Stripe MPP is doing 131K transactions/day. here's what the compliance stack they "built in" actually covers
Stripe's Machine Payments Protocol shipped March 18, 2026. 131,000 daily transactions, roughly $28,000 in daily value, session-based streaming payments with a "compliance stack built in."
that last phrase is doing a lot of work. let's pull it apart.
what MPP actually ships
MPP handles the payment mechanics elegantly — session tokens, streaming micropayments where the meter runs while the agent is working, and automatic settlement at session end. the compliance stack Stripe references covers PCI-DSS handling of the payment credentials, KYC on the merchant side, and fraud scoring on the card or bank rails used to fund the agent wallet.
that's real compliance coverage. it's also human-payments compliance applied to agent transactions — which is a category mismatch.
the category mismatch
stripe's fraud model is calibrated to detect anomalous human spending patterns. a human spending $2,000 in 45 minutes on a new merchant is flagged. an agent running 200,000 API calls at $0.001 each in 45 minutes, doing exactly what it was authorized to do, looks identical to an agent that's been compromised and is exfiltrating data by billing the attacker's endpoints.
the behavioral signal you need to distinguish those two cases isn't in the payment data. it's in the agent's behavioral history — task completion rate, session-to-completion ratio, capital-to-output conversion, settlement velocity.
MPP doesn't model those dimensions. it wasn't built to. it's a payment SDK, not an agent trust layer.
what the eu ai act adds
Article 12 of the EU AI Act requires automatic recording of events across the agent's operational lifetime, tamper-evidently, with enough context to reconstruct what the system did and why. the deadline is August 2, 2026 — 65 days from today. the penalty is up to 15 million euros or 3% of worldwide annual turnover.
a Stripe MPP transaction log proves a payment settled. it doesn't prove the agent operated within its authorized scope. that's an Article 12 gap, and it's one Stripe explicitly doesn't close — they're a payment company, not a compliance company.
the practical architecture
what teams shipping MPP-integrated agents need is a behavioral audit layer that wraps the payment event with agent context. specifically:
- which agent instance initiated the session
- the agent's behavioral score at time of authorization (MnemoPay ships this as Agent FICO, 300–850)
- the task completion context that justified the spend
- a merkle-sealed record linking the payment hash to the behavioral event
that record is what Article 12 inspectors will ask for. it's also what your own incident response team needs when an agent goes sideways at 3am and you need to reconstruct what happened.
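a sketch of the merkle-sealed record from the list above, added here as an illustration. it is not MnemoPay's or Stripe's code: the field names, sample values and tree layout (sha-256, prefixed leaf and interior hashes, unpaired nodes promoted) are all assumptions.

```javascript
const { createHash } = require("node:crypto");

const sha256 = (...parts) => createHash("sha256").update(Buffer.concat(parts.map((p) => Buffer.from(p)))).digest();

// Deterministic serialization of a flat record: keys sorted so field order never changes the hash.
const canonical = (rec) => JSON.stringify(Object.keys(rec).sort().map((k) => [k, rec[k]]));

// Domain-separated hashes (0x00 leaf, 0x01 interior) so a leaf can never be passed off as a node.
const leafHash = (rec) => sha256(Buffer.from([0]), canonical(rec));
const nodeHash = (l, r) => sha256(Buffer.from([1]), l, r);

// Build every level of the tree; an unpaired node is promoted unchanged.
function buildLevels(records) {
  const levels = [records.map((r) => leafHash(r))];
  while (levels[levels.length - 1].length > 1) {
    const prev = levels[levels.length - 1], next = [];
    for (let i = 0; i < prev.length; i += 2)
      next.push(i + 1 < prev.length ? nodeHash(prev[i], prev[i + 1]) : prev[i]);
    levels.push(next);
  }
  return levels;
}

// The root is the value to publish or anchor; it commits to every record in the batch.
const merkleRoot = (records) => buildLevels(records).pop()[0].toString("hex");

// Sibling path for records[index]; each step records which side the sibling sits on.
function inclusionProof(records, index) {
  const proof = [];
  for (const level of buildLevels(records).slice(0, -1)) {
    const sib = index ^ 1;
    if (sib < level.length) proof.push({ hash: level[sib], left: sib < index });
    index >>= 1;
  }
  return proof;
}

// Auditor side: recompute the root from one record plus its proof, without the other records.
function verifyInclusion(record, proof, rootHex) {
  let h = leafHash(record);
  for (const s of proof) h = s.left ? nodeHash(s.hash, h) : nodeHash(h, s.hash);
  return h.toString("hex") === rootHex;
}

// Constructed sample records; every value here is made up for illustration.
const sampleRecords = [
  { agentInstance: "agent-a1", behavioralScore: 712, taskContext: "crawl job 17", paymentHash: "pay-0001" },
  { agentInstance: "agent-a1", behavioralScore: 705, taskContext: "crawl job 18", paymentHash: "pay-0002" },
  { agentInstance: "agent-b7", behavioralScore: 640, taskContext: "summarize batch 3", paymentHash: "pay-0003" },
];
```

editing any field after sealing, for example raising a behavioral score after the fact, changes the leaf hash and the proof no longer verifies against the published root.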
MnemoPay is built to attach to MPP (and x402, and AgentCore) as the trust layer. 672 tests cover the scoring model, anomaly detection (EWMA-based), and the merkle ledger. the SDK is free (npm install @mnemopay/sdk), and the hosted Agent FICO API is $49/mo.
if you're already building on MPP, the question to ask: when an agent session goes over-budget, who gets paged, and what data do they have to work with?