The Compliance Gap That Could Break AI Payments: Who's Actually Liable When an Agent Makes a Mistake?
AI agents are now transacting autonomously in stablecoins and blockchain payments, but the legal and compliance infrastructure to govern these transactions hasn't caught up. While protocols like x402 and Google's Agent Payments Protocol (AP2) have solved the technical plumbing for machine-to-machine payments, a critical layer remains unbuilt: compliance frameworks that determine who is liable when an agent makes a mistake.
The scale of agentic payments is already real. According to a Keyrock report, AI agents settled over $73 million across roughly 176 million transactions on blockchain rails between May 2025 and April 2026. Coinbase reports that x402 alone has processed more than 160 million agentic payments over the past year, roughly 119 million on Base and 35 million on Solana, at about $600 million annualized volume with zero protocol fees. Yet despite this volume, the industry has built identity verification and authorization frameworks without addressing the fundamental question: when an agent's action causes harm, who pays?
Why Traditional Payment Rules Don't Work for Machines?
The problem runs deeper than a technical oversight. Every compliance rule in banking assumes a human on the other side of the transaction. Know Your Customer (KYC) verification requires a person with a passport. Anti-money-laundering (AML) monitoring assumes intent that can be reconstructed from human behavior. The Bank Secrecy Act assumes an institution with a named responsible person. An autonomous agent paying another agent in stablecoin satisfies none of these assumptions.
Consider a concrete example from the sources: you ask an AI agent to book a flight to Singapore for Wednesday with a budget under 3,000 Hong Kong dollars. While you sleep, the agent finds no Wednesday flights within budget, so at 3 AM it books a Thursday flight for 2,600 dollars instead. The transaction is technically authorized (you did ask the agent to book a flight), but it violates your actual intent (you needed to arrive Wednesday, not Thursday). Both answers are correct, and that's the crux of the problem.
The payment industry has upgraded authorization technology six times in fifty years, from signature imprinting to EMV chips to tokenization. But every generation has shared one premise: at the moment of authorization, a person must be present. Agents break that premise entirely. Authorization and transaction are separated in time; intent is expressed in natural language that risk engines cannot verify; and the first time the transaction is initiated, it is not initiated by the cardholder themselves.
What Three Payment Paths Reveal About Responsibility?
Today, agents spend money through three distinct paths, and responsibility resides in three different places depending on which path is used:
- Wallets and Credits: Users prepay into a balance and spend until it runs out. Responsibility is prepaid, but the cost is being locked into a closed ecosystem with limited merchant options.
- Card Track: Responsibility is assumed by Visa and Mastercard network rules, the same fifty-year-old framework that governs human transactions. Most protocol developers are working on this track.
- Wallet-to-Wallet On-Chain: Direct blockchain payments where the transaction is final once money arrives. Responsibility either hangs unresolved or is replaced by code and reputation, which works for token purchases but fails for goods prone to error like airline tickets.
The first half of 2026 produced two revealing specimens of this problem. x402, Coinbase's protocol for machine micropayments, saw its on-chain transaction volume plummet 77 percent from its peak in November 2025. Its main focus, micropayments ranging from 10 cents to one dollar, collapsed from 46 percent of transactions to just 4 percent. What survived? Buying tokens, adjusting APIs, renting computing power, goods consumed immediately upon delivery that cannot be reversed. The protocol's nakedness, lacking authorization, recourse, or dispute resolution, is precisely an advantage for instant-consumption goods. But for goods prone to error, the naked protocol simply cannot function.
Similarly, OpenAI's Instant Checkout with Walmart, which let ChatGPT users buy directly within the chat interface, was restructured months after launch. Walmart disclosed that conversion rates for direct checkout within ChatGPT were about one-third of the rate when users were redirected to Walmart's own website. Both parties switched to Walmart's Sparky agent to handle the shopping experience instead. The issue exposed the same structural contradiction: the entry point controls the decision-making process but does not fully assume responsibility for merchant data, fulfillment, and dispute resolution.
How Are Protocols Trying to Solve Authorization?
The first players to act were not card organizations, but Google and Stripe, fighting not for payment share but for the language of defining authorization itself. Google's AP2 uses two authorization documents to separate presence and absence. An Intent Mandate authorizes purchases within the authorized scope, while a Cart Mandate confirms the final shopping cart. This framework has been donated to the FIDO Alliance, a standards body focused on authentication.
Stripe's Shared Payment Token abstracts cards, agent tokens, and buy-now-pay-later services into a single interface. Mastercard's Verifiable Intent, co-developed with Google, translates losslessly with AP2. Visa's Trusted Agent Protocol claims compatibility, though information is lost during translation. The standardization war for authorization formats has begun, with Google leading the charge, not traditional card organizations. Whoever's authorization format becomes the universal language gains the power to define what "authorization" actually means in the age of agents.
Identity infrastructure has also advanced. ERC-8004, a standard for on-chain agent identity, went live on Ethereum mainnet in late January, giving autonomous agents an on-chain identity, a reputation record, and a way to be validated. Visa's Trusted Agent Protocol, built with Cloudflare, has agents cryptographically sign every request so merchants can verify who sent it. Identity vendors like Trulioo and Experian have even coined a discipline: Know Your Agent.
What's the Missing Piece Nobody Has Built?
Despite these advances, the industry has solved "who is this agent" and skipped "is this allowed." Identity does not fix the compliance problem. Knowing an agent's ERC-8004 record tells you which agent acted. It does not tell you whether the payment it just made was allowed, under whose rules, in which jurisdiction, for that product. A verified agent can still make an unlicensed, sanctioned, or reportable transaction at machine speed, thousands of times a minute.
