TL;DR: 61.5% of consumers have used AI for product discovery, yet 55.0% are not comfortable letting AI agents buy on their behalf and 50.8% assign responsibility for unauthorized purchases to the AI platform, according to Riskified’s Q1 2026 Agentic Commerce Pulse. The data shows agentic commerce is advancing faster than trust, authentication expectations, and accountability models.
At a glance
What this is: Riskified’s latest survey shows consumers are using AI across shopping journeys, but trust, fraud concerns, and liability expectations are limiting autonomous purchasing.
Why it matters: For IAM and fraud teams, the issue is not AI discovery but who, or what, is authorised to act, how transactions are verified, and where accountability sits when an agent spends on a user’s behalf.
By the numbers:
- 61.5% of consumers have used AI tools for product discovery and recommendations
- 55.0% are not comfortable with AI agents making purchases on their behalf
- 73.9% expect strong safeguards such as biometric or one-time password authentication
- 50.8% believe AI platforms should be responsible for unauthorized purchases
👉 Read Riskified's survey on trust, fraud, and accountability in agentic commerce
Context
Agentic commerce moves AI from recommendation into execution, which changes the control problem from browsing assistance to authority over transactions. The first question is no longer whether a shopper uses AI, but how the system proves intent, limits spending, and records who approved the action.
For identity and fraud programmes, this is a governance problem as much as a customer experience problem. Consumer hesitation shows that autonomous shopping still lacks a stable trust model for authentication, liability, and step-up verification, and that makes the boundary between digital identity and fraud prevention more visible than ever.
Key questions
Q: How should security teams govern AI agents that browse and transact on behalf of users?
A: Security teams should govern AI agents as delegated actors with narrow, task-scoped permissions, not as enhanced browsers. The right model is to bind access to the specific action being performed, preserve auditability at the transaction layer, and separate machine identity from the human principal wherever possible.
Q: Why do AI shopping agents create accountability problems for merchants and platforms?
A: Because the person who benefits from the purchase, the platform that executed it, and the merchant that accepted it may all be different parties. Without clear delegation records, no one can easily prove whether the action was intended, authorised, or erroneous. That makes accountability a design issue, not a post-incident debate.
Q: What do organisations get wrong about biometric verification in agentic commerce?
A: They often treat biometrics as a blanket trust signal rather than a step-up control for specific risky actions. In agentic commerce, biometrics should verify presence and intent at the point of purchase, not replace policy limits or audit logging. Strong verification still needs constrained delegation behind it.
Q: Who is accountable when AI-assisted purchases lead to chargebacks or abuse?
A: The merchant remains accountable for most downstream business impact, including chargebacks, refunds, support costs, and inventory loss, unless the payment rail or wallet contract explicitly shifts liability. That means merchants, fraud leaders, and platform owners need governance controls before enabling agentic commerce at scale.
Technical breakdown
Why agentic commerce changes transaction authorisation
Agentic commerce introduces a software intermediary that can interpret a user’s intent, select items, and complete actions with limited or no human intervention. That breaks the old assumption that each purchase is directly initiated by a person in a single session. The technical challenge is not only authentication, but delegated authority, session scope, and evidencing consent at the point of execution. In practice, the control plane must distinguish discovery from purchase, and policy must define what an AI agent can do without creating an open-ended authority channel.
Practical implication: teams need explicit policy boundaries for agent-assisted buying, not just stronger login controls.
Why biometric and one-time password checks matter here
Biometric verification and one-time passwords are both forms of step-up authentication, but they serve slightly different purposes. Biometric checks can bind a transaction to a human presence, while OTPs provide a short-lived proof that the user is available at the moment of approval. In agentic commerce, these controls are less about stopping all automation and more about proving that the consumer intended a specific high-risk purchase. Without that proof, liability disputes become harder to resolve and fraud controls lose auditability.
Practical implication: use step-up verification for high-value or unusual purchases where delegated action needs human confirmation.
Accountability becomes a control design issue
When consumers say the AI platform should be responsible for unauthorized purchases, they are describing a gap between technical execution and business accountability. That gap matters because the entity that operates the model, the merchant that accepts the order, and the identity provider that vouches for the session may all hold part of the risk. Good design therefore needs traceable decision logs, clear delegation boundaries, and transaction records that can support post-incident review. This is where identity governance intersects with fraud operations and legal accountability.
Practical implication: retain verifiable transaction evidence so liability can be traced across platforms, merchants, and identity providers.
Threat narrative
Attacker objective: The attacker objective is to complete an unauthorised or deceptive purchase while making the transaction look like a legitimate AI-driven action.
- Entry occurs when a consumer authorises an AI shopping assistant to browse or act on their behalf inside a commerce workflow. Escalation happens when that assistant is allowed to progress from recommendation to checkout without fresh human confirmation. Impact follows when fraud, erroneous purchase, or disputed liability occurs because the transaction trail does not clearly prove intent or delegation scope.
NHI Mgmt Group analysis
Agentic commerce creates an identity and liability boundary problem, not just a payment problem. Once an AI system can complete a purchase, the programme must decide whether the actor is the human, the platform, or the merchant flow. That distinction matters because fraud controls, consent capture, and post-incident accountability all depend on it. The practical conclusion is that commerce teams need explicit delegation policy, not just stronger checkout security.
