TL;DR: Digital assets are changing payments, tokenized assets, and compliance models in financial services, with Chainalysis framing the shift around stablecoins, real-world asset tokenization, and agentic payments. The governance challenge is no longer whether institutions can participate, but whether identity, authorization, and risk controls can keep pace with new transaction models.
At a glance
What this is: This is a Chainalysis report preview on how digital assets are changing financial infrastructure, with a focus on payments, tokenization, agentic payments, tokenomics, and compliance.
Why it matters: It matters because financial institutions now need governance that spans transaction risk, identity assurance, and control design across both traditional and on-chain systems.
👉 Read Chainalysis' report on digital assets reshaping financial infrastructure
Context
Digital assets are no longer a side-channel to finance, they are increasingly part of the operating model for payments, settlement, and asset transfer. The governance gap is that institutions often still treat these as product questions when they are really control questions about authorization, compliance, and accountability. For teams responsible for IAM, PAM, and fraud oversight, the identity question becomes more complex when software is allowed to initiate or execute transactions.
The article’s focus on agentic payments makes the identity bridge explicit. If an AI system can spend on behalf of a user, the institution needs a stronger model for delegation, approval scope, and transaction provenance than conventional user-centric controls provide. That makes this a finance story, but also an identity governance story for non-human and delegated access.
Key questions
Q: How should financial institutions govern AI systems that can spend money on behalf of users?
A: Treat the AI system as a delegated non-human identity with a narrow transaction scope, explicit ownership, and revocation controls. The governance model should define what it may spend, when human approval is required, and how every action is logged. Without those boundaries, agentic payments become an uncontrolled authorization channel rather than a managed capability.
Q: Why do digital asset rails create new identity governance risks?
A: Digital asset rails shift trust from familiar payment intermediaries into wallets, signing mechanisms, and programmable policies. That makes identity, authority, and transaction provenance harder to separate, especially when automation or AI can initiate transfers. If control evidence does not follow the transaction, institutions lose accountability even when the transfer itself is technically valid.
Q: What breaks when payment delegation is not tightly scoped?
A: The main failure mode is authority creep, where a system granted limited spend rights gradually accumulates broader transactional power than intended. In practice, that leads to larger transfers, weaker segregation of duties, and harder revocation. Teams should assume any standing delegation will eventually be overused unless scope and expiry are enforced.
Q: Who is accountable when an AI agent executes a payment incorrectly?
A: Accountability should remain with the business owner of the delegated authority, not with the model itself. Organisations need a recorded approval chain showing who granted the spend right, what policy governed it, and when it can be revoked. That evidence is essential for audit, dispute handling, and regulatory review.
Technical breakdown
Stablecoins and digital payment rails: where authorization changes
Stablecoins can move value quickly across boundaries that were historically controlled by correspondent banking, card networks, or internal transfer logic. The technical shift is not just speed, it is the relocation of trust into wallet controls, smart contract rules, exchange onboarding, and policy layers that sit outside legacy payment authorization paths. That means the security model must account for who can initiate, sign, route, and settle transactions in systems that may not resemble traditional banking rails.
Practical implication: map transaction authority to explicit control points, not to assumed user session trust.
Agentic payments and delegated authority
Agentic payments describe AI systems that are authorised to spend on behalf of users or organisations. That creates a delegated authorization problem, because the actor making the decision is not always the actor holding the economic intent, and the system may chain actions without human review at each step. In identity terms, the AI agent behaves like a non-human delegated identity with transaction scope, limits, and revocation needs. Governance must therefore cover delegation boundaries, spending ceilings, and auditability of every action the agent takes.
Practical implication: treat agentic payment permissions as scoped delegation, with revocation and logging at the transaction layer.
Compliance standards for on-chain finance
Compliance in digital asset environments depends on linking on-chain activity to identity, entitlement, and risk evidence that regulators and internal control teams can trust. On-chain analytics helps, but it does not replace governance over who owns a wallet, who approved a transfer, or which policy allowed a transaction to proceed. Institutions need controls that bind identity assurance to wallet custody, transaction review, and exception handling so that compliance is enforceable rather than retrospective.
Practical implication: align wallet ownership, approval workflows, and monitoring evidence so controls remain auditable end to end.
Threat narrative
Attacker objective: The objective is to move value through trusted digital rails while bypassing the approval and monitoring steps that would normally stop unauthorized transactions.
- Entry occurs when an attacker or rogue workflow gains control over a wallet, payment integration, or delegated agent capable of moving funds.
- Escalation follows when that actor inherits broader transaction scope than intended, allowing repeated or high-value transfers without fresh approval.
- Impact is financial loss, compliance failure, or reputational damage when unauthorized payments are executed at scale through trusted rails.
NHI Mgmt Group analysis
Digital asset governance is becoming an identity problem before it is a payments problem. Once value can move through programmable rails, the critical question is no longer only what the transaction did, but who or what was authorised to make it happen. Financial institutions should treat wallets, signing services, and agentic spend controls as governed identities, not as adjacent technical components.
