Old fraud models break when they assume a human is always the actor behind the session. In agentic commerce, those models can misread legitimate automated purchases as suspicious or miss hostile automation that looks normal at the checkout layer. Merchants need controls that evaluate delegated intent, not just visible user behaviour.
Why This Matters for Security Teams
Old fraud models tend to fail at the point where session behaviour is treated as proof of human intent. In agentic commerce, an authorised agent may browse, compare, negotiate, and complete a purchase without a person touching every screen, while hostile automation may mimic those same signals well enough to pass legacy scoring. The result is a control gap: false declines on legitimate agent activity and false confidence when an adversary uses automation to blend in.
This matters because fraud tooling, identity governance, and payment controls are usually built on assumptions about user continuity, device consistency, and interaction patterns. Those assumptions are weaker when a delegated agent is acting across APIs, browsers, or embedded workflows. Guidance from the NIST AI Risk Management Framework is useful here because it pushes teams to assess model and system risk, not just output accuracy. In practice, many security teams discover the mismatch only after legitimate automated purchases are blocked or abuse has already moved through the checkout path.
How It Works in Practice
Merchants need to think in terms of delegated intent, transaction context, and agent identity rather than raw behavioural similarity. A modern control stack should evaluate whether the automation is authorised to act, whether the action matches the expected scope, and whether the request chain is trustworthy from initiation to payment authorisation. That is where agentic ai guidance such as the OWASP Top 10 for Agentic Applications 2026 becomes relevant, especially around tool abuse, prompt injection, and over-privileged agents.
Operationally, that means layering controls instead of relying on one score. Useful checks include:
- Authorisation evidence for the agent, including which human or system delegated the task.
- Scope validation so the agent can only buy within price, category, and merchant limits.
- Risk scoring that includes tool use, API patterns, and request provenance, not just clicks.
- Step-up verification when the agent’s behaviour changes materially from its baseline.
- Post-transaction telemetry that links the order to a verifiable identity chain for review.
Merchants should also distinguish between legitimate automation and adversarial automation. Frameworks such as the MITRE ATLAS adversarial AI threat matrix help teams reason about abuse patterns, while CSA MAESTRO agentic AI threat modeling framework is useful for mapping agent permissions, trust boundaries, and failure modes. These controls tend to break down when merchants only see the checkout layer and cannot inspect delegated authority, upstream tool calls, or session handoff context.
Common Variations and Edge Cases
Tighter fraud controls often increase friction, requiring merchants to balance loss prevention against conversion, support burden, and customer trust. That tradeoff is especially sharp in agentic commerce because the same signals that reduce risk can also suppress legitimate high-frequency automation used by procurement teams, travel assistants, or repeat buyers.
There is no universal standard for how merchant risk engines should treat agent actions yet, so current guidance suggests treating this as a trust and governance problem as much as a fraud problem. Some environments can lean on stronger identity assurance and signed delegation; others need more adaptive monitoring and human-in-the-loop review for higher-value purchases. The key is to avoid assuming that a clean device fingerprint or familiar checkout path proves benign intent.
This is also where identity intersects with payment security. When an agent can hold credentials, use stored payment methods, or invoke purchase APIs, the merchant must know whether the action came from a legitimate delegation chain or from a compromised automation stack. Relevant control thinking from NIST SP 800-53 Rev 5 Security and Privacy Controls supports stronger logging, access restriction, and continuous monitoring, but best practice is still evolving for agent-native checkout environments.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and MITRE ATLAS address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST AI RMF | Frames risk management for AI-driven decisioning and delegated automation. | |
| OWASP Agentic AI Top 10 | Covers agent misuse, tool abuse, and weak trust boundaries in agentic apps. | |
| MITRE ATLAS | Maps adversarial AI tactics that can hide hostile automation inside normal activity. | |
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is needed to spot anomalous agent and checkout behaviour. |
| NIST SP 800-63 | Digital identity assurance helps verify who authorised the agent action. |
Use AI RMF to govern delegated intent, monitoring, and human oversight for agentic checkout flows.
Related resources from NHI Mgmt Group
- What breaks when merchants rely only on CVV and two-factor authentication to stop friendly fraud?
- What breaks when fraud models rely only on checkout signals?
- What breaks when fraud systems lose interaction data in agentic commerce?
- Why do agentic commerce flows change identity risk for merchants and IAM teams?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org