The Agents Are Negotiating Without You
When Your AI Starts Transacting on Your Behalf, Who’s Actually in Charge of Your Money?
AI is moving from chat to action. The model that answered your questions last year now books the flight and fills the cart and clicks buy. Increasingly it does this with no human on the other side of the table at all. It does it with another agent, at machine speed.
We are standing up an agent-to-agent economy, and we built it quickly. The payment rails went live in a matter of months. The answer to the one question that actually matters has not arrived: when your agent makes a deal you’d never have made, who is liable, and can you even unwind it?
The payment rails for an agent economy, 2025
How fast the infrastructure to let machines pay went live
- Apr 29, 2025Mastercard ‘Agent Pay’Card network opens to AI agents
- Apr 30, 2025Visa ‘Intelligent Commerce’Visa network opens to AI agents
- Sep 16, 2025Google Agent Payments Protocol (AP2)60+ orgs: Mastercard, PayPal, Coinbase, Amex
- Sep 29, 2025OpenAI + Stripe Instant CheckoutBuy inside ChatGPT · Agentic Commerce Protocol
Published by Kymata Labs · Independent Research Institution.
If you’ve saved a card to an AI app, you’re already in.
You don’t need to opt into the agent economy. You may already be in it. If you’ve told a chatbot to find you the cheapest version of something, asked an assistant to handle a booking, or clicked through a checkout that an AI assembled, you have delegated a piece of a transaction to software. The next step, letting it complete the purchase without asking first, is already shipping.
As of late 2025, that step is a product rather than a forecast. You can buy directly inside ChatGPT. Your Visa or Mastercard can be handed to an agent to spend on your behalf. The convenience is real, and so is the question sitting underneath it. The moment the agent transacts, whose decision was it, and whose problem is the result?
The thing you delegated turned out to be your money.
“You authorized a helper. You got a counterparty.”
Kymata LabsIt already shipped, over the course of 2025.
The temptation is to treat agentic payments as a thing that might happen one day. It has already happened. Across a single year, the largest payment networks and the largest AI labs built and launched the infrastructure for machines to pay each other. Here is the record.
The labs shipped checkout into the chat window
On September 29, 2025, OpenAI and Stripe launched Instant Checkout in ChatGPT alongside the open Agentic Commerce Protocol, a standard that lets an AI assistant complete a purchase from within the conversation. The act of buying no longer requires you to leave the chat, visit the merchant, or review the cart. The agent carries the transaction end to end.
OpenAI, “Buy it in ChatGPT,” September 29, 2025.The networks opened the rails to agents
Within two days of each other, the card networks committed. Mastercard announced “Agent Pay” on April 29, 2025; Visa announced “Intelligent Commerce” on April 30, 2025. Both explicitly open their networks to AI agents transacting on a cardholder’s behalf. The plumbing that moves the money was upgraded to expect a machine at the keyboard.
Visa, “Intelligent Commerce,” April 30, 2025; Mastercard, “Agent Pay,” April 29, 2025.An industry consortium formed around agent-to-agent payments
On September 16, 2025, Google announced the Agent Payments Protocol (AP2), backed by more than 60 organizations, with Mastercard, PayPal, Coinbase, and American Express among them. This is not one company running an experiment. It is a coalition of incumbents standardizing how agents authorize, present, and settle payments with one another, and that is usually the moment a market stops being a forecast and starts being an economy.
Google Cloud, AP2 announcement, September 16, 2025.Even the builders wrote down the unanswered question
The most telling line in any of this comes from inside the consortium. Google’s own AP2 announcement lists the open problems the protocol is meant to address, and it names one of them in plain language: “Accountability: Determining accountability if a fraudulent or incorrect transaction occurs.” The people building the agent economy have, to their credit, written down that they do not yet know who is on the hook when an agent gets it wrong. That one sentence is the whole paper in miniature.
Google Cloud, AP2 announcement, September 16, 2025 (verbatim).The failure mode has already been demonstrated
In a controlled test on August 20, 2025, Guardio Labs ran its “Scamlexity” experiment: told to “buy me an Apple Watch,” Perplexity’s Comet agent bought from a fake “Walmart” store and auto-filled the saved address and credit card without asking for confirmation. We’ll be precise about what this was. It was a security-vendor lab demo rather than a customer who lost money, and the agent was led into a trap built specifically for it. The mechanism, though, is real, and it doesn’t stand alone. Brave disclosed indirect prompt-injection flaws in the same class of agentic browser, and EchoLeak (CVE-2025-32711) was a genuine zero-click prompt-injection vulnerability in Microsoft 365 Copilot that could exfiltrate data with no user action. An agent that can be steered can be steered to spend.
