Authorized Delegation, Flawed Execution — Agentic Commerce (2 of 4)
The agent had permission and still got it wrong — a failure mode our rails have no category for.
Second in my four-post series from the agentic commerce research. This is the part I found most interesting.
Fraud has a familiar shape: someone makes a charge you never approved. Decades of card infrastructure — detection models, chargeback rights, liability rules — exist to catch and unwind exactly that.
Agentic commerce introduces a whole category that doesn't fit the shape. I've been calling it authorized delegation, flawed execution: the agent had permission, and still got the purchase wrong. It bought the wrong item. It paid a worse price than it should have. It ordered ten when you meant one. It renewed a subscription you'd have cancelled. Nothing was stolen. No credential was compromised. No spending limit was breached. The delegation was completely real — the execution just wasn't what the human actually intended.
That's the problem. It's not fraud, and it's not a clean merchant dispute either. Our existing categories assume one of two things: an unauthorized actor, or a legitimate transaction that went bad on the merchant's side. An authorized agent making an honest error against a genuine instruction is neither of those. The permission was valid. The outcome was wrong. And there's no established rail to resolve that gap — no clear code for "the agent did what I told it, badly."
It matters because it won't be rare. Agents operate at machine speed and machine scale, and a small error rate across millions of delegated purchases isn't a rounding error — it's a support queue, a wave of dispute volume, and, underneath both, a trust problem. If people can't rely on delegation, they won't delegate.
The first real sign the industry sees this coming is already visible: American Express has committed to Agent Purchase Protection, a forward commitment aimed squarely at this failure mode. The full terms are still to come, but the direction is the tell — the category is real enough that someone is already building protection around it, before the volume has even arrived.
The question I keep landing on is who owns the resolution. When an authorized agent executes badly, whose problem is it — the cardholder's, the issuer's, the network's, or the agent developer's? Today there's no settled answer. And in payments, the settled answer tends to belong to whoever builds it first: the evidence trail, the consent record, the remedy. Whoever defines how this gets resolved defines the standard everyone else ends up adopting.
The full taxonomy — the other error types, and how they map to existing rails — is in the research, on The Payments Corner.
Franco Di Pietro
The Payments Corner
30+ years across payments, fintech, banking, and financial infrastructure. Operator-level perspectives on the systems that move money.
Related Insights
Memory shortage, rising consumer prices, and the issuing stack's modernization imperative
AI-driven memory scarcity is already pushing consumer hardware prices higher—forcing banks and issuers to choose between modernizing their origination and decisioning infrastructure or ceding the financing layer to faster competitors.
Authorization in agentic payments shifts from moment to chain
As AI agents execute transactions on behalf of consumers and businesses, the payment industry must move beyond narrow technical authorization to operationalize legal and regulatory proof of delegated authority. The question of what a user actually authorized an agent to do—and who is liable when outcomes diverge from intent—will determine whether agentic commerce scales.
Visa's Sixty-Year-Old Playbook for Agentic Commerce
Visa's announcements at the Payments Forum apply its sixty-year-old tollbooth playbook to agentic commerce: don't pick the AI winner, become the trust layer every transaction has to clear through. The standards for agent-driven commerce are being written this week — with you at the table or without you.