Is Agentic Commerce Safe? What Ecommerce Brands Need to Know Now
Key Takeaways
- Agentic commerce, in which AI agents research, compare, and purchase products on a consumer’s behalf, is no longer theoretical. HUMAN Security data shows agentic traffic surged more than 6,900% in just eight months of 2025, and Morgan Stanley Research projects agentic shoppers could represent $190 billion to $385 billion in U.S. ecommerce spending by 2030, capturing 10% to 20% of all online retail.
- The primary safety risks are not rogue AI but practical ones: fraudsters exploiting delegated authority to hijack agents, counterfeit storefronts optimized to fool AI buyers, and a widening liability gap where no one is sure who pays when an agent-driven purchase goes wrong. First-party misuse (friendly fraud) jumped from 15% of all fraud in 2023 to 36% in 2024, and agentic commerce will accelerate that trend.
- Only 14% of Americans currently trust AI to place orders on their behalf, even though 65% trust it to compare prices. This trust gap is the biggest obstacle to safe scaling, but it is also the biggest opportunity for brands that close it with transparent controls.
- The answer to “Is agentic commerce safe?” is: it can be safe enough to scale if brands adopt emerging frameworks like Know Your Agent (KYA), Mastercard’s Verifiable Intent protocol, and agent-aware fraud models, rather than treating agent orders the same as anonymous one-click checkouts.
- Early movers are already building governance patterns borrowed from regulated industries. The same principles that modernized SEC EDGAR filing (individually authenticated identities, role-based permissions, and full audit trails) apply directly to AI agents transacting on behalf of consumers. Brands that implement these guardrails first will be best positioned to win AI-driven shelf space safely.
What Is Agentic Commerce and Why Should Ecommerce Brands Care?
Agentic commerce is what happens when AI agents move beyond answering questions and start acting on a consumer’s behalf: researching products, comparing options, adding items to carts, and completing purchases, often without the shopper ever visiting your site.
This is not speculative. Major platforms are building the infrastructure right now. Mastercard launched Agent Pay to establish secure payment rails for AI agents. Visa released its Trusted Agent Protocol. Google’s Agent Payments Protocol (AP2), Microsoft’s Copilot Checkout, and Shopify’s multi-protocol infrastructure are all creating the pathways for agents to transact at scale.
The numbers tell the story:
| Data Point | Metric | Source |
| --- | --- | --- |
| Agentic traffic growth | 6,900%+ increase in 8 months of 2025 | HUMAN Security |
| Agent product browsing | 87% of all agent-visited pages were product pages | HUMAN Security |
| U.S. agentic commerce spending by 2030 | $190B to $385B (10-20% of online retail) | Morgan Stanley |
| B2B purchases via AI agents by 2028 | 90% of all B2B buying, representing $15T+ | Gartner |
| Americans who bought via AI in the past month | 23% | Morgan Stanley |
| Consumers who used GenAI for shopping | 38% — and 85% said it improved the experience | Adobe via HUMAN Security |
| AI shopping agent users projected by 2030 | 126 million (up from near zero) | Morgan Stanley |
For physical product brands, the takeaway is clear: AI agents are becoming your real customers. The question is not whether agentic commerce will reach your category; it is whether your store will be ready when it does.
The Real Safety Risks (They Are Not What You Think)
When people ask “Is agentic commerce safe?”, they often imagine an AI going rogue and buying 500 blenders. The actual risks are more mundane and more dangerous.
Delegated Authority Creates a New Attack Surface
Traditional ecommerce fraud defenses were built around humans on websites: sessions, devices, cookies, IP addresses, and static rules at checkout. Agentic commerce introduces a fundamentally different layer: delegated authority, where an AI agent transacts with broad, pre-approved permissions.
Signifyd’s research on agentic commerce fraud identifies the shift clearly: bad actors are moving from traditional account takeover (ATO) to what they call “bot takeover” (BTO). Instead of stealing a consumer’s login credentials, attackers compromise the AI agent acting on the consumer’s behalf. Once an agent is hijacked, it can:
- Reroute shipments to new addresses without triggering traditional fraud alerts
- Place rapid-fire orders for high-resale items using valid payment credentials
- Exploit post-purchase policies such as initiating returns and refunds in patterns that technically follow policy rules but drain merchant margins
The key insight from fraud analysts is that agentic fraud often looks like clean, fast, successful transactions, not the noisy, chaotic patterns that legacy detection systems were built to catch.
Counterfeit Storefronts Optimized for AI Buyers
Visa and payment security providers warn that attackers are already building “counterfeit storefronts” and API surfaces specifically designed to look perfect to AI buyers. These fake stores feature clean UX, plausible product catalogs, aggressive pricing, and fast response times, all the signals that early agents optimize for when selecting merchants.
Because many AI agents prioritize utility metrics like price, availability, and shipping speed, they can be steered toward fraudulent merchants unless the underlying platforms adopt more advanced trust signals. For legitimate brands, this means your products compete not just with other real brands but with AI-optimized scam operations that can spin up and disappear faster than traditional takedown processes can act.
The Chargeback and Liability Gap
This is arguably the biggest practical safety concern for physical ecommerce right now. Analysis from Finextra highlights a fundamental problem: the entire chargeback system (dating back to the Consumer Protection Act of 1968) was designed for transactions where a human directly authorizes each purchase.
When an AI agent completes a purchase from a single moment of consent, several new dispute scenarios emerge:
- Legitimate disputes: The agent makes a purchase the consumer genuinely did not sanction
- Grey-area disputes: The consumer approves broadly but does not fully define the scope (the “my agent ordered that, not me” scenario)
- Fraudulent disputes: The consumer knows what happened but uses the agent as cover for buyer’s remorse
LexisNexis data from an analysis of over 104 billion global transactions shows first-party misuse (friendly fraud) jumped from 15% of all fraud in 2023 to 36% in 2024. Agentic commerce creates an even easier cover story for this type of abuse.
Meanwhile, LexisNexis reports that every $1 lost to fraud costs merchants $4.61 in 2025 when the full chain (fees, penalties, operational handling, and lost goods) is factored in. And merchants currently win only about 45% of represented chargebacks, with a net recovery rate after all costs of just 18%.
Global dispute cases are forecast to grow 24% between 2025 and 2028, largely driven by card-not-present transactions. As AI agents become a new checkout interface, that pressure will intensify.
The Consumer Trust Gap
YouGov research from 2025 reveals a clear trust hierarchy: 65% of Americans trust AI to compare prices, 59% trust it to find items, but only 14% trust it to place orders on their behalf. Younger demographics are more open (~20% of Gen Z trust AI to order for them versus just 12% of Boomers), but the gap between “use AI to help me decide” and “let AI buy for me” is still massive across every segment.
Deloitte survey data reinforces this: 56% of consumers plan to use AI chatbots to compare prices and find deals, 47% plan to use AI to summarize reviews, but far fewer are comfortable with AI executing the transaction itself.
This trust gap is actually a safety signal. Consumers are telling us they want AI assistance but are not yet confident that the guardrails exist for AI purchasing. Brands that help close this gap through transparency, clear controls, and visible governance gain a competitive advantage in an agent-driven marketplace.
What “Safe Enough” Actually Looks Like
Safe agentic commerce is not about preventing AI agents from transacting. It is about building systems that let the right agents transact under the right conditions, with the right accountability. Several frameworks are emerging that translate this principle into practice.
Know Your Agent (KYA): The New KYC
Just as Know Your Customer (KYC) verification transformed financial services, Know Your Agent (KYA) is emerging as the verification standard for agentic commerce. KYA is a risk-based approach to establishing trust in AI agents by verifying their identity, binding them to responsible entities (human or organizational), and enforcing auditability across all autonomous actions.
Sumsub’s framework breaks this into actionable layers:
1. Detect automation: Determine whether an action is being performed by an agent through explicit declaration (verifiable credentials) or implicit detection (behavioral analytics, device intelligence, session monitoring)
2. Assess risk in real time: Aggregate signals continuously to calculate risk based on automation likelihood, behavior, transaction context, and history. When risk exceeds a threshold, trigger a proportional challenge (not a blanket block)
3. Bind automation to a human: Link verified agent activity to a real, verified person. If the verified person is banned, the agent is also banned. This creates a clear chain of responsibility: agent → verified user → identity
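The three layers above can be read as one decision function. The following is an added sketch, not Sumsub's code or any vendor's API: the registry, risk weights, threshold and the deny-on-bad-signature rule are assumptions, and HMAC stands in for the asymmetric signature a real verifiable credential would carry.

```python
import hashlib
import hmac

# Constructed registry: agent -> (shared secret, verified user it is bound to).
AGENTS = {
    "agent-a1": (b"secret-a1", "user-007"),
    "agent-b2": (b"secret-b2", "user-042"),
}
BANNED_USERS = {"user-042"}
CHALLENGE_AT = 50  # hypothetical risk threshold on a 0-100 scale


def sign(agent_id, payload: bytes) -> str:
    """What a registered agent would attach to its request."""
    secret, _ = AGENTS[agent_id]
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def detect(request):
    """Layer 1: explicit declaration first, implicit signals second."""
    agent_id = request.get("agent_id")
    if agent_id in AGENTS:
        expected = sign(agent_id, request["payload"])
        if hmac.compare_digest(expected, request.get("signature", "")):
            return "declared_agent"
        return "bad_declaration"  # claims a known identity but cannot prove it
    return "undeclared_automation" if request.get("looks_automated") else "human"


def risk_score(kind, request):
    """Layer 2: aggregate signals into one score (weights are illustrative)."""
    score = {"declared_agent": 10, "human": 10, "undeclared_automation": 40}[kind]
    if request.get("new_ship_address"):
        score += 25
    if request.get("amount_usd", 0) > 500:
        score += 25
    return min(score, 100)


def decide(request):
    """Return 'allow', 'challenge' or 'deny' for one request."""
    kind = detect(request)
    if kind == "bad_declaration":
        return "deny"
    # Layer 3: the agent inherits the standing of the person it is bound to.
    if kind == "declared_agent" and AGENTS[request["agent_id"]][1] in BANNED_USERS:
        return "deny"
    # Elevated risk gets a proportional challenge, not a blanket block.
    return "challenge" if risk_score(kind, request) >= CHALLENGE_AT else "allow"
```
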
Companies like Prove Identity have launched Verified Agent, linking digital identity, intent, and payment credentials. KnowYourAgent.xyz offers an operator registration process that gives agents verified credentials with immutable reputation scoring — every successful transaction builds trust history, and disputes trigger automatic cooling-off periods.
Verifiable Intent: Mastercard and Google’s Trust Layer
Mastercard and Google co-developed Verifiable Intent, a standards-based protocol that creates a tamper-resistant, cryptographic proof of authorization linking identity, intent, and action into a single privacy-preserving record. The protocol confirms who authorized the AI agent, captures the specific instructions given, and records how the agent-merchant interaction unfolded.
This matters for merchants because it provides:
- Proof of authorization that can be used in dispute resolution
- Selective disclosure so only minimum necessary transaction information is shared during fraud mitigation
- Protocol-agnostic design that works across agentic protocols, devices, wallets, and payment networks
Verifiable Intent is being integrated into Mastercard Agent Pay’s intent APIs in the coming months, and the specification has been open-sourced on GitHub. This is not a proprietary lock-in play; it is infrastructure that the entire ecosystem can build on.
The EDGAR Governance Blueprint
While agentic commerce is new, the governance pattern it needs is not. When the SEC modernized its EDGAR filing system, it moved away from shared credentials and anonymous activity toward individually authenticated identities, role-based access, and full audit trails for every action taken by filers and their agents.
The same principles map directly to AI agents in commerce:
- Strong identity: Every agent should have a verifiable digital identity tied to a user or organization, not just a user-agent string
- Role-based permissions: Define what each agent is allowed to do (browse, quote, place orders, modify subscriptions, initiate returns) and enforce those boundaries
- Full auditability: Log every step from product selection to cart edits to payment with enough granularity to support disputes and investigations
This is not theoretical governance. Chargebacks911’s CTO notes that enterprises should demand four non-negotiables before allowing AI agents to connect to procurement or payment systems: tightly scoped and time-bound permissions, full decision transparency, real-time human override capability, and strong post-transaction evidence capture.
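An added example (not from the original article or any vendor named in it) of the governance pattern above: a delegation grant that is scoped, time-bound, spend-limited and revocable, with every decision written to a hash-chained audit log. The `Grant` schema, action names and reason strings are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # prev-hash value used for the first audit record


@dataclass
class Grant:
    """A delegation from a verified user to one agent (hypothetical schema)."""
    agent_id: str
    user_id: str
    actions: frozenset      # e.g. {"browse", "quote", "place_order"}
    max_order_cents: int    # per-order spending limit
    expires_at: int         # Unix time; grants are time-bound
    revoked: bool = False   # flipped by the human override


@dataclass
class AuditLog:
    """Append-only log in which each record commits to the one before it.

    Tamper-evident only if the newest hash is also kept somewhere the
    log writer cannot rewrite.
    """
    records: list = field(default_factory=list)

    def append(self, entry: dict) -> None:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = json.dumps(entry, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.records.append({"entry": entry, "prev": prev, "hash": digest})

    def verify(self) -> bool:
        prev = GENESIS
        for rec in self.records:
            body = json.dumps(rec["entry"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expected:
                return False
            prev = rec["hash"]
        return True


def authorize(grant: Grant, action: str, amount_cents: int, now: int, log: AuditLog):
    """Return (allowed, reason); denials are logged as well as approvals."""
    if grant.revoked:
        result = (False, "revoked_by_user")
    elif now >= grant.expires_at:
        result = (False, "grant_expired")
    elif action not in grant.actions:
        result = (False, "action_out_of_scope")
    elif amount_cents > grant.max_order_cents:
        result = (False, "over_spending_limit")
    else:
        result = (True, "ok")
    log.append({"agent": grant.agent_id, "user": grant.user_id, "action": action,
                "amount_cents": amount_cents, "at": now,
                "allowed": result[0], "reason": result[1]})
    return result
```

Because denials are recorded alongside approvals, the same log serves as dispute evidence and as input to monitoring of the delegated channel.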
How Physical Ecommerce Brands Should Prepare
The brands that will thrive in an agent-driven marketplace are not waiting for perfect regulation or finished standards. They are building agent-readiness now, layer by layer.
Make Your Catalog and Policies Agent-Readable
HUMAN Security’s nine-step adoption guide starts here for good reason: agents will increasingly favor merchants whose data is easy to ingest and whose policies are predictable. Practical steps include:
- Structured product data: Implement JSON-LD schema.org markup with stable identifiers (SKU, GTIN, MPN), accurate specs, real-time pricing, and availability
- Transparent policies: Express returns, warranties, shipping SLAs, and restrictions in machine-readable formats that agents can parse and compare
- Trust signals: Display verified merchant credentials, security certifications, and compliance marks that agents can treat as risk-reducing features
- Performance optimization: Agents operate in milliseconds, not minutes. Optimize API response times, use CDNs and caching (ETag/Last-Modified), and build load resilience for agent traffic spikes
This is where agentic commerce and LLMO intersect directly. You are no longer just optimizing for human shoppers and search engines; you are optimizing for agent interpreters that sit between the shopper and your product detail page.
Upgrade Fraud and Security to Be Agent-Aware
Security specialists consistently emphasize that existing bot and fraud stacks cannot simply be “turned up” to handle legitimate AI traffic. They must be redesigned to distinguish good agents from bad ones. Priority actions:
- Implement agent verification: Require standardized ways for recognized agents to identify themselves. Treat unknown automation as higher risk, but do not block all automated traffic. HUMAN Security data shows that blocking agents turns away potential customers, since most are acting on behalf of real users
- Deploy behavioral analytics: Track normalized agent profiles over time (preferred categories, order ranges, typical merchants) and flag behavioral drift such as changes in purchasing patterns, sudden spikes, new geographies, or vendor changes
- Monitor delegated access: Treat any flow where a human grants long-lived permissions to an agent as a privileged channel with its own monitoring and spending limits
- Build post-purchase intelligence: Agent-era disputes will require evidence spanning multiple platforms. Start capturing consent signals, agent decision paths, and delegation records now
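An added sketch of the behavioral-analytics item in the list above, not taken from HUMAN Security or any product: it builds a per-agent baseline from constructed order history and flags drift in category, geography, order size and order velocity. Field names and thresholds are assumptions.

```python
from statistics import mean, pstdev

# Constructed history for one agent: (unix_time, category, amount_usd, ship_country)
HISTORY = [
    (1_700_000_000, "coffee", 24.0, "US"),
    (1_700_600_000, "coffee", 26.0, "US"),
    (1_701_200_000, "filters", 12.0, "US"),
    (1_701_800_000, "coffee", 25.0, "US"),
    (1_702_400_000, "coffee", 23.0, "US"),
]


def build_baseline(history):
    """Summarize what 'normal' looks like for this agent."""
    amounts = [o[2] for o in history]
    gaps = [b[0] - a[0] for a, b in zip(history, history[1:])]
    return {
        "categories": {o[1] for o in history},
        "countries": {o[3] for o in history},
        "amount_mean": mean(amounts),
        "amount_std": pstdev(amounts),
        "min_gap_s": min(gaps),        # shortest time ever seen between orders
        "last_time": history[-1][0],
    }


def drift_flags(baseline, order, z_limit=3.0, gap_factor=0.1):
    """Return the list of ways this order departs from the baseline."""
    t, category, amount, country = order
    flags = []
    if category not in baseline["categories"]:
        flags.append("new_category")
    if country not in baseline["countries"]:
        flags.append("new_geography")
    std = max(baseline["amount_std"], 1.0)  # floor avoids tiny-variance false alarms
    if (amount - baseline["amount_mean"]) / std > z_limit:
        flags.append("amount_spike")
    if t - baseline["last_time"] < gap_factor * baseline["min_gap_s"]:
        flags.append("velocity_spike")
    return flags


def score_stream(history, new_orders):
    """Score orders in time order; only unflagged orders extend the baseline,
    so a burst of anomalous orders cannot teach the model that it is normal."""
    accepted = list(history)
    results = []
    for order in sorted(new_orders):
        flags = drift_flags(build_baseline(accepted), order)
        if not flags:
            accepted.append(order)
        results.append((order, flags))
    return results
```
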
Negotiate Clear Contracts with AI Platforms
Because liability and dispute frameworks are still evolving, legal and fraud experts strongly recommend formalizing responsibilities in contracts with AI platforms, payment providers, and commerce intermediaries. Priority clauses include:
- Who bears responsibility for unauthorized purchases initiated by a compromised agent
- Minimum authentication and logging requirements on the platform side
- Data-sharing terms so merchants can access agent-level context needed to fight chargebacks
- Requirements for prompt notification when the platform changes agent behavior or capabilities
- Adoption commitments for emerging protocols like TAP (Trusted Agent Protocol) and AP2 (Agent Payments Protocol)
Forward-leaning companies are treating this as critical risk architecture, not a nice-to-have indemnity add-on.
Prepare for Regulatory Requirements
The EU AI Act becomes fully applicable on August 2, 2026, with transparency rules taking effect that same month. While the Act focuses primarily on high-risk AI system providers and deployers, its principles around human oversight, auditability, and risk management are directly relevant to any brand participating in agentic commerce.
Penalties under the AI Act can reach up to EUR 35 million or 7% of annual worldwide turnover, exceeding even GDPR fines. Brands selling into European markets should assess whether their AI-related commerce interactions fall under high-risk classification and implement appropriate documentation and governance now.
How Agentic Commerce Connects to LLMO
If agentic commerce is the transaction layer, LLMO (Large Language Model Optimization) is the discovery layer. An AI agent cannot buy from you if it does not know you exist.
LLMO determines whether your products are even considered by AI agents when they research options for consumers. Agentic security determines whether those orders are safe and profitable once they appear. The two are inseparable:
- Structured product data serves both discoverability (agents find you) and governance (agents can verify your policies and trust signals)
- Brand authority signals that help you rank in LLM responses also help agent verification systems classify you as a trusted merchant
- Content that answers common purchasing questions does not just improve AI citation — it gives agents the context they need to accurately represent your products to consumers
Brands that invest in both structured product data (for discoverability) and agent-aware risk controls (for safe fulfillment) are best positioned to become default suppliers for recurring, AI-driven demand.
Frequently Asked Questions
Is agentic commerce safe for typical DTC and marketplace brands?
Agentic commerce is conditionally safe for DTC and marketplace brands that implement agent-aware security, governance, and contracts. It is far riskier for merchants who treat agent orders as indistinguishable from standard bot traffic or anonymous one-click checkouts. Industry research emphasizes that most fraud risk arises from poorly governed delegated authority and counterfeit storefronts, not from well-designed agents operating on reputable platforms.
Will agentic commerce increase my fraud and chargeback rates?
In the short term, multiple analyses expect an uptick in disputes and fraud attempts as criminals weaponize AI agents and liability rules remain unsettled. Global dispute volumes are forecast to grow 24% between 2025 and 2028. Over time, however, merchants that adopt behavioral analytics, networked intelligence, and strong agent verification can actually lower effective fraud loss per dollar of GMV by catching sophisticated automation earlier than legacy systems can.
What is Know Your Agent (KYA) and do I need it?
Know Your Agent is the agentic commerce equivalent of Know Your Customer (KYC) in financial services. It is a framework for verifying AI agent identity, binding agents to responsible humans or organizations, and enforcing policy across autonomous actions. If your brand sells physical products online, KYA readiness will increasingly determine whether your store is included in agent-driven purchasing flows or bypassed for competitors with stronger trust signals.
How does this affect my existing fraud prevention tools?
Most fraud and chargeback tools were built for human commerce and rely on device fingerprints, IP reputation, household data, and cardholder history. These signals are often weak or missing when traffic comes through AI agents operating from data center IPs. Merchants should assess whether their current systems can distinguish between trusted agents and malicious bots, and adapt models to incorporate agent identity, cryptographic signatures, and machine-specific behavioral baselines.
What protocols should I watch for?
The key emerging protocols are Mastercard’s Verifiable Intent (co-developed with Google), Visa’s Trusted Agent Protocol (TAP), Google’s Agent Payments Protocol (AP2), and the Web Bot Auth standard. These protocols create a trust layer for agentic commerce by clarifying who is acting, what they have been authorized to do, and how that authority was granted. Early adoption gives merchants stronger evidence trails for dispute resolution.
How does the EU AI Act affect agentic commerce?
The EU AI Act becomes fully applicable in August 2026 with provisions covering transparency, human oversight, and risk management for AI systems. Brands selling into European markets should begin classifying their AI-related commerce interactions, implementing documentation requirements, and building governance processes. Penalties can reach EUR 35 million or 7% of worldwide annual turnover.
Conclusion: Safety Is a Design Choice, Not a Waiting Game
Agentic commerce is not inherently safe or unsafe; it is a design decision spanning product data, security, contracts, analytics, and governance. The payments networks, fraud platforms, and compliance experts we reviewed for this piece are aligned on one core point: AI agents will buy more and more physical goods, and the threat landscape will intensify as fraudsters adopt the same tools consumers do.
The brands that win will not be those that wait for perfect regulation or finished standards. They will be the ones that implement EDGAR-style governance, adopt Know Your Agent frameworks, build agent-readable catalogs, and negotiate clear rules of engagement for AI shoppers, starting now.
Safe agentic commerce is not a destination. It is a practice. And the earlier you start, the stronger your position when agent-driven demand goes from niche to normal.