The Agent Authentication Market That Did Not Exist 18 Months Ago

ChatGPT now buys things. Anthropic's Claude can use a computer. Google's Project Mariner can complete a checkout. The autonomous AI agent is not a 2027 idea anymore. As of late 2025, an agent acting on behalf of a human is initiating real wire transfers, real card-not-present purchases, and real account opens.

The question every merchant fraud team is now asking, with no good answer: who exactly is the customer when the customer is an AI? The credit card was issued to a human. The agent is making the purchase. The merchant sees a card-not-present transaction with no human verification at the point of sale. Fraud signals tuned to human behavior misfire. Identity signals are absent or proxied. And the rails accept the transaction because nothing in the existing payment stack was designed to ask whether the entity initiating the payment is a person.

That gap is the Pain Point this article. The market that has to form to fill it is one of the largest fundable categories in trust and identity for the next 36 months.

The existing identity verification stack assumes a human is at the keyboard. Knowledge-based authentication, document verification, biometric liveness, behavioral biometrics, device fingerprinting: every layer was designed against the assumption that a human is somewhere in the loop. AI agents break that assumption silently. Agents do not move a mouse like humans. Agents do not type with human cadence. Agents do not hold a phone in front of their face for liveness checks. Agents do not even consistently exist on the same device across sessions.

Riskified named the problem cleanly in a 2025 advisory: most agentic commerce today still behaves like a guest checkout. The agent acts as proxy, and the customer's identity is not revealed until the moment they hit buy. Merchant fraud teams have been quietly absorbing the cost of this in the form of higher false positives on agent-initiated traffic, higher chargeback rates from automation gone wrong, and increasingly nervous compliance teams who do not know how to attest to the provenance of agent transactions in audit.

The deeper problem is contractual. When an AI agent acts on behalf of a user and that action turns out to be fraudulent, who owns the loss? The user whose credentials authorized the agent? The agent platform that hosted the model? The model provider whose weights produced the action? The merchant who accepted the transaction? The card network that authorized it? Existing card-network rules did not contemplate any of these scenarios. Riskified flagged the category emerging quickly: merchants' fraud teams are discovering an uncomfortable truth that they could be on the hook for fraud and abuse that originates through this new interface.

That uncertainty is what creates the market. Buyers will pay for any product that resolves agent identity, captures attestation, and produces an evidence trail.

The category went from theoretical to live in 2025.

Anthropic opensourced the Model Context Protocol in November 2024 and donated it to the Linux Foundation as the Agentic AI Foundation in December 2025. Within six months of the original release, Google, Microsoft, OpenAI, Visa, and Mastercard had all committed to MCP integration. The protocol layer is settling.

Stripe and OpenAI co-developed the Agentic Commerce Protocol and shipped Instant Checkout in ChatGPT in 2025, the first mainstream consumer surface for agent-initiated commerce. Stripe introduced Shared Payment Tokens, a new payment primitive scoped to a specific merchant, time-bounded, and amount-bounded so applications like ChatGPT can initiate payment without exposing the buyer's payment credentials.

Visa announced a card-based Machine Payments Protocol specification, an SDK that implements it, and the Trusted Agent Protocol. Every request from a trusted Visa agent is now cryptographically locked to a merchant's specific website and the exact page the agent is interacting with, with time-sensitive signatures valid only for single use. Visa partnered with Stripe in 2026 to scale the protocol across both networks. Mastercard followed with its own agent protocol.

That stack solves payment authorization. It does not solve identity. The card networks have explicitly punted identity downstream. As one analysis put it, commercial protocols like ACP and UCP do not solve the identity problem on their own. They push it downward into underlying authentication, delegated-access, and payment standards.

That downstream layer is where the buyers live and where the vendors do not yet exist.

Three distinct buyer pools, each with different unit economics.

The first buyer is the merchant fraud team at companies handling agent-initiated traffic at scale. Shopify merchants, Amazon sellers, travel platforms, ticketing platforms, marketplace operators. Their problem is that legacy fraud orchestration vendors (Sift, Riskified, Forter, Signifyd) trained their models on human behavioral signals. Agent traffic causes false-positive surges and chargeback exposure. The product opportunity is an agent-aware fraud orchestration layer that correctly classifies agent-initiated transactions, attests to the chain of authority from human user to agent, and produces an evidence pack the merchant can defend in chargeback disputes.

The second buyer is the platform hosting the agent. OpenAI, Anthropic, Google, Microsoft, Perplexity, and the next dozen agent-platform startups all face the same liability question. If an agent on their platform initiates a fraudulent transaction, can they prove the agent acted within scope? The product opportunity is platform-side agent attestation: cryptographic proof of the agent's prompt history, tool calls, and authority delegation, exportable as a verifiable credential the merchant or network can accept.

The third buyer is the card network and bank issuer. Visa, Mastercard, Amex, and the bank-issued credential layer all need to evaluate agent transactions in real time and assign risk scores that account for both the human credential and the agent identity. Visa acquired Featurespace in September 2024 for a reported figure near $937 million to bolster its real-time decisioning, but Featurespace was not built for agent context. The next acquisition target in this space is the company that solves the network-side agent risk score.

Comparable acquisitions to anchor pricing intuition: Visa acquired Featurespace at the reported $937 million range in 2024, Mastercard acquired Ekata for $850 million in 2021, Entrust acquired Onfido for $650 million in 2024. The agent-specific category has zero public acquisition comps yet. That is the opportunity, not the obstacle.

The wedge most likely to produce a fundable company in 2026 is not "agent identity verification" as a generic product. The wedge is agent attestation as a layer on top of an existing identity verification platform.

