As AI Agents Start Making Purchases, Security Teams Face the New Risk of Intent Drift

Akihiro Suzuki


Key Takeaways

  1. Chargebacks911 CTO highlights fundamental authentication and authorization challenges in AI agent purchasing
  2. Traditional fraud detection loses its assumed "human behavioral signals," creating new fraud gray zones
  3. E-commerce businesses must urgently implement permission management, decision logs, and real-time suspension capabilities

Chargebacks911 CTO Warns of Agentic Commerce Security Risks

As AI agents start making purchases, security teams must rethink risk - Help Net Security

Donald Kossmann, CTO at Chargebacks911, talks about the emerging security, fraud, and governance risks of agentic commerce.

On March 5, 2026, Donald Kossmann, CTO of fintech company Chargebacks911, detailed the security, fraud prevention, and governance risks inherent in "agentic commerce" -- where AI agents autonomously make purchases -- in an interview with Help Net Security.

What Kossmann emphasized most was the concept of "intent drift." Even when an AI agent operates under technically legitimate authorization, its outcomes can diverge from what the user actually intended. This is an entirely different risk domain from traditional "credential theft," creating gray zones that existing payment and chargeback management frameworks cannot adequately address.

The urgency of agentic commerce security stems from rapid market expansion since the start of 2026.

According to Visa research, community posts mentioning "AI agents" on the dark web have surged over 450% in the past six months. Payment attacks by malicious bots have also increased, with a 40% rise in malicious bot-originated transactions in the United States. Criminals are exploiting AI agents to automate everything from building fake e-commerce sites to stealing payment data.

Meanwhile, legitimate agentic commerce is also expanding rapidly. Mastercard has introduced "Agent Pay" and agentic tokens to securely link AI agents with individual users. Major platforms are building agentic commerce infrastructure one after another, including Google's Universal Commerce Protocol (UCP) and OpenAI's in-ChatGPT purchasing features.

As both legitimate use and abuse expand simultaneously, the need for mechanisms to accurately identify and manage "who is executing purchases under what authorization" is being recognized across the industry.

Why Traditional Authentication Models Fall Short

Kossmann points out that the widely used OAuth delegated authorization model has structural limitations in agentic commerce.

OAuth was originally designed for relatively limited actions that users explicitly initiate. However, AI agents operate across multiple merchants and services, running continuously over extended periods. After a user's intent has changed, authorization can remain active and be used in ways the original consent model never anticipated.

To address this issue, Kossmann says "evolution, not complete replacement" is needed. Specifically, this means finer-grained permission settings, revocable mechanisms, context-aware dynamic permission controls, and audit trails that can track agent decision-making processes.

Auth0 has also responded to this challenge by building an agent-oriented authentication and authorization framework that combines the Model Context Protocol (MCP) with OAuth 2.1. Its design uses token exchange (the OAuth 2.0 Token Exchange pattern, RFC 8693) to trade a long-lived human token for narrower-scoped, short-lived tokens that are limited to a specific task.

Shopping Agents Become "High-Value Intelligence Targets"

Kossmann particularly sounded the alarm about the risk of shopping agents themselves becoming intelligence-gathering assets for attackers.

Well-trained shopping agents and procurement agents accumulate extremely rich behavioral data, including purchasing preferences, price sensitivity, supplier relationships, and purchase timing. If this data is compromised, the concerns extend beyond fraudulent use to competitive intelligence leaks, social engineering, and targeted manipulation.

Even more serious are "agent-to-agent" transactions, in which agents deal directly with each other. The checkpoints for intent, consent, and identity verification that naturally exist in human-mediated transactions are compressed or eliminated. Even the limited signals exchanged during negotiation and dynamic pricing can, when observed repeatedly, allow an adversary to infer a buyer's or an organization's sensitive purchasing patterns.

E-Commerce Times has also reported that checkout automation by AI agents is triggering a "zero-signal fraud crisis." This is because behavioral signals that traditional fraud detection relies on -- device fingerprinting, session tracking, browsing patterns -- either disappear or become misleading in AI agent-mediated transactions.

Impact on E-Commerce Businesses and How to Respond

The four "non-negotiables" Kossmann presented -- what companies should require before granting AI agents access to procurement systems and corporate credit -- are instructive for e-commerce businesses as well.

Strict Scoping and Expiration of Permissions

AI agents must not be given unlimited purchasing authority. Spending caps, category restrictions, supplier constraints, and expiration conditions must be explicitly configured.

Full Transparency in Decision-Making

Detailed logs showing why an agent selected a particular supplier and executed a transaction are essential. This is also critical for detecting attacks on the negotiation layer, such as price signal manipulation and exploitation of optimization logic.

Real-Time Human Intervention Capability

There must be a mechanism to immediately suspend the agent or revoke its permissions as soon as it begins exhibiting unexpected behavior.

Post-Transaction Audit Trail Preservation

Records that can prove what was authorized for the agent and what it actually did must be maintained for disputes and audits.
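The token-exchange idea from the Auth0 passage above and the four requirements just listed fit together in one small enforcement gate. The following is an added example written for this page, not code from Chargebacks911, Auth0, or the article: the token format (an HMAC-signed JSON payload rather than a real JWT), the claim names (max_spend, merchants, categories, exp), the PurchaseGate class, and the sample grant, task, and purchases are all assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json
from dataclasses import dataclass, field

# Assumption: one HMAC key shared by the token issuer and the purchase gate.
SIGNING_KEY = b"example-signing-key-not-for-production"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def mint_task_token(user_grant: dict, task: dict, now: int, ttl_s: int = 900) -> str:
    """Token exchange: narrow a long-lived user grant into a short-lived task token. The result
    can only shrink the grant (smaller cap, intersected allowlists, earlier expiry)."""
    claims = {
        "sub": user_grant["sub"], "agent": task["agent"], "task_id": task["task_id"],
        "max_spend": min(user_grant["max_spend"], task["max_spend"]),
        "merchants": sorted(set(user_grant["merchants"]) & set(task["merchants"])),
        "categories": sorted(set(user_grant["categories"]) & set(task["categories"])),
        "iat": now, "exp": min(now + ttl_s, user_grant["exp"]),
    }
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"

def verify_task_token(token: str, now: int):
    """Return the claims if the signature verifies and the token is unexpired, else None."""
    body, _, sig = token.partition(".")
    if not sig or not hmac.compare_digest(sig, _sign(body)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return None if now >= claims["exp"] else claims

@dataclass
class PurchaseGate:
    """Enforces token scope per purchase and keeps a hash-chained decision log."""
    revoked_tasks: set = field(default_factory=set)
    spent: dict = field(default_factory=dict)   # task_id -> cumulative spend
    log: list = field(default_factory=list)     # append-only audit trail

    def revoke(self, task_id: str) -> None:
        self.revoked_tasks.add(task_id)  # real-time kill switch for one task

    def _record(self, entry: dict) -> None:
        # Chain each entry to the previous hash so later edits or deletions are detectable.
        entry = {**entry, "prev": self.log[-1]["hash"] if self.log else "0" * 64}
        digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.log.append({**entry, "hash": digest})

    def authorize(self, token: str, purchase: dict, now: int) -> tuple:
        """Decide one purchase against the token's scope and record the reason."""
        claims = verify_task_token(token, now)
        task_id = claims["task_id"] if claims else None
        used = self.spent.get(task_id, 0)
        if claims is None:
            reason = "deny: invalid or expired token"
        elif task_id in self.revoked_tasks:
            reason = "deny: task revoked by operator"
        elif purchase["merchant"] not in claims["merchants"]:
            reason = f"deny: merchant {purchase['merchant']} not in scope"
        elif purchase["category"] not in claims["categories"]:
            reason = f"deny: category {purchase['category']} not in scope"
        elif used + purchase["amount"] > claims["max_spend"]:
            reason = f"deny: would exceed max_spend ({used} + {purchase['amount']} > {claims['max_spend']})"
        else:
            reason = "allow"
            self.spent[task_id] = used + purchase["amount"]
        self._record({"ts": now, "task_id": task_id, "agent": claims["agent"] if claims else None,
                      "purchase": purchase, "agent_rationale": purchase.get("rationale"),  # agent's "why"
                      "decision": reason})                                                 # gate's "why"
        return reason == "allow", reason

def verify_log(log: list) -> bool:
    """Recompute the chain; False means an entry was altered, inserted or removed."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def run_demo():
    """Constructed scenario: one user grant, one task token, six purchase attempts."""
    now = 1_772_000_000
    grant = {"sub": "user-42", "max_spend": 500, "merchants": ["acme-supply", "globex"],
             "categories": ["office", "hardware"], "exp": now + 30 * 86400}
    task = {"agent": "procure-bot", "task_id": "t-001", "max_spend": 200,
            "merchants": ["acme-supply", "initech"], "categories": ["office"]}
    token, gate = mint_task_token(grant, task, now), PurchaseGate()
    ok = {"merchant": "acme-supply", "category": "office", "amount": 120, "rationale": "lowest of 3 quotes"}
    attempts = [(ok, now),
                ({**ok, "amount": 100, "rationale": "restock"}, now + 60),   # 120 + 100 > 200
                ({**ok, "merchant": "initech", "amount": 10}, now + 120),    # merchant out of scope
                ({**ok, "category": "hardware", "amount": 10}, now + 180)]   # category out of scope
    decisions = [gate.authorize(token, p, t)[1] for p, t in attempts]
    gate.revoke("t-001")  # operator hits the kill switch
    decisions.append(gate.authorize(token, ok, now + 240)[1])  # revoked, though token still valid
    decisions.append(gate.authorize(token, ok, now + 901)[1])  # past the 900 s expiry
    return decisions, gate
```

Three design points carry the article's argument. The task token is derived only by intersection and minimum, so an agent that requests a wider task than the user's grant gets the grant's limits, never its own. Revocation is checked on every call rather than baked into the token, which is what makes the kill switch real-time even while the token is still unexpired. The log records the agent's stated rationale alongside the gate's decision and chains the entries by hash, so a later dispute can show both what was authorized and what the agent actually attempted. A production version would use a standard JWT library with asymmetric keys, a shared revocation store, and append-only storage for the log.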

Additionally, when evaluating AI vendor security postures, e-commerce businesses should focus on "decision governance" beyond traditional vendor questionnaires. It is important to specifically verify how agent permission scoping is configured, the logging and explainability of decisions, the speed of permission revocation, and the ability to detect anomalous behavior.

Summary

While autonomous purchasing by AI agents brings significant efficiency gains to the e-commerce industry, it fundamentally upends security assumptions. The shift in risk gravity that Kossmann identifies -- from "access security to decision integrity" -- is a structural change that all e-commerce businesses must understand.

Going forward, attention should be paid to how widely industry standards like Visa's "Trusted Agent Protocol" and Mastercard's "Agent Pay" are adopted, and how open protocols including Google's UCP integrate authentication and audit frameworks. For e-commerce businesses, advancing their own AI agent readiness while simultaneously building permission management and audit trail infrastructure will form the foundation of trusted commerce experiences.

Tags: Agentic Commerce, Security, Fraud, Payments

© 2026 Stellagent Inc.