthetic reviews, or impersonated brand signals that influence what shoppers see first.
- Escalation happens when automated assistants amplify those signals, narrowing consumer choice before verification steps can catch the distortion.
- Impact follows when trust is misplaced at scale, leading to fraud, diversion of demand, or customer account abuse through AI-mediated interactions.
NHI Mgmt Group analysis
AI-assisted commerce is not autonomous commerce, but it is already an identity governance problem. The article shows that consumers are using AI to research and narrow choices long before they hand over final judgment. That means the trust boundary is shifting upstream, where identity, content authenticity, and recommendation integrity all matter. Practitioners should treat AI-mediated discovery as a governed access path, not a marketing feature.
Trust is becoming the new control surface for digital commerce. When 80% of consumers distrust AI-driven outputs, the issue is not simply adoption speed. It is whether the ecosystem can prove source integrity, validate recommendations, and distinguish genuine assistance from manipulation. For identity leaders, that makes provenance, delegated authority, and anti-impersonation controls part of the commerce trust stack.
AI visibility creates a new version of identity exposure: being selectable is now as important as being discoverable. Brands that cannot be interpreted correctly by AI systems are effectively absent from the decision set, even if they remain visible in traditional search. This creates a governance gap around structured content, authoritative signals, and content verification. The practitioner takeaway is clear: identity and fraud controls now sit alongside content and data governance.
Agentic commerce will expand unevenly, so governance must focus on high-risk decision paths first. Routine replenishment and low-risk purchases will be easier to automate than high-consideration transactions. That means security teams should prioritise delegated account controls, transaction verification, and abuse detection where automation could create real loss. The field will not converge on full autonomy quickly, so hybrid controls remain the practical baseline.
What this signals
AI-assisted commerce will force identity programmes to think beyond login and checkout. When recommendation engines and assistants shape the path to purchase, the governance problem becomes who or what is authorised to influence the transaction. That pushes identity, fraud, and customer trust controls closer together than many programmes currently allow.
The operational signal is that delegated decision-making will expand faster than fully autonomous purchase execution. Teams should therefore focus on auditability, consent boundaries, and source provenance now, before AI assistants become embedded in higher-risk account and transaction flows.
The broader programme implication is that commerce trust will increasingly depend on evidence of legitimate delegation, not just authentication. That is where IAM, fraud, and data governance start to overlap in a way that warrants common policy and shared telemetry.
For practitioners
- Define policy for AI-assisted purchasing flows Map where AI can assist, recommend, or act, and require explicit consent, scope limits, and audit logging for each step in the buyer journey.
- Validate the provenance of recommendation inputs Review structured data, reviews, merchant feeds, and external signals that influence AI discovery so manipulated or impersonated sources do not shape purchase decisions.
- Separate human intent from delegated automation Apply identity and access rules that distinguish a shopper acting directly from an assistant acting on their behalf, especially for account changes and checkout actions.
- Strengthen fraud controls around AI-mediated journeys Add detection for abnormal recommendation loops, synthetic content, and account takeover patterns in the discovery-to-checkout path.
Key takeaways
- AI-assisted commerce is compressing the retail funnel by changing discovery faster than purchase behaviour, not by removing human judgment.
- Trust remains the constraint: consumers use AI for research, but they still validate outputs before acting, especially in higher-risk decisions.
- For practitioners, the governance task is to control delegated influence, validate source signals, and preserve auditability across AI-mediated journeys.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 address the attack surface, NIST AI RMF and NIST CSF 2.0 set the technical controls, and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agent-assisted purchase flows raise delegated authority and tool-use risks. | |
| NIST AI RMF | GOVERN | Governance is central when AI influences or executes commerce actions. |
| NIST CSF 2.0 | PR.AC-4 | Access control applies when assistants act on behalf of users. |
| GDPR | Art.32 | Personal data used in AI shopping and trust decisions may require security safeguards. |
Assign ownership for AI-mediated journeys and document accountability for delegated actions.
Key terms
- AI-assisted commerce: A shopping model where AI helps consumers search, compare, and narrow choices without fully replacing human judgment. The assistant influences the path to purchase, but the person still validates or completes the decision, which creates a hybrid trust and governance problem.
- Delegated identity: A situation where software acts on a person’s behalf with some level of authority to access data, recommend actions, or complete tasks. In commerce, this creates a need to define scope, consent, and auditability so the assistant’s behaviour remains bounded and attributable.
- Recommendation integrity: The reliability of the inputs and signals that drive an AI system’s suggestions. It depends on trustworthy content, authentic sources, and defensible validation so the model does not amplify manipulated, synthetic, or misleading information into a business decision.
What's in the full article
Signifyd's full post covers the operational detail this post intentionally leaves for the source:
- The underlying Shoptalk session references and speaker context behind the AI-assisted commerce findings.
- The full set of consumer behaviour comparisons across discovery, validation, and purchase channels.
- The commerce visibility observations that show how on-site and off-site signals affect AI selection.
- The broader fraud and returns context that sits behind the retail trust discussion.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and agentic AI identity. It helps security practitioners build the control foundation for delegated access, auditability, and lifecycle governance across modern identity programmes.
Published by the NHIMG editorial team on 2026-03-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org