Merchants should treat shopping agents as delegated identities with narrow, explicit permissions. That means separating browsing, carting, payment, and repeat-purchase rights, then enforcing policy at each stage. Customer trust improves when the system can prove which actions were authorised, which were blocked, and which require step-up review before the purchase completes.
Why This Matters for Security Teams
AI shopping agents turn a routine purchase flow into a delegated decision problem. The merchant is no longer just protecting a checkout page; it is governing an identity that can search, compare, add items, store preferences, and sometimes complete a purchase on the customer’s behalf. That raises questions about authorisation, fraud, explainability, dispute handling, and how much autonomy is acceptable before trust erodes.
Current guidance suggests treating agent activity as a form of high-risk delegation, not a generic chatbot interaction. The practical challenge is that customers expect convenience, but security teams need strong controls over intent, consent, and transaction scope. A useful starting point is the NIST AI Risk Management Framework, which helps teams organise governance, map risks, and define accountability for AI-enabled decisions.
The biggest mistake is assuming trust comes from a friendly interface. In practice, trust comes from visible guardrails, predictable escalation, and a clear record of what the agent was allowed to do. In practice, many security teams encounter trust loss only after a high-value order is disputed, rather than through intentional policy design.
How It Works in Practice
Governance works best when the merchant treats the agent as a constrained delegate with explicit policy boundaries. That means separating browsing, carting, payment initiation, subscription renewal, and repeat-purchase authority into distinct permission tiers. Each tier should have a defined approval rule, a session lifetime, and a logging requirement. The system should also record whether the agent acted under customer instruction, merchant policy, or a step-up confirmation flow.
Security teams should anchor the design to least privilege and transaction integrity. The OWASP Top 10 for Agentic Applications 2026 is useful for thinking about prompt injection, tool misuse, and overbroad autonomy. For merchants, those concerns translate into practical controls such as scoped tool access, approval checkpoints for risky actions, and hard limits on inventory, payment, and account management functions.
- Bind the agent to a customer-specific policy profile, not a global default.
- Require step-up review for new shipping addresses, high-value items, and first-time merchants.
- Use signed transaction summaries so the customer can verify what the agent intended to buy.
- Separate search and recommendation rights from payment execution rights.
- Log every blocked action, escalation, and override for dispute review and fraud analysis.
Merchant controls should also align with broader security programmes. A mature implementation will map runtime enforcement and audit logging to NIST Cybersecurity Framework 2.0 and apply relevant control families from NIST SP 800-53 Rev 5 Security and Privacy Controls. That is especially important when payment instruments, personal data, and loyalty accounts are in scope. These controls tend to break down when the merchant lets the agent reuse broad session authority across multiple sites because the original customer consent cannot be reliably revalidated.
Common Variations and Edge Cases
Tighter agent controls often increase friction, requiring organisations to balance convenience against fraud reduction and dispute resilience. That tradeoff is unavoidable when the agent is allowed to act with real purchasing authority. Best practice is evolving, but there is no universal standard yet for how much autonomy a shopping agent should have before the customer must re-authenticate or re-confirm intent.
One edge case is repeat purchasing. A merchant may want an agent to reorder low-risk consumables without interaction, but the same rule can create problems if prices change, product substitutes appear, or a subscription is quietly modified. Another is household or shared-account shopping, where customer identity, payment ownership, and delivery recipient are not the same person. In those cases, the policy should separate who can instruct the agent from who can authorise payment.
For threat modeling, the MITRE ATLAS adversarial AI threat matrix helps teams think about prompt manipulation and adversarial influence, while the CSA MAESTRO agentic AI threat modeling framework is useful where multiple tools, workflows, and approvals intersect. Merchants should also watch for trust damage that is not strictly technical, such as opaque substitutions or hidden upsells. In practice, the model fails fastest in high-velocity marketplaces where inventory, pricing, and fulfilment change faster than the policy engine can re-evaluate intent.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and MITRE ATLAS address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST AI RMF | AI governance and accountability are central to merchant-managed shopping agents. | |
| OWASP Agentic AI Top 10 | Agentic risks like tool misuse and prompt injection map directly to shopping agents. | |
| NIST CSF 2.0 | GV.OV, PR.AC, DE.CM | Merchant controls need governance, access control, and monitoring for delegated agents. |
| NIST SP 800-53 Rev 5 | AC-3 | Least privilege is needed to separate browsing, carting, and payment rights. |
| MITRE ATLAS | AML.T0020 | Adversarial manipulation of model behavior is a realistic threat to shopping agents. |
Establish governance, risk ownership, and review gates for agent decisions and customer-facing actions.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org