AI regulation

Agentic AI in payments: autonomy, agency and risk

By 6th July 2026No Comments11 min read

AI agents are poised to start making payments for people. They could soon be acting as autonomous substitutes for  customers — hunting deals, completing checkout, even switching suppliers — with no one watching. That breaks an assumption fundamental to many payment systems: that a human authorises each transaction. Payments stop being something a person does and become something a person delegates. Firms are weighing whether to let agents initiate or accept payments, and on what terms.

We discuss here what agentic AI changes, what can go wrong, and the controls firms will need to consider as agentic AI impacts the payment sector.

From chatbots to agents: what has changed

Most people met generative AI as a chatbot. The exchange is interactive with strict turn-taking: the user writes a prompt, a large language model generates a response, and the user prompts again. The human always starts the exchange, and nothing happens between turns.

Agents work differently. A chatbot creates content on demand; an agent pursues an objective on its own. Two capacities set an agent apart: autonomy, the ability to act without direct human involvement, and agency, the capacity to change the world it works in.

Autonomy comes in degrees. A chatbot has none — it answers and stops. Agents sit on a range. At one end, a human stays in the loop: the agent recommends an action and waits for consent, or acts unless a person steps in. At the other end, a fully autonomous agent pursues an objective from start to finish with no human input.

Agency means the ability to change an agent’s environment, whether physical or digital. GenAI allows a chatbot to create content; it informs its user but its output does not directly change its environment. Agents do. For example, on an assembly line an agent can inspect a part and decide whether to pass or reject it; online an agent can decide to send an email, complete a form, or make a purchase, actions with the potential to impact a user’s reputation or bank balance.

How does an agent achieve autonomy? Rather than take turns, it runs a loop. Given an objective, it senses or gathers information from its environment, decides the next step towards reaching the objective, and acts. Then it repeats the loop — sense, plan, act — each iteration moving closer to meeting the objective it has been set but with minimal human input. The loop is the source of its autonomy.

Software agents are not new. Historically their objectives were encoded as if-then rules, giving them deterministic behaviour. A given input pattern always produced the same response, and they could handle only the situations their designers had foreseen. What is new in AI-based agents is that the rigid logic is replaced by an AI model. The model gives the agent a broader view of the world and greater flexibility in how it responds.

That flexibility shows up as planning, longer-term reasoning, the use of tools, and the ability to cope with novel situations no one scripted. A user sets the agent’s objective in plain language by giving it a prompt but then leaves the agent to plan and act on its own to achieve it. The agent can break a complex objective into sub-objectives, and act on them over time. Moreover, it can adapt and rethink its plans when an approach fails, being resourceful rather than constrained to follow a preset script.

AI agents can function alone or in teams. In their fullest form, agentic AI systems orchestrate and assign sub-objectives across a set of specialist agents and coordinate their collective activity towards achieving a larger outcome.

Where agentic AI meets payments

Two kinds of use cases are emerging, depending on whom the agent acts for.

An AI agent acting for a payment services provider could:

  • handle customer service requests and disputes;
  • run fraud prevention or “agentic compliance”, building regulatory logic into AI agents handling the payment workflow, replacing periodic batch reviews with continuous, real-time monitoring.

An AI agent acting for a consumer could:

  • act as a deal hunter or personal shopper, finding products and completing checkout on its own;
  • monitor and optimise recurring payments, such as utility bills — one day switching and settling without human input.

It’s foreseeable that agents on both sides will deal with each other: a shopper’s agent transacting with a merchant’s servicing agent. There will be controls on the merchant side and a mandate defining the degree of delegation on the consumer side, but the need for real-time human input could be minimal.

Why agent-led payments are different

AI agent-led payments expose a clash between two world models. AI is probabilistic: it produces a likely answer, not a certain one. Payments demand legal finality: a settled transaction is meant to be irreversible. Marrying a probabilistic AI tool to a financial system that must be exact is not straightforward.

A second assumption also needs unpicking. The mechanics of payments have traditionally assumed there is a person to authenticate, express intent and authorise payments. Strong Customer Authentication emphasizes this human-in-the-loop requirement. Distancing the human from the “click to buy” moment where authorisation occurs breaks the model.

The likely answer is delegated authority: the customer grants an agent a defined mandate to act for them. Firms must then move from “know your customer” to “know your agent” — identifying the agent, the limits of its authority, and the human behind it. International bodies, including the IMF, are working on layered models that keep the AI and payments views distinct while managing the point where they meet.

What can go wrong

The risks around agentic AI fall into two areas.

