The Authority to Act gap in agentic commerce

A shopper asks their agent to book the 7.30 train to Manchester. The agent books the 7.30 to Birmingham. The card clears in under a second. Fraud scoring returns clean. The bot signal is human-shaped. The shopper opens the confirmation an hour before the trip and finds tickets they cannot use, paid for from their account, with no obvious party to call. Authority to Act in agentic commerce, the thing that would prove a human meant this transaction, did not travel with the agent.

Bot detection tells you who to block. Identity infrastructure tells you who to trust. The transaction that just happened answered the wrong question. The rail confirmed that a card was charged. None of the layers on the way to the merchant confirmed that the action carried Authority to Act on behalf of a real person, within limits they had set, for a purpose they had consented to.

That gap is what merchants, acquirers and payment networks now have to close. It sits one layer above payment authorisation, and it does not appear in any agent protocol, payment standard or fraud signal currently in production.

A valid payment is not Authority to Act in agentic commerce

Agentic commerce is on a trajectory that makes the gap commercially material. McKinsey QuantumBlack research forecasts $3 trillion to $5 trillion in global agentic commerce by 2030. Morgan Stanley Research projects up to 20% of US e-commerce could be agent-mediated by 2030 in its bull case. UK consumers can already complete purchases via ChatGPT, Microsoft Copilot Checkout and Google's AI Mode where retailers have adopted the relevant protocols.

The agent presents a signed instruction. The card network authorises the payment. The merchant ships the goods. Each layer does the job it was built for. None of them speaks to whether the human behind the agent meant any of this to happen.

The four risks the rails do not address

Four operational risks sit on the merchant's side of every agent-initiated transaction, and the current stack has no native answer to any of them.

  • The first is Rogue Agents. A misconfigured or compromised agent acts outside what the user actually meant to authorise. The agent's signature is valid. The user did not intend the outcome.
  • The second is No Non-repudiation. The user disputes a transaction they say they never authorised. The merchant cannot point to an independent, cryptographic record proving the human signed off on the action. Internal logs from the agent provider are not impartial evidence.
  • The third is Invalid Privacy Consent. The merchant infers consent from the agent's behaviour. Under UK GDPR and the Data (Use and Access) Act 2025, consent must be captured directly from the individual, with a clear purpose and an auditable trail. Inferred consent is not consent.
  • The fourth is Merchant Liability. The Merchant Advisory Group's 2 February 2026 guidance was direct: merchants "remain responsible for fraud, chargebacks, and compliance, even if an agent initiates the payment". The Financial Conduct Authority's published approach is that AI use is assessed against existing frameworks, including the Consumer Duty and the Senior Managers and Certification Regime; delegation to an automated system does not dilute regulatory liability.

Luke Gebb, EVP Global Innovation at American Express, framed the accountability question plainly: "To date there have probably been as many press releases [on agentic commerce] as transactions, but no doubt it will happen". The transactions are coming. The question is what proof travels with them when they do.

Payment authorisation answers a different question

The honest reading of the current stack is that each layer is doing what it was designed to do. Payment networks authenticate the payment instrument. Agent protocols sign the agent action. Bot detection flags traffic that looks anomalous. The thing none of those layers were designed to do is bind an action to a verified human with an enforceable record of permission and purpose.

That binding is a distinct layer. Stephanie O'Connor of Wind River Payments described the operational consequence in FinTech Weekly: "AI agents can be trained to mimic human patterns closely enough that those signals become harder to distinguish from human shoppers", and small merchants will "absorb the financial impact first". Anomaly detection thins out as agent traffic becomes a normal part of checkout. The merchant is left holding the risk without the artefact that would resolve it.

The Authority Layer is where the answer sits

The market is settling on a name for the layer this work belongs to. The Authority Layer sits above payment execution and below the user. It binds a verified human to an agent action, captures explicit consent for that action, enforces the limits the user set, and produces an audit trail that holds up when challenged. Payment authorisation answers a question about the instrument. Authority answers a question about the person.
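The four risks listed earlier and the binding described in this section can be made concrete in code. The following is an added illustrative example, not OneID's design or any production protocol: a human-signed grant that names the delegated agent, the consented purpose, a spending ceiling and attribute limits, plus the merchant-side check that refuses any agent action outside it. The field names, the Ed25519 signing and the "destination" constraint are assumptions chosen to mirror the Manchester/Birmingham scenario.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Grant is the human-signed authority artefact (hypothetical field names): which agent may act, for what purpose, within which limits, until when.
type Grant struct {
	Subject     string            `json:"sub"`         // verified human
	AgentID     string            `json:"agent"`       // agent the human delegated to
	Purpose     string            `json:"purpose"`     // consented purpose, e.g. "rail-ticket"
	MaxPence    int64             `json:"max_pence"`   // spending ceiling set by the user
	Constraints map[string]string `json:"constraints"` // attribute limits, e.g. destination
	Expires     time.Time         `json:"exp"`
}
// Action is what the agent actually presents to the merchant.
type Action struct {
	AgentID, Purpose string
	AmountPence      int64
	Attrs            map[string]string
}

// canonical gives deterministic bytes to sign (encoding/json sorts map keys).
func canonical(g Grant) []byte { b, _ := json.Marshal(g); return b }
// Sign runs on the user's side (identity provider holding the user's key), never inside the agent.
func Sign(priv ed25519.PrivateKey, g Grant) []byte { return ed25519.Sign(priv, canonical(g)) }
// Authorise is the merchant-side check; signed grant plus action is the independent audit record.
func Authorise(pub ed25519.PublicKey, g Grant, sig []byte, a Action, now time.Time) error {
	if !ed25519.Verify(pub, canonical(g), sig) {
		return fmt.Errorf("grant signature invalid: no proof the human signed off")
	}
	if now.After(g.Expires) {
		return fmt.Errorf("grant expired at %s", g.Expires.UTC())
	}
	if a.AgentID != g.AgentID || a.Purpose != g.Purpose {
		return fmt.Errorf("action is outside the delegated agent or consented purpose")
	}
	if a.AmountPence > g.MaxPence {
		return fmt.Errorf("amount %d exceeds user-set limit %d", a.AmountPence, g.MaxPence)
	}
	for k, want := range g.Constraints { // e.g. agent chose Birmingham, user authorised Manchester
		if got := a.Attrs[k]; got != want {
			return fmt.Errorf("constraint %q violated: agent chose %q, user authorised %q", k, got, want)
		}
	}
	return nil
}
```

A tampered grant (say, a raised ceiling) fails the signature check, so the merchant's record of refusal or acceptance rests on the user's key rather than on the agent provider's logs.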

OneID is the Authority Layer for Agentic Commerce. The mechanics are covered in the next piece in this series; the relevant point here is that this is not a feature that bolts onto a payment protocol. It is a separate layer with its own standards, its own statutory anchor in the UK under Part 2 of the Data (Use and Access) Act 2025, and its own evidence model.

The next question the market has to answer

The agentic commerce stack is being built in real time. Knowing where the Authority Layer fits inside it, and what it has to do that no payment-rail layer can deliver, is the practical question every commercial decision-maker now needs an answer to. The next piece in this series maps the stack and shows where the gap sits.
