Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Agentic commerce fraud: what does delegated access change for teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: Agentic commerce fraud emerges when attackers abuse the permissions customers give AI shopping agents, producing clean and fast transactions that bypass patterns traditional ecommerce fraud systems were built to detect, according to Signifyd. The control problem is delegated access, not checkout noise, so merchants need behavioral drift and post-purchase signals to govern agent-led buying.

NHIMG editorial — based on content published by Signifyd: What is Agentic Commerce Fraud? Risk, Tactics and Prevention

Questions worth separating out

Q: How should security teams govern delegated access used by AI shopping agents?

A: Treat delegated access as a time-bound, scope-bound authority rather than a permanent convenience feature.

Q: Why does agentic commerce create blind spots for fraud detection?

A: Because the fraud system receives a completed action without the human behavioural trail it was trained to interpret.

Q: What breaks when fraud models rely only on checkout signals?

A: They miss the difference between legitimate agent execution and misuse that happens upstream or downstream of payment approval.

Practitioner guidance

  • Define delegated-access boundaries for AI shopping agents Specify which actions an agent can take, for how long, and which post-purchase actions remain outside its authority.
  • Correlate checkout with post-purchase signals Review orders, cancellations, refunds, disputes, and account changes as one lifecycle rather than scoring checkout alone.
  • Tune detection for behavioral drift instead of human mimicry Use sequence-based baselines for purchase cadence, product type, address changes, and cart progression.

What's in the full article

Signifyd's full research covers the operational detail this post intentionally leaves for the source:

  • Practical examples of agent-led abuse across checkout, returns, refunds, and cancellations.
  • How merchants can separate legitimate automation from bot takeover without blocking good agents.
  • The behavioural patterns that signal delegated-access misuse across the full order lifecycle.
  • Operational guidance on combining fraud signals with account-level and post-purchase context.

👉 Read Signifyd's analysis of agentic commerce fraud and delegated-access abuse →

Agentic commerce fraud: what does delegated access change for teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

Delegated access is becoming the fraud equivalent of a privileged account. Agentic commerce is not just automation at checkout. It is an identity and authorization problem where a non-human actor inherits customer trust and can act with far more consistency than a human session ever could. That means fraud governance needs lifecycle controls, not only detection tuning. Merchants that still treat the checkout event as the primary security boundary will miss the actual risk surface.

A question worth separating out:

Q: Who is accountable when an authorised AI agent abuses customer permissions?

A: Accountability usually spans the merchant, the platform that enables delegated access, and the control owner responsible for fraud and identity governance. The practical question is not who clicked the button, but which party failed to constrain scope, monitor drift, or revoke authority when behaviour changed. That is where policy, product design, and operational ownership intersect.

👉 Read our full editorial: Agentic commerce fraud exposes the governance gap in delegated access



   
ReplyQuote
Share: