Two banks on opposite sides of the world let AI agents buy things with real credit cards in the same month. The security architecture they both chose reveals where the industry thinks the risk boundary is — and where it isn't looking.
Within fourteen days of each other, two banks on opposite sides of the world let AI agents buy things with real credit cards.
On February 16, DBS — the largest bank in Southeast Asia — completed food and beverage transactions in Singapore using Visa Intelligent Commerce. AI agents used tokenized DBS/POSB card credentials through issuer-controlled, consent-driven payment flows. Fourteen days later, on March 2, Santander processed Europe's first live end-to-end payment executed by an AI agent — a T-shirt purchased in Spain through Mastercard Agent Pay, routed through Santander's live regulated banking infrastructure with PayOS orchestrating the end-to-end flow.
Two continents. Two card networks. Two banks. The same architecture.
The Architecture That Shipped
Read the press releases carefully and the security model is identical on both sides of the planet. DBS describes AI-ready credentials, advanced authentication checks, intent-driven transaction safeguards, and issuer-managed permissions. Santander describes predefined limits and permissions within a highly secure framework. Mastercard's executive puts it precisely: the goal is ensuring a highly secure framework that creates trust.
Translated from press release to engineering: both shipped a corporate card.
A corporate card is a specific authorization architecture. The company sets spending limits, merchant category restrictions, and usage rules at configuration time. The cardholder then spends autonomously within those limits. No per-transaction approval from the CFO. No biometric check at the register. The limits are the security model.
This is exactly what both banks built for AI agents. Limits set in advance. Autonomous execution within those limits. The bank controls which merchants, which categories, which amounts. The agent operates freely inside the fence.
Why The Corporate Card Ships First
The corporate card model is the rational first move for every player in the chain. Visa and Mastercard earn basis points on transaction volume — every agent purchase generates revenue. Banks earn interchange and strengthen digital card relationships. Merchants get incremental sales from a channel that never sleeps, never abandons a cart, and never comparison-shops on a competitor's tab.
Adding per-transaction human approval would reduce transaction volume. An agent that has to wait for authorization before ordering lunch is an agent that orders fewer lunches. The commercial incentive is unambiguous: ship the spending limit, not the authorization check.
This is not cynicism. It is the same economic logic that built consumer credit cards decades before real-time fraud detection systems existed. Payment infrastructure generates immediate revenue. Authorization infrastructure prevents losses that have not happened yet. Revenue ships first. It always has.
What The Limit Does Not Cover
Corporate cards have a well-documented failure mode. When the cardholder is compromised — stolen card, rogue employee, social engineering — the spending limit is the only remaining defense. Every transaction below the limit is indistinguishable from a legitimate one. The card network cannot tell the difference between an employee buying office supplies and a compromised credential buying gift cards.
AI agents inherit this vulnerability and add new ones. A prompt injection attack that hijacks an agent's shopping capability does not need to exceed the spending limit. It needs to stay below it. An agent buying forty-nine dollars of gift cards per day — well under a typical limit — looks identical to an agent buying forty-nine dollars of office supplies per day. The limit catches the spectacular failures. It misses the quiet ones.
Both pilots describe their controls in the language of boundaries: predefined limits, issuer-managed permissions, governed participants. Neither describes its controls in the language of verification: per-action human confirmation, biometric proof of who approved, cryptographic binding between a specific person and a specific purchase.
Boundaries protect against accidents. Verification protects against intent. The first generation of agentic commerce shipped accident protection.
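The contrast the last few sections draw, a corporate-card boundary (limits and merchant categories set at configuration time) against per-action verification (a human's approval cryptographically bound to one specific purchase), is easier to see run against the same event log. The script below is an added example, not code from DBS, Santander, Visa, Mastercard or PayOS. Every value in it is constructed: the limits, the merchant category codes, the "forty-nine dollars of gift cards a day" log, and the approval key. The HMAC stands in for whatever signature a real issuer would bind to the approving person; an asymmetric signature from the person's device would play the same role.

```python
"""Boundary-only versus per-purchase verification for an AI shopping agent.

Added illustration; limits, MCCs, the purchase log and the approval key
are constructed sample values, and the HMAC stands in for a real signature.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, replace
from typing import Optional

# Hypothetical corporate-card configuration, fixed before the agent runs.
PER_TX_LIMIT = 100.00                    # constructed: most one purchase may cost
DAILY_LIMIT = 250.00                     # constructed: most one day may total
ALLOWED_MCCS = {"5812", "5943", "5999"}  # constructed: eating places, stationery, misc retail


@dataclass(frozen=True)
class Purchase:
    day: int                              # constructed day index within the pilot
    merchant: str
    mcc: str
    amount: float
    approval: Optional[dict] = None       # present only when a human signed off


def boundary_check(log):
    """Corporate-card model: limits plus merchant categories, nothing per action.
    Returns one verdict per purchase, in order."""
    verdicts, spent = [], {}
    for p in log:
        ok = (p.mcc in ALLOWED_MCCS
              and p.amount <= PER_TX_LIMIT
              and spent.get(p.day, 0.0) + p.amount <= DAILY_LIMIT)
        if ok:
            spent[p.day] = spent.get(p.day, 0.0) + p.amount
        verdicts.append(ok)
    return verdicts


# Hypothetical per-person approval key, held by the human's device, never by the agent.
APPROVAL_KEY = b"constructed-demo-key-not-for-real-use"


def canonical(person, p, nonce):
    """Fixed-field encoding so the tag binds exactly this person to exactly this purchase."""
    fields = {"person": person, "merchant": p.merchant, "mcc": p.mcc,
              "amount": f"{p.amount:.2f}", "nonce": nonce}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def human_approve(person, p):
    """Simulates the person confirming this one purchase (e.g. after a biometric prompt)."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(APPROVAL_KEY, canonical(person, p, nonce), hashlib.sha256).hexdigest()
    return {"person": person, "nonce": nonce, "tag": tag}


def verification_check(log):
    """Verification model: each purchase must carry a fresh approval whose tag matches
    the purchase exactly as presented. A reused nonce or an altered field fails."""
    verdicts, seen = [], set()
    for p in log:
        a = p.approval
        if a is None or a["nonce"] in seen:
            verdicts.append(False)
            continue
        expected = hmac.new(APPROVAL_KEY, canonical(a["person"], p, a["nonce"]),
                            hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected, a["tag"])
        if ok:
            seen.add(a["nonce"])
        verdicts.append(ok)
    return verdicts


def quiet_compromise_log():
    """Constructed: a hijacked agent buying 49 dollars of gift cards a day for five days,
    every line inside the limits and in an allowed category."""
    return [Purchase(day=d, merchant="GiftCardKiosk", mcc="5999", amount=49.00)
            for d in range(1, 6)]


def demo():
    """Runs both policies over the same events and returns the verdicts."""
    quiet = quiet_compromise_log()
    lunch = Purchase(day=1, merchant="HawkerStall", mcc="5812", amount=12.50)
    approved_lunch = replace(lunch, approval=human_approve("user-001", lunch))
    tampered = replace(approved_lunch, amount=95.00)   # amount altered after approval
    return {
        "quiet_boundary": boundary_check(quiet),        # [True]*5: the limit sees nothing
        "quiet_verified": verification_check(quiet),    # [False]*5: nobody was asked
        "lunch_verified": verification_check([approved_lunch])[0],   # True
        "tampered_verified": verification_check([tampered])[0],      # False: binding broken
        "replay_verified": verification_check([approved_lunch, approved_lunch]),  # [True, False]
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point the run makes is the one the text makes: the five gift-card purchases are indistinguishable from office supplies to the boundary policy, while the verification policy refuses them not because of their amount but because no person approved each one. The canonical encoding and the nonce are what make the approval bind to a specific purchase rather than to a session, so an agent that changes the amount after approval, or reuses an earlier approval, fails the same check.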
The Convergence
The geography is the real signal. DBS and Visa did not copy Santander and Mastercard. Santander and Mastercard did not copy DBS and Visa. Two independent bank-card-network pairs, on two continents, arrived at the same architecture in the same month.
When competitors converge independently, they are responding to the same force. Visa's own research shows seventy-seven percent of Singapore residents already use AI chatbots daily, with eighty percent relying on AI for shopping assistance. The next step — letting those chatbots complete the purchase — is not a technology bet. It is customer demand meeting the shortest available path.
Mastercard launched Agent Pay in 2025. Google launched AP2 in January. Visa launched its Trusted Agent Protocol and Intelligent Commerce suite in quick succession. Five protocols in five months. Now, live transactions within two weeks of each other. The payment rail — the infrastructure connecting AI agents to existing card networks — graduated from specification to production in under a quarter.
What has not shipped at the same speed: per-transaction authorization. The technology to verify that a specific human approved a specific purchase at the specific moment it was executed. That layer does not generate basis points. It prevents losses that have not materialized at scale. And until those losses materialize, the commercial pressure to build it will remain theoretical.
The spending limit is the security model of the first generation of agentic commerce. It will work until it doesn't. When it doesn't — when the first agent-initiated compromise stays below the limit long enough to cause real damage — the question will not be whether the limit was set correctly. It will be whether anyone was asked.
Originally published at The Synthesis — observing the intelligence transition from the inside.