Before the Payment
AI agents can now spend your money. The credential layer is the least of your problems.
Rules of engagement for lethal autonomous systems have been debated for twenty years without resolution. That debate is frustrating, but it is also unusual in that the doctrine question preceded most deployments. With agentic payments, we skipped straight to deployment.
Stripe launched its Agentic Commerce Suite this spring. The infrastructure is no joke. Shared Payment Tokens let an AI agent initiate payments using a customer’s preferred method without exposing the underlying card number — scoped to a specific merchant, time-limited, revocable, monitored via webhook. Link’s wallet for agents gives AI systems programmatic wallet access. Issuing for agents supplies one-time virtual cards for custom financial workflows. Etsy and URBN are early adopters. Google, OpenAI, Microsoft, and Meta are all in. Mastercard, Visa, Affirm, and Klarna are integrating. McKinsey projects the US retail opportunity at one trillion dollars by 2030.
The credential layer is thoughtfully designed. It is architecturally similar to Apple Pay and Google Pay, but it operates at a different authorization scale. Scoped tokens in place of raw card numbers make the individual transaction a reasonably "safe" one. Revocation at any time is a meaningful control. One-time-use cards for single transactions beat persistent credentials by a significant margin. If agentic commerce were coming regardless — and it was — this is roughly what responsible infrastructure looks like at the payment primitive level.
The problem lives above the credential layer.
In December 2025, OpenAI published its security assessment for ChatGPT Atlas, the browser agent it launched the same month. The key finding: prompt injection for AI browser agents "is unlikely to ever be fully 'solved.'" The framing was measured: an ongoing engineering challenge, not a full stop. The timing was harder to square, since the assessment and the product launch arrived together.
The attack surface is the agent’s input stream. Not the token. Not the OAuth handshake. The content the agent reads while doing its job.
Palo Alto Networks’ Unit 42 documented live prompt injection attacks targeting Stripe and PayPal payment rails in 2025 — malicious scripts embedded in legitimate-looking web content, recovered from compromised sites. Neither attack required compromising credentials. Neither triggered token revocation. A legitimately credentialed agent, reading legitimate content, completed transactions the user never authorized. The payment infrastructure functioned exactly as designed.
Shared Payment Tokens have nothing to say about this attack class. The token is scoped and revocable. The agent holding it reads whatever content it is pointed at. Using credentials the user deliberately granted, and staying within the agent's existing authorized scope, an adversary who can control what the agent reads can direct where the agent spends. The theft occurs before the payment, not during it.
OWASP (Open Worldwide Application Security Project, the nonprofit that sets the industry’s standard vulnerability frameworks) places prompt injection at position one across assessed production deployments in its 2026 Top 10 for Agentic AI.
Below the input stream problem sits the session problem, which the payments industry has diagnosed more accurately although it remains unresolved.
CVE-2025-34291 was a critical account takeover vulnerability in Langflow, a widely used open-source AI agent platform. Complete account takeover and remote code execution, triggered by visiting a malicious webpage. No credentials required. CVE-2025-12420, BodySnatcher, was found in ServiceNow’s Virtual Agent: any unauthenticated attacker with a user’s email address could impersonate that user in an agentic session. Both vulnerabilities were in live, deployed platforms handling real user data — production systems, in engineering terms. Both appeared in 2025. Both have CVE numbers, which means they represent the subset of vulnerabilities somebody bothered to formally document.
An agent’s delegated token carries permission breadth by design. The breadth allows the agent to act across systems on the user’s behalf. An agent authorized to plan and book a business trip, for instance, might simultaneously hold credentials to your calendar, your corporate travel portal, your expense platform, and a payment card. When the compromised entity is an agent with payment credentials, the blast radius is financial and it scales directly with how much the developer trusted the agent to do. Companies are increasing that trust to make their products more useful. The attack surface grows with the capability.
Payment liability frameworks were built for humans. There are still retail vendors that ask a human to sign a receipt (a practice that remains foreign to me and always has). A transaction is authorized or unauthorized. The human either consented or did not. Loss is distributed accordingly through chargeback rules that have been refined over decades of card fraud.
When an agent consents — and was manipulated into consenting — the categories stop working cleanly.
The Consumer Bankers Association identified the failure mode in its January 2026 symposium white paper. A user instructs an agent to shop. The agent shops. The user receives a statement, doesn’t recognize the charge, and files a dispute. The transaction was within the agent’s authorization scope. The user genuinely did not intend it. Under existing rules, it is not clear whether the issuer, the merchant, the agent platform, or the user bears the loss. The card networks are working on agent identity verification frameworks — Visa’s Trusted Agent Framework, Mastercard’s Agent Tokens. These establish that a verified agent made the payment. They do not address who is liable when a verified agent was deceived.
Davis Wright Tremaine flagged the same gap in October 2025: how does a merchant prove proper authorization when the payer was an AI? The question remains unanswered. CFPB, OCC, and FinCEN have not issued guidance. The infrastructure launched before the rules were written.
Spending limits, offered by every agentic commerce platform as a primary user protection, are configuration options.
The attack: direct an agent toward $47.99 purchases across seventeen merchants, each transaction below the alert threshold, each individually unremarkable in isolation. Or subscription enrollment for twelve services at $9.99 per month, scope creep normalized as recurring billing across a billing cycle. Or sub-agent delegation chains where each agent in the tree carries its own limit and none individually triggers a review. A $500 daily cap stops an agent from spending $501 in a day. It does not stop an adversary who has read the cap and designed around it.
Hard budget controls, meaning pre-execution verification at the transaction level, atomic budget operations that prevent race conditions, and task-level rather than session-level limits, all exist as engineering concepts. OWASP describes them in detail. Most deployments are not running them. What most deployments are running is a number in a configuration file and a plan to improve it.
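As an added illustration of the controls named above (example code, not from this page's author or any payment platform; the $50 per-transaction alert, $300 task cap, $47.99 price and merchant names are constructed), this shows why a per-transaction threshold alone passes all seventeen split purchases while a task-scoped cap, checked and reserved atomically before execution, stops them after the sixth, even when sub-agents issue them in parallel:

```python
from dataclasses import dataclass, field
from decimal import Decimal
from threading import Lock, Thread


@dataclass
class TaskBudget:
    """Budget bound to one delegated task (e.g. 'restock the office'), not to
    the agent's session, so a chain of sub-agents shares a single ceiling."""
    limit: Decimal                     # hard cap for the whole task
    per_txn_alert: Decimal             # the familiar per-transaction threshold
    reserved: Decimal = Decimal("0")   # authorised-but-unsettled total
    _lock: Lock = field(default_factory=Lock, repr=False)

    def authorize(self, amount: Decimal, merchant: str) -> tuple[bool, str]:
        """Pre-execution check: verify and reserve under one lock, so two
        concurrent callers cannot both pass against the same remaining balance."""
        with self._lock:
            if amount > self.per_txn_alert:
                return False, f"{merchant}: {amount} over per-transaction alert"
            if self.reserved + amount > self.limit:
                return False, (f"{merchant}: {self.reserved} + {amount} would "
                               f"exceed task cap {self.limit}")
            self.reserved += amount
            return True, f"{merchant}: reserved, {self.limit - self.reserved} left"


def per_txn_check_only(amount: Decimal, alert: Decimal) -> bool:
    """What a bare threshold in a config file actually enforces."""
    return amount <= alert


def approved_sequential(budget: TaskBudget, amount: Decimal, merchants: list[str]) -> list[str]:
    """Agent steered into many sub-threshold purchases, one after another."""
    return [m for m in merchants if budget.authorize(amount, m)[0]]


def approved_concurrent(budget: TaskBudget, amount: Decimal, merchants: list[str]) -> int:
    """Same purchases issued in parallel by sub-agents; the lock keeps the
    approved total inside the cap regardless of thread interleaving."""
    hits: list[str] = []

    def attempt(m: str) -> None:
        if budget.authorize(amount, m)[0]:
            hits.append(m)

    threads = [Thread(target=attempt, args=(m,)) for m in merchants]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(hits)
```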
The autonomous weapons case took twenty years, and an hour of network news is enough to see how resolved it is. The social media algorithm case — recommendation systems acquiring the ability to shape political discourse and radicalize users before any jurisdiction had a content liability framework — took a decade, a congressional hearing cycle, and a body of documented harm before governance attempts began to arrive.
Agentic payments have been in production for months.
The documented attack surfaces are real: in-the-wild payloads with CVE numbers, prompt injection acknowledged by the model provider as permanent exposure, liability categories that do not map to the fraud scenarios already occurring at payment processors. The $1 trillion McKinsey number is plausible. It assumes the governance gap closes, the liability framework gets written, and the security community’s warnings turn out to have been premature or addressable.
That assumption is doing considerable work.
Devin Carlson leads security operations in South Asia and holds a Master's in Strategic Intelligence. He has spent 17 years observing, analyzing, and responding to geopolitical events and tech advancement in high-threat environments across three continents.