A successful transaction record captures timestamps, credential verification, amounts, authorization codes. Whether the person behind the credential actually wanted what they got lives somewhere outside the log.
For most of commercial history, this gap was small enough to ignore. A human clicked "buy." They saw the price. They confirmed the address. If the outcome wasn't what they wanted, the path to contest it was well-worn. When an agent acts on someone's behalf, using their credentials, following their instructions as it understood them, the gap between "valid" and "wanted" becomes structural. A category of outcome that existing systems weren't built to absorb.
Visa's April 2026 agentic commerce rules are worth reading closely here. The operative language assigns the cardholder responsibility for an agentic payment provider's actions:
"as if the Cardholder initiated the Transaction."
That phrase carries a lot of weight. It extends the entire apparatus of card-not-present commerce to cover actions the cardholder didn't perform, didn't see, and may not have specifically intended. The procedural furniture is all there: identity verification, consent, token provisioning, agreement retention, order confirmation.
But the dispute vocabulary hasn't been updated. Visa's public reason codes still route challenges through existing categories: fraud, authorization errors, processing errors, consumer disputes. No agent-specific condition. If a cardholder wants to contest something an agent did on their behalf, the challenge has to fit into language that predates the thing it's describing.
Operating rules have arrived ahead of challenge rules.
Stripe's order-approval hooks show the merchant side of this tension. When an agent initiates a purchase, the seller's service gets an approval request with a four-second window to respond. Miss it, and the payment is declined. Conservative by design. But the approval surface validates the transaction. Whether the purchase reflects what the human actually wanted is someone else's problem.
The same dynamic shows up outside payments.
A Microsoft study of coding agents found that engineers using them merged roughly 24% more pull requests. The authors are careful to note that a merged PR is a proxy for output, not value. Whether the added throughput yields better software is, they write, a question the field lacks agreed-upon measures to answer. CI pipelines, code review, test suites: none of these were designed to distinguish "more" from "better" at this volume. And the problem runs deeper than output metrics. Execution traces and audit logs can look identical for actions taken under entirely different mandates. The record proves something happened. Authority and intent sit somewhere else entirely.
Smoothness and contestability pull against each other here. Infrastructure that makes agent actions seamless also makes them harder to challenge. Most systems optimize for the smooth path because that's what scales. The valid credential, the clean log, the successful completion.
Trust, though, seems to accumulate in the moments when someone can say "that's not what I meant" and the system has a way to hear it. Most agent infrastructure is being built for the smooth path. The middle case, the plausible action with the legitimate grievance, is still largely unaddressed.
-
Traces without delegation context: A June 2026 preprint argues that ordinary audit logs can look identical under incompatible delegation assignments, meaning execution traces alone can't reconstruct which mandate authorized an action.
-
Task success masking data mishandling: A joint evaluation by the Singapore and Korea AI Safety Institutes found that successful task completion often coincided with unnecessary data access or disclosure across realistic, non-adversarial agent scenarios.
-
MCP's spec-to-deployment gap: The MCP authorization spec requires audience-bound tokens and PKCE, but a May 2026 measurement study found roughly 41% of remote MCP servers exposed tools without authentication and at least one OAuth flaw in every authenticated server tested.
-
Recognizing agents on the web: Two recent preprints found that while web agents can sometimes bypass anti-bot mechanisms, behavioral fingerprints like typing and scrolling patterns still distinguish them from humans, raising the question of how sites separate legitimate delegation from abuse.