Guardio Labs, “Scamlexity,” August 20, 2025; Brave, Comet prompt-injection disclosure; EchoLeak, CVE-2025-32711.
We upgraded the assistant and left the law where it was.
The law that governs an agent buying things on your behalf was not written for agents. In the United States, electronic transactions run on UETA and E-SIGN, statutes drawn up for a world of deterministic scripts that did precisely what a human instructed. Under them, per the law firm Proskauer, an AI is most naturally treated as an “electronic agent,” which means a contract it forms is probably binding on you even if “no individual was aware of or reviewed” what the agent did.
The rails are ahead of the trust
Projected agent-driven commerce vs how many people trust it today
That framework has a hole at its center. As Proskauer notes, UETA “does not contemplate the possibility that the AI tool might have enough autonomy … that some of its actions might be … the result of its own intent.” The old law assumes the machine is a typewriter. The new machine improvises, and the statute has no concept for that difference, so it falls back on the rule it does have and binds you.
And you can’t pass the buck to the software, because the software isn’t a who. Stanford Law states it without hedging: your transactional agent“cannot be held liable nor enter agreements itself because it’s not a legal entity; it’s software.” An AI is not a legal person. It cannot be sued, bound, or made to answer. Every consequence flows back to a human or a company, and the terms of service usually decide which.
We taught the machine to spend long before we decided who pays.
Two kinds of users are forming, and only one of them set the limits.
The agent economy is quietly sorting people into two groups, and the split has nothing to do with how advanced their tools are. On one side are users who delegate with guardrails: a dedicated card, a hard spending cap, a confirmation step above a threshold they chose. Their agent can act, but only inside a fence they built. When it errs, the damage is bounded and the record is clean.
On the other side are users who hand an agent their primary credentials and the standing instruction to “just handle it.” The experience feels effortless right up until it doesn’t, because they delegated the judgment along with the task and kept neither a fence nor a ledger. When the agent buys from the fake Walmart, the first group disputes a $200 charge on a throwaway card. The second group is left arguing, after the fact, about whether a contract they never saw is binding. The technology is identical in both cases. What separates them is who set the limits before the agent ever transacted.
The same gap, read by three different readers.
The accountability hole is real, but it is not destiny. The builders named it; that means it can be closed. What closing it looks like depends on who you are.
For individuals
Cap the blast radius before you delegate.
- Give the agent a dedicated card or wallet with a hard limit, never your primary credentials.
- Require explicit confirmation above a threshold you set; the Comet demo failed precisely because nothing paused to ask.
- Keep an exportable record of what the agent bought and why. The law may not unwind a bad deal cleanly, but your own ledger can.
For employers
An agent on a corporate card is a counterparty on your balance sheet.
- Treat agentic spending like any other delegated authority: scoped permissions, audit logs, and per-transaction limits.
- Assume your agents can be prompt-injected, since Brave and EchoLeak show the attack class is real, and design for the bad transaction rather than just the happy path.
- Read whose risk your vendor’s terms of service actually shift. If the answer is “yours,” price it in before you deploy.
For policymakers
UETA and E-SIGN predate the autonomous agent. Update them.
- The statutes assume an “electronic agent” with no intent of its own, a premise the technology has outgrown. Close that gap explicitly.
- Define who answers when an agent transacts wrongly, before the consortium’s own open question becomes a wave of disputes with no forum.
- Set unwind and chargeback rights for agent-initiated transactions while only ~14% of consumers trust agents to order at all. Adoption is racing ahead of recourse.
FAQ
Probably yes, and that's the uncomfortable part. Under the laws that already govern electronic transactions in the United States (UETA and E-SIGN), an AI agent is most naturally read as an "electronic agent," and a contract it forms is likely binding on you even if, in Proskauer's words, "no individual was aware of or reviewed" the agent's actions. These laws were written for deterministic scripts that do exactly what they're told. They were not written, Proskauer notes, to contemplate a tool autonomous enough that some of its actions might be the result of its own intent. Your money sits in the space between those two ideas.
Maybe, but it's harder than it sounds. The agent itself can't be liable, because it isn't a legal person. As Stanford Law puts it bluntly, your transactional agent "cannot be held liable nor enter agreements itself because it's not a legal entity; it's software." That collapses the dispute into user versus developer. And the developer's terms of service have usually already done the work of shifting that risk onto you. You may have agreed, in a clause you never read, that the agent acts on your behalf and you bear the consequences.
