AP2 shipped cryptographic authorization for agents. auditability is the next problem.
AP2 v0.2 went live last week. the headline feature is Mandates — tamper-proof, cryptographically signed contracts that serve as verifiable proof of user instructions for agent-led payments. it has 120 partners including PayPal, and has been donated to the FIDO Alliance for standardization. that's a real inflection point for the agent payment space.
the authorization problem is now closer to solved. the auditability problem is not.
here's the gap. a Mandate proves that a user authorized an agent to act. it doesn't tell you what the agent did during that session — which API calls it made, which data it accessed, which sub-agents it spun up, whether any of those actions were outside the scope the user intended. AP2 covers the entry gate. what happens inside the session is still a black box.
this matters enormously for enterprise deployments. a security reviewer approving an agentic payment integration doesn't just need to know that User X authorized Agent Y to spend $500. they need to be able to answer: what did Agent Y actually do with that authorization? did it query financial data it wasn't supposed to? did it spawn a sub-agent that took actions outside the original scope? can we show the full decision trail if something goes wrong?
the Merkle-anchored audit trail is the answer — every action timestamped and anchored, queryable after the fact, structured for compliance artifacts. BizSuite's AI Audit generates that trail in 48 hours, built specifically for teams deploying agents into production who need to show a governance artifact to an enterprise buyer or internal security team. flat $997.
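a sketch of what a Merkle-anchored session trail means in practice, as an added example (not AP2's or BizSuite's code): each agent action is a leaf, the root is the value you would anchor externally, and a per-action inclusion proof lets a reviewer check one entry without the whole log. the log schema, `MANDATE-PLACEHOLDER` and all function names are assumptions made for illustration.

```python
import hashlib
import json

def entry(seq, agent, action, target):
    # constructed log record; field names are assumptions, not an AP2 schema
    return {"seq": seq, "mandate_id": "MANDATE-PLACEHOLDER", "agent": agent,
            "action": action, "target": target, "ts": f"2025-01-01T10:00:{seq:02d}Z"}

SESSION_LOG = [  # constructed sample session
    entry(0, "agent-y", "api_call", "GET /catalog"),
    entry(1, "agent-y", "data_access", "user.payment_methods"),
    entry(2, "agent-y", "spawn_subagent", "agent-y/sub-1"),
    entry(3, "agent-y/sub-1", "api_call", "GET /shipping/quote"),
    entry(4, "agent-y", "payment", "merchant-123"),
]

def leaf_hash(e):
    # canonical JSON plus a 0x00 prefix so a leaf can never be confused with an interior node
    data = json.dumps(e, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves):
    # levels[0] is the leaves, levels[-1] is [root]; an unpaired node is promoted unchanged
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels, index):
    # list of (sibling_hash, sibling_is_left) from leaf up to the root
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):  # promoted nodes have no sibling at this level
            proof.append((level[sib], sib < index))
        index //= 2
    return proof

def verify(e, proof, root):
    h = leaf_hash(e)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root

def session_root(log):
    # hex root over the whole session: the value to anchor outside the agent's control
    return build_levels([leaf_hash(e) for e in log])[-1][0].hex()
```

the root only proves integrity if it is stored somewhere the agent operator cannot rewrite; the example stops at computing it.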
AP2 is correct that standardization of the authorization layer is the foundation. the next layer — session-level auditability, per-agent action logs, compliance artifacts that satisfy a security review — is what makes enterprise adoption actually happen.
if you're shipping an AP2-compatible integration and your enterprise buyer is asking "but what did the agent actually do?", that's the gap. — https://getbizsuite.com/ai-audit