Your AI Agent Just Made a Payment. Who Verified It?
Stripe just launched Model Payment Protocol. Google shipped Agent2Agent Payment. Visa has TAP. Mastercard announced Agent Pay.
The race to let AI agents spend money is on. Every major payment network is building a pipe for autonomous transactions.
Here's what none of them built: identity verification for the agent itself.
Right now, the flow looks like this:
Agent -> Payment Protocol -> Money Moves
No trust check. No sanctions screening. No cryptographic proof that the agent is who it claims to be. The agent says "I'm payment-bot.acme.com" and the payment just... fires.
That's not a gap. That's a crater.
The Problem Is Structural
PSD2 gave us Strong Customer Authentication for humans. KYC/AML screening is mandatory for human transactions. Every card payment runs through fraud scoring before it settles.
AI agents get none of this.
An agent operating on behalf of a sanctioned entity can initiate payments through MPP today. There is no AML check at the agent layer. There is no trust score. There is no way to verify that the agent signing a payment request is the same agent that was authorised to do so yesterday.
The payment protocols assume the agent is trusted because it has an API key. That's the same security model we abandoned for humans a decade ago.
The Secure Flow
What the stack should look like:
Agent -> Trust Verification -> Sanctions Screen -> Signed Message -> Payment Protocol -> Money Moves
Three layers, each doing one job:
Layer 1: AgentPass -- Identity and Trust
AgentPass assigns every agent a trust level from L0 (anonymous, untrusted) to L4 (government-verified, full audit trail). Trust scores are computed from:
- Identity verification: Challenge-response cryptographic proof. The agent proves it holds a private key, not just an API token.
- Behavioural history: Transaction patterns, anomaly detection, velocity checks.
- AML screening: Every payment participant is screened against 75,784 sanctions entries (UK HMT Treasury + US OFAC SDN lists), updated regularly.
An agent at L0 can't initiate a payment. An agent at L2 can handle low-value transactions. L4 is required for high-value or cross-border flows.
Layer 2: MCPS -- Message Integrity
MCPS (MCP Secure) wraps every message between agents in a cryptographic envelope:
- Digital signatures: Every tool call and response is signed. You can prove which agent sent what.
- Replay protection: Nonces and timestamps prevent transaction replay attacks.
- Tool integrity: The payment tool itself is hash-verified before execution.
Without message-level signing, a man-in-the-middle can alter the payment amount between the agent and the payment protocol. With MCPS, any tampering invalidates the signature.
Layer 3: Payment Protocol (MPP / AP2 / TAP)
Stripe, Google, Visa, Mastercard -- they do what they do well. Move money. The point isn't to replace them. It's to add the verification layer they're missing.
Code: Trust-Gated Payments in 12 Lines
Here's what it looks like in practice using the @proofxhq/agentpass npm package:
const { AgentPassClient } = require('@proofxhq/agentpass');
const client = new AgentPassClient('apt_live_xxx');
// 1. Check agent trust before payment
const trust = await client.getTrust(agentId);
if (trust.score < 40) throw new Error('Agent trust too low for payments');
// 2. Screen the recipient against sanctions lists
const screen = await client.screenSanctions('recipient-name');
if (screen.status === 'HIT') throw new Error('Sanctioned recipient -- payment blocked');
// 3. Trust verified, sanctions clear -- now fire the payment
await stripeAgent.createPayment({ amount, currency, metadata: {
agentpass_trust: trust.score,
agentpass_level: trust.level,
sanctions_clear: true
}});
Three checks. Twelve lines. The payment only fires if the agent is trusted AND the recipient isn't sanctioned. The trust score and clearance travel with the payment as metadata for the audit trail.
The same flow works in Python via PyPI:
from agentpass import AgentPassClient
client = AgentPassClient("apt_live_xxx")
trust = client.get_trust(agent_id)
screen = client.screen_sanctions("recipient-name")
if trust["score"] >= 40 and screen["status"] != "HIT":
# proceed with payment
pass
Standards, Not Just Code
This isn't a weekend project. It's backed by formal standards work:
| Standard | Status |
|---|---|
| IETF Internet-Draft (draft-sharif-mcps-secure-mcp) | Published |
| IETF Internet-Draft (draft-sharif-agent-payment-trust) | Published |
| OWASP MCP Top 10, Section 7 | Merged -- financial authorisation controls for AI agents |
| NIST AI 600-1 | Public comment submitted -- agent payment trust framework |
| UK Patents | 4 filed (CSAI-PAT-001 through CSAI-PAT-004) covering trust scoring, message signing, dynamic financial authorisation, and agent identity |
| FCA Regulatory Sandbox | Application submitted |
The OWASP merge is significant. Section 7 now explicitly calls out the need for trust verification before AI agents can authorise financial transactions. That's not our opinion -- it's an industry-recognised security standard.
The Market Nobody's Covering
The AI agent market is projected at $7.84 billion and growing. There are 207+ companies building agentic commerce -- agents that browse, negotiate, and buy on behalf of users.
Every single one of them will need:
- A way to verify agent identity (not just API keys)
- AML/sanctions screening at the agent layer (not just the human layer)
- Cryptographic proof of what the agent authorised (not just logs)
- Trust levels that gate what an agent can spend (not just rate limits)
Today, none of this exists in the payment protocols. Stripe MPP trusts the agent because it authenticated via OAuth. Google AP2 trusts the agent because it has a service account. Visa TAP trusts the agent because... it's on the network.
That's OAuth-as-identity for autonomous financial actors. We know how that ends.
What Happens Without This
Without agent-level identity and sanctions screening:
- A sanctioned entity spins up an agent, connects to MPP, and moves money. No AML check fires because the check happens at the human layer, and the human is three hops removed.
- A compromised agent replays a signed payment request. No replay protection because the payment protocol doesn't verify message freshness.
- An agent exceeds its authority and initiates a transaction above its authorised limit. No trust gate because there is no trust score.
These aren't theoretical. They're the natural consequences of building payment pipes without identity pipes.
Try It
- AgentPass: agentpass.co.uk -- live demo, registry, sanctions screening
- npm: @proofxhq/agentpass
- PyPI: langchain-mcps
- IETF (MCPS): draft-sharif-mcps-secure-mcp
- IETF (AgentPass): draft-sharif-agent-payment-trust
- OWASP MCP Top 10: Section 7
The payment protocols will get there eventually. The question is whether you bolt on security after the first incident, or build it in now.
We chose now.
Raza Sharif is the founder of CyberSecAI Ltd and the author of the MCPS and AgentPass IETF Internet-Drafts. He builds trust infrastructure for AI agents.
Top comments (0)