The first area is generic to AI. An agent may misread a customer’s intent, act against their interest — nudging them towards a preferred option, say — or drift from its goal as a task unfolds. It may hallucinate, stating something false with confidence. The difference with agentic AI over GenAI is that the results may not just be amusing or confusing; they can have real-world consequences — money spent or emails sent that cannot easily be undone.

Additionally, agents risk widening the attack surface around personal data and payment credentials if they are overly broad in their interactions with the world in pursuit of their objectives. Not everything they encounter may be genuine, and some contacts may be actively hostile looking to trick or manipulate them for gain. There is a broader market risk too: if only a few firms supply the underlying AI models, the market could concentrate dangerously, exposed to a single outage or political intervention.

The second area of risk is around factors specific to payments:

  • user mandates set too broadly, giving an agent more scope or spending power than intended;
  • opaque decisions that are hard to explain if an agent behaves unexpectedly;
  • unclear liability, where delegated action leaves it uncertain whether the customer, the agent, or the model provider answers for a disputed payment;
  • instability and herding, where agents act faster than humans can step in and many reach the same decision at once. Picture a million agents chasing tickets for a concert, or bargain-hunting agents all triggered by the same Black Friday price drop.

Controls that limit harm

The first task is to cap what any single AI agent can do. Start with identity and mandates:

  • PSPs need to identify whether they are dealing with a customer directly or an agent acting on a customer’s behalf. Agents impersonating users may initially be a common but risky scenario (for both parties). Transparency both ways is needed.
  • authenticate agents with short-lived credentials, not a shared human login;
  • customers must set narrow mandates for agents specifying — which merchants they may use, what they may spend, over what period, single-use or standing arrangements;
  • bind every payment to the consent that authorised it, so authority is always traceable.

Once an AI agent is detected, operational controls within firms can govern its behaviour, for example: limits on how fast it transacts; per-transaction and cumulative spend caps; anomaly detection that treats agent-initiated payments as a distinct fraud source; human approval above set value or risk thresholds.

Proving you are in control

Governance counts. A named senior manager should be identified as accountable for a firm’s use of agentic AI; and in the UK, Consumer Duty requires firms serving retail customers to deliver good outcomes. Neither responsibility makes an exception for decisions an AI agent makes. Firms must be ready to demonstrate to regulators that they understand and control the risks posed by deploying and engaging with agentic AI. Three approaches help evidence control.

Governance: Govern the deployments of AI agents across their lifecycle. Name an accountable owner for each agent’s decisions, apply risk controls at every stage — build, test, deployment, and decommission — and sign off changes before they reach production, including adopting changes as new AI models are sourced from third-party suppliers.

Audit: Make decisions by AI agents auditable. Log every customer transaction attributed to an AI agent, and trace it back to the human mandate behind it. Log every decision by an AI agent deployed by a firm that impacts a customer, and be ready to explain how the decision was reached.

Clear accountability: Decide who answers for a mistaken or disputed payment concerning agents, set out how customers seek explanations or redress, and extend the same idea of accountability to external models through contracts and monitoring.

The adoption of agentic AI in payments

AI is underpinning the growth of agentic systems: AI agents that can plan and interact with the world with minimal human input, but to be truly useful, AI agents will need to interact with payment systems.

Two barriers currently limit adoption. First, multiple rival protocols are emerging to govern agent-to-merchant interactions; these will need to converge, or become interoperable, before adoption can scale. Second, legal and regulatory rules need updating, particularly around authentication and how an agent may act on behalf of a consumer.

Unusually, large market players are aggressively driving the adoption of agentic AI, rather than letting it emerge through niche use cases. This will create pressure to overcome these barriers quickly.

As with any disruptive technology, there will be opportunities but also new risks: unclear mandates, unexplainable decisions, and confusion over liability when something goes wrong. Firms do not need to reject agentic AI to manage this. They need to know which agent they are dealing with, limit what it can do, and keep clear records of who authorised what.


Want to comment or have questions? Contact our team to discuss what these changes mean for your firm.

Disclaimer: this blog post is for general information only and does not constitute advice, legal or otherwise.

Further reading

  • Davidovic, S., & Tourpe, H. (2026). How agentic AI will reshape payments (Note/2026/004). International Monetary Fund.
  • Department for Science, Innovation and Technology. (2026, March). AI insights: Agentic AI.
  • Infocomm Media Development Authority. (2026, Updated June). Model AI governance framework for agentic AI (Version 1.5).
  • Institut national de recherche en informatique et en automatique. (2026). Agentic AI: Deployment, adoption and impacts.
  • Organisation for Economic Co-operation and Development. (2026). The agentic AI landscape and its conceptual foundations (OECD Artificial Intelligence Papers No. 56).
  • Russell, S., & Norvig, P. (2020). Artificial intelligence: A modern approach (4th ed.). Pearson.