Agentic payments create a new delegated authority model that conventional IAM does not yet describe cleanly. An AI system that can spend on behalf of a user is not a simple automation script, because it can decide, sequence, and execute actions within a bounded mandate. That means institutions need explicit lifecycle control for delegation, including issuance, scope, monitoring, and revocation. Practitioners should define non-human payment authority as a governed entitlement class.
Compliance in digital asset finance will increasingly depend on provable linkage between identity, wallet control, and transaction intent. On-chain analytics is useful, but it does not answer the accountability question on its own. The governance challenge is to prove why a specific wallet or agent was trusted to transact, under what policy, and with what oversight. Institutions that cannot produce that chain of evidence will struggle to scale participation safely.
Tokenization does not remove control requirements, it redistributes them across a wider trust boundary. Real-world assets, stablecoins, and blockchain-native settlement each shift risk into new places, but none of them eliminate the need for access control, segregation of duties, or exception management. The category is moving toward policy-governed financial automation, and teams should prepare for controls that follow the transaction rather than the platform.
What this signals
Delegated spend authority will force finance teams to adopt non-human identity controls faster than many IAM programmes expect. Once AI systems can initiate value transfer, the old split between application logic and identity governance stops working cleanly. Teams should prepare for entitlement models that treat agentic payments like privileged access, with approval scope, expiry, and traceable ownership.
Transaction provenance will become as important as transaction validity. In digital asset environments, a transfer can be technically correct and still be governance-bad if the underlying authority chain is unclear. That means the operational question shifts from whether the payment cleared to whether the institution can prove who, or what, was allowed to clear it.
Control design should move toward policy-bound financial automation. The programmes that scale safely will be the ones that connect identity lifecycle, entitlement governance, and monitoring across both wallet and enterprise systems. Financial institutions should expect more pressure to show how delegated authority is created, used, reviewed, and withdrawn.
For practitioners
- Define delegated payment identities Classify wallets, signing services, and AI spenders as governed identities with named owners, approval scope, and revocation paths.
- Set transaction-level approval thresholds Require step-up review for high-value, cross-border, or policy-sensitive transfers so that agentic or automated spend cannot silently expand scope.
- Bind wallet control to entitlement records Link each wallet or payment integration to an entitlement registry that records purpose, business owner, and allowed transaction types.
- Audit on-chain and off-chain evidence together Combine on-chain analytics with IAM and PAM evidence so investigators can reconstruct who authorised the transfer and why.
Key takeaways
- Digital assets are changing finance by moving trust into programmable rails, wallets, and delegated systems that need explicit governance.
- Agentic payments introduce a non-human authority problem that conventional user-centric IAM does not fully solve.
- Financial institutions should tie wallet control, approval scope, and audit evidence together before digital asset usage scales further.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST AI RMF, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST AI RMF | GOVERN | Agentic payments require clear governance over delegated AI authority. |
| NIST CSF 2.0 | PR.AC-4 | Transaction and wallet authority depend on least-privilege access management. |
| NIST SP 800-53 Rev 5 | IA-5 | Wallets and signing services rely on secure authenticator management and revocation. |
| ISO/IEC 27001:2022 | A.5.15 | Access control policy is central to delegated spend and wallet governance. |
| GDPR | Relevant only if payment data or identity evidence includes personal data. |
Document who can initiate, approve, and revoke digital-asset transactions under a formal access policy.
Key terms
- Agentic Payments: Payments initiated or executed by an AI system within an authorised mandate. The important governance issue is not automation itself, but whether the system’s decision scope, approval chain, and revocation path are explicit and auditable.
- Delegated Authority: Permission given to a person, service, or AI system to act within defined limits on behalf of another party. In financial systems, delegated authority must be bounded by policy, monitored continuously, and withdrawn cleanly when the business need ends.
- Wallet Governance: The controls that determine who can create, sign, recover, and use digital asset wallets. It combines identity assurance, entitlement management, and audit evidence so the wallet is treated as a governed access point rather than a simple technical container.
- Transaction Provenance: The evidence trail that explains who or what initiated a financial transaction, under what authority, and through which controls. Provenance is essential when AI systems or programmable rails can move value without a traditional human approval step.
What's in the full report
Chainalysis' full report covers the operational detail this post intentionally leaves for the source:
- Specific market analysis on how stablecoins are affecting payment and point-of-sale infrastructure.
- Detailed discussion of real-world assets and the liquidity or access patterns tokenization may unlock.
- Expanded treatment of agentic payments, including how AI-enabled spend changes governance expectations.
- Compliance and risk-management considerations for institutions evaluating digital asset participation at scale.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management. It helps practitioners build the control models needed for delegated authority and non-human access governance.
Published by the NHIMG editorial team on 2026-04-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org