Subscribe to the Non-Human & AI Identity Journal
NHI & Agent Identity in the Broader IAM Ecosystem

Merchant of Record

← Back to Glossary
By NHI Mgmt Group Updated July 6, 2026 Domain: NHI & Agent Identity in the Broader IAM Ecosystem

The Merchant of Record is the party legally and operationally responsible for the sale and payment completion. In agentic commerce, that role matters because identity controls, dispute handling, and payment processing all converge there, even when an AI agent handles discovery or cart assembly.

Expanded Definition

The Merchant of Record, or MoR, is the legal seller of a transaction: it accepts payment, issues receipts, manages tax and chargeback obligations, and remains accountable for the sale even when another system or agent originates the purchase. In agentic commerce, the distinction matters because an AI agent may search, compare, and assemble a cart, but the MoR is still the entity that carries commercial and compliance responsibility.

Definitions vary across vendors when MoR is discussed alongside payment processors, marketplaces, and resellers, so the practical test is whether the entity is the named seller of record and the party that owns the financial and regulatory consequences of the sale. That usually includes payment acceptance, refund handling, tax calculation, and dispute response, while the agent or upstream workflow remains an operational intermediary. For governance context, NHI Management Group treats this as an identity and accountability problem, not only a payments problem, because authority to transact must be tied to the correct legal actor. See the broader NHI lifecycle context in Ultimate Guide to NHIs and the control expectations in NIST Cybersecurity Framework 2.0.

The most common misapplication is treating the AI agent, app platform, or payment gateway as the Merchant of Record when the legal seller has not actually changed.

Examples and Use Cases

Implementing Merchant of Record rigorously often introduces contractual and integration overhead, requiring organisations to weigh faster checkout and simpler tax handling against reduced flexibility in how sales authority is delegated.

  • An AI shopping assistant builds a cart, but the brand’s own subsidiary is the MoR and must own taxes, refunds, and chargebacks.
  • A marketplace uses its platform entity as the MoR while third-party sellers are treated as fulfilled-by participants, not the legal seller.
  • A SaaS vendor sells globally through a reseller, but only the reseller is the MoR because it invoices the customer and remits tax.
  • A procurement bot places repeat purchases through an approved supplier, yet the supplier’s MoR status determines who resolves billing disputes.
  • An agentic checkout flow creates an order from a user prompt, but the MoR controls the transaction record and downstream compliance evidence.

For teams mapping this to identity controls, the operational question is not just who can initiate the purchase, but who is authorised to bear legal liability at the moment of payment. The Ultimate Guide to NHIs is useful for understanding why service accounts, API keys, and delegated workflow identities must be separated from business authority, while NIST Cybersecurity Framework 2.0 helps anchor the governance side of that separation.

Why It Matters in NHI Security

MoR clarity is a security control because ambiguous seller identity creates weak ownership for fraud response, refund approvals, tax records, and dispute evidence. When an AI agent can complete purchases, the risk is not merely accidental overspend; it is that the wrong entity may be bound to a transaction, making incident response slower and legal recovery harder. NHI Management Group notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which shows how often delegated machine identities become the path into business systems.

That same pattern applies to commerce: if the agent’s credentials, checkout API, or order-routing logic are not cleanly scoped to the MoR, an attacker can turn a routine transaction into unauthorised purchasing or fraudulent refund activity. Strong MoR governance therefore depends on explicit identity boundaries, transaction logging, and delegated authority reviews. Refer back to Ultimate Guide to NHIs for lifecycle and privilege context. Organisations typically encounter the need to define the Merchant of Record only after a chargeback, tax audit, or disputed agent-led purchase exposes that no one can prove who the legal seller was.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-02MoR depends on tightly scoped machine identities and controlled transaction authority.
NIST CSF 2.0PR.AC-4MoR governance aligns with least privilege and accountable access to payment actions.
NIST Zero Trust (SP 800-207)Zero Trust requires explicit verification of the actor before any payment action is trusted.

Limit agent credentials so only the legal seller can complete purchases and own transaction liability.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org