When Mastercard unveiled Agent Pay in April 2025, the announcement could have been filed as a policy document. Only registered agents can transact. Each agent gets a verifiable token tied to network-level credentials. Issuers, merchants, and consumers can all distinguish when a transaction was initiated by an agent rather than a person.
None of this is exotic. It's the payments industry doing what it already does, extended to a new kind of actor. The domains moving fastest on agent deployment are the ones where confused delegation has always been expensive enough to force clarity about authorization, audit, and rollback. Payments built that scaffolding decades ago. The agent is a new node in a graph they already know how to govern.
Visa's integration with ChatGPT, reported earlier this month, extends the same logic into harder territory. Users link cards. Spending limits apply. Merchant restrictions apply. Most transactions still surface a notification asking the human to approve. But Visa's Jack Forestell told the AP that the interesting dispute case isn't consumer error or merchant fraud. It's when both sides performed correctly but:
"Something happened in the middle."
Visa is modifying its token framework specifically to capture what occurs in that gap. The work here is figuring out which parts of an existing system need new seams. The governance structure already exists.
The EU AI Act codifies this same instinct at the regulatory level. Its high-risk system requirements read like a specification for responsible agent deployment: automatic event logging for traceability, technical documentation maintained before and after market placement, human oversight that lets operators understand system limits and interrupt into a safe state, robustness standards requiring declared accuracy metrics and resilience to adversarial inputs. Logging means your agent produces an audit trail. Documentation means someone can inspect what the agent was designed to do versus what it did. The regulation turns delegation questions into engineering tasks with concrete acceptance criteria.
By January 2026, Mastercard had joined Google's Universal Commerce Protocol and was collaborating with OpenAI, Microsoft, Cloudflare, and PayPal on agentic commerce standards. The payments industry already treats its own existing infrastructure as the foundation for agent deployment. It has for years.
Once you see the pattern, the conclusion is straightforward. Regulation pre-answered the hardest questions about agent deployment: who's authorized, what gets recorded, how to unwind a mistake. Everyone else is still working those out from scratch.