Feb 13, 2026
6 min read

Agentic Payments: The Fraud Surface Nobody's Talking About

When AI agents start making payments on behalf of humans, every traditional fraud signal breaks. Authorization, behavior, and identity all need rethinking.

Agentic Payments and Fraud

AI agents are starting to make purchases on behalf of humans. Book a flight. Reorder supplies. Pay an invoice. Subscribe to a service.

Every fraud detection system in production today was built on one assumption: a human initiates the transaction.

That assumption is about to break. And most payment companies aren't ready.

What Changes When an Agent Pays

In a traditional payment flow:

Human → authenticates → initiates payment → fraud check → payment processed

The fraud system asks: "Is this person who they say they are? Is this behavior consistent with their history?"

In an agentic payment flow:

Human → delegates to agent → agent decides to pay → ??? → payment processed

Now the fraud system needs to answer fundamentally different questions:

Traditional question              Agentic equivalent
Is this the real user?            Did the real user authorize this agent?
Is this behavior consistent?      Is this agent's behavior consistent with the user's intent?
Is this device recognized?        Is this agent instance legitimate?
Did the user mean to buy this?    Did the user's instruction imply this purchase?

These aren't incremental changes to existing models. They're a different problem space.

The Authorization Gap

Today, payment authorization is a solved problem. 3D Secure. Biometrics. Device tokens. Strong Customer Authentication (SCA).

With agents, authorization becomes layered:

  1. User authorizes the agent — "You can book flights under $500."
  2. Agent decides to act — "I found a flight for $420. Booking now."
  3. Payment provider processes — sees a transaction from... what, exactly?

The gap is in step 2. The user never explicitly said "buy this specific flight at this specific price from this specific airline." They delegated. The agent interpreted. The payment system sees a transaction it has no way to validate against the user's original intent.

Who is liable when an agent books a $420 flight and the user meant "under $500 domestic only" but the agent booked international?

Current payment fraud systems can't answer this question. They weren't designed to.

Behavioral Baselines Break

I wrote about behavioral fraud detection and the 15-second window. Both rely on one thing: human behavioral patterns are predictable.

Agents have no behavioral baseline.

An agent doesn't browse. It doesn't hesitate. It doesn't have a "usual time of day." It executes. The moment it decides to buy, it buys. The 15-second gap between deposit and action that catches fraudsters? An agent has zero gap — by design.

This means every behavioral fraud signal needs to be re-evaluated:

Transaction velocity: A human making 50 purchases in an hour is suspicious. An agent managing procurement for a company? That's Tuesday.

Geographic signals: A human can't be in London and Tokyo in the same hour. An agent can transact in every market simultaneously.

Amount patterns: A human has spending habits. An agent follows rules. Its "behavior" is whatever its prompt says.

Existing ML models trained on human transaction data will flag every agent transaction as anomalous. The false positive rate will be catastrophic.

The Identity Problem

Fraud detection is fundamentally about identity. Is this person who they claim to be?

With agents, identity fractures:

  • The human who owns the payment method
  • The agent executing the transaction
  • The platform hosting the agent
  • The service the agent is interacting with

Which identity does the fraud system evaluate? All four have different trust levels and different attack surfaces.

A compromised agent is a new attack vector that doesn't exist today. If someone hijacks an agent's instructions (prompt injection), the agent might make payments the user never intended — using the user's real, authenticated payment method.

This is not hypothetical. Prompt injection is a well-documented vulnerability. The moment agents have payment capabilities, prompt injection becomes financial fraud.

What Needs to Be Built

I don't have all the answers here. But I know what the building blocks look like:

1. Scoped Payment Tokens

Agents should not have access to a user's full payment capability. They need scoped tokens:

AgentPaymentScope:
  max_single_transaction: $500          # hard cap on any one payment
  max_daily_total: $2000                # budget across all payments in the day
  allowed_categories: [travel, office_supplies]
  blocked_merchants: [gambling, crypto] # blocked by merchant category
  requires_confirmation_above: $200     # above this, ask the human before paying
  expires: 24h                          # the token dies even if the budget is unspent

This is similar to how I think about permissioned tools. The agent doesn't get root access to your wallet. It gets a scoped, budgeted, time-limited capability.
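The scope above enforced as code, as an added example that is not part of the original post: a payment is checked against expiry, blocked merchant categories, allowed spend categories, the per-transaction cap, the daily budget and the confirmation threshold, failing closed. Names, amounts and the sample scope are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class AgentPaymentScope:
    max_single_transaction: int            # whole USD for the demo
    max_daily_total: int
    allowed_categories: frozenset
    blocked_merchant_categories: frozenset
    requires_confirmation_above: int
    expires_at: datetime
    spent_today: int = 0                   # already charged under this token

@dataclass
class ProposedPayment:
    amount: int
    category: str            # spend category the agent claims for the purchase
    merchant_category: str   # merchant category reported by the acquirer
    at: datetime

def evaluate(scope, payment):
    """Fail closed. Returns ('deny' | 'confirm' | 'allow', reason)."""
    if payment.at >= scope.expires_at:
        return "deny", "token expired"
    if payment.merchant_category in scope.blocked_merchant_categories:
        return "deny", f"merchant category '{payment.merchant_category}' is blocked"
    if payment.category not in scope.allowed_categories:
        return "deny", f"category '{payment.category}' is outside the delegation"
    if payment.amount > scope.max_single_transaction:
        return "deny", "exceeds per-transaction limit"
    if scope.spent_today + payment.amount > scope.max_daily_total:
        return "deny", "would exceed the daily budget"
    if payment.amount > scope.requires_confirmation_above:
        return "confirm", "above confirmation threshold; ask the user first"
    return "allow", "within scope"

def charge(scope, payment):
    """Apply the decision; only allowed payments consume the daily budget."""
    decision, reason = evaluate(scope, payment)
    if decision == "allow":
        scope.spent_today += payment.amount
    return decision, reason

# Constructed sample mirroring the scope in the post: USD, 24h lifetime.
ISSUED_AT = datetime(2026, 2, 13, 9, 0, tzinfo=timezone.utc)
def hours_after_issue(h):
    return ISSUED_AT + timedelta(hours=h)
def sample_scope():
    return AgentPaymentScope(500, 2000, frozenset({"travel", "office_supplies"}),
                             frozenset({"gambling", "crypto"}), 200, hours_after_issue(24))
```

A "confirm" result is not a charge: the budget is only consumed once the human has approved and the payment is re-submitted as allowed.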

2. Intent Verification

Before processing an agentic payment, the system should verify that the transaction matches the user's original delegation:

User intent: "Book a hotel in Berlin for March 15-17, under €200/night"
Agent action: "Booking Hotel Adlon, €189/night, March 15-17, Berlin"

Intent match score: 0.95 → proceed
User intent: "Book a hotel in Berlin for March 15-17, under €200/night"
Agent action: "Booking Hotel Negresco, €310/night, March 15-17, Nice"

Intent match score: 0.12 → block, request confirmation

This is a new kind of fraud check. Not "is this the right person?" but "is this the right action?"
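One way to make the intent check concrete, as an added example that is not part of the original post: the delegation is assumed to have been captured as structured constraints (city, dates, nightly price cap, currency), each constraint is weighted into a match score, and violating a hard constraint (city or price) blocks regardless of score. The weights, thresholds and sample bookings are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HotelDelegation:
    """What the user actually asked for, captured as structured constraints."""
    city: str
    check_in: str        # ISO dates, e.g. "2026-03-15"
    check_out: str
    max_nightly: float
    currency: str

@dataclass(frozen=True)
class HotelBooking:
    """What the agent is about to pay for."""
    hotel: str
    city: str
    check_in: str
    check_out: str
    nightly: float
    currency: str

# Weight of each constraint in the match score (percent), and which ones are
# hard constraints: violating any of them blocks outright regardless of score.
WEIGHTS = {"city": 35, "price": 35, "dates": 20, "currency": 10}
HARD = {"city", "price"}

def intent_match(delegation, booking):
    """Return (score in [0, 1], list of violated constraints)."""
    same_currency = booking.currency == delegation.currency
    satisfied = {
        "city": booking.city.strip().lower() == delegation.city.strip().lower(),
        "dates": (booking.check_in, booking.check_out)
                 == (delegation.check_in, delegation.check_out),
        "currency": same_currency,
        # A price in another currency cannot be judged against the cap: treat as violated.
        "price": same_currency and booking.nightly <= delegation.max_nightly,
    }
    score = sum(WEIGHTS[k] for k, ok in satisfied.items() if ok) / 100
    return score, [k for k, ok in satisfied.items() if not ok]

def decide(delegation, booking, proceed_at=0.9):
    """'proceed', 'request_confirmation' or 'block', as in the post's examples."""
    score, violated = intent_match(delegation, booking)
    if any(k in HARD for k in violated):
        return "block", score, violated
    if score >= proceed_at:
        return "proceed", score, violated
    return "request_confirmation", score, violated

# Constructed sample from the post: Berlin, March 15-17, under EUR 200/night.
BERLIN = HotelDelegation("Berlin", "2026-03-15", "2026-03-17", 200.0, "EUR")
```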

3. Agent Behavioral Profiles

If agents are going to transact, they need their own behavioral baselines — separate from the human's.

A procurement agent that usually orders office supplies and suddenly buys cryptocurrency is as suspicious as a human doing the same. Build profiles for agents, not just users.

4. Transaction Receipts With Provenance

Every agentic transaction should carry a receipt that traces:

  • The user's original instruction
  • The agent's reasoning for this specific transaction
  • The delegation scope in effect at the time
  • The agent platform and version

This is the audit trail that makes agentic payments accountable. Without it, disputes become impossible to resolve.

I covered audit trails for agent memory. The same principle applies to agent payments: if you can't explain why the agent did something, you can't trust it with money.
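A receipt carrying the four provenance fields above, made tamper-evident and chained to its predecessor, as an added example that is not part of the original post. It uses an HMAC-SHA256 over a canonical JSON body to stay stdlib-only; the key, platform name, version and booking details are constructed for the demo.

```python
import hashlib
import hmac
import json

def canonical_bytes(receipt):
    """Deterministic encoding so the same receipt always hashes the same way."""
    return json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()

def build_receipt(user_instruction, agent_reasoning, scope, platform, version,
                  transaction, prev_receipt_hash=None):
    """Unsigned receipt with the four provenance fields from the post, plus a
    link to the previous receipt so the trail forms a chain."""
    return {
        "user_instruction": user_instruction,
        "agent_reasoning": agent_reasoning,
        "delegation_scope": scope,              # scope in effect at decision time
        "agent_platform": {"name": platform, "version": version},
        "transaction": transaction,
        "prev_receipt_hash": prev_receipt_hash,
    }

def sign_receipt(receipt, key):
    """Attach a content hash and an HMAC over the canonical body. A production
    platform would use an asymmetric signature so it cannot repudiate its own receipts."""
    body = canonical_bytes(receipt)
    return {
        **receipt,
        "receipt_hash": hashlib.sha256(body).hexdigest(),
        "signature": hmac.new(key, body, hashlib.sha256).hexdigest(),
    }

def verify_receipt(signed, key):
    """True only if every provenance field is exactly what was signed."""
    body = canonical_bytes({k: v for k, v in signed.items()
                            if k not in ("receipt_hash", "signature")})
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(signed["signature"], expected)
            and signed["receipt_hash"] == hashlib.sha256(body).hexdigest())

# Constructed sample: the Berlin hotel booking from the post, signed with a demo key.
DEMO_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_SCOPE = {"max_single_transaction": 500, "allowed_categories": ["travel"], "expires": "24h"}
def sample_receipt(prev_hash=None):
    return sign_receipt(build_receipt(
        "Book a hotel in Berlin for March 15-17, under EUR 200/night",
        "Hotel Adlon matches city, dates and price cap (EUR 189/night)",
        SAMPLE_SCOPE, "example-agent-platform", "1.4.2",
        {"merchant": "Hotel Adlon", "amount": 378, "currency": "EUR"},
        prev_hash), DEMO_KEY)
```

In a dispute, the verifier recomputes the HMAC from the stored fields: any edit to the instruction, reasoning, scope or platform fields after the fact makes verification fail, and the chain link shows if a receipt was dropped.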

The Regulatory Question

PSD2 in Europe requires Strong Customer Authentication for payments. SCA was designed for humans. A fingerprint. A PIN. A one-time code.

How does an agent satisfy SCA? It can't provide biometrics. It's not the customer.

Regulation hasn't caught up. When it does, the companies that already have scoped tokens, intent verification, and audit trails will be ahead. Everyone else will be retrofitting.

The Window of Opportunity

Right now, agentic payments are early. Most agents browse and recommend but don't actually pay. That's changing fast.

The companies that figure out agentic fraud detection first will have a massive competitive advantage. This is infrastructure-level work — payment rails, fraud models, identity systems — that takes years to build.


Every payment fraud system deployed today was built for a world where humans click "Buy." That world is ending. The next generation of fraud detection needs to answer a question it has never been asked: "Did the human mean for this agent to do this?"

If you're building payment infrastructure and not thinking about agents, you're already behind.
