Agentic Commerce, Part 3: Who Do You Trust With Your Wallet, and Who Gets Rich

Olivier
11.07.2026 · 10 min read

Three payment protocols are fighting to become the rails of machine-driven commerce. Underneath the protocol war sit the real questions: whether consumers can trust agents with money, who is liable when it goes wrong, and who captures the value when machines do the shopping. This is the final part of a three-part series.

Part 1 of this series established what agentic commerce is and why the thirty-year-old idea finally works. Part 2 covered the supply side: how brands become visible to agents and how that visibility can be manipulated. This final part follows the money, because everything in the first two parts ultimately depends on a question the industry is racing to answer: how does an AI agent pay for something in a way that consumers, merchants, banks, and eventually courts can trust?


The Delegation Gap

Start with the core problem. When you type your card number into a checkout page, the payment network can reasonably assume a human authorized that specific transaction. When your agent buys something on your behalf, possibly hours after you expressed the intent, possibly choosing a product you never saw, possibly at a price it negotiated, that assumption breaks. The gap between the intent you expressed and the transaction the agent executes is where every hard question in agentic commerce lives. Who is liable if the agent buys the wrong thing? How does a merchant know the agent was authorized? How does a payment network distinguish a legitimate agent purchase from a compromised agent, or from fraud wearing an agent costume?

Before the protocols arrived, the practical answer was ugly: agents shopped with scraped credentials and stored cards, and networks had no way to distinguish a human-driven transaction from an agent-driven one, let alone verify the agent acted within scope. The three protocol efforts that emerged in late 2025 are all, at bottom, attempts to close the delegation gap with cryptography and standards rather than terms-of-service disclaimers.

Three Protocols, Three Theories of Trust

The Agentic Commerce Protocol (ACP), from OpenAI and Stripe, is the pragmatist’s answer. Open-sourced under Apache 2.0 and live inside ChatGPT’s Instant Checkout since September 2025, its design philosophy is to adapt existing e-commerce infrastructure rather than replace it. The merchant remains the merchant of record, keeps its existing payment processor, and controls its catalog and fulfillment; the agent carries a delegated payment credential, such as Stripe’s Shared Payment Token, that is scoped to a specific amount and a specific merchant with the user’s explicit confirmation. ACP’s bet is distribution and simplicity: if a merchant already runs on Stripe, participation is nearly free, and ChatGPT’s user base supplies the demand.

The Agent Payments Protocol (AP2), from Google and a coalition of more than 60 partners including Mastercard, PayPal, and Adyen, is the institutionalist’s answer. Its central invention is the mandate: a digitally signed, portable, verifiable, revocable statement of what an agent is permitted to do, create a cart, complete a purchase up to a limit, manage a subscription. Mandates create an auditable chain from human intent to agent action to settled payment, which is precisely the evidence trail that banks, card networks, and regulators will demand when disputes arrive. AP2 composes with the broader protocol stack, MCP for tools, A2A for agent-to-agent delegation, AP2 for settlement, and its bet is that agentic commerce will be won at the infrastructure layer, by whoever defines how trust is proven.

The third contender, x402 from Coinbase, is the crypto-native answer, reviving the dormant HTTP 402 status code for machine-to-machine micropayments settled in stablecoins. It matters less for consumer shopping today than as infrastructure for the agent-to-agent economy, agents paying other agents for data, verification, or services, where card rails are hopeless.

The academic literature has begun to formalize what separates these designs. A useful comparative study, “Inter-Agent Trust Models”, analyzes protocols including A2A, AP2, and Ethereum’s ERC-8004 across six distinct trust mechanisms: brief, claim, proof, stake, reputation, and constraint. Its core observation is that each protocol encodes assumptions about how trust is established, cryptographic proof of intent in AP2, economic staking in blockchain approaches, reputational feedback elsewhere, and that these assumptions, largely invisible to end users, will shape which failures are possible and who bears them. Research prototypes are pushing further: TessPay proposes a verify-then-pay architecture that locks funds in escrow and releases payment only after cryptographic proof of task execution, inverting today’s pay-then-hope default.

The honest reading of the protocol war is that merchants will not get to choose a side. As one industry analysis put it, enterprises will need to integrate with both major ecosystems, and interoperability will become the competitive baseline. The deeper stakes were captured bluntly in a fintech industry deep-dive: if you delegate your trust to a third-party protocol, you are delegating your revenue; the battle is over who owns the infrastructure layer of the machine economy.

Will Consumers Actually Trust This?

Protocols can prove that an agent was authorized. They cannot prove the agent chose well, and that distinction defines the consumer trust problem.

Part 2 established that agents are manipulable: prompt injection can steer product selection, and agents are hypersensitive to choice architecture. The consumer-facing implication is uncomfortable. A shopper who delegates a purchase cannot easily tell whether the agent’s choice reflected their interests, a manipulated ranking, or the commercial arrangements of whoever operates the agent. The economics literature has started to name this precisely. Alavi and Nozari’s “When Agents Shop for You: Role Coherence in AI-Mediated Markets” examines whether an agent can coherently serve the consumer’s interests when it is built, hosted, and monetized by a platform with its own incentives, the structural conflict at the heart of the entire model. Cao and Hu’s solicit-then-suggest model of agentic purchasing formalizes how the way an agent elicits preferences and then proposes options shapes outcomes, and Zhu et al.’s work on fair agent-to-agent negotiations shows that when consumer agents negotiate against merchant agents, capability asymmetries translate directly into worse deals for the side with the weaker agent, a troubling result for anyone expecting agentic commerce to level the playing field.

