Adyen's VP of Product, Carlo Bruno, gave one of the more clear-eyed talks we’ve watched at Money20/20 in Amsterdam.
The session was framed around merchant readiness for agentic commerce, but the deeper story that surfaced was about identity: specifically, that the payment infrastructure for autonomous agents is further along than the trust infrastructure that should sit beneath it.
That gap matters for anyone building in digital identity.
The trust problem is not solved at the payment layer
Carlo's three-layer architecture for machine-to-machine payments is technically credible.
Layer one anchors a one-time human Strong Customer Authentication (SCA) validation to a restricted network token. Layer two uses the open-source X402 protocol to translate agent payment requests into card-scheme-readable messages. Layer three aggregates micro-transactions off-chain before settling in fiat.
What this architecture depends on, but does not fully solve, is identity and mandate verification upstream of the transaction.
Carlo was direct about it. Early agentic flows at Adyen are already showing elevated chargeback and refund rates. The reason: the payments industry spent decades building infrastructure to block automated transactions.
Now it needs to welcome legitimate agent activity while distinguishing it from fraud. Behavioural signals, prior purchase history, and approved permissions are part of the current approach, but by Carlo's own account, the trust layer is still evolving.
The hard question he raised was this: how do you verify that an AI agent conducted a legitimate transaction? How do you confirm there was a valid, human-approved mandate behind it?
In our view, portable, verifiable credentials are an answer to exactly that question. A credential issued at the point of mandate creation, cryptographically bound to the user's authenticated session, and presentable by the agent at each downstream touchpoint is the architecture this problem calls for. Carlo did not use that framing, but the structural gap he described is the one verifiable credentials fill.
Mandates are the identity primitive for agentic commerce
The most technically specific part of Carlo's session was his treatment of programmatic mandates as the foundational primitive for agentic payments.
The concept: a user authenticates once using strong customer authentication, sets hard boundaries (spending limits, permitted merchants, allowed outcomes), and the agent executes within that scope without requiring repeated human confirmation. The mandate is the trust anchor. Everything downstream inherits its authority from that single verified moment.
The example he used exposed the limits of current implementations: "Book me a flight from Amsterdam to New York for under 500 euros." An agent books a flight with a layover in Istanbul for 499 euros. The transaction is technically valid. The user's intent was not served. The mandate captured the hard limit but not the nuance.
This is precisely the challenge verifiable credentials are well-positioned to address. A credential encoding structured mandate data, including not just spending thresholds but merchant categories, geographic constraints, and intent scope, gives the agent and the merchant a machine-readable, verifiable representation of what the user actually authorized. It is not a new checkout flow. It is an upgrade to what the mandate carries and how it travels.
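To make the difference concrete, here is a merchant-side mandate check run against the Istanbul-layover booking; it is an added sketch, not code from Adyen or from the talk. The claim names, the identifiers and the sample data are hypothetical, and HMAC-SHA256 stands in for the issuer's asymmetric signature so the example needs only the standard library.

```python
import hashlib, hmac, json

# Constructed demo key. HMAC stands in for the issuer's asymmetric signature;
# a real verifiable credential is checked against the issuer's public key.
ISSUER_KEY = b"demo-issuer-key-not-a-real-secret"

def _tag(claims, key):
    canon = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def issue_mandate(claims, key=ISSUER_KEY):
    """Issued once, at mandate creation, after the user's SCA step."""
    return {"claims": claims, "proof": _tag(claims, key)}

def check_transaction(mandate, tx, now, key=ISSUER_KEY):
    """Return violations; an empty list means the transaction is in scope."""
    if not hmac.compare_digest(_tag(mandate["claims"], key), mandate.get("proof", "")):
        return ["invalid_proof"]  # never evaluate claims that fail verification
    c, problems = mandate["claims"], []
    if now >= c["expires_at"]:
        problems.append("expired")
    if tx["agent_id"] != c["agent_id"]:
        problems.append("wrong_agent")
    if tx["currency"] != c["currency"] or tx["amount_minor"] > c["max_amount_minor"]:
        problems.append("over_limit")
    if tx["merchant_category"] not in c["merchant_categories"]:
        problems.append("merchant_category")
    # Optional constraints: absent means the user never expressed them.
    if "allowed_countries" in c and not set(tx["countries"]) <= set(c["allowed_countries"]):
        problems.append("geography")
    if "max_stops" in c and tx["stops"] > c["max_stops"]:
        problems.append("intent_scope")
    return problems

# Constructed sample data modelled on the flight example above (all names hypothetical).
BASE = {"agent_id": "agent-123", "sca_session": "sca-session-abc", "currency": "EUR",
        "max_amount_minor": 49999,  # "under 500 euros", in cents
        "merchant_categories": ["airline"], "expires_at": 2_000_000_000}
LIMIT_ONLY = issue_mandate(BASE)
SCOPED = issue_mandate({**BASE, "allowed_countries": ["NL", "US"], "max_stops": 0})
ISTANBUL_TX = {"agent_id": "agent-123", "currency": "EUR", "amount_minor": 49900,
               "merchant_category": "airline", "countries": ["NL", "TR", "US"], "stops": 1}
NOW = 1_900_000_000

if __name__ == "__main__":
    print(check_transaction(LIMIT_ONLY, ISTANBUL_TX, NOW))  # accepted: limit only
    print(check_transaction(SCOPED, ISTANBUL_TX, NOW))      # rejected: scope encoded
```

The limit-only mandate accepts the booking, while the scoped mandate rejects it on geography and intent scope; editing the claims after issuance invalidates the proof before any constraint is evaluated.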
Ecosystem fragmentation makes portable identity more valuable, not less
One of Carlo's four strategic tensions for merchants was protocol fragmentation. OpenAI has ACP. Google has UCP. There is also AIP, X402, and others. Every major AI platform is defining its own commerce protocol, and merchants are being asked to make bets before the standards settle.
His advice was architectural reversibility: integrate once, let the infrastructure translate across protocols, and avoid locking into any single ecosystem prematurely.
The same logic applies to identity. An agent identity and mandate layer that is credential-based and protocol-agnostic travels across platforms without requiring re-integration. If a merchant or PSP builds trust verification on top of a single AI platform's identity model, they face the same fragmentation problem at the identity layer that Carlo described at the payment layer.
Portable credentials, by design, are not owned by any platform. They are issued by the entity with authority to issue them (the user, their bank, their wallet provider), verifiable by any relying party, and not dependent on a particular protocol stack surviving the standards race.
The production horizon
Carlo's read on timing was consistent with what others at Money20/20 said:
Wave 1 (human-in-the-loop, AI-assisted discovery with human checkout approval) is the current reality.
Wave 2 (fully autonomous, machine-to-machine transactions) is 12 to 18 months away from meaningful production scale.
That window is the design window. The merchants, PSPs, and identity providers who use it to build mandate and credential infrastructure correctly will not need to retrofit trust onto a system that is already handling real transaction volume. The ones who wait will.
Carlo noted that payment infrastructure readiness is ahead of the AI platforms still figuring out discovery and checkout flows, but real blockers remain: contractual frameworks for liability, data privacy regulation, and product catalog readiness.
The identity infrastructure that should sit beneath all of it is further behind still. That is where the real engineering opportunity is.






