As AI agents make inroads into payments, they’re raising many questions that the industry is rushing to answer. In some cases, the industry isn’t moving fast enough.
Sift’s senior trust and safety architect, Brittany Allen, said AI agents are a popular session topic at conferences. At one recent event, merchants shared their struggles with AI they neither created nor controlled. Others spoke of a system where every AI agent brings a layer of uniqueness that makes it akin to branded credit cards on different rails.
AI agent authentication and verification issues
As the technology proliferates, developers are finding themselves addressing issues in hindsight. In some systems, the agent, and not the store, is listed as the merchant of record. That makes it hard to track purchase legitimacy. Perhaps fraud and payments personnel didn’t get enough design input.
Customer authentication is another huge challenge, as different regions have different philosophies. In the United States, fraud loss prevention is paramount. In the European Union, legislation demands strong customer authentication measures.
The industry has KYC and KYB. Now, it must prepare for KYA – Know Your Agent. Allen said there is a need to ensure an AI agent associated with a consumer is legitimate and not one created with a stolen identity.
There are additional questions about AI agents’ abilities to solve CAPTCHAs and address biometrics. Whether shoppers will accept substituted items is another concern.
“Will all of that be set up in advance to the point where the AI agent knows the consumer’s desires well enough that what it does actually represents the approval or authentication of the cardholder?” Allen asked. “There are a lot of challenges there, and I know that from a security angle, the one that would have made cybersecurity’s ears perk up is we don’t want agents getting better at solving biometric checks. We don’t want them using deep fakes or trying to mimic a cardholder’s voice to complete a voice verification of a purchase, because… technology’s moving faster than we can keep up with.”
Two years ago, someone set out to see if an AI system could solve CAPTCHAs on its own. Allen said the system contacted TaskRabbit on its own and found someone who agreed to complete them. That person became suspicious and asked why help was needed to solve the CAPTCHA. The system responded that it was a person with a visual impairment.
“So AI was manipulative enough at that point to get through the CAPTCHA,” Allen said. “We don’t want to put the cart before the horse with security protections, but we’re going to have to find some balance there to strike, because nobody’s going to be able to tell the agent 100% up front every single thing it wants, or, you know, that you would be willing to agree to, but it has to make its independent decision.”
AI Agents: Tokenization and corporate concerns
Does tokenization have a role to play here? Again, Allen said the answer is nuanced, especially given the differences between first- and third-party fraud. Perhaps site-specific tokens can play a role, but a fraudster can also initiate a relationship and create a token to continue illicit activity. Network tokens on card- or browser-specific networks can perhaps be combined with browser-specific agents, but more work needs to be done.
Corporate AI agents also need some tweaks. Allen was recently at a marketplace risk conference where an insurance company described its AI agent, which handles all on-site chat and makes its own decisions.
Every time, the AI agent gave claimants the maximum amount. The company has struggled to alter intent so the agent offers a smaller percentage to see if claimants will accept.
Are consumer AI agents over-hyped?
Some are excited about the potential of individual consumer AI agents that handle basic shopping needs. That, too, comes with a host of issues, including agent verification and negotiations between merchant and agent sites.
Allen said that Sift research suggests that few consumers want to delegate this much to AI agents beyond, maybe, regular repeat purchases. She sees too many variables for more complex decisions like travel. Which airport do you want to fly into? Which seat do you want?
Now, if that agent can successfully parse a decade’s worth of travel data and make more informed suggestions, perhaps its use can be expanded. But there, too, questions arise. What happens if someone breaches a travel account and steals points? What if your travel profile and payment methods are used to book flights?
“That’s going to be that interesting third-party fraud angle,” Allen said. “How much more specific can fraud attacks get based on what they know about me and what lives within what centralized area that agent is in?”
Are agents vulnerable to fraud?
Allen also wonders how many AI agents get fooled by scam sites. If an agent is tasked with buying a television online, will it order from the cheapest option? Does the agent understand that if it orders from a scam site, personal information and money can be stolen?
“I haven’t heard anything about whether or not AI agents are trained well enough to avoid scam sites,” Allen said.
History shows that consumers gradually increase their trust in new shopping options, if they ever get there at all. They must link their payment method to this new mechanism. Before they do that, they must see clear benefits in doing so.
“Trust is not a binary thing; it’s not all or nothing,” Allen said. “It’s more of a gray scale. It’s why people took time to warm up to Facebook Marketplace. When payments came on the platform, it was something to add their credit card to. There is that gradation of trust. How much would you trust the agent to do?”
Legislation and the need for human input
Legislators are also coping with a list of AI issues. The European Union has developed an AI Act that comes into effect in 2026. While it seeks to maintain a balance between innovation and protection, Allen said some don’t want to see the EU fall further behind the innovation curve.
Companies creating AI agents to complete internal tasks like testing and interviews must also be careful. Allen said they must keep human review in the loop because AI is trained on human-generated data sets that are bias-prone.
Customer service AI agents must also have their limits before requests are passed to a human. Otherwise, it’s possible that criminals can submit additional code that skips the process and allows them time to siphon funds away.
“It’s pretty similar to what happens today, where when you write into an e-commerce platform trying to change your password,” Allen explained. “You will get information that they received your email with an automated piece of text that says you mentioned your password. If you’re looking to change it, here’s how to do it. If this solves your problem, click ‘Yes’, and they’ll close your ticket.
“It’s turning that into an agent that, if that doesn’t solve their problem, can get a little more information and keep answering it before a human comes in. So as long as they can’t do any kind of prompt injection or change the narrative of what the agent can do, I think that would be a positive step.”
