TL;DR: Agentic commerce shifts shopping, negotiation, and payment into AI-driven flows, making verifiable digital identity and privacy-preserving consent the control plane for trust, according to OneSpan and cited industry research. The governance challenge is no longer just human authentication friction; it is proving whether an agent is acting within guardrails across identity, policy, and transaction execution.
NHIMG editorial — based on content published by OneSpan: Securing identity in the age of agentic commerce
By the numbers:
- TransUnion found that companies lost nearly 8% of their revenues to fraud in the past year.
- More than 80% of organisations report their AI agents have already performed actions beyond their intended scope.
Questions worth separating out
Q: How should security teams govern AI agents that shop and pay on behalf of users?
A: Start by separating human authentication from delegated transaction authority.
Q: Why do agentic commerce flows change identity risk for merchants and IAM teams?
A: Because the trust decision moves from a person clicking a checkout button to a software actor selecting, combining, and completing actions across systems.
Q: What breaks when users share their login credentials with AI agents?
A: Shared credentials collapse accountability, blur consent, and make it impossible to prove which actions were truly authorised.
Practitioner guidance
- Separate human authentication from agent delegation: Keep passkeys, MFA, and session assurance focused on human sign-in, then add explicit controls for what an agent may do after authentication.
- Publish machine-readable merchant claims: Expose catalogue data, policy terms, and identity assertions in formats that agents can consume and verify automatically.
- Design for verifiable consent trails: Log who authorised the agent, what guardrails were set, which actions were executed, and whether any downstream agent delegation occurred.
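A minimal consent trail covering the four items the last point says to log, as an added example that is not taken from OneSpan's article: an HMAC-chained log plus a guardrail check on each agent action. The field names, the key, and the sample grant and actions are all constructed assumptions.

```python
import hashlib, hmac, json

LOG_KEY = b"constructed-demo-key"  # assumption: a real key would live in a KMS/HSM

def _mac(prev_mac, body):
    # Chain each entry to its predecessor so a later edit or reordering breaks verification.
    data = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(LOG_KEY, data, hashlib.sha256).hexdigest()

def append(trail, body):
    prev = trail[-1]["mac"] if trail else ""
    trail.append({"body": body, "mac": _mac(prev, body)})

def verify(trail):
    prev = ""
    for entry in trail:
        if not hmac.compare_digest(entry["mac"], _mac(prev, entry["body"])):
            return False
        prev = entry["mac"]
    return True

def in_scope(grant, action):
    # Delegated authority is checked separately from the human's sign-in.
    g = grant["guardrails"]
    return (action["agent"] == grant["agent"]
            and action["merchant"] in g["merchants"]
            and action["amount_cents"] <= g["max_amount_cents"]
            and (action["delegated_to"] is None or g["allow_subdelegation"]))

def record_action(trail, grant, action):
    ok = in_scope(grant, action)
    # Out-of-scope attempts are logged too, so the trail shows what was refused.
    append(trail, {"type": "action", "authorised_by": grant["user"],
                   "action": action, "within_guardrails": ok})
    return ok

def demo():
    trail = []
    grant = {"user": "user-123", "agent": "agent-shopper",  # constructed sample grant
             "guardrails": {"merchants": ["shop.example"], "max_amount_cents": 10000,
                            "allow_subdelegation": False}}
    append(trail, {"type": "grant", **grant})
    buy = {"agent": "agent-shopper", "merchant": "shop.example",
           "amount_cents": 4000, "delegated_to": None}
    allowed = record_action(trail, grant, buy)
    refused = record_action(trail, grant, {**buy, "delegated_to": "agent-payments"})
    intact = verify(trail)
    trail[1]["body"]["action"]["amount_cents"] = 400  # simulate after-the-fact tampering
    return allowed, refused, intact, verify(trail)
```
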
What's in the full article
OneSpan's full article covers the operational detail this post intentionally leaves for the source:
- How merchant catalogues can be made agent-readable without weakening trust controls
- How personhood attributes and agent delegation APIs fit into a real commerce stack
- How payment and authentication providers can distinguish humans, trusted agents, and bots
- How policymakers can support interoperable identity standards for safe automation