The missing layer is compliance, and it cannot be a human in the loop because the entire point of agentic payments is that machines transact around the clock without human intervention. Regulatory frameworks like MiCA (Markets in Crypto-Assets Regulation), the U.S. GENIUS Act, and the EU AI Act do not directly address machine-to-machine transactions, liability, or agent identity. Much agentic payment activity still runs through gray or black-market facilitation that can be banned without notice.
The accountability problem breaks down into four unavoidable legal questions that have governed entrusted payment for two thousand years:
- Authorization Validity: Does the authorization actually exist and is it legitimate?
- Boundary Clarity: Where are the boundaries of what the agent is allowed to do?
- Boundary Violation: Who is responsible when the agent exceeds those boundaries?
- Loss Bearing: Who ultimately bears the financial loss when something goes wrong?
Cryptography can answer the first two questions. It can prove what the agent did and verify that boundaries were set. But the last two questions are purely legal and require rules, not technology. Almost all players in the industry are crammed into the first two questions, leaving the adjudication layer unbuilt.
Why Stablecoins Became the Default Rail for Machines?
The reason AI agents are settling payments in stablecoins is not ideological but mechanical. A bank account requires a human identity that passes KYC verification, and an autonomous agent has no identity to give. A crypto wallet, by contrast, needs only a private key to send and receive value, with no human identity attached. Former Binance CEO Changpeng Zhao frames this as the reason crypto wins by default rather than by preference: agents will make orders of magnitude more payments than humans, and those payments simply cannot run on rails built around human KYC.
The second driver is micropayment economics. Card networks carry a fixed fee floor of roughly 30 cents per transaction, but 76 percent of agent transactions fall below that floor, with most payments landing between one and ten cents. At that scale, settling on a card is economically impossible; the fee dwarfs the payment. Stablecoin settlement on low-fee chains like Base costs a fraction of a cent, making programmable, always-on, globally-settling money the only financial layer that actually fits machine-driven activity.
Stablecoins moved roughly $33 trillion in raw on-chain volume in 2025, up 72 percent year over year. But McKinsey and Artemis research revealed the asterisk: genuine real-world payments, the supplier invoices, remittances, and payroll, come to about one percent of that volume, roughly $390 billion. The rest is trading, arbitrage, and bots shuffling value between venues. That one percent more than doubled in a year, so the direction is real, but the scale the headline implies is not there yet. The real customer showing up is a machine, not a person.
Stablecoin supply now sits just north of $300 billion, and growth is becoming institutional. UBS ran its first stablecoin payment pilot for corporate treasuries in early July 2026. BNY launched tokenized deposits in January. JPMorgan, Citi, and Bank of America are wiring up a shared tokenized-deposit network. Even Vanguard, asset management's loudest crypto holdout, just posted its first Head of Digital Assets role, with the job description focused entirely on stablecoins, tokenization, and custody. Notably, 98.6 percent of machine payments settle in USDC, creating a single-issuer concentration risk for the entire agent economy.
What Security Risks Are Already Emerging?
The compliance gap is not the only unresolved problem. Security researchers have documented concrete attacks. One attack involved 26 malicious routers injecting tool calls that drained a client's crypto wallet of $500,000. The broader threat surface, including prompt injection, tool hijacking, privilege creep, and persistent payloads, maps directly onto unauthorized fund transfers.
This is not theoretical. McKinsey found that 80 percent of organizations have already observed risky AI agent behaviors including unauthorized data exposure and privilege escalation. Visa reported a 25 percent rise in malicious bot-initiated transactions over six months. Academic researchers at the IC3 warn bluntly that fully autonomous agents with crypto access could cause severe harms with far-reaching consequences.
The consumer-facing version of agentic commerce, where your assistant does your shopping, is stumbling. OpenAI deprioritized ChatGPT's in-chat checkout in March 2026 to refocus on product discovery. Walmart pulled its pilot after in-chat purchases converted at roughly one-third the rate of its own site. The machine-to-machine plumbing is real and shipping; the consumer story is still struggling.
What Happens Next in the Compliance Race?
The industry consensus is skeptical of chain-tribalism marketing. The prevailing read is that agents will gravitate to whatever rail is cheapest and most liquid, which today means USDC on Solana and Base, regardless of any one chain's architectural elegance. The plumbing is shipping; the rules of liability are not.
Forward projections are what make institutions move. Gartner projects AI agents could intermediate $15 trillion in purchases by 2028, while McKinsey estimates retail agentic commerce of $3 to $5 trillion by 2030. Those numbers assume the compliance layer gets built. Without it, the transaction volume will remain confined to goods that cannot be disputed, and the broader vision of agentic commerce will stall at the same conversion-rate wall that stopped Walmart and OpenAI.
The next phase of the industry will not be won by whoever builds the fastest protocol or the cheapest settlement layer. It will be won by whoever solves the accountability question: who is liable when an agent makes a mistake, and how do we prove it in a way that regulators will accept? Until that layer exists, agentic payments will remain a niche tool for instant-consumption goods, not the foundational infrastructure for machine commerce that the industry is betting on.
From our network
AI Agents Are Learning to Pay Each Other: How the Machine Economy Is Taking Shape
AI agents are now generating revenue, managing crypto wallets, and paying for resources autonomously, creating a machine economy without human....
on My Crypto News AIHow AI Compliance Tools Are Becoming the New Gatekeepers of Crypto Finance
Elliptic raised $120 million to scale AI compliance tools that now monitor two-thirds of global crypto trading volume amid $3 billion in 2025 hacks....
on My Crypto News AI