The early product answers to the trust problem are variations on human-in-the-loop: ACP requires explicit user confirmation before purchase steps, AP2’s mandates cap what can be spent where. These are sensible starting constraints, and they also quietly limit the promise: an agent that must ask permission for everything is a fancy checkout button. The trajectory the protocols anticipate, standing mandates, subscriptions, autonomous replenishment, agent-negotiated deals, steadily widens the delegation gap that confirmation was meant to close. Trust, in other words, is not a launch feature. It is the accumulating product of agents choosing well, disputes resolving fairly, and manipulation being detected and punished, none of which has been tested at scale yet.

Who Captures the Value

Step back from the mechanics and the largest question comes into focus: agentic commerce reorganizes market power, and the research suggests the reorganization favors whoever controls the agent.

The logic runs as follows. If a growing share of purchases flows through a handful of agent platforms, then those platforms become the new gatekeepers of demand, replacing search rankings and marketplaces as the chokepoint between brands and customers. Part 2 showed that visibility to agents requires structured legibility, which comoditizes presentation; the model-dependence findings from Allouah et al. mean the agent’s decision function, opaque and platform-controlled, determines winners. Brands face a future as interchangeable suppliers to machine evaluators unless their differentiation survives translation into attributes. Merchants keep the customer relationship on paper, ACP deliberately preserves merchant-of-record status, while the relationship that actually drives repeat purchases, the one with the agent, belongs to the platform.

Every previous chokepoint in digital commerce, search, app stores, marketplaces, eventually monetized its position through some blend of advertising, commissions, and preferential placement. There is no structural reason to expect agent platforms to behave differently, and the role-coherence research gives the concern academic teeth: an agent monetized by placement fees is an agent whose recommendations are, at some margin, for sale. The difference from sponsored search results is that a human could always scroll past the ads. A delegated purchase offers no equivalent moment of skepticism.

Liability, finally, remains the unwritten chapter. When a manipulated agent buys the wrong thing, candidates for responsibility include the consumer who delegated, the platform whose agent was fooled, the merchant who published the injected content, the protocol that carried the payment, and the model provider whose system was susceptible. AP2’s mandates are, among other things, a preemptive evidence architecture for exactly these disputes. But no court has ruled, no regulator has issued guidance specific to agent-initiated transactions, and the consumer protection frameworks that govern card payments, chargebacks, fraud liability, and cooling-off periods were all written on the assumption that a human clicked buy. The gap between that assumption and reality is now widening by the month, and as this blog found repeatedly in other domains, from chatbot child safety to AI’s environmental footprint, governance tends to arrive only after the harm has a name and a face.

Closing the Series

Three parts, one arc. The vision of software that shops for you is old; what is new is that it works, and that the infrastructure to make it work safely is being built in real time by companies with billions at stake in how it is built. The 1995 merchants who blocked BargainFinder understood something that remains true: agent-mediated markets redistribute power. The protocols will decide the mechanics. The research community is mapping the failure modes faster than regulation can follow. And the outcome, whether agentic commerce becomes a machine for consumer welfare or a more efficient extraction engine with less human oversight than ever, is genuinely undecided.

Which makes this a rare moment: the rails are still being laid, the norms are still soft, and the questions raised across this series, verifiability over manipulation, role coherence over conflicted agents, liability assigned before the first landmark case rather than after, are still open. They will not stay open long.


Key sources:

Agentic Commerce Protocol specification, OpenAI and Stripe.

OpenAI. “Buy it in ChatGPT: Instant Checkout and the Agentic Commerce Protocol.” September 29, 2025.

Google Cloud. “Announcing Agent Payments Protocol (AP2).” September 16, 2025.

Orium. “Agentic Payments Explained: ACP, AP2, and x402.”

Grid Dynamics. “Agentic Payments: AP2 vs. ACP and the Future of AI Payment Processing.”

“Inter-Agent Trust Models: A Comparative Study of Brief, Claim, Proof, Stake, Reputation and Constraint in Agentic Web Protocol Design: A2A, AP2, ERC-8004, and Beyond.” arXiv:2511.03434.

“TessPay: Verify-then-Pay Infrastructure for Trusted Agentic Commerce,” as catalogued in the VoltAgent AI agent papers index, 2026.

Alavi, S. and Nozari, S. “When Agents Shop for You: Role Coherence in AI-Mediated Markets.” arXiv:2604.26220, University of Iowa working paper, 2026.

Cao, S. and Hu, M. “A Solicit-then-Suggest Model of Agentic Purchasing.” arXiv:2603.20972, University of Toronto, presented at the Marketplace Innovation Workshop 2026.

Zhu, S., Sun, J., Nian, Y., South, T., Pentland, A., and Pei, J. “Towards Fair and Trustworthy Agent-to-Agent Negotiations in Consumer Settings.” arXiv:2506.00073, 2025.

Allouah, A., Besbes, O., Figueroa, J., Kanoria, Y., and Kumar, A. “What Is Your AI Agent Buying?” Proceedings of the ACM Web Conference (WWW) 2026.

Fintech Wrapup. “Deep Dive: The Hidden Liability of Agentic Commerce.” March 2026.

Eco. “AP2 Protocol Explained: Google’s Agentic Commerce Standard 2026.”

Leave a Comment