TL;DR: FIDO’s new AP2 and Verifiable Intent standards define how AI agents can act within cryptographic limits, but they leave the root identity question unresolved: how to verify the human and business behind the delegation chain, according to Prove Identity. Without that anchor, agentic commerce becomes a trust problem disguised as a protocol problem.
At a glance
What this is: This is an analysis of FIDO’s agentic commerce standards work and its central gap: protocol-level delegation is not the same as verified identity.
Why it matters: Identity, IAM, and fraud teams need to understand that agent permissions, payment authority, and trust registries are governance problems, not just protocol details.
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
👉 Read Prove Identity's analysis of FIDO's agentic commerce blueprint
Context
Agentic commerce depends on more than a cryptographic permission chain. FIDO’s AP2 and Verifiable Intent work clarifies how an AI agent can be authorised to act within spend limits, merchant boundaries, and time windows, but the model still depends on a trustworthy identity at the start of that chain.
For identity programmes, the unresolved problem is not whether an agent can be constrained. It is whether the person, business, and delegation record behind that agent can be verified well enough for transactions, disputes, and audit trails to hold up across the full lifecycle.
That makes this topic relevant to both human identity and non-human identity governance. The agent is the executor, but the trust anchor, liability chain, and assurance model are still identity problems, and they now sit at the centre of emerging commerce infrastructure.
Key questions
Q: How should security teams govern AI agents that transact on behalf of users?
A: Security teams should govern AI agents as delegated actors whose permissions, consent, and evidence must be traceable from issuance to revocation. The key is not only limiting what the agent can do, but proving who it acts for, what authority exists, and what records will support audit or dispute resolution.
Q: Why do agentic commerce systems still need strong identity verification?
A: Because a cryptographically valid delegation chain does not prove that the human or business at the root is genuine. Without strong identity verification, the agent can faithfully execute actions for a synthetic or fraudulently claimed identity, which turns the protocol into a laundering mechanism for bad actors.
Q: What breaks when trust registries are missing in agentic commerce?
A: Without trust registries, relying parties cannot quickly determine whether a delegated identity is current, verified, and permitted. That usually leads to manual review, inconsistent approvals, and weaker fraud response, especially when agent volume rises faster than human operations can keep up.
Q: Who is accountable when an AI agent makes an unauthorised purchase?
A: Accountability depends on the consent record, the verification strength of the root identity, and the evidence retained across the delegation chain. If those controls are weak, liability becomes harder to assign because the transaction may appear valid even when the underlying identity or authority was compromised.
Technical breakdown
Delegation chains in agentic commerce
AP2 and Verifiable Intent define a structured delegation chain. A trusted issuer vouches for a user, the user authorises an agent, and the agent operates within defined limits such as spend ceilings and approved merchants. That is useful because it turns a vague “let my AI handle it” instruction into a verifiable control model. But the control model only works if the root credential and delegation context are trustworthy. Cryptography can prove sequence and integrity, but not the legitimacy of the identity claims that began the sequence. Practical implication: identity teams must treat delegation as a governed lifecycle, not a one-time authentication event.
Practical implication: treat delegation as a governed lifecycle, not a one-time authentication event.
Why the trust anchor matters more than the protocol shape
The article’s core limitation is that protocol shape is not the same as identity proof. AP2 and VI can specify what an agent is allowed to do, but they do not by themselves verify whether the human or business behind the transaction is real, current, or fraudulently represented. In identity terms, this is the difference between authorisation scope and assurance. If the foundational identity is synthetic or weakly verified, the delegation chain can still be perfectly valid and still be unsafe. Practical implication: identity assurance must be defined before transaction authorisation is allowed to matter.
Practical implication: define identity assurance before transaction authorisation is allowed to matter.
Trust registries and dispute resolution become identity infrastructure
Agentic commerce introduces a new operational layer that looks a lot like identity governance plus evidentiary management. A relying party needs to resolve whether the delegated identity is trustworthy, whether the payment authority is valid, and whether the consent record is defensible after the fact. That pushes trust registries, key management, and dispute handling into the same conversation as authentication and federation. The missing piece is not another API call. It is an end-to-end chain of custody from identity proofing through transaction execution and review. Practical implication: design for auditability before volume and fraud pressure make it mandatory.
Practical implication: design for auditability before volume and fraud pressure make it mandatory.
Threat narrative
Attacker objective: The objective is to launder an unverified or synthetic identity into a trusted transaction so the resulting action appears legitimate.
- Entry begins when an attacker or fraudster exploits a weakly verified human or business identity at the start of an agentic delegation chain.
- Escalation occurs when the delegated AI agent is allowed to act within a cryptographically valid but fraudulently anchored permission context.
- Impact follows when the transaction, payment, or data action is executed under valid-looking trust signals that later complicate dispute resolution and accountability.
Breaches seen in the wild
- Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.
- Replit AI Tool Database Deletion — Replit vibe coding AI assistant deletes live production database and creates 4,000 fake user records.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Agentic commerce exposes a verification gap, not just a protocol gap. AP2 and Verifiable Intent can define what an AI agent may do, but they do not answer who should be trusted at the root of the delegation chain. That means identity proofing, business verification, and consent records remain the real control plane for agentic transactions. Practitioners should treat the standards as a transport layer for trust, not a substitute for trust itself.