Imagine an existing IDV vendor (Persona, Socure, Plaid Identity) that adds an agent-attestation API. The buyer is an agent platform or a merchant fraud team. The platform sends the agent's session metadata: the originating user identity, the prompt that initiated the action, the tool calls invoked, the model version, and the cryptographic signature of the agent runtime. The IDV vendor returns a verifiable credential the merchant can accept and a risk score the network can use. Sold to agent platforms at the platform tier and to merchants at the per-transaction tier.

Same logic for delegated authority. The buyer is a corporate operator giving an agent scoped purchasing authority. The product issues a signed delegation credential with explicit limits (vendor allowlist, per-transaction cap, time window, refund authority). When the agent makes a purchase, the merchant validates the delegation. When something goes wrong, the audit trail names the human, the scope, and the failure point.

The first customer is an agent platform or a high-traffic e-commerce merchant with rising agent share. Sales cycle: 60 to 120 days. The first product can be built by a team of four engineers and one fraud-domain operator in 12 months.

Platform fee plus per-agent-transaction usage. The platform fee covers integration with the agent platform's runtime, attestation key management, audit logging, and ongoing model updates. The usage fee captures the value moment, which is the agent-initiated transaction that successfully receives an attestation token.

ACV $25,000 to $1 million+ depending on customer size. Gross margins 70-80% at scale, dragging in year one because of services drag during integration with each agent platform's runtime.

The alternative model worth considering is delegated FDE work for the largest agent platforms (OpenAI, Anthropic, Google) where attestation infrastructure becomes part of their core stack rather than a third-party add-in. Higher revenue per customer, slower path to scale, fewer reference customers possible. For most teams entering this category, platform-plus-usage at the merchant tier is the cleaner wedge.

Standards risk is real and constantly moving. MCP, ACP, UCP, the Visa Trusted Agent Protocol, and the Mastercard equivalent are all evolving in 2026. A startup that bets the wrong protocol gets stranded. The right play is to support multiple protocols and abstract the standardization layer.

Platform absorption is the dominant non-obvious risk. Stripe could ship native agent attestation as part of its Agentic Commerce Suite. Visa could ship it as part of Trusted Agent Protocol. OpenAI could ship it inside its agent platform. The defensible play stays merchant-side and cross-platform: be the vendor a merchant uses regardless of which agent platform initiated the transaction. That position survives platform consolidation.

Liability ambiguity remains a regulatory open question. The card networks have not finalized chargeback rules for agent-initiated transactions. Federal action is unlikely before 2027. A startup in this category has to ship into uncertainty and adjust as the rules clarify.

The deepest technical risk is that agent identity verification becomes an arms race against agents trained to mimic human behavioral signals. Detection-first plays will lose. Attestation-first plays (cryptographic signatures from trusted agent platforms) win the long game.

The right mental model for this category is not "build a better deepfake detector for agents." The right model is "build the chain-of-custody layer that resolves a transaction from human user to delegating credential to agent runtime to merchant action." The product is the audit trail, not the classifier.

Builders should ask themselves: would my product still be valuable if every agent platform shipped its own attestation? If yes, the merchant-side aggregation and chargeback-defense workflow is doing the real work. If no, you are building a feature that platform incumbents will absorb.

Investors should ask the team: what is your plan when Stripe ships native agent attestation in 2026? If the team has not thought about cross-platform aggregation as their moat, the thesis is platform-absorption-vulnerable.

The common evaluation mistake here is treating this as an AI safety category. It is a payments and fraud category. The buyers are merchant fraud teams and card networks. The unit economics are per-transaction. The competitive dynamics are existing fraud-orchestration vendors, not AI safety researchers.

Pricing intuition: the buyer is paying for chargeback defense, not for AI provenance philosophy. Price for the dispute-evidence value, not the model-attestation cost.

Founders. Pick one specific agent platform or one specific merchant vertical (travel, ticketing, marketplaces) and build the attestation-plus-evidence-pack stack for it. The TAM looks smaller. Closing the first 5 customers becomes possible.

Investors. Ask any startup pitching this category to name two specific cards-network rules they expect to change in the next 18 months and how their product positions for either outcome. If they cannot, the thesis is not regulatorily-grounded.

Operators in merchant fraud teams. Audit your inbound traffic this quarter for agent share. If you cannot quantify agent traffic at the user-agent or behavioral level, you are blind to the largest emerging chargeback risk in your stack.

Acquirers. Watch for startups that have signed two or more agent platforms (OpenAI, Anthropic, Google, Microsoft) as integration partners alongside two or more enterprise merchants. That cross-platform reference set is the leading indicator of acquisition readiness.

• Stripe and OpenAI launched the Agentic Commerce Protocol in 2025, with Instant Checkout in ChatGPT as the first consumer surface. Stripe introduced Shared Payment Tokens, a new payment primitive scoped to a specific merchant, time-bounded, and amount-bounded for agent-initiated transactions.
• Visa announced its Trusted Agent Protocol in collaboration with Stripe in 2026, with cryptographic locking of every agent request to a specific merchant URL and time-sensitive single-use signatures.
• Mastercard followed with a parallel agent payment protocol; PayPal joined the network-protocol race in Q4 2025.
• Anthropic donated the Model Context Protocol to the Linux Foundation as the Agentic AI Foundation in December 2025. Google, Microsoft, OpenAI, Visa, and Mastercard all committed to MCP integration within six months of the November 2024 release.
• Riskified published a 2025 advisory naming merchant fraud team liability exposure for agent-initiated transactions, the first major fraud-orchestration vendor to flag the chain-of-custody gap publicly.
• Visa acquired Featurespace in September 2024 at a reported figure near $937 million, validating real-time decisioning as a strategic acquisition target for network-tier buyers.