When Your Agent Gets the Transaction Wrong, Who Pays?
Tom Williams, Managing Partner

The infrastructure of trust is the defining challenge of the agentic economy, and the time to define it is now.
The conversation about AI agents is almost entirely about capability: what they can do, how fast they act, how much they automate. Every week brings new benchmarks, new products, and new claims about efficiencies unblocked or jobs replaced.
What is being discussed far less is accountability.
When an AI agent acts on your behalf (booking a flight, placing an order, committing your company to a contract) and something goes wrong, who owns it? The developer who built the agent? The company that deployed it? The platform that processed the payment? The end user whose money was spent without their direct involvement?
This is not a hypothetical question. Agent-initiated transactions are already happening in the real world. And the trust infrastructure to support them (the equivalent of SSL, PCI compliance, and two-factor authentication that underpins every human-to-human digital transaction today) is only just beginning to be built.
The companies that build it will define the agentic economy. The ones that don't will cede ground on the most important architectural decision of the next decade.
This problem has been solved before, just not for agents
The early internet had no such infrastructure of trust, and the consequences were predictable. Fraud was rampant, adoption was slow, and the potential of e-commerce remained largely theoretical until the mid-1990s, when SSL encryption made it possible to transmit payment credentials without them being intercepted. PCI compliance followed. Then two-factor authentication. Then GDPR, which (for all its flaws) established clear rules about what data could be collected and how.
None of these were bolted on painlessly. Each required coordination between platforms, regulators, and developers. Each imposed short-term friction in exchange for long-term scale. And each, in retrospect, was the prerequisite for the commerce that followed.
The agentic economy is at the same inflection point. The question is not whether trust infrastructure will need to be built. It is whether it gets built proactively, by the companies with the most to gain from getting it right, or reactively, after a high-profile failure forces the issue.
Three layers of trust, all broken at once
What makes the agentic trust problem genuinely hard is that it operates simultaneously across three distinct relationships, each of which needs to be solved independently and in concert.
Platform to agent
When an AI agent attempts a transaction, how does the merchant or service provider know it is legitimate? How do they distinguish a trusted agent acting on behalf of a genuine customer from a malicious bot attempting fraud? This is the layer that the major payments networks are now racing to address.
Business to agent
When a company deploys an agent on its own behalf (to manage procurement, book travel, pay invoices), how does it maintain meaningful oversight? What prevents the agent from exceeding its authority? What constitutes an adequate audit trail when an autonomous system makes a decision that turns out to be wrong? This is partly a product design problem and partly a governance one, and most organisations have not yet seriously engaged with it.
End user to agent
This is the least discussed and most consequential layer. When I use an application powered by an agent, do I understand what it is authorised to do on my behalf? Do I trust it to act in my interest rather than the interest of whoever built it? Can I verify what happened after the fact? This is where accountability becomes genuinely personal, and where the stakes of getting it wrong are highest.
The difficulty is that these three layers are interdependent. Solving the platform-to-agent authentication problem does not resolve the question of who is accountable when the agent that was correctly authenticated makes a bad decision. And establishing internal governance for business-deployed agents does nothing to protect end users who have no visibility into how those agents are instructed to behave.
All three layers need to be addressed. Right now, none of them are solved.
What the industry is building
In October 2025, Visa introduced its Trusted Agent Protocol, an open framework developed with Cloudflare and backed by Stripe, Shopify, Microsoft and Mastercard, designed to help merchants authenticate AI agents and distinguish them from malicious bots. The protocol uses cryptographic signatures to verify agent identity and transmit payment credentials without exposing card numbers. It is already live on Visa's Developer Center.
Mastercard launched Agent Pay the same month, using what it calls "agentic tokens" evolved from its existing tokenisation technology. US rollout to all issuers completed in November 2025, with global expansion planned for early 2026.
Google's Agent Payment Protocol (AP2) takes an open, payment-agnostic approach, allowing agents to transact across cards, bank transfers and stablecoins using cryptographic user mandates to prove consent. Backers include PayPal, American Express, Shopify, Salesforce, Cloudflare, Etsy and Klarna.
All three initiatives share the same core emphasis: verification of identity and proof of consent before the transaction completes. The most sophisticated payments companies in the world have independently reached the same conclusion. Whoever establishes the dominant protocol will occupy a structurally important position in the agentic economy.
"Securing the future of commerce is a shared responsibility, especially as AI agents begin to act on behalf of consumers"
Stephanie Cohen, Chief Strategy Officer, Cloudflare
That framing matters, because what Visa, Mastercard and Google are building addresses the platform-to-agent layer. The business-to-agent and end user-to-agent layers remain largely unaddressed. The standards for those layers have not yet been written.
The componentization problem
Underneath the authentication question sits a harder structural one. When an agent makes a decision that causes harm, that decision is the product of multiple components built by multiple parties: the model that powers the agent, the framework that orchestrates it, the API that executed the transaction, and the platform that processed the payment. Each operates within its own domain, and no single party has visibility of the whole.
This problem predates AI agents. In research I conducted on AI ethics in commercial product development, I found the same dynamic at play in autonomous vehicles: a semiconductor company building the AI chip did not consider itself responsible for the behavior of the vehicle its chip eventually went into. The vehicle manufacturer lacked full visibility of the chip's performance across all conditions. Regulators had no framework for assigning accountability across a supply chain of that complexity.
Agentic commerce has the same architecture, and will produce the same accountability gaps unless the industry deliberately designs against them. Responsible agentic systems scope the agent's authority explicitly, create audit trails that are readable by humans, not just machines, and assign accountability clearly at each layer so that when something goes wrong there is no ambiguity about who owns the resolution.
Visa's protocol includes spending limits and merchant restrictions set by users. Mastercard's framework requires agent registration and authentication before any transaction. These are meaningful steps, but they address the payment execution layer, not the broader question of what the agent was instructed to do, by whom, and on whose behalf.
The opportunity for developer tool companies and API providers
The trust infrastructure of the agentic economy will not be built by Visa and Mastercard alone. It will be built by the developers who create agent frameworks, the platforms that host agentic workflows, the API providers whose endpoints agents call, and the companies that build the tools those developers use.
Every one of those companies faces the same strategic question the payments networks have already answered for themselves: is trust a compliance checkbox or a competitive moat?
The more instructive analogy is Stripe rather than SSL. When Stripe launched in 2010, the payment infrastructure it was competing with was technically functional. What Stripe understood was that developer trust (built through documentation quality, API design, and a genuine commitment to making integration easy) was itself a form of infrastructure. Companies adopted Stripe not just because it worked, but because that trust was legible in every interaction they had with the product.
The same dynamic will play out across the agentic stack. The agent framework with clear, auditable permission models will be chosen over the one without. The API provider that surfaces meaningful consent signals will be chosen over the one that treats authorisation as binary. The developer tool company that makes it easy to build accountable agents will capture a disproportionate share of a market that is, by every credible measure, about to grow very quickly.
Generative AI traffic to US retail sites increased 1,300% between November and December 2024, according to Visa. By July 2025, that growth was still accelerating. Millions of consumers are expected to use AI agents to complete purchases during the 2026 holiday season.
The infrastructure race is underway. The question is which companies beyond the payments networks recognise it.
What this means in practice
For companies building developer tools, APIs, or platforms that agents will use, the practical implications are not particularly complicated, but they do require deliberate attention.
Permission models need to be explicit and inspectable. An agent should only be able to do what it has been authorised to do, and that authorisation should be visible to the developer who built it, the business that deployed it, and the end user on whose behalf it acts. Implicit permissions are where accountability goes to die.
Audit trails need to be human-readable. It is not sufficient to log what happened. The log needs to be interpretable by a compliance officer, a customer service representative, or a user who wants to understand why their agent did what it did. This is consistently overlooked.
Consent signals need to travel with the transaction. When an agent calls your API, can you verify that a human authorised the underlying action? Can you surface that to the merchant on the other end? That is precisely what Visa's Trusted Agent Protocol does at the payments layer. The same logic applies to every API that agents will call.
Trust needs to be a product decision, not just an engineering one. The companies that define agentic trust infrastructure will not primarily be those with the best cryptography. They will be the ones that understand what it actually feels like to hand budget authority to an agent, or to authorise a purchase you did not personally make. That understanding needs to live in product decisions, not only in security architecture.
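To make the first three points concrete, here is an added illustration (not code from Visa's, Mastercard's or Google's protocols): an API checks an agent's request against a signed, inspectable user mandate and returns a plain-language audit line. All field names, the key and the sample mandate are hypothetical, and HMAC stands in for the asymmetric signature a real scheme would use.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: HMAC stands in for the asymmetric
# signature a real user wallet or issuer would produce.
USER_KEY = b"constructed-demo-key"

# Constructed mandate: what the user authorised, in inspectable form.
MANDATE = {
    "user": "alice", "agent_id": "travel-agent-1", "currency": "USD",
    "limit_cents": 50000, "allowed_merchants": ["example-air", "example-hotel"],
    "expires_at": 2_000_000_000,
}

def sign_mandate(mandate, key=USER_KEY):
    """Sign a canonical JSON encoding so any edit to the mandate is detectable."""
    body = json.dumps(mandate, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def authorize(request, mandate, signature, spent_cents, now, key=USER_KEY):
    """Check one agent request against the mandate; return (allowed, audit_line)."""
    if not hmac.compare_digest(sign_mandate(mandate, key), signature):
        reason = "mandate signature does not verify, so user consent is unproven"
    elif request["agent_id"] != mandate["agent_id"]:
        reason = "mandate was issued to a different agent"
    elif now >= mandate["expires_at"]:
        reason = "mandate has expired"
    elif request["merchant"] not in mandate["allowed_merchants"]:
        reason = "merchant is not on the user's allowed list"
    elif spent_cents + request["amount_cents"] > mandate["limit_cents"]:
        reason = "amount would exceed the user's spending limit"
    else:
        reason = None
    allowed = reason is None
    # One sentence a support agent or the user can read without a schema.
    line = "{}: agent '{}' asked to pay {:.2f} to '{}': {}".format(
        "ALLOWED" if allowed else "DENIED", request["agent_id"],
        request["amount_cents"] / 100, request["merchant"],
        reason or "within the signed mandate")
    return allowed, line

if __name__ == "__main__":
    sig = sign_mandate(MANDATE)
    for merchant in ("example-air", "example-casino"):
        req = {"agent_id": "travel-agent-1", "merchant": merchant, "amount_cents": 32000}
        print(authorize(req, MANDATE, sig, spent_cents=0, now=1_800_000_000)[1])
```

Because the signature covers the whole mandate, raising the limit or adding a merchant after the user signed invalidates it, and the request is denied before any limit is consulted.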
The protocols being established right now, for how agents identify themselves, prove consent, and assign accountability when something goes wrong, will shape the agentic economy for a long time. That is an open design space, actively being contested by some of the most consequential companies in global commerce.
The opportunity is available to any company willing to treat trust as the foundation rather than the afterthought.
When your agent makes a transaction on behalf of your customer, and it turns out to be wrong, what happens next? If you don't have a clear answer to that question, you are not ready for the agentic economy. And neither, frankly, is your product.