Identity assurance now sits upstream of agent authorisation. The question is no longer whether an agent can be limited to spend ceilings or merchant lists. The question is whether the root identity was validated strongly enough that those limits mean anything in a fraud, dispute, or audit scenario. This is where consumer identity and business identity re-enter an otherwise machine-shaped architecture, and identity teams need to own that boundary.
Trust registries will become the practical control point for agentic commerce. If relying parties cannot quickly resolve whether a delegated identity is current, verified, and permitted, the commerce model will stall under manual review or fraud pressure. That makes registry accuracy, revocation, and traceability more important than the elegance of the delegation syntax. Practitioners should expect the market to shift from protocol debates to assurance operations.
Agentic commerce is where human identity and NHI governance finally converge. The agent is the non-human executor, but the accountability chain still depends on human identity proofing, business legitimacy, and permission history. This is the same governance pattern that appears in NHI lifecycle control: the executor may not be human, but the controls still depend on clear ownership, revocation, and evidentiary traceability. Identity teams should plan for mixed governance, not siloed treatment.
Verifiable delegation does not remove liability ambiguity. If an AI agent purchases incorrectly or a merchant accepts a synthetic identity, the existence of a valid-looking credential chain does not settle who bears the loss. That is a governance problem that standards alone cannot solve. Practitioners need to decide now how assurance evidence, consent records, and revocation events will support dispute handling before scale makes the gap visible.
From our research:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- From our research: Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- If AI agent access is already outpacing governance, the next control gap is not authorisation syntax but evidence quality across delegation, consent, and revocation.
What this signals
Delegation evidence will become a board-level control issue. As agentic commerce moves from concept to deployment, identity teams will need to show not just that an agent was authorised, but that the underlying human and business identities were verified well enough to withstand fraud or dispute review. That pushes identity proofing, consent capture, and revocation visibility into the same operational conversation.
The strongest programmes will stop treating agent authorisation as a standalone feature and start treating it as a governance chain with measurable assurance points. That means the practical question is whether your current identity stack can preserve the chain of custody from proofing to transaction, or whether it breaks once the agent begins to act.
Agentic commerce will expose who owns the trust record. If no team is accountable for the registries, consent artifacts, and evidence trails that support delegated actions, the organisation will discover the gap only after a failed transaction or fraud dispute. Practitioners should align identity, fraud, and legal ownership before volume forces the issue.
For practitioners
- Map the delegation chain end to end Document who issues the root credential, who authorises the agent, what the agent can do, and what evidence is retained for dispute handling. Include consent, business verification, and revocation steps in the same control map.
- Separate scope controls from assurance controls Do not treat spend limits, merchant allow-lists, or time windows as proof that the underlying identity is trustworthy. Pair transaction limits with identity verification strength and ongoing trust registry checks.
- Build a revocation path that reaches the relying party Ensure the party accepting the agent action can see current status, not just the original delegation state. If consent is withdrawn or identity confidence drops, the relying party needs that signal before the next execution.
- Prepare dispute evidence before agentic volume rises Define what logs, identity attributes, and consent artifacts will be available when a transaction is challenged. The evidentiary chain must survive both fraud investigation and customer remediation.
Key takeaways
- Agentic commerce standards are maturing, but protocol-level delegation does not solve the root identity problem.
- The key governance gap is verification at the start of the chain, because spend limits and merchant rules do not prove the actor is legitimate.
- Identity teams need to own trust registries, consent evidence, and revocation paths before agentic transactions scale.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agentic commerce delegation and identity proofing map directly to agentic AI trust controls. | |
| OWASP Non-Human Identity Top 10 | NHI-01 | AI agents in commerce act as non-human identities with delegated authority. |
| NIST AI RMF | GOVERN | The article centers on accountability, trust, and identity governance for agentic systems. |
| NIST CSF 2.0 | PR.AC-1 | Identity and access control are central to delegated agent authority and verification. |
| NIST Zero Trust (SP 800-207) | Zero trust principles fit the article's insistence on verifying each delegated action. |
Apply continuous verification principles to agent transactions instead of trusting the initial delegation alone.
Key terms
- Agentic Commerce: A commerce model where AI agents perform transactions on behalf of a person or business within defined authority boundaries. The security problem is not only execution, but proving the underlying identity, consent, and liability chain is trustworthy across the full transaction lifecycle.
- Trust Registry: A trust registry is a system for resolving whether a delegated identity, credential, or business relationship is current and trustworthy. In agentic commerce, it becomes the operational lookup point for identity confidence, revocation status, and evidentiary traceability when an agent acts on behalf of someone else.
- Delegation Chain: A delegation chain is the sequence that links a verified identity to an authorised agent action through credentials, consent, and scope limits. In practice, it matters because every link must survive audit, dispute, and revocation checks, not just initial cryptographic validation.
What's in the full article
Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:
- A deeper explanation of trust registry design for verifying real people and businesses behind delegated agent actions
- The article's view on trust key management and how identity attributes, payment methods, and consent records fit into the chain
- The full discussion of dispute resolution and liability when an AI agent acts on behalf of a consumer
- Additional context on how Prove frames identity as continuous, verifiable state rather than point-in-time authentication
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org