When Your Next Customer Is an AI Agent
I've spent a good part of the last year building systems where AI agents pay for things. Not hypothetically: agents that discover a priced API, negotiate access, settle payment, and consume the resource, all without a human touching the flow. I've demoed this on stage, published reference code for it, and helped clients think through what it means for their platforms. So I'll say this with some confidence: agentic commerce is further along than most engineering and product teams realize, and most commerce infrastructure is not ready for it.
The short version of the thesis: for thirty years, every layer of online commerce has assumed a human at the point of purchase. The browser session, the checkout form, the CAPTCHA, the 3-D Secure challenge, the fraud model, the chargeback process. All of it encodes the assumption that a person is present. Agents break that assumption at every layer simultaneously, and the fixes are not cosmetic.
Two kinds of agentic commerce
It helps to separate the space into two patterns, because they stress different parts of the stack.
The first is agents as shoppers: a consumer or business delegates a purchase to an assistant. Book the flight, reorder the parts, find and buy the cheapest compliant option. This is the version that gets the headlines, and it mostly stresses the merchant-facing layers: discovery, checkout, and fraud.
The second is machine-to-machine payments: agents paying other services directly for API calls, data, compute, or content, often in amounts too small for card economics to make sense. This is the version I've spent the most time building. Protocols like x402 revive an old idea (HTTP status 402, Payment Required) and make it practical: a service quotes a price in a response header, the agent pays, usually in stablecoins, and retries the request with proof of payment. No account creation, no API key provisioning, no invoice. The transaction takes place at machine speed because both sides are machines.
The card networks and the major AI platforms are converging on the shopper pattern with delegated payment credentials and checkout protocols. The crypto rails are converging on the machine-to-machine pattern because sub-cent settlement is what they're actually good at. Both are real, both are moving fast, and most companies need a point of view on each.
And this has stopped being a pattern you have to assemble yourself. In the last few months, AWS shipped two x402-native services: Amazon Bedrock AgentCore Payments, a managed payment capability that lets agents transact against a wallet with spending governance built in, and AI traffic monetization for AWS WAF, which lets any site or API return a machine-readable price to AI crawlers and agents at the edge and collect payment instead of serving a block page. When the largest cloud provider ships agentic payment infrastructure on both sides of the transaction, buyer and seller, in one quarter, that tells you where this is heading.
Why your current stack fights agents
Here's the uncomfortable irony I see in almost every assessment: companies spend heavily on two things that now directly conflict. Their growth team wants to be present wherever customers buy. Their security team runs bot detection that treats every non-human client as an attack. When the customer is a bot, those investments collide.
- Bot detection blocks buyers. An agent with a valid payment credential and delegated authority to spend looks, to most anti-bot tooling, identical to a scraper. Merchants are currently turning away paying traffic and calling it security.
- Authentication assumes a phone in a pocket. Step-up auth that sends a one-time code to a human breaks the agent flow entirely. Delegation needs to be a first-class concept: this agent may spend up to this amount, in these categories, until this date, and can prove it cryptographically.
- Fraud models have no priors. Risk systems are trained on decades of human behavior: dwell time, device fingerprints, typing cadence. Agents have none of these signals, and the signals they do have (attestation of which model, which operator, which mandate) aren't consumed by today's models.
- Disputes get philosophically weird. When an agent buys the wrong thing, who erred: the consumer who gave vague instructions, the agent operator whose model hallucinated, or the merchant whose product data was ambiguous? Chargeback frameworks have no box to tick for that, which is exactly why the emerging protocols put signed mandates and audit trails at the center.
If you sell things: become legible to machines
For merchants and platforms, the strategic frame I use with clients is that agents are a channel, the way mobile was a channel in 2010. You don't have to bet the company on it this quarter. You do have to stop being accidentally hostile to it.
- Make your catalog machine-readable. Clean structured data, accurate availability, explicit pricing, real APIs. An agent can't develop brand affinity from your hero image. It buys from whoever answers its questions precisely and fast.
- Distinguish good bots from bad ones. Move from "is this a human?" to "is this request authorized?" Agent attestation and signed payment mandates give you far stronger signals than a CAPTCHA ever did. And the third option beyond allow-or-block now exists at the infrastructure layer: with WAF's AI traffic monetization, the answer to an unverified agent can be a 402 with your price on it. Design the risk model around delegation, not around humanity.
- Start with bounded inventory. Digital goods, reorders, commodity SKUs with clear return policies. Learn what agent traffic looks like where the blast radius is small, before it shows up uninvited everywhere else.
- Instrument everything. You'll want to know your agent conversion rate, dispute rate, and basket profile separately from human traffic. Teams that can't segment this will make bad decisions in both directions.
If you deploy agents: treasury rules apply
On the buying side, the moment an agent can spend money, you have a treasury problem, and treasury problems have well-understood answers that most agent deployments skip. Spending policy belongs in code, not in the prompt: per-transaction caps, category restrictions, velocity limits, and human approval thresholds enforced by the payment layer itself, so that no amount of clever prompt injection can talk the agent past them. Every transaction needs an audit trail linking the purchase to the instruction that authorized it. And credentials must be scoped per agent, revocable in one action, and never shared across a fleet.
The managed offerings are encoding these rules directly into the rails, which is the right place for them. AgentCore Payments, for example, scopes every transaction to a payment session with an explicit spend cap and expiry, requires the user's authorization before an agent can touch a wallet at all, and keeps credentials vaulted so the agent only ever sees short-lived tokens. That architecture is worth studying even if you build your own, because it puts every catastrophic failure mode behind a deterministic control rather than a prompt.
If that paragraph sounded like the guardrails conversation from my agentic sprawl post, that's because it is the same conversation. An agent that can spend is just an agent whose failure modes have a currency symbol attached.
Where this is actually headed
I'll offer the honest caveats: the protocol landscape is still consolidating, fraud patterns for delegated purchasing are barely a year old, and regulators have not yet said much of anything about liability when an autonomous system transacts. Anyone selling certainty here is selling something else too.
But the direction is not in doubt. Payments infrastructure has spent seventy years progressively removing friction: cards removed cash, e-commerce removed the store, one-click removed the form, and agents remove the session itself. Companies in financial services and commerce that treat this as a 2027 problem will discover their competitors treated it as a 2026 one.
This sits at the intersection of everything we work on at Gradient Methods: agents, payments, and infrastructure that has to be trustworthy at machine speed. If you're figuring out what agentic commerce means for your platform, whether you're accepting the payments or dispatching the agents, I'd genuinely enjoy the conversation.