Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI agent-led checkout decisions: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: AI agents are increasingly influencing or placing ecommerce orders, but today’s liability-shift mechanisms still assume a human cardholder and a stable authentication flow, according to Signifyd. That mismatch means merchants need controls that distinguish legitimate agent-led orders from fraud without adding avoidable checkout friction.

NHIMG editorial — based on content published by Signifyd: Payment liability shift: What merchants should know

By the numbers:

Questions worth separating out

Q: How should merchants handle liability shift when AI agents place orders on behalf of customers?

A: Merchants should treat AI agent-led orders as a distinct trust case, not as a routine extension of human checkout.

Q: Why do step-up challenges create so many false declines in ecommerce?

A: Step-up challenges often fail good orders because they rely on narrow signals such as OTPs, device familiarity, or challenge questions.

Q: What breaks when merchants rely only on authentication to approve orders?

A: Authentication alone cannot tell you whether an order is commercially trustworthy.

Practitioner guidance

  • Separate authentication evidence from order approval logic Define which signals establish identity and which signals support commercial decisioning.
  • Measure false declines alongside fraud losses Track how often valid customers are blocked, how often risky orders pass, and how those outcomes affect revenue and retention.
  • Document AI agent order flows in the trust model Identify where an AI agent can initiate, modify, or complete a purchase, and define which identity evidence supports that path before liability is assigned.

What's in the full article

Signifyd's full post covers the operational detail this post intentionally leaves for the source:

  • The distinction between EMV, 3DS, and contractual fraud guarantees in practical checkout terms.
  • The mechanics of how step-up authentication creates false declines and why merchants see conversion loss.
  • The specific order signals used in the vendor's decisioning model, including device, geolocation, and velocity data.
  • The business logic behind liability transfer when a provider guarantees chargeback reimbursement.

👉 Read Signifyd's analysis of payment liability shift and fraud risk →

AI agent-led checkout decisions: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Static fraud logic is now an identity problem, not just a checkout problem. Liability shift depends on whether the merchant can establish enough trust in the actor behind the order. When that actor may be an AI agent, a shopper, or an automated purchase flow, the old assumption that a human is always in the loop stops holding. Practitioners should treat payment decisioning as part of identity governance, not just fraud operations.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • A separate finding from our research shows that 97% of NHIs carry excessive privileges, which broadens the attack surface when access decisions are not tightly scoped.

A question worth separating out:

Q: Who is accountable when a fraud guarantee shifts liability away from the merchant?

A: Accountability still sits with the merchant for selecting the control model, defining review thresholds, and setting escalation rules. A guarantee changes who pays for fraud losses, but it does not remove the merchant’s responsibility to understand what evidence supports approval and where the residual risk now lives.

👉 Read our full editorial: AI agent order approvals expose the limits of static fraud controls



   
ReplyQuote
Share: