Overview: AP2 as a Foundational Protocol for Trusted AI Commerce

Yesterday, Google announced the Agent Payments Protocol (AP2), a new, open standard designed to solve the fundamental question of trust in AI-driven payments in commerce. Today’s payment systems assume a human is clicking "buy." AP2 creates the framework for a world where autonomous AI agents can securely and verifiably transact on behalf of users and businesses.

It achieves this by introducing a system of Verifiable Credentials called "Mandates," which serve as cryptographically signed, auditable proof of authority and intent for every transaction. AP2 is not a new payment network; it is a data protocol that layers on top of the Agent2Agent (A2A) protocol, ensuring it can work with any payment method—from credit cards to real-time bank transfers. I previously wrote about A2A here in the" Agents Talking to Agents (A2A): Reshaping the Marketplace and Your Power" section.

Deep Dive: The Intent Mandate - The "Digital Power of Attorney"

The Intent Mandate is the most critical innovation for business and legal purposes. It is the core instrument of delegation for any transaction where the user is not present to give final approval (a "Human-Not-Present" scenario).

• What it is: A legally and technically significant "delegation contract" that a user signs to grant an AI agent specific, constrained purchasing authority. It formally translates a user's goal (e.g., "Buy this item if the price drops below $100") into a set of enforceable rules.

• Legal Significance: It serves as non-repudiable proof that the user authorized the agent's action, providing a powerful evidentiary anchor for assigning liability and resolving disputes. It answers the question: "Who told the agent to do that?"

• Business Significance: It unlocks automated and conditional commerce. Businesses can empower agents to execute procurement strategies, manage subscriptions, or react to market opportunities autonomously, all while operating within pre-approved boundaries.

Deep Dive: The Other Mandates - The "Evidentiary Chain"

Two other mandates complete the transaction's auditable trail:

• The Cart Mandate: This is the "notarized purchase order" for Human-Present transactions. The merchant generates it to lock in the final terms (items, price, shipping), and the user signs it on a trusted device surface. It provides definitive proof of what was agreed upon at the moment of purchase.

• The Payment Mandate: This is the "transaction manifest" sent to the payment network (e.g., Visa, Mastercard). Its primary purpose is to signal that an AI agent was involved and whether a human was present. This allows issuers and networks to apply appropriate risk models and provides critical data for the financial ecosystem.

Examples and Use Cases for Consumers and Businesses

AP2 creates powerful new capabilities for both B2C and B2B commerce by providing a secure framework for delegation.

Consumer Use Cases: Convenience and Automation with Guardrails

Deal Hunting
A user wants to buy a specific gaming console but only if it drops below $400 before the holidays.
The user signs an Intent Mandate with the SKU, a price ceiling of $400, and an expiry date. The agent monitors prices and executes the purchase automatically when the condition is met.

Time-Sensitive Purchases
A user wants to buy tickets for a popular concert the moment they go on sale.
The user signs an Intent Mandate specifying the event, a seating preference (e.g., "front section"), and a maximum budget. The agent is pre-authorized to act instantly.

Complex Travel Planning
A user asks their agent: "Book me a round-trip flight and a 4-star hotel in London for the first week of December, total budget $1500."
The agent holds a signed Intent Mandate. It interacts with airline and hotel agents simultaneously. Once it finds a combination that fits the budget and criteria, it can execute both bookings.

Subscription Management
"Renew my streaming subscription, but only if the price doesn't increase by more than 10%."
An Intent Mandate governs the renewal. The agent verifies the price each cycle and either proceeds or pauses for user instruction if the price hike exceeds the limit.

On-the-Go Purchases
While driving, a user tells their voice assistant to order and pay for coffee from a nearby shop.
This is a Human-Present flow. The coffee shop's agent returns a Cart Mandate. The user provides a quick biometric approval on their phone or car's infotainment screen, signing the Cart Mandate to complete the payment.

Business Use Cases: Auditable Automation and Control

AP2 is transformative for B2B transactions, providing the auditable trail necessary for corporate governance and financial controls.

Automated Procurement
A procurement manager authorizes an agent to re-order lab supplies from approved vendors whenever inventory drops below a threshold, provided the price per unit has not increased by more than 5% since the last order.
The manager signs an Intent Mandate that is cryptographically linked to their corporate identity. The mandate specifies the SKUs, the approved vendor list, and the 5% price variance rule. Every purchase is auditable and tied back to this specific, standing authorization.

Contractor & Field Operations
A construction firm authorizes a site foreman's agent to purchase up to $5,000 in materials from Home Depot or Lowe's for a specific project.
The project manager issues a time-bound Intent Mandate linked to the foreman's identity and the project's budget code. The mandate limits the merchant category and total spend. The trail proves the expense was authorized for that project, streamlining reconciliation.

Dynamic Cloud Resource Scaling
An IT department authorizes an agent to scale cloud computing resources based on real-time demand, with a hard budget cap of $10,000/month.
The CIO signs an Intent Mandate allowing the agent to interact with the cloud provider's agent. The mandate contains the budget cap and service-level rules. This prevents runaway costs while enabling automation.

Travel & Expense Management
An employee uses their corporate travel agent to book a trip. The company's policy (e.g., "economy class only, hotel under $300/night") is encoded into the agent's instructions.
The employee's request generates an Intent Mandate that also reflects corporate policy constraints. The auditable trail shows the booking was compliant, simplifying expense reporting. The employee's identity is tied to the authorization.

Structuring the Corresponding Legal Framework: The Letter of Authorization

It stands to reason that the technical IntentMandate must be backed by a formal legal agreement, a Letter of Authorization (LoA) of some kind, between the User (or User Organization) and the AI Agent Provider, unless the user is operating the AI Agent infrastructure themself. This agreement defines the legal rights and responsibilities of each party. Below are three potential models for structuring this relationship.

I am focused primarily on option 1 below as a conceptual approach to such authorization, and also actively developing other options given this early stage of implementation.

OPTION 1: The Principal-Agent Model (User as Authorizer, Provider as Enforcer)

This model establishes a classic principal-agent relationship where the user provides explicit instructions and the provider must execute them faithfully.

• User Responsibilities: The user is the source of authority and is responsible for clearly articulating their intent. Their primary responsibilities include:

  • Delegating Authority: The user initiates the entire process by appointing the provider to operate the agent on their behalf, often memorialized through an agreement like a DocuSign.

  • Defining Authorization (The "What"): The user must specify exactly what the agent is allowed to do. This includes defining the scope (check_balance), the target resource (account GH-1234), and any constraints (data_minimization, purpose_binding).

  • Defining Autonomy (The "How"): The user sets the rules for how the agent carries out its tasks, such as when it can act silently ("auto-ok") versus when it must get explicit, real-time confirmation ("always-ask").

  • Assuming Consequences: The user is ultimately responsible for the consequences of the agent's properly authorized actions.

• AI Agent Provider Responsibilities 🤖: The AI Agent Provider is responsible for the technical and operational infrastructure that brings the user's instructions to life safely and reliably. Their key responsibilities are:

  • Operating Secure Infrastructure: The provider must maintain the underlying service, network, and security controls to run the agent reliably.

  • Enforcing User Grants: The provider's core duty is to honor and strictly enforce the authorization and autonomy rules defined by the user. The agent must not exceed its granted authority.

  • Managing Authentication & Credentials: The provider is responsible for presenting the correct credentials (e.g., short-lived, purpose-bound tokens) to third parties like the bank.

  • Enforcing Revocation: When a user revokes permission, the provider must ensure that access is terminated promptly, meeting the stated Service-Level Objective (SLO) of ≤60 seconds.

  • Providing Evidence: The provider must generate and deliver auditable proof of the agent's actions, such as signed receipts, to create a clear evidence trail for all parties.

  • Upholding a Duty of Care: A central point of the exercise is to determine the nature of the provider's duty—whether they are simply a neutral "tool provider" or hold a higher, fiduciary-like "duty of loyalty" to act in the user's best interest and avoid conflicts.

OPTION 2: The Managed Platform Model (Template-Based Delegation)

This model positions the AI Agent Provider as a platform offering pre-defined, vetted "skills" or "playbooks." The user's role is to configure and authorize these templates rather than defining instructions from scratch. This is analogous to using a marketplace of trusted apps with pre-set permissions.

• User Responsibilities:

  • Selecting and Configuring Templates: The user browses a library of pre-built "Mandate Templates" (e.g., "Auto-Book Travel," "Monitor and Buy Stock") and configures key parameters (e.g., budget, dates, vendors).

  • Authorizing the Configured Template: The user signs the finalized template, which becomes the active Intent Mandate.

  • Monitoring and Revoking: The user is responsible for monitoring the agent's actions against the template's goals and revoking authorization if needed.

• AI Agent Provider Responsibilities 🤖:

  • Curating a Safe and Secure Template Library: The provider is responsible for the safety, security, and clarity of the templates it offers. This includes vetting them for common exploits or ambiguous language.

  • Strict Parameter Enforcement: The provider must ensure the agent operates strictly within the user-configured parameters of the chosen template.

  • Transparency and Disclosure: The provider must clearly disclose the capabilities and limitations of each template.

  • Liability for Template Flaws: The provider may assume a greater share of liability if a loss occurs due to a flaw or vulnerability in the template itself, rather than user error in configuration.

OPTION 3: The Certified Fiduciary Model (Role-Based Trust & Duty of Care)

This model envisions an ecosystem where AI agents can be independently certified for specific, high-stakes roles (e.g., "Certified Corporate Procurement Agent," "Certified Financial Advisor Agent"). The legal framework is tied to the agent's certified capabilities and implies a higher standard of care.

• User/User Organization Responsibilities:

  • Due Diligence in Agent Selection: The user is responsible for selecting an agent with the appropriate certification for the task at hand. Using a non-certified agent for a high-stakes financial task would place more liability on the user.

  • Providing Clear Objectives: The user must still provide the high-level goals and constraints for the Intent Mandate.

  • Cooperation in Audits: The user must cooperate in providing information if a certified agent's actions are audited.

• AI Agent Provider Responsibilities 🤖:

  • Achieving and Maintaining Certification: The provider must meet the rigorous technical, security, and ethical standards required by a third-party certifying body.

  • Upholding a Fiduciary Duty: For certified financial roles, the agent must legally and technically operate under a fiduciary duty, meaning it must act in the user's absolute best financial interest, avoiding conflicts of interest (e.g., it cannot favor a merchant who pays a higher commission).

  • Proactive Risk Mitigation: A certified agent is expected to go beyond simple instruction-following and proactively identify and flag potential risks to the user (e.g., "Warning: This purchase is non-refundable and the merchant has a poor rating. Do you still wish to proceed?").

  • Submitting to Audits: The provider must agree to be audited by the certifying body to ensure continued compliance.

I’m working on some other potential options as well, but nothing quite ready to share yet. And as always, if you have other ideas about how this could play out, I’m all ears!

Remaining Work and Strategic Next Steps

AP2 provides the technical foundation, but significant work remains to build the business and legal ecosystems around it.

For Businesses and Consumers (as Users):

1. Develop Internal Governance and Delegation Policies: Businesses must create clear policies defining who can authorize agents, for what purposes, and under what financial limits. This includes establishing evaluations for adherence to adopted practices and policies.

2. Integrate with Procurement and ERP Systems: The true power of B2B automation will be realized when agents can read from and write to existing systems of record, like SAP or Oracle, governed by AP2 mandates.

3. User Education and Training: Both consumers and employees will need to be educated on how to safely and effectively delegate authority to AI agents, including how to craft clear, unambiguous intents.

For AI Agent Providers:

1. Build User-Friendly Mandate Creation Tools: The process of creating and signing an Intent Mandate must be simple, transparent, and secure. This is a critical UX/UI challenge.

2. Develop Legal Frameworks and LoAs: Providers must work with their legal teams to develop the "Letter of Authorization" agreements based on one of the models above, clearly defining responsibilities and liabilities.

3. Engage with the Ecosystem on Certification: For the Fiduciary Model to work, providers should begin conversations with industry bodies and regulators to define what "certification" means for different agent roles. Evals and benchmarks developed by users could be a strategic basis for some such certifications or trust marks.

For the AP2 Standard and the Intent Mandate:

1. Evolve the Intent Mandate Schema: The current v0.1 schema is designed for common commerce. Future versions will need to support more complex business logic, such as:

   • Conditional Logic: "Buy item A only if item B is also available."

   • Multi-Party Approvals: Requiring signatures from multiple individuals (e.g., a manager and finance) for high-value corporate purchases.

   • Richer Constraint Language: Moving beyond simple price ceilings to more complex rules (e.g., "quality benchmarks," "ratings and rankings," "total cost of ownership," "vendor performance scores," etc.).

2. Formalize the Cryptographic Profile: As discussed, a formal specification for the signature and verification process is the top technical priority for moving from alpha to a production-ready standard.

AP2 addresses a fundamental challenge that will only grow more pressing as AI agents become routine participants in commerce: establishing verifiable authority and accountability for autonomous transactions. While still in early stages, the protocol provides a practical framework for businesses and developers to begin experimenting with trusted agent delegation. The business, legal and technical foundations outlined here represent necessary infrastructure for scaling AI commerce effectively and responsibly. In future posts, I'll be sharing working examples and implementation patterns for those interested in testing these concepts in practice. For organizations considering how agent-mediated transactions might fit their operations, now is an appropriate time to begin exploring the possibilities.

Reach out to me directly here if you’d like to discuss opportunities to work together on these and related opportunities.