01

Architecture

Separate adaptive planning from deterministic permission

Agentic payments combine probabilistic planning with irreversible or costly effects. The agent may compare options, infer preferences, negotiate an itinerary, or decide which tool can complete a task. Permission requires a different standard. The policy engine evaluates typed facts against explicit rules and returns a reproducible decision. It does not ask the language model whether a transaction feels reasonable, and it does not let the agent reinterpret an inconvenient constraint.

The boundary works only if the policy engine controls the next capability. An `allow` decision must be required before a credential broker signs, a wallet submits, or a processor authorizes. If the agent can call the rail directly, policy becomes advisory. The engine should also fail closed when essential inputs are missing, stale, ambiguously mapped, or unverifiable. An apparently safe default can become unlimited authority when a merchant category, currency conversion, or mandate version is absent.

Policy is not a prompt. It is versioned code and data whose decision can be reproduced from preserved inputs.
02

Evaluate the complete transaction envelope

A decision joins identity, mandate, order, credential, risk, and operational state. Principal and agent identifiers establish who is acting. The mandate supplies delegated limits. The order freezes seller, items, amount, currency, fees, and terms. Historical state supplies cumulative spend and frequency. Risk context can include destination changes, anomalous behavior, sanctions or fraud screening results, and rail-specific irreversibility. Operational state covers revocation, service health, duplicate requests, and emergency freezes.

Policy inputs must be normalized before evaluation. Currency conversions need a named rate source and timestamp. Merchant aliases need an authenticated mapping. Category labels need an issuer and version. Boolean flags such as `trusted=true` are weak unless the decision record says who asserted trust and under which program. The engine should distinguish verified facts, internally calculated facts, and untrusted claims so a tool response cannot quietly promote its own data into an authorization control.

Representative policy inputs and decisions
Input familyExample checksPossible outcome
IdentityPrincipal, agent, operator, merchant, destinationDeny unknown or mismatched actor
MandateScope, amount, cumulative budget, expiry, audienceAllow within the delegated envelope
OrderItems, total, fees, currency, refundabilityStep up when material terms changed
RiskNovel seller, unusual cadence, irreversible railReduce limits or require review
OperationsReplay, freeze, revocation, dependency healthDeny or hold while state is uncertain
03

Return a decision artifact, not a transient boolean

An authorization response should include a decision identifier, outcome, reason codes, policy bundle and version, evaluated mandate and order digests, input references, timestamp, expiry, obligations, and the credential scope it permits. Obligations may require human confirmation, a narrower token, additional screening, delayed execution, or enhanced logging. A short-lived decision prevents an agent from reusing yesterday's approval after the cart, merchant, key status, or budget has changed.

Reason codes serve several audiences. The agent needs safe, actionable information such as “amount exceeds remaining mandate budget.” Operators need the exact failed rule and evidence. Users need an understandable explanation that does not expose fraud logic or secrets. Keep these layers connected through the decision identifier. Free-form model explanations can improve presentation, but they should summarize deterministic reasons rather than inventing why the engine allowed or denied a transaction.

  • Bind every allow decision to the canonical mandate and order digests that were evaluated.
  • Include an expiry and reject attempts to execute a stale decision.
  • Express credential restrictions as enforceable obligations, not prose guidance.
  • Use stable reason codes for analytics and incident review while showing users plain-language summaries.
  • Record the decision before execution so a lost payment response does not erase the authorization trail.
04

Version, test, deploy, and override policy safely

Policy changes are production changes even when no application code moves. Store rules in reviewable form, require peer approval for material limit or destination changes, and deploy with immutable versions. Replay historical and synthetic fixtures against a candidate version to identify decisions that would change. A shadow evaluation can compare old and new outcomes without granting authority, but sensitive inputs and resulting differences still need the same access controls as live decision data.

Overrides should narrow or pause authority more easily than they expand it. Emergency freezes, merchant blocks, credential revocation, and lower limits should be independently operable when the agent or primary application is unhealthy. An override that expands authority needs authenticated approval, scope, expiry, reason, and a review trail. NIST's AI risk-management framing is useful here: governance, measurement, and response must cover the system around the model, including the deterministic components that determine economic impact.

  • Maintain golden fixtures for boundaries, currencies, rounding, time zones, and cumulative budgets.
  • Test missing and contradictory inputs, not only clean allowed and denied transactions.
  • Compare policy versions by changed outcomes and maximum economic impact before rollout.
  • Separate rule authors, approvers, and credential administrators where practical.
  • Retain enough policy and input history to reproduce every consequential decision.

Source discipline

Primary sources

Product status and protocol behavior are checked against maintainer documentation. Company sources establish what their organizations publish; they do not independently prove adoption or performance.

  1. AI Risk Management FrameworkNIST
  2. Announcing Agent Payments Protocol (AP2)Google Cloud
  3. Agent Payments Protocol repositoryGoogle Agentic Commerce
  4. Shared payment tokensStripe Documentation
  5. Payment Card Industry Data Security StandardPCI Security Standards Council
  6. Virtual assetsFinancial Action Task Force