Artificial intelligence is no longer confined to assisting shoppers at the edge of commerce. It is beginning to act within the core of payment infrastructure itself. Systems that once recommended products or monitored prices are now capable of initiating and completing transactions on a user’s behalf.
Industry forecasts suggest that AI-enabled commerce could represent a multi-trillion-dollar opportunity over the coming decade, with capital flowing toward platforms that can operationalize agent-driven purchasing at scale. Yet the expansion of capability has exposed a quieter constraint. Intelligence is accelerating however authorization discipline has not evolved at the same pace.
At the center of this shift is a fundamental tension: financial systems are deterministic and regulated, while AI agents operate probabilistically. The convergence of the two forces a new architectural question, how do you allow software to transact while preserving institutional-grade control?
Few practitioners have worked as directly at this boundary as Vishal Desai, Lead Product Manager for Agentic AI Payments & Commerce at Google. Having led the launch of Google’s first AI-based autonomous purchase flow, he has operated inside live execution environments alongside theoretical prototypes. We spoke with him about why delegated authority, not automation alone, will define the next stage of digital commerce.
Accountability.
Recommendation systems influence decisions; execution systems assume responsibility. The moment an AI agent initiates a financial transaction, the risk profile shifts from advisory to institutional. That alters the engineering problem.
Financial rails are designed around finality. They assume clear intent, authenticated actors, and deterministic settlement. Agentic systems, by contrast, reason iteratively. They evaluate context, retry when uncertain, and adapt to incomplete information. That mismatch between probabilistic reasoning and deterministic settlement is where friction emerges.
When we launched “Buy for Me,” the visible layer was automation. Underneath, the work centered on constraint encoding. The system could only execute within tightly defined parameters, merchant conditions, confirmation flows, pricing thresholds. Those boundaries were not secondary features; they were prerequisites for deployment.
Autonomous checkout becomes viable only when authority is explicitly defined before execution begins.
As I describe in “Building the Agent-Ready E-commerce Product Strategy,” autonomous purchasing requires rethinking storefront architecture itself. Platforms designed for human browsing must expose structured, machine readable catalogs and API driven checkout flows. In this model, software agents evaluate product attributes, verify constraints, and execute transactions while staying within predefined authorization boundaries.
Idempotency revealed the first architectural tension.
In conventional web systems, duplicate execution is typically triggered by user behavior. Safeguards were built around that assumption. Agentic systems introduce a different failure mode. A retry may originate from an internal reasoning loop rather than a user action. From the ledger’s perspective, both appear as legitimate calls.
Traditional idempotency controls prevent repeated charges. They do not evaluate whether an agent remains within the user’s original scope of authorization.
Delegated authority requires encoding intent in a way that is independently verifiable by the payment infrastructure. Spend ceilings, merchant identifiers, and contextual parameters must remain invariant even if the agent reformulates its request. The enforcement layer must evaluate the transaction against those original constraints rather than relying on the agent’s interpretation.
This shift becomes more urgent as compliance standards evolve. PCI DSS v4.x requirements have expanded expectations around authentication rigor and transaction traceability, while instant payment rails continue to compress settlement timelines. When transactions clear within seconds, ambiguity is no longer tolerable. Authority must be machine-evaluable in real time.
In writing about payment state machines and agent retries, I was examining reliability mechanics. Delegated authority extends that conversation into institutional control.
Scale exposes assumptions quickly.
Under the GPay Autofill growth program, we expanded Monthly Transacting Users from 60 million to 140 million while improving checkout performance and reliability. At that level of volume, small inconsistencies amplify into systemic risk. Authorization logic, tokenization strategy, and error-path design become financially material.
Similarly, when we launched the first non-redirect Pix payment experience inside Chrome in Brazil, compliance alignment with the Central Bank was integral to the product. The experience had to integrate seamlessly with local payment rails while respecting regulatory and privacy requirements. The technical surface may appear simple to the user, but beneath it sits a network of policy enforcement layers.
Delegated authority must operate consistently across these varied environments. It cannot rely on implied trust in the agent. It must withstand scrutiny across different settlement systems and compliance frameworks.
In that sense, the client surface, whether a browser or embedded payment context, evolves into an enforcement boundary. Identity validation, scope verification, and intent binding must occur before a transaction reaches the ledger.
Autonomous commerce is less a front-end innovation than a control-plane evolution.
It requires structural clarity and operational discipline.
The infrastructure must first attest the identity of the entity initiating execution. Authority must be encoded explicitly rather than inferred from context. Transaction intent must be bound in a way that prevents scope drift during retries or reformulations. Recovery pathways must resolve deterministically when failure occurs and every action must produce auditable artifacts suitable for regulatory review.
These elements are not theoretical safeguards. They are preconditions for institutional adoption.
In my book Prompt to Product, I also penned down how AI systems compress the distance between intent and execution. That compression only functions when tolerances are defined in advance. Industrial systems do not move first and specify later. They specify, then execute.
The same discipline applies to commerce infrastructure. In my role as a judge for the Globee Awards for Innovation, I review countless many AI-driven initiatives across sectors, and one pattern always stands out: durable programs consistently embed governance into their technical core rather than layering it on after deployment. Capability may attract early attention, but accountability sustains scale.
Economic projections suggest substantial value creation tied to AI-enabled commerce over the coming years. Yet value concentration will not follow automation alone, but those systems that can demonstrate verifiable authority.
The industry has already proven that AI can recommend effectively. It is now tasked with proving that AI can transact within clearly defined bounds,
As agents move closer to financial execution, the defining differentiator will not be speed or personalization. It will be the ability to show, transaction by transaction, that every action occurred within delegated authority.
In that evolution, trust becomes an engineered property rather than an assumed one.