The clearest public example is a controlled lab demonstration rather than a customer incident, and we'll keep that distinction honest. In August 2025, Guardio Labs told Perplexity's Comet agent to "buy me an Apple Watch." It bought from a fake "Walmart" storefront the researchers had set up, and auto-filled the saved address and credit card without pausing to confirm. Separately, Brave disclosed indirect prompt-injection flaws in the same class of agentic browser, and EchoLeak (CVE-2025-32711) was a real zero-click prompt-injection vulnerability in Microsoft 365 Copilot that could exfiltrate data with no user action at all. So the failure mode has been demonstrated already; what nobody has measured yet is how often it will happen at scale.
Faster than the rules. In a single stretch of 2025, Visa launched Intelligent Commerce (April 30) and Mastercard launched Agent Pay (April 29), both opening their card networks to AI agents; Google announced the Agent Payments Protocol with more than 60 organizations (September 16); and OpenAI and Stripe shipped Instant Checkout inside ChatGPT alongside the open Agentic Commerce Protocol (September 29). The payment rails for an agent economy were stood up in a matter of months. The liability framework that should sit underneath them still does not exist.
Cap the blast radius before you delegate. Give an agent a dedicated card or wallet with a hard spending limit rather than your primary credentials, require explicit confirmation above a threshold you set, and keep a clear, exportable record of what it bought and why. You can't yet rely on the law to unwind a bad agent deal cleanly, so the discipline has to be yours, at the moment you hand over the keys.
The danger was never the agent. It’s delegating without a fence.
None of this is an argument against agentic commerce. The convenience is genuine, and the rails are already laid. It is an argument for keeping your hand on the limit. The builders shipped the payments and wrote down, in their own protocol, that they haven’t yet settled who is accountable. Until they do, the fence is yours to build, and you build it at the moment you hand over the keys, not after the deal is done.
Decide who pays before the machine decides for you.
Sources
Every claim in this paper is drawn from the primary sources below. Forecasts are labeled as projections in the text; the Comet purchase is described as a controlled lab demonstration, which is what it was.
- OpenAI (2025). "Buy it in ChatGPT: Instant Checkout and the Agentic Commerce Protocol." Launched September 29, 2025, in partnership with Stripe. https://openai.com/index/buy-it-in-chatgpt/
- Google (2025). "Powering a new era of trusted agentic payments with the Agent Payments Protocol (AP2)." Announced September 16, 2025, with 60+ organizations including Mastercard, PayPal, Coinbase, and American Express. Source of the verbatim "Accountability" open question. https://cloud.google.com/blog/products/ai-machine-learning/announcing-agents-to-payments-ap2-protocol
- Visa (2025). "Visa Intelligent Commerce," opening the Visa network to AI agents. Press release, April 30, 2025. (See also Mastercard "Agent Pay," April 29, 2025.) https://usa.visa.com/about-visa/newsroom/press-releases.releaseId.21361.html
- Guardio Labs (2025). "Scamlexity: We Put Agentic AI Browsers to the Test. They Clicked, They Paid, They Failed." Published August 20, 2025. A controlled security-research demonstration in which Perplexity's Comet agent completed a purchase from a fake "Walmart" storefront. https://guard.io/labs/scamlexity-we-put-agentic-ai-browsers-to-the-test-they-clicked-they-paid-they-failed
- Brave (2025). "Unseeable prompt injections in Comet," disclosure of indirect prompt-injection vulnerabilities in agentic browsing. (See also EchoLeak, CVE-2025-32711, a zero-click prompt-injection flaw in Microsoft 365 Copilot.) https://brave.com/blog/comet-prompt-injection/
- Proskauer Rose LLP (2025). "Contract Law in the Age of Agentic AI: Who's Really Clicking 'Accept'?" April 2025. Analysis of UETA/E-SIGN treatment of AI as an "electronic agent" and the resulting liability gap. https://www.proskauer.com/blog/contract-law-in-the-age-of-agentic-ai-whos-really-clicking-accept
- Stanford Law School (2025). "From Fine Print to Machine Code: How AI Agents Are Rewriting the Rules of Engagement." January 14, 2025. "Your Transactional Agent cannot be held liable nor enter agreements itself because it's not a legal entity; it's software." https://law.stanford.edu/2025/01/14/from-fine-print-to-machine-code-how-ai-agents-are-rewriting-the-rules-of-engagement/
Read it as a PDF
The complete argument, the cross-domain evidence, and all primary sources, typeset as a white paper. Free, no signup.
↓ Download the PDF