TL;DR: AI agents are already completing real purchases with delegated payment credentials, and that shifts fraud detection from noisy human behaviour to clean, legitimate-looking transactions, according to WorkOS. The security model now depends on agent identity, scoped delegation, and transaction-level consent, because review cycles built for human intent cannot reliably catch hijacked agent actions.
NHIMG editorial — based on content published by WorkOS: How to secure agentic commerce transactions
By the numbers:
- Visa's Payment Ecosystem Risk and Control team reported a more than 450% increase in dark web posts mentioning "AI Agent" in the first half of 2026 compared to the prior six months.
Questions worth separating out
Q: How should security teams govern AI agents that can make purchases on behalf of users?
A: They should treat the agent as a separately authenticated actor, not as an extension of the user session.
Q: Why do delegated payment credentials increase fraud risk in agentic commerce?
A: Because the transaction can look legitimate even when the intent is compromised.
Q: What breaks when agent consent is too broad in commerce workflows?
A: The control boundary collapses.
Practitioner guidance
- Bind each commerce agent to a distinct identity: Require the agent to authenticate as itself before any purchase flow, and bind that identity to the delegated user authorisation so merchants can verify who is acting.
- Scope delegation by category, merchant, amount, and time: Define transaction categories, allow lists, per-transaction limits, per-session limits, and expiry windows.
- Force step-up consent for liability-changing actions: Require explicit user confirmation before purchases, subscriptions, refunds, first-time merchants, or any action that creates a binding commitment.
What's in the full article
WorkOS's full article covers the operational detail this post intentionally leaves for the source:
- The delegation object model for transaction scope, including categories, merchant allow lists, and expiry logic.
- The checkout confirmation pattern for first-time merchants, subscriptions, and other liability-changing actions.
- The audit trail elements needed to reconstruct user delegation, agent action, and merchant verification in a dispute.
- The specific interaction between FGA-style delegation and commerce workflows in the source implementation.
Agentic commerce transactions: are your controls keeping up?
Explore further
Agentic commerce creates identity confusion at the point of sale. Merchant systems have historically assumed that a valid checkout request is already tied to a human customer with visible intent. That assumption breaks when the acting party is an AI agent carrying delegated credentials, because the transaction may be authorised in form but not in intent. The implication is that commerce identity now needs to separate user, agent, and platform trust instead of collapsing them into one session.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who is accountable when an AI agent makes an unauthorised purchase?
A: That answer is still unsettled in law and policy, which is why traceability matters now. If the programme can prove who delegated, which agent acted, what scope was granted, and whether consent was requested, it has the evidence needed for disputes, chargebacks, and accountability reviews.