Agentic commerce and identity verification: what changes for IAM teams?


(@nhi-mgmt-group)

TL;DR: Agentic commerce shifts buying, negotiation, and payment from human users to AI agents, making verified, privacy-preserving, interoperable identity the control plane for trust, payments, and customer experience, according to OneSpan. Passwordless access, machine-readable catalogues, and agent delegation controls become necessary because shared credentials and CAPTCHA do not scale to agent-to-agent commerce.

NHIMG editorial — based on content published by OneSpan: Sécuriser l'identité à l'ère du commerce agentique

By the numbers:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.

Questions worth separating out

Q: How should organisations secure payments when AI agents can buy on behalf of users?

A: They should separate user authentication, agent delegation, and purchase approval into distinct controls.

Q: Why do passwords and shared credentials fail in agentic commerce?

A: Passwords and shared credentials assume a person is present to remember, enter, and control the secret.

Q: What do security teams get wrong about trusted AI agents in commerce flows?

A: They often focus on whether the agent is authenticated and ignore whether its claims, delegation rights, and execution scope are still valid at the point of purchase.

Practitioner guidance

  • Phish-proof consumer authentication first: Replace password-heavy consumer journeys with passkeys where the remaining human login path still creates friction or phishing exposure.
  • Define delegation boundaries for agents: Write explicit policy for what an agent may do, what claims it may present, and which approvals are required before payment or purchase completion.
  • Publish machine-readable merchant trust signals: Expose catalogue, terms, and verification data in formats that software agents can consume directly.

What's in the full article

OneSpan's full article covers the operational detail this post intentionally leaves for the source:

  • How the FIDO challenge-response model maps to commerce authentication and why it matters for friction reduction.
  • The article's practical examples of passkey adoption in consumer commerce and what they imply for login redesign.
  • Details on digital credentials with issuer attributes and how they support agent delegation beyond passwords.
  • The vendor's view of how merchants, identity providers, and policy makers should coordinate standards adoption.

👉 Read OneSpan's analysis of identity in agentic commerce →
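
An added example, not part of the original post or OneSpan's article: a purchase-time check that keeps user authentication, agent delegation, and purchase approval as three separate controls, and re-validates the delegation's expiry, revocation and scope at checkout. The `Delegation` and `Purchase` records, their fields, the decision strings and the sample values are all hypothetical.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Delegation:              # hypothetical grant a user issues to an agent
    agent_id: str
    user_id: str
    merchants: frozenset       # merchants the agent may buy from
    max_cents: int             # per-purchase ceiling
    approval_over_cents: int   # above this the user must approve the purchase
    expires_at: datetime
    revoked: bool = False

@dataclass(frozen=True)
class Purchase:                # hypothetical request presented at checkout
    agent_id: str
    user_id: str
    merchant: str
    cents: int
    user_authenticated: bool   # outcome of the human login, e.g. a passkey
    user_approved: bool        # explicit approval of this specific purchase

def authorize(p, grant, now):
    """Evaluate the three controls separately, at the point of purchase."""
    # Control 1: user authentication
    if not p.user_authenticated:
        return "deny", "user_not_authenticated"
    # Control 2: agent delegation, re-validated now rather than at login
    if grant is None or (grant.agent_id, grant.user_id) != (p.agent_id, p.user_id):
        return "deny", "no_delegation"
    if grant.revoked or now >= grant.expires_at:
        return "deny", "delegation_not_valid"
    if p.merchant not in grant.merchants or not 0 < p.cents <= grant.max_cents:
        return "deny", "out_of_scope"
    # Control 3: purchase approval
    if p.cents > grant.approval_over_cents and not p.user_approved:
        return "step_up", "user_approval_required"
    return "allow", "ok"

# Constructed sample data
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
GRANT = Delegation("agent-1", "user-1", frozenset({"shop.example"}),
                   50_000, 10_000, NOW + timedelta(hours=1))
SMALL = Purchase("agent-1", "user-1", "shop.example", 2_500, True, False)

if __name__ == "__main__":
    for p in (SMALL, replace(SMALL, cents=20_000), replace(SMALL, merchant="other.example")):
        print(p.merchant, p.cents, authorize(p, GRANT, NOW))
```

An authenticated agent with a valid session still gets `deny` once the grant has expired or been revoked, which is the gap the third Q&A describes.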
