
Friendly Fraud Gets a Turbocharger


June 29, 2026

With delegated authorization, AI-powered agents can transact on behalf of your customers without needing explicit transactional approval each time. But when disputes arise, proving authorization in the absence of such approval is nearly impossible, and most of today’s agentic commerce protocols leave that critical gap unfilled.


Imagine a customer sets up an automated agent with a simple instruction: “Spend no more than $200 a month, and only in electronics.” The agent comes back a week later with a pair of wireless headphones. Perfect. Fits within the budget and parameters.

Three weeks after that, the customer files a dispute, claiming that the purchase was unauthorized because they didn’t want the agent to buy them anything.

Now what does the bank request of the merchant? Proof that the transaction reflected the customer’s intent. Except that the merchant can’t prove that, because there’s no contractually obligated way of getting that information. The authorization record sits with the AI platform that created the agent, and that AI platform is not part of the dispute resolution process at all.

What happens then?

No one really knows. The payments infrastructure for agentic commerce is moving at pace, but the dispute resolution layer isn’t keeping up.


The Baseline Problem

Friendly fraud. It’s been a bane of the payments industry for decades. And here’s the problem with it. It’s not going away anytime soon. A cardholder disputes a transaction, claims they didn’t authorize it. And while the bank might find evidence of their signature, it’s impossible to disprove the customer’s claim that they never authorized it.

It was a problem with card-not-present (CNP) transactions too. Card-not-present fraud accounts for 70% to 80% of all card fraud in general, according to payments practitioner Daryn G. of Episode Six with over 25 years of APAC payments experience. But we’ve been here before.

Take EMV. In practice, it cut down counterfeiting fraud by about 80% in early-adopting countries, Daryn estimates. An impressive result. But what about disputes?

Not so much.

See, the key insight with EMV is that a transaction initiated using counterfeit chips was assigned to non-adopting merchants for dispute settlement. In other words, while EMV greatly reduced the volume of counterfeits, it couldn’t stop the friendly fraud problem associated with the remaining CNP transactions.

Then came 3D Secure authentication. If the authentication succeeded, liability shifted to the issuing bank. Which was great in principle, and which also did little to prevent friendly fraud disputes. Because if the customer says “I didn’t authorize this transaction,” what can the merchant say to prove it? There’s no record of their intent.

And agentic commerce is no exception.


The Difference Delegated Authorization Makes

Agentic commerce brings its own set of problems, namely delegated authorization. It means that, rather than asking for transactional permission, AI-powered agents can shop based on parameters established up front.

Not all agentic transactions carry the same dispute risk, though. When an agent presents a purchase for per-transaction approval, that confirmation exists. With delegated authorization, there’s no such moment. The agent simply transacts within the parameters set up front.

That’s where the problem starts.

When an agent transacts in accordance with the delegation and the user disputes it, the dispute shifts focus entirely. Gone are the claims of “I didn’t use my card.” Instead, the dispute centers on what the agent transacted.

Which means that in order to solve it, the merchant needs proof that the customer authorized exactly what was charged. Not easy to come by in an agentic commerce context.

According to Tech in Asia reporting from January 2026, “delegated authorization shifts liability across users, merchants, and payment providers,” referring to Alipay’s Agentic Commerce Trust Protocol.


The Liability Vacuum

But the ambiguity around liability isn’t limited to the protocol level.

In October 2025, McKinsey noted that when an agent makes an erroneous decision, “[d]etermining accountability is complex. Who is to blame for that faulty transaction? Currently, there is no global consensus on responsibility.”

While the compliance side offers some guidance (the EU AI Act, for example, clarifies some responsibilities for AI-powered systems used by financial services providers, although implementation is still pending, while McKinsey itself observed “fragmented regulations leave companies navigating a liability vacuum” in the US), neither was drafted to cover delegated authorization.

There’s still another issue with current protocols. While all of them address agent liability questions in various ways, none actually defines:

  • Certification and monitoring requirements for the merchant;
  • Requirements to create and make available an intent record;
  • AML monitoring requirements when the party to the transaction is a machine rather than a person.

Specifically, Google’s Universal Commerce Protocol, OpenAI’s Agentic Commerce Protocol, and Alibaba’s Agentic Commerce Trust Protocol all lack these three items.

Which brings us to another point raised by Mastercard in a September 2025 press release, asking “how would a refund or chargeback work if an agent makes the purchase?”

Again, no answer.

McKinsey’s assessment of the future of agentic commerce suggests that “explainability is likely to become a consumer right, and auditable logs may soon be a regulatory requirement.”


The Progress So Far, and What’s Missing

The industry has made considerable progress, and from several directions. That said, while some initiatives tackle the problem head-on, others are trying to cover a very different area.

Agent Identity and Credential Security

The most commonly applied solution to date is KYA, or “Know Your Agent,” a mandatory agent registration and certification process required by Mastercard’s Agent Pay, Visa’s Intelligent Commerce and Alipay+. No registered agent, no transaction.

In January 2026, Mastercard and Visa teamed up with FIS to bring Know Your Agent to the issuing side. Essentially, banks will be able to identify an agent-based transaction and apply fraud protections proactively rather than retroactively, before a customer can file a dispute at all.

But while KYA will help establish the presence of the agent that transacted on behalf of a customer, it doesn’t prove that the transaction reflected the customer’s intent. That proof is still a critical step in resolving a dispute.

From the credential side, Stripe implemented a system called Shared Payment Token allowing for a temporary and single-use agent-generated payment token for an AI agent. The credential use is programmatically controlled, permissioned, and logged, and Stripe’s Radar fraud detection system helps to distinguish a legitimate agent action from a potential fraud attempt.

Stripe developed that protocol specifically to address the problem of identifying and managing a machine-initiated dispute, the same core problem it identified when developing its agentic commerce standard in partnership with American Express and other organizations. As such, it represents a meaningful fraud detection improvement, but it doesn’t provide an intent record to prove what happened in the dispute scenario.

Launched in April 2026, Alipay+’s Agentic Mobile Protocol appears to provide a comprehensive solution covering both sides of the equation, agent identity and credential management. First, the user binds the agent to their account and establishes spending parameters. Authentication via passkey completes the picture, with subsequent transactions utilizing one-time generated credentials based on secure network tokens and passkeys, so no actual credential information is transferred at any point.

After binding the agent to their account, the user establishes the transaction parameters, including limits, categories, etc. Alipay+ uses the agent profile to ensure that the subsequent transactions adhere to those parameters, though the protocol is not interoperable, affecting only the Alipay wallet network.

Finally, the most comprehensive approach to agent credential management so far appears to be the initiative by the FIDO Alliance announced by Mastercard in September 2025. Designed to complement 3D Secure, it would provide for verified payment details (transaction amount, merchant, product), confirming that the transaction was initiated by the customer, not a third party.

Not much detail available so far, though.

The Dispute Evidence Problem

While the above solutions are valuable contributions to agent credential management, none of them solves the fundamental problem of agent-based dispute resolution, which is proving exactly what the customer authorized, and whether it matches the transaction.

As such, there are currently two approaches to the problem.

The first is American Express’ dispute protection program for card members and agent errors, rolled out in April 2026. With this service, an agent that’s bound and authorized by the Card Member will transfer the purchase details to Amex, which will then assume any eligible chargebacks for transactions deviating from those details. However, several conditions apply.

  • The agent must be enrolled in Amex’s ACE developer kit,
  • Only the Amex network is protected by this program,
  • American Express notes that its statements here qualify as forward-looking and may change at any point.

Still, it’s one of the earliest products explicitly protecting merchants from agent-based disputes.

The more robust approach, introduced in February 2026, is Verifiable Intent Specification by the Verifiable Intent Working Group, based on Mastercard’s reference profile. Designed to provide merchants with verifiable proof that they fulfilled the terms of an authorized purchase request, the protocol creates a three-tier chain of intent verification between parties, with full details visible to the investigator, product type and merchant information for merchants, and credentials for the payment network.

Put differently, if an AI agent buys something for a user, and that purchase is subsequently disputed, Verifiable Intent would allow the merchant to prove exactly what the customer authorized and verify that the agent stayed within it.
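A simplified illustration of the check such an intent record makes possible, added here as an example; it is not from the original post and does not implement the Verifiable Intent specification. All names are hypothetical, the data is constructed, and HMAC stands in for the customer's asymmetric signature so the code runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC is a stdlib stand-in for the customer's
# asymmetric device signature (an assumption of this example).
CUSTOMER_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(obj: dict) -> bytes:
    """Stable byte encoding so signer and verifier hash identical input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_mandate(mandate: dict, key: bytes) -> str:
    """Tag produced once, when the customer sets the agent's parameters."""
    return hmac.new(key, canonical(mandate), hashlib.sha256).hexdigest()


def evaluate_dispute(mandate, tag, txn, prior_spend_cents, key):
    """Return (verdict, reason) for a disputed agent transaction."""
    expected = sign_mandate(mandate, key)
    if not hmac.compare_digest(expected, tag):
        return ("mandate_invalid", "record altered or not signed by customer")
    if txn["agent_id"] != mandate["agent_id"]:
        return ("outside_mandate", "agent not bound to this mandate")
    if txn["category"] not in mandate["categories"]:
        return ("outside_mandate", "category not authorized")
    if prior_spend_cents + txn["amount_cents"] > mandate["monthly_limit_cents"]:
        return ("outside_mandate", "monthly limit exceeded")
    return ("within_mandate", "transaction matches signed parameters")


# Constructed sample: the $200-a-month, electronics-only setup from the intro.
MANDATE = {"agent_id": "agent-demo-1", "categories": ["electronics"],
           "monthly_limit_cents": 20000}
TAG = sign_mandate(MANDATE, CUSTOMER_KEY)
HEADPHONES = {"agent_id": "agent-demo-1", "category": "electronics",
              "amount_cents": 14900}

if __name__ == "__main__":
    print(evaluate_dispute(MANDATE, TAG, HEADPHONES, 0, CUSTOMER_KEY))
    # A mandate edited after signing (limit raised) fails verification.
    forged = dict(MANDATE, monthly_limit_cents=50000)
    print(evaluate_dispute(forged, TAG, HEADPHONES, 0, CUSTOMER_KEY))
```

The verdict depends only on the signed parameters and the transaction, which is why the question of who stores the record and who can produce it during a dispute matters so much.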

Still, Verifiable Intent is in draft only and lacks ratification by any major payment card scheme.

What Is Still Missing

Based on the current state of developments, several items are clearly missing from existing protocols.

  • Intent record production and availability requirements
  • Chargeback reason code definition for agent-initiated transactions
  • AML monitoring requirements when the transaction party is an agent
  • Certification and monitoring requirements for merchants

These are neither minor nor peripheral issues. They are the fundamentals of the dispute resolution process. While there’s considerable effort in developing agent identity and credential infrastructure, as well as the products that protect from chargebacks, the intent validation piece remains largely untouched.


30 Years of a Pattern

EMV and 3D Secure are familiar faces in payment history, and so is the story behind them. According to Daryn G., there’s a consistent pattern the payments industry follows every time a new payment channel emerges.

Era | New channel | Fraud problem | Industry response | Outcome
1990s | Card present | Counterfeit, card cloning | EMV chip | ~80% fraud drop in early-adopting countries; liability shifts to non-adopters
2000s | Card not present | CNP fraud (~70%-80% of card fraud) | 3D Secure | Successful authentication shifts liability to issuer
2026 – ongoing | Agentic / delegated authorization | “My agent went rogue” | Verifiable Intent (draft) | TBD

Notably, there’s a common element across each of the eras. A new payment channel opens the door to a new kind of fraud, the industry develops the cryptographic protection mechanism against it, and the liability shifts to those who haven’t adopted it.

We’ve seen it twice. We will see it a third time.

What the agentic era introduces is the new vulnerability, the intent gap in delegated authorization. What the industry develops in response is a cryptographic mechanism to protect from it. Verifiable Intent is a draft protocol to validate it. And the liability will inevitably shift. The question is not whether, but when and how fast.

But the timeline of adopting a cryptographic solution is fairly predictable. Once a mandate is issued by the schemes, it will take anywhere from 18 to 36 months for merchants to adjust and become compliant.

Those who adopt Verifiable Intent (or an equivalent) now will have that buffer of time. Everyone else will need it.


What Payments Professionals Can Do Right Now

1. Assess your delegated authorization exposure

Identify your merchants that enable or plan to enable AI-based transactions, estimate the number of transactions in your portfolio, and determine what percentage will be done using delegated authorization as opposed to per-transaction approval. Determine the possible scale of future disputes and build a model accordingly.

2. Identify which merchant holds the intent record

When a dispute occurs and your merchant is notified, who will provide you with proof of the purchase? If the answer is the AI platform, then your dispute resolution is contingent on an outside organization that has no contractual duty to provide that proof. Sort this out with your merchants now, while you have the time.

3. Review your chargeback reason code coverage

The existing “unauthorized transaction” reason code doesn’t apply to AI agents as well as it does to a human customer, since the customer granted the agent standing authorization. Find out how your schemes will treat those disputes and whether any new chargeback reasons will be created for them.

4. Follow Verifiable Intent and FIDO Alliance progress

The protocol is in draft stage as of early 2026, while the credential standard by the FIDO Alliance has yet to be ratified either. As soon as that happens, you’ll have 18-36 months before merchants become required to comply with the rules. Figure out the implications now.

5. Evaluate merchants by protocol

Merchants that use Mastercard Agent Pay have an important edge over others. In addition to providing you with proof of transaction, it guarantees that the agent used is KYA-compliant. Similarly, merchants on Amex ACE will have to provide proof of agent identity and intent.


Conclusion

As we’ve already seen, every payment channel introduced new fraud opportunities. And every time, the industry dealt with it the same way. It identified the vulnerabilities, designed cryptographic protocols to protect against them, and mandated adoption of the protocols to the point where non-adoption meant taking the losses.

The situation with the agentic commerce era is no different. In fact, with the sheer volume of transactions being processed, it has even higher stakes.

“[A]uthentication and fraud prevention will become more complex, moving from stopping bots from making transactions to enabling the right agents to transact for customers. Agentic commerce is also likely to shift some of the control of subscription models and card-on-file payments from merchants to consumer agents,” notes Marie Claude Nadeau of McKinsey.

That shift is already underway. The question for payments professionals isn’t whether to prepare. It’s how far ahead of the curve they choose to be.
