What happens to liability when the entity making a purchase is not a human?
That question sits at the center of a conversation that payment networks, legal scholars, fraud teams, and regulators are only beginning to take seriously. AI agents are gaining the ability to execute transactions autonomously, but the existing frameworks for assigning responsibility, resolving disputes, and protecting consumers were not designed to handle them.
In this session, Przemek Praszczalek, product lead at Invela Network, who previously spent nine years at Mastercard, and Ronald Kogens, partner at Swiss law firm MME specializing in technology and financial market law, work through the practical and legal challenges agentic commerce creates. The conversation covers how identity and credential provisioning falls short of what agent transactions require, why agents have no legal standing of their own, what the EU AI Act and UK white paper do (and do not) address, and which fraud vectors get significantly worse when agents are in the loop.
The picture that emerges is not reassuring: most of the foundational questions around intent, delegation, dispute resolution, and merchant verification remain open. But Praszczalek and Kogens also point to where the early solutions are starting to take shape, and what the identity layer needs to provide if agentic commerce is going to scale.
What Makes Agentic Commerce Structurally Different
- Agentic commerce separates the moment of intent from the moment of purchase. A user instructs an agent, but the transaction may execute seconds, days, or weeks later under different circumstances, requiring that context and instructions be preserved across time.
- Traditional e-commerce involves a short, observable chain: user, device, browser, merchant. Agentic commerce introduces a pyramid of actors including the agent itself, orchestration layers, payment credential providers, and multiple merchants, making the liability chain far harder to trace.
- Agents need to be provisioned with payment credentials in advance, rather than the user selecting credentials at checkout. This is closer to delegating a physical payment card to a third party than to a standard online purchase.
- The scope of what agents can do is large enough that users may no longer be able to supervise whether agents are acting within their intent. The gap between what a user wants and what an agent executes is a core legal and product challenge.
Identity and Credential Binding in Agent Transactions
- Current agentic commerce protocols are primarily card-heavy and credential-agnostic. Visa, Mastercard, and American Express each have early protocols (Trusted Agent Protocol, Verifiable Intent Protocol, Agent Purchase Protection) but none have established an agreed-upon standard for identity verification at the point of agent credential provisioning.
- Payment credential binding today is done at the level of a private key, not at the level of verified user identity. There is no agreed standard for how much identity verification should be required when provisioning credentials specifically for agent use.
- Unlinkability is an unresolved problem. If a user changes their email address, their underlying payment credential used in agent protocols is unaffected, potentially allowing unauthorized use to continue undetected. Merchants could also link purchases across multiple merchants even through guest checkout.
- Resolving agent liability ultimately depends on identifying the real resource holder behind the agent. Agents themselves cannot settle liability claims; the impact falls on the bank or the user. Identity linkability from agent to the human principal is therefore foundational.
Legal Frameworks and Who Is Responsible Today
- Under current law, agents have no legal personality. They cannot sue or be sued. Liability flows back to the human: either the user who deployed the agent or the developer or operator who built it.
- If an agent acts outside the scope of its original instructions, the user who deployed it may not be held responsible for those out-of-scope actions, similar to the principle in human delegation of authority. However, with agents there is no intermediary person to absorb liability.
- If a user suffers loss because an agent behaved incorrectly, their recourse is against the developer or operator of the agent, not the agent itself. This creates pressure to establish clear developer liability, which is the direction the EU AI Act is pushing.
- The EU AI Act requires transparency and governance obligations from anyone who deploys or develops AI, but it was not designed with agentic commerce specifically in mind. There is no dedicated regulatory framework for agentic transactions in the EU, the UK, or the US as of the time of this session.
- The UK has a white paper that touches on agents but nothing specific to agentic commerce regulation. Laws consistently lag the technology they are meant to govern.
Fraud Vectors and New Risks
- Traditional fraud vectors do not disappear with agentic commerce. Account takeover, private key compromise, and unauthorized device use by a third party all carry over, but now play out across a longer, more complex chain of custody.
- Fraudulent merchants are a specific risk in agentic scenarios. Even if a user's agent has instructions about acceptable merchants and spend limits, a fraudulent merchant can simply ignore those constraints. The agent has no reliable way to verify merchant legitimacy.
- Semantic risk is an underappreciated fraud vector. Agents convert user intent into written instructions. Ambiguity in that language can lead to purchases the user did not intend, disputes over meaning, and arbitration that depends on interpreting natural language. Standardized vocabulary and data schemas for agentic commerce are not yet established.
- The quality and cost of dispute resolution will worsen as chain length increases. Every dispute involves communication between more parties, spread over longer time periods, with more complex audit trails.
Closed vs. Open Ecosystems
- Closed four-party models like American Express give the network far more visibility into transactions, enabling programs like Agent Purchase Protection. Open ecosystems, which Przemek estimated will account for 80% or more of future agentic commerce, have no equivalent visibility or enforcement mechanism.
- Trust anchors will likely become the organizing principle for safe agentic commerce. Consumers will gravitate toward established companies with strong brands that can offer resolution guarantees, concentrating agentic commerce around a smaller number of trusted platforms.
Open Questions and Long-Range Implications
- Ronald Kogens raised the possibility of agents having a form of legal personhood analogous to a company, capitalized with funds that can cover liability, similar to how DAOs were discussed in the Web3 context. This is speculative but would address the gap between agent action and human responsibility.
- Wealthier consumers with access to better-funded, better-engineered agents will likely have better outcomes in agentic commerce: better deals, better dispute resolution, better protection. The risk of a two-tier market is real.
- Consumer rights frameworks differ sharply between the US and Europe. Any global liability standard for agentic commerce will need to accommodate these differences, rather than defaulting to a US-centric model.
- B2B agentic commerce will likely scale faster than B2C because identity verification is clearer, relationships are pre-established, and the guest-checkout problem does not apply.






