Beyond Commerce
The industry solved who the agent is. The hard part is who answers when a valid action goes wrong. That gap is the institutional layer, and it does not stop at commerce.
There is a machine inside the card networks whose entire job is to decide who is liable, and autonomous agents break the part it runs on.
The machine is 3D Secure. When you buy something online and your bank sends a passcode to your phone or asks for your fingerprint, that challenge is doing more than checking it is you. A successfully authenticated transaction shifts the liability for fraud from the merchant to the card issuer. Complete the challenge, and if the charge later turns out to be fraudulent, the issuer eats the loss, not the shop. That liability shift is the quiet economic engine under a large share of online commerce, and it rests on one assumption: that a human is present at the moment of payment, able to be challenged in real time.
An autonomous agent transacting on your behalf while you sleep is, by definition, the human not being present. It cannot complete the challenge. So the agent's payment either falls back to the unauthenticated path, where in much of the world no liability shift happens and the merchant absorbs the risk, or the industry builds a new kind of authentication: one that proves the agent was granted authority rather than that a human is present right now.
The entire payments industry spent the last year building that second thing. On 26 May 2026, the FIDO Alliance named it the "Trust Layer for Agentic Payments," cementing Google's Agent Payments Protocol and Mastercard's Verifiable Intent into a single standards-track stack. It is serious, well-built work. The word itself is worth pausing on, though. Trust is the language a market reaches for before a liability framework exists.
The sequence is familiar. In the early days of e-commerce we built SSL to create an encrypted handshake, but consumers did not trust online shopping until the card networks enforced chargeback rules that governed what happened when things went wrong. SSL was the cryptography. The chargeback was the institution. Cryptography bakes in authorization with great elegance. It cannot bake in redress. We have just finished building the SSL of the agent era, and we are still missing the chargeback.
In the months since the stack settled, the ground moved twice. The human left the loop, not just at payment but at setup. And on the other side, identity, the proof of who the agent is, became the industry's working answer to who is accountable. Both moves leave the same question open. This issue is about that question, and the two newer ways the field has worked around it.
The stack settled, and the consequence column is empty by design
When I traced the agent-authorization stack in The Sovereign Handoff, the finding was that every layer authenticates authority and hands the question of consequence to the layer above or below it, until the question falls off the top and lands on whoever deployed the agent. The commerce stack is the same shape, and over the last two months it has hardened into standards bodies. That is worth watching closely, because the charter of a standards body is a precise statement of where its responsibility ends.
In April, Google donated its Agent Payments Protocol to the FIDO Alliance, which stood up two technical groups, one for agentic authentication and one for payments, with the card networks and the large AI platforms at the table. Mastercard contributed its Verifiable Intent framework into the same process. AP2's three signed mandates, Intent, Cart, and Payment, form a cryptographic chain from user to agent to merchant, and the groups' remit is to standardise that chain: how an agent authenticates, how a user's authorization is expressed, how it is conveyed and revoked. The remit is the chain itself. Disputes, liability, and redress sit outside it. That is not an omission anyone is hiding. It is the boundary the work was scoped to.
The machine-to-machine handshake is consolidating in parallel, at the IETF, and with the same boundary. The agent-identity work there, embedding delegation chains in tokens and defining how an agent acts on a human's behalf with scoped, revocable authority, standardises how authority is conveyed and withdrawn, and explicitly leaves liability and redress out of scope. On the merchant side, Visa's Intelligent Commerce tooling lets a shop enumerate, in configuration, exactly which actions an agent may take: create invoices, cancel them, generate links. That configuration is a mandate specification. It answers whether the agent may call an API. It never answers whether the specific invoice it created should have existed, or who answers when it bills the wrong person.
Taken together, the standards landscape is a precise map of where the handshake ends and the institutional vacuum begins. FIDO is standardising the user-authorization handshake. The IETF is standardising the machine-payment handshake and the agent-identity layer beneath it. Every charter stops at the point where a valid authorization meets a wrong outcome. The consequence column is empty not because no one has noticed it, but because every body with the convening power to fill it has scoped it out of their work.
Then a new entrant changed what "the human is not present" even means.
The principal left the building
In March, Stripe and Tempo shipped the Machine Payments Protocol: no accounts, no API keys, no checkout flows, no human in the loop. Over a hundred services adopted it at launch, Anthropic and OpenAI and Shopify among them, with Visa and Cloudflare extending it to their own networks, and a streaming-payments primitive added so an agent can be billed by the token or the second. Coinbase's x402 processed something like a hundred and sixty-five million agent transactions in its first months, and the live data is more revealing than the headline. The market is still tiny and volatile: dollar volume down roughly three-quarters from its late-2025 peak, a few million payments a month, average size around fifty cents.
That average is the tell. The binding constraint on these rails has turned out to be the human, because when a person must confirm each sub-cent payment, the seconds of attention the confirmation costs are worth more than the payment itself. The friction of keeping a human in the loop is precisely the thing the architecture is now racing to remove, at frequencies no approval loop can support, for a market McKinsey projects in the trillions by 2030. The pattern is consistent across the field: the security and compliance layer is bolted on after the protocol ships. When Fireblocks joined the x402 standards body in May, it did so to add the request-integrity and spend controls the protocol had left out, describing its job as the layer that makes sure agents pay "with the right controls in place." The controls arrive after the rail, not with it.
The move went further still. In late March, MultiversX integrated MPP with native on-chain streaming sessions: an agent locks funds in an escrow contract once, then issues thousands of off-chain signed vouchers at sub-millisecond speed. The human is no longer merely absent at payment. They are physically incapable of reviewing any single debit. The root signature governs a continuous flow it can start and stop but never steer, and the streaming model defers dispute resolution to off-chain legal process, which is to say to nowhere the protocol itself defines. We have built rails that execute at the speed of silicon and left the disputes to be resolved at the speed of litigation. The question is not whether a legal remedy exists somewhere. It is whether the remedy is reachable at the same scale and frequency as the machine actions it is meant to correct. When it is not, that capacity mismatch is itself a form of systemic risk.
This is the case the mandate model strains to hold. AP2 assumes a human at the root: someone who set the agent up, bounded it, and signed. The IMF's April note gave the field its cleanest frame, keep the intelligence upstream and the money movement boring, smart agents and dumb settlement, and even that frame assumes a person upstream doing the intending.
Machine-to-machine rails do not remove that person. They move them arbitrarily far from the act. The human still provisioned, bounded, and funded the agent, and the signature still sits at the root. What is gone is its reach. A one-time funding event signed weeks ago cannot speak to any particular payment the agent makes at machine speed today. This is the delegation case the series has been tracing all along, pushed to its limit: the human delegates once and the agent acts without end, and the distance between the root and the act grows until the standing authority governs nothing at the moment it matters. The person keeps what amounts to relationship exit, the ability to defund or kill the agent outright, and has nothing like mission exit, no way to reach the single transaction that was wrong. The root did not vanish. It became unreachable from the act it is meant to authorize.
Two findings compound this, because no one is present to notice. Prompt-injection attacks against agent payment frameworks succeed in the large majority of published red-teaming trials, bypassing the mandate layer by corrupting reasoning rather than breaking a signature, so the cryptography holds perfectly while the agent does the wrong thing inside it. And the guardrails being shipped to catch this are increasingly model-based, a model judging a model, a judge made of the same material as the defendant and gameable by the very agent it watches. Meanwhile payment happens before the agent finishes the task, the verify-then-pay problem, with no audit mechanism to confirm that execution matched intent, and on irreversible crypto-settlement streams a retroactive clawback is not merely unavailable but technically impossible. A human present at payment was the last informal backstop against all of it. Machine-to-machine commerce removes the backstop and runs the failure at machine speed, across counterparties who are themselves agents.
Ask the question this newsletter always asks, reachable by whom, and the answer splits in two. The person who set the agent running is arbitrarily far from any single act it takes. The person an agent's payment actually lands on may never have been in the loop at all.
Identity proves the agent. It does not answer for the outcome.
The industry heard the consequence question, and its answer is a better proof of who the agent is and what it was authorized to do. That work is necessary and increasingly well-engineered. It is also aimed at a different question than the one that bites.
Mastercard and Google open-sourced Verifiable Intent on 5 March, and it deserves to be taken as the most serious of these. It names the exact problem, that no party in the transaction can verify that an agent's actions reflect the user's wishes, and answers with machine-checkable bounds: a layered SD-JWT credential chain, selective disclosure so each party sees only its slice, and registered constraint types the verifier is required to check against the merchant's signed fulfilment. It is a real advance over bare identity, and it is now being hardened into a standard inside the FIDO Payments Working Group. Around it sits a whole category making the same bet: Know Your Agent registries that anchor every agent to a verified identity before it can touch a regulated rail, the ERC-8004 standard that went live on Ethereum this year giving each agent an on-chain identity token, proposals to add an agent flag to the ISO 20022 messages banks settle on. All of it converges on one claim: anchor the agent to a verified identity, and governance becomes tractable.
Run it through the defensibility test from Building the Signature Surface. These products pass the identity question and narrow the constraint question, and they leave the ones underneath untouched. Verifiable Intent can prove the agent stayed inside the bounds the user signed, no overspend and no unapproved merchant, as judged by verifiers the networks run, and it builds a deterministic trail for the networks' own dispute process. What it does not do is let the consumer, or an advocate acting for them, confirm what the agent actually did without the operator's cooperation, or compel anyone to unwind an outcome that broke no constraint and was still wrong. The credential is maintained by Mastercard. It answers the audit question with a record the operators control, and the governance question with the operators' own dispute resolution.
This is the deeper reason identity cannot close the gap on its own. A cryptographic signature does not remove the cost of a dispute. It changes its nature. The traditional chargeback adjudicates a binary: did the human authorise this payment? When the signed intent and the autonomous outcome diverge, the institution has to adjudicate something far harder. When a valid delegation produced an invalid outcome, who decides which one governs? Identity proves the delegation was valid. It is silent on the question that comes after.
There is a clean illustration already on the record. An e-commerce platform caught a wave of suspicious bulk orders this year, traced to an agent on a legitimate, identity-verified account. The account was verified. The payment token was valid. Nobody had verified the scope of the agent's authority, and identity told them nothing about it. That is the gap every one of these products leaves open, not by failing at what it does, but because what it does sits one layer above where the harm lands.
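The distinction this case and the Verifiable Intent discussion above turn on, as an added example that is not part of the original article or any network's code: a merchant-side check in Python where an HMAC stands in for the SD-JWT credential chain, and the key, field names, and orders are all constructed assumptions. It shows the identity check accepting every bulk order, the scope check stopping them at the signed budget, and an in-bounds order passing regardless of whether it was the right one.

```python
import hashlib
import hmac
import json

USER_KEY = b"constructed-demo-key"  # constructed; stands in for the user's signing key


def sign(bounds: dict, key: bytes = USER_KEY) -> str:
    """HMAC over canonical JSON. A stand-in for the signed credential chain."""
    body = json.dumps(bounds, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue_mandate(agent_id, merchants, max_order_cents, budget_cents) -> dict:
    """The user signs the bounds once, up front (hypothetical field names)."""
    bounds = {"agent_id": agent_id, "merchants": sorted(merchants),
              "max_order_cents": max_order_cents, "budget_cents": budget_cents}
    return {"bounds": bounds, "sig": sign(bounds)}


class MandateVerifier:
    """Merchant-side check of each order against the signed bounds."""

    def __init__(self, mandate: dict, key: bytes = USER_KEY):
        if not hmac.compare_digest(mandate["sig"], sign(mandate["bounds"], key)):
            raise ValueError("mandate signature invalid")
        self.bounds = mandate["bounds"]
        self.spent_cents = 0  # cumulative state: the part identity never carries

    def identity_ok(self, order: dict) -> bool:
        """All that a verified account plus a valid token establishes."""
        return order["agent_id"] == self.bounds["agent_id"]

    def scope_ok(self, order: dict):
        """Return (accepted, reason) for one order; count accepted spend."""
        b = self.bounds
        if not self.identity_ok(order):
            return False, "agent not named in mandate"
        if order["merchant"] not in b["merchants"]:
            return False, "merchant outside mandate"
        if order["amount_cents"] > b["max_order_cents"]:
            return False, "order exceeds per-order cap"
        if self.spent_cents + order["amount_cents"] > b["budget_cents"]:
            return False, "cumulative budget exhausted"
        self.spent_cents += order["amount_cents"]
        return True, "within signed bounds"


def replay_constructed_orders() -> dict:
    """Run constructed sample orders through both checks and summarise."""
    mandate = issue_mandate("agent-7", ["shop.example"], 5_000, 20_000)
    bulk = [{"agent_id": "agent-7", "merchant": "shop.example",
             "amount_cents": 4_000, "item": "widget"} for _ in range(10)]

    verifier = MandateVerifier(mandate)
    identity_accepted = sum(verifier.identity_ok(o) for o in bulk)
    results = [verifier.scope_ok(o) for o in bulk]
    scope_accepted = sum(ok for ok, _ in results)
    first_rejection = next(reason for ok, reason in results if not ok)

    # In bounds on every axis, yet not what the user wanted: no check sees "item".
    wrong = {"agent_id": "agent-7", "merchant": "shop.example",
             "amount_cents": 4_000, "item": "not what the user wanted"}
    wrong_accepted, wrong_reason = MandateVerifier(mandate).scope_ok(wrong)

    return {"identity_accepted": identity_accepted,
            "scope_accepted": scope_accepted,
            "first_rejection": first_rejection,
            "wrong_but_accepted": wrong_accepted,
            "wrong_reason": wrong_reason}


if __name__ == "__main__":
    print(replay_constructed_orders())
```

The last result is the residual gap: the order is accepted as within signed bounds because nothing in the mandate can express that it was the wrong purchase.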
Verified identity is not accountability, and neither is a signed constraint. Both run upward, to whoever holds the registry and to the network that adjudicates, before they run outward, to the person the agent transacts for. The consequence column is no longer empty. It holds a precise, valuable answer to a different question than the one that decides who is made whole when a valid action goes wrong.
Rebuilding the surface under duress, while the floor moves
The card networks felt this first. Visa's Intelligent Commerce and Mastercard's Agent Pay, the latter live in authenticated agentic transactions in Hong Kong and Thailand this spring, issue scoped tokenized credentials to registered agents and let the consumer set spending limits and preferences up front. Read past the product names and each is, at bottom, a mandate specification and an agent registry. The consumer controls are real, and they are real at the level of the grant: you can cap what the agent may spend and where, and you can switch it off. That is a kill switch at the delegation layer. It is not a correction mechanism at the consequence layer. Nothing in it lets you reach back into the one transaction that was authorised, within limits, and still wrong.
What the networks have added on top is detection, not correction. When Visa and partners, among them Skyfire, Nekuda, PayOS, and Ramp, ran their first production agent-initiated transactions in December 2025, the addition was Akamai, brought in to support the Trusted Agent Protocol: behavioural verification that distinguishes a legitimate agent from a malicious bot at the perimeter. It is useful, and for this problem it faces the wrong way. As the observability argument held, a detector tells you an action looks anomalous. It does not give the person the action lands on any lever to undo it, and it creates no new dispute right for a transaction that was authorised and merely wrong.
Until that surface is finished, liability is assigned by default. It follows the merchant of record, who in every protocol now proposed remains the merchant of record: full exposure to autonomous execution, with none of the old liability shift's protection. The loss lands on the party least able to carry it and least responsible for the agent's behaviour, the small merchant who never deployed the agent, never bounded it, and cannot inspect it, now absorbing fraud from autonomous buyers it has no way to challenge. The rational response to that exposure is to refuse agentic transactions altogether, so the unbuilt liability surface does not merely distribute harm unfairly, it suppresses the very commerce the protocols were built to enable. Unallocated risk does not disappear. It settles on whoever is too small to push it back.
The legal ground is unsettled, but it is no longer static. No jurisdiction has agentic-commerce-specific regulation. The EU AI Act predates the technology, and the EU's Digital Omnibus reached political agreement on 7 May 2026, deferring the high-risk obligations to December 2027 for Annex III systems and August 2028 for the product-regulated tier. The headline is the floor receding. But beneath it, the institutional layer is beginning to crystallise, and the thing to notice is who is building it. Not a protocol working group, not a card network, not a standards body. Legislatures.
Two instances are already on the record, and each carries its own limit. The revised EU Product Liability Directive classifies software, standalone, embedded, and AI-enabled, as a product, imposes strict liability on economic operators when a defective product causes harm, and lets courts presume defectiveness in defined circumstances. Its national transposition deadline is 9 December 2026, and it does not wait for the AI Act's high-risk obligations to catch up: an agentic product placed on the EU market after that date carries the same strict-liability exposure as a defective physical device. That is an institutional consequence layer written by a legislature, non-consensual, external, and binding. It is also not a complete answer. The presumption of defectiveness turns on showing the system malfunctioned during reasonably foreseeable use, and an agent that stayed cryptographically within its signed bounds may not read as having malfunctioned at all. Even the strongest law on the table leaves a corrigibility gap.
The second is California. Alongside the statute that forecloses the obvious dodge, that you cannot use a system's autonomous operation as a shield against a liability claim, the state's automated decision-making rules under the CCPA now require businesses using AI for significant decisions in housing, employment, and healthcare to give a pre-use notice, a right to opt out, and meaningful information about the logic involved. Read those against the corrigibility conditions and they map almost directly: opt-out is mission exit, and logic access is a step toward legible rules and independent verification. It is a working prototype of the layer the payment protocols have not built. Its limit is the PLD's limit in another form: the logic disclosure comes from the operator, not an independent verifier, and a right to an explanation does not guarantee a technically meaningful one.
The fraud is already arriving to test all of it. Visa's risk team reported a rise of more than four hundred and fifty per cent in dark-web posts mentioning "AI agent" over six months, and the security community has begun naming the categories, with the OWASP GenAI and Agentic Top 10 for 2026 listing agent-specific risks from goal hijacking to identity abuse to rogue agents. But that work, like the observability stacks it informs, is aimed at detection and prevention. Even the most honest fragment of the correction layer still faces the wrong way: Microsoft's open-source governance toolkit can export an evidence package of logs, policy decisions, and identity bindings for a transaction, packaged for auditors and regulators. That is an acknowledgment that governance has to hand evidence to an outside party, but one that still runs entirely inside the operator's stack and answers to the operator's overseers, not to the person the agent acted on.
Beyond commerce
Commerce is where the rails are most developed, which is why it shows the gap most clearly. The domains with no rails at all show it most dangerously, and both of this issue's moves travel into them intact.
The same structure, an agent acting on delegated authority where a valid authorization produces a wrong and binding outcome, appears wherever agents act, and outside commerce there is no merchant-of-record default to absorb the loss, no 3D Secure to rebuild, no mandate standard in pilot. Consider an agent that adjusts a medication dose or triages a referral under a clinician's authority. Consider an agent that drafts and files a regulatory disclosure no human reads. Consider enterprise procurement, the IMF's own example, where an agent commits a purchase inside a limit that is satisfied and still a mistake.
Make the hardest one concrete. A welfare agency stands up an agent to assess eligibility and disburse a benefit, acting on a citizen's state-issued digital identity. The identity verifies. The authorization is valid. The agent, reading some signal, denies the claim or triggers a clawback, and the decision commits. Every layer behaved correctly: the credential was genuine, the policy permitted the action, the log recorded it faithfully. The citizen is now without rent money, holding an outcome that is perfectly attributed, perfectly logged, and perfectly wrong. There is no merchant of record to absorb it, no chargeback, no liability shift, and no rail to opt out of, because the rail is the state, and the only identity that would let them contest the decision is the one that produced it. This is the commercial argument with the cushioning stripped away. It is what agentic public infrastructure looks like deployed without a correction layer, and it is the form the question takes for the people with the least room to survive being wrong.
The machine-to-machine move arrives here too: agents transacting for a hospital, a court, a ministry, with the human further and further from any single act. So does the identity answer, a verified agent identity, a tamper-resistant registry, an audit log the operator hosts, offered as the response to a question about a patient or a claimant who cannot reach any of it.
The layer that does not stop at commerce
Through all of it runs a single question, the one the whole stack defers: can the system be corrected when the authorization is valid and the outcome is wrong?
The series already has the test. The five corrigibility conditions (can you stop it, are the rules legible, can someone outside verify, does the authority bind, can the design be reproduced) read differently, and bite harder, when they are asked on behalf of the person the agent acts for. Can a user reach and withdraw a standing mandate and the authority it has accumulated, or does the chain persist beyond them, and what does withdrawal even mean when no human was in the loop to begin with? Is the rule that decides who carries the loss legible to the people it binds, or buried in a network's terms of service? Can a user independently verify why the agent paid what it paid, or only see the intent they signed, or, increasingly, an identity credential that attests to the agent and says nothing about the outcome? Who can compel a change to the default when it is unjust? And can a community that rejects the dominant rails build its own?
These conditions also have to survive the topology of the agentic web. In agent-to-agent ecosystems, authority passes through several autonomous actors before it reaches an outcome: a personal assistant hires a travel agent, which queries a pricing agent, which authorizes a payment agent. AP2 is, at heart, an attempt to preserve a user's intent across a delegation chain; Google's A2A lets that authority propagate reliably from one agent to the next. The harder design problem is that corrigibility has to propagate too. A system stays accountable only if exit, audit, and the power to compel a change survive every hop in the chain. Where they do not, authority becomes recursively delegated while responsibility becomes recursively deferred.
Most of what these conditions ask for already exists on paper: the right to withdraw consent, the right to an explanation, the right to move your data, scattered across data-protection and consumer law. The task is not to invent new rights. It is to make the existing ones reachable at machine speed, which they currently are not. And there is an economic problem underneath the legal one that no one has answered. In card commerce, interchange fees fund the vast machinery of fraud resolution, arbitration, and consumer protection. As HTTP 402 streams and sub-cent machine payments drive margins toward zero, the engine that paid for fairness collapses with them. Someone has to decide who pays for correction when the transaction fee is a fraction of a cent and the human has disappeared.
These are not commerce questions. They are the questions you ask of any system that acts on people's behalf at a speed and scale they cannot personally supervise. Commerce reached them first because it had the most to lose and the most existing machinery to break. The clinic, the court, the procurement desk, and the state are walking toward the same questions with less infrastructure and higher stakes.
The protocols solved the handshake, and that is a real achievement. FIDO is standardising the user-authorization handshake, the IETF the machine-payment one. The card networks are rebuilding the surface that decides who is liable. The newest rails pushed the human arbitrarily far from each act the agent takes, and the newest products offer the proof of the agent's identity where what is needed is an answer for the agent's consequences. What none of them has built yet, inside commerce or beyond it, is the layer that answers once the handshake is valid and the outcome is wrong: the layer that lets the person an agent acts for reach the one decision that harmed them. That is the commercial face of what this newsletter means by exit, not the freedom to leave a service, but the ability to make a standing authority stop at the point it goes wrong. It is what the corrigibility framework is built to supply, a system that stays reachable, contestable, and correctable by the people whose lives it arranges.
That layer is not a protocol, and it is not a credential. It is an institution. Every such institution, whether legal, economic, or cryptographic, ultimately performs the same function: it grants someone the legitimate authority to override a technically valid outcome when that outcome causes unacceptable harm. Its eventual form is still open: it may come through liability law, insurance pools, cryptographic staking, independent arbitration, or some combination, and the history of infrastructure suggests the winning answer is usually hybrid, cryptography paired with courts. The revised Product Liability Directive and California's automated-decision rules are early, imperfect instances of it, built outside the standards process. They show the work can be done. The people who build it into the infrastructure itself, who close the gap between a valid handshake and a correct outcome and make correction as standardised and foundational as the handshake it corrects, will define the next decade of digital infrastructure. It is mostly still ours to build. The question the next few years will answer is not whether agents can transact. It is whether the machinery to correct them arrives before the first irreversible harm lands on someone who had no part in authorizing it.
Anivar Aravind is an Engineering Executive and Systems Thinker. The Layer 8 is a professional newsletter on the power, incentive, and governance layer of digital infrastructure. His structural framework on corrigibility is at anivar.net/corrigibility, with preprints on SSRN: Corrigibility as a Structural Precondition for Digital Public Infrastructure and Epistemic Capture and the Action Boundary.