Consumer reluctance is a useful signal that trust frameworks have not caught up with automation. The survey shows people will use AI for discovery faster than they will delegate execution. That asymmetry is predictable because discovery has low consequence while purchase carries financial and legal exposure. Practitioners should treat this as evidence that transaction-level assurance must be built separately from conversational AI adoption.
Agentic shopping should be governed like a high-risk identity transaction with fraud controls attached. The more autonomous the shopping flow becomes, the more it resembles a privileged workflow with narrow approval rules and traceable evidence. That makes identity verification, transaction logging, and responsibility mapping central rather than optional. The field should stop treating AI shopping as a UX feature and start treating it as a governed authority model.
OWASP-style agent risk thinking belongs in commerce because the failure mode is delegated misuse. The risk is not only prompt manipulation or model error, but an agent acting within an authority envelope that the consumer did not fully understand. That places this topic at the intersection of identity, fraud, and AI governance. Practitioners should design for constrained delegation and auditable consent from the start.
What this signals
Agentic commerce will force security teams to separate identity assurance from transaction assurance. Authentication proves who is present, but it does not by itself prove what an AI agent is authorised to buy. That means programme owners need a clearer model for delegated consent, especially where a consumer and an AI system share the same workflow.
Static credentials are a poor fit for AI-enabled buying because the risk is not only access, but unsupervised execution. Our research shows 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments. For commerce teams, the practical next step is to combine policy-bound delegation with stronger verification and evidence retention.
Fraud, IAM, and product teams will need a common control language for agentic checkout. Without it, each team will solve part of the problem while leaving the accountability gap untouched. The most resilient programmes will treat delegated shopping as a governed workflow, with clear approval thresholds and audit-ready transaction records.
For practitioners
- Define explicit agent purchase boundaries Set hard policy for what an AI shopping assistant can do, including spend limits, merchant categories, and whether checkout can proceed without human confirmation. Tie those rules to transaction context rather than broad account permissions.
- Require step-up verification for high-risk transactions Use biometric verification or one-time passwords when an AI-driven flow moves from discovery to checkout, especially for first-time merchants, unusual basket values, or changed delivery destinations.
- Log delegated intent and approval evidence Capture which identity initiated the task, which system executed it, what approvals were present, and whether a human confirmation was recorded before submission. Keep that evidence available for dispute handling and fraud review.
- Align fraud and IAM ownership Map responsibility across identity, fraud, product, and legal teams so unauthorized purchases have a clear containment and claims process. This is especially important when AI platforms, not just merchants, are part of the purchase path.
Key takeaways
- Agentic commerce creates a new trust problem because AI can move from recommendation to execution without a human at every step.
- Consumers are already using AI for discovery, but most still want strong safeguards and clear liability boundaries before they hand over purchase control.
- The control answer is not broader automation, but constrained delegation, step-up verification, and transaction evidence that can withstand dispute review.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 address the attack surface, NIST AI RMF, NIST SP 800-63 and NIST CSF 2.0 set the technical controls, and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | NHI-08 | Agent misuse and delegated action risks map closely to agentic commerce. |
| NIST AI RMF | GOVERN | AI governance is central where an agent can act on behalf of a consumer. |
| NIST SP 800-63 | SP 800-63B | Transaction step-up verification depends on authenticating the user at the point of risk. |
| NIST CSF 2.0 | PR.AC-1 | The article centres on who is authorised to act within commerce workflows. |
| GDPR | Art.32 | Security of processing matters where personal data and payment decisions intersect. |
Protect personal and transaction data with controls that support confidentiality, integrity, and accountability.
Key terms
- Agentic Commerce: Agentic commerce is a buying and transaction model where software agents act on behalf of a person. The identity challenge is not just proving who owns the account, but constraining what the agent may do, for how long, and under what revocation and audit rules.
- Delegated Agent Authority: The permission granted to an AI agent to act on behalf of a human user or another agent, inheriting some or all of their access rights. Delegated authority must be explicitly scoped, time-limited, and auditable.
- Step-Up Verification: Step-up verification is a stronger identity check applied when risk increases, such as during password reset, device change, or privileged access request. It uses higher-assurance signals than a static question, such as device possession, authenticated context, or approved administrative review.
- Transaction Evidence: Transaction evidence is the record showing what action occurred, why it was allowed, and which policy conditions were met at the time. It is more than a log entry. It is the audit-friendly proof layer that helps identity teams defend exceptions, delegated approvals, and automated decisions.
What's in the full report
Riskified's full article covers the operational detail this post intentionally leaves for the source:
- Question wording and survey segmentation across U.S. and U.K. consumers, useful for comparing market expectations.
- Full breakdown of consumer preferences for AI tools, retailer sites, and opting out of agentic commerce.
- The survey methodology behind the 2,000 respondent sample, including purchase recency and demographic framing.
- Riskified's discussion of merchant implications for fraud prevention and account liability.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity in practical terms. It is designed for practitioners who need to apply identity controls across modern digital systems and emerging agent-driven workflows.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org