Fraudsters may target AI mandates as agentic commerce takes off
6 min read
As AI agents begin to transact on behalf of customers, anxiety among financial institutions is mounting. But banking and payment authentication company Entersekt says the industry already has the right foundations to manage the rapid growth of agentic commerce and the fraud risks that come with it.
Agentic commerce offers an enticing growth opportunity for banks and global retail through agent-driven payment capabilities. By 2030, Mckinsey research predicts the “US B2C retail market alone will realise up to $1 trillion in orchestrated revenue from agentic commerce, with global projections reaching as high as $3 trillion to $5 trillion.”
But, while the analysts may be bullish about an agentic future, others are warning that global fraudsters are just as invested in the opportunities the new technology is offering.
Visa PERC has identified a more than 450% increase in dark web community posts in underground channels mentioning “AI agent” over the past six months compared to the prior period. However, the company says it has taken pre-emptive action, investing more than $13 billion in technology and security to stay ahead of evolving threats.
“Properly designed agentic commerce is not a free-for-all. It is a structured payments framework in which AI agents execute tightly defined, cryptographically proven mandates from customers. Far from tearing up the rulebook, it builds on rails financial institutions already know, including EMV 3-D Secure, delegated authentication and tokenisation,” says Dewald Nolte, co-founder and chief strategy officer at Entersekt.
Moving to mandate-driven payments
Current risk controls are geared toward human interaction and lean heavily on device fingerprinting, behavioural biometrics, and the patterns of a user clicking through a website or app. Agentic commerce, however, changes that surface.
“Agentic commerce will allow a consumer to instruct an AI agent to act on their behalf. An example would be an agent monitoring someone’s coffee supply and ordering more when stock runs low and the price point is acceptable. The agent would then call the merchant API directly via, for example, model context protocol. There may be no browser, no app user interface and no traditional signals to watch,” Nolte explains.
He says with agentic commerce, control shifts upstream into mandates.
- Intent mandates cover set-and-forget tasks where the human will not be present when the transaction eventually happens.
- Cart mandates apply when the agent helps discover options and assemble a basket, but the customer still approves the final purchase in real time.
- Payment mandates label transactions as agent-initiated so that issuers and schemes know an AI agent is in the loop and operating within an approved framework.
Nolte says that in all three cases, the customer authenticates the mandate rather than each individual transaction, and the agent later presents cryptographic proof that it is acting within that mandate when it spends.
Familiar threats, just in new places
He says the mandate model doesn’t eliminate fraud risk, it simply relocates it. “The most credible threats in agentic commerce are extensions of patterns banks already understand. Social engineering remains central, but the objective changes. Instead of pushing a customer to authorise a one-off payment or load a card into a rogue wallet, a fraudster will try to walk them through setting up an agent and quietly granting a powerful mandate to it.”
Other threats include weak Know Your Agent (KYA) and mandate checks, if issuers or merchants fail to verify that an agent is legitimately registered to a customer, or that a transaction fits within the approved scope.
However, not everything will be clear cut, and Nolte cautions that grey-area failures will appear where the agent does exactly what the system allows, but not what the customer reasonably meant. This could raise questions about whether the incident represents fraud, error or misconfiguration, he adds.
Evolving not reinventing
The encouraging message for security leaders, per Nolte, is that the security stack for agentic commerce largely already exists.
The core controls of KYA, delegated authentication and tokenisation can be delivered by extending the same EMV 3-D Secure, Know Your Customer and token frameworks already running in today’s production payment systems.
Nolte says that preparing for agentic commerce means upgrading payment and risk systems to ingest agentic protocol data (agents, mandates, cryptographic proofs), modernising authentication so journeys are mandate-centric with passkeys and in-app signing, and redesigning fraud strategy, UX and education around agent registration and mandate approval as the new high-risk targets for social engineers.
“Agentic commerce is coming, but it is arriving on rails the industry already understands. Banks and issuers that take early action – shaping how agents, mandates and tokens are combined – will contain risk and also have a powerful new channel for always-on customer service,” Nolte says.
