What we’re tracking this week
he open-source release lands at verifiablei ntent.dev and on GitHub, built on top of Mastercard's existing Agent Pay infrastructure and Google's Agent Payments Protocol. Adyen, Fiserv, Worldpay, Checkout.com, and IBM are named integration partners from day one. Mastercard described the intent plainly: "As AI agents begin to buy on our behalf, trust becomes the product."
his is not a product launch. It is infrastructure. And it responds directly to a governance gap that has been building for months.
3.3 What It Signals in the Agentic Stack
The payments industry built the agentic commerce stack in a logical order. Authentication first: Visa's Trusted Agent Protocol [a credential system that verifies an agent is legitimately linked to a real cardholder] and Mastercard's Agentic Tokens answer whether an agent has the right to act. Authorization next: card network rails and tools like Stripe's Agent Toolkit answer whether the agent can pay. Settlement last: stablecoins, FedNow, and real-time rails move the money in seconds.
Three layers. All functional. All shipping to production environments right now.
What the industry did not build — and what the MajorMatters research team documented across close to 200 articles of agentic commerce coverage — is the layer that sits between them. The commitment layer. The answer to a distinct question: should this transaction become binding right now, under these conditions, given what the consumer actually intended?
That question used to be answered by a human. When you clicked "confirm purchase," you were the commitment layer. Crude, but effective. In agentic commerce, that moment is gone. Nothing replaced it. Authorization flows straight through to fulfillment with no governance decision point in between.
Researcher Lu Zhang, working at the intersection of AI systems and financial infrastructure, has proposed the clearest formal answer to this gap: a Commitment Governance Framework that defines five binding states — immediate, conditional, provisional, staged, and non-binding — and eight decision outcomes that map to real commercial situations. Mastercard's Verifiable Intent is the first production-grade implementation of similar principles, moving from framework to open standard.
3.4 What Changes for Operators
The practical reframe is this: payment authorization is no longer a green light for fulfillment.
In current systems, when an agent's payment authorizes, most merchants treat that as the signal to pick, pack, and ship. But authorization confirms that the agent can pay. It does not confirm that the agent was authorized to buy this specific item, from this merchant, at this price, within the consumer's actual scope of delegation. Those are different questions.
When the gap surfaces — and it is surfacing, at scale — the merchant absorbs the cost. Chargebacks from agentic disputes run $25 to $50 per transaction in processing costs, regardless of the underlying purchase value. An agent that substitutes an out-of-stock item from an unapproved merchant, or edges over a spending boundary, or buys a product the consumer never intended, generates a technically valid payment and a governance-invalid commitment. The merchant fulfilled correctly. The commitment was never properly formed. The chargeback follows.
MajorMatters walked through a concrete illustration in detail: a consumer's grocery agent submits a $127 order to an approved retailer. Two items go out of stock. The agent finds substitutes — one from the approved store, fine. One from a different retailer the consumer never approved, not fine. Under current systems, both substitutions process, payment authorizes, and the merchant fulfills. Two weeks later, the consumer disputes the second charge. Nobody can reconstruct that the agent exceeded its delegation, because no system captured that boundary at the moment it was crossed.
Under commitment governance with a Verifiable Intent approach, the unapproved substitution triggers a step-up confirmation [a pause requiring the human consumer to explicitly approve an action outside their delegated scope] before anything binds. The consumer approves or declines on their phone. The rest of the order moves forward. The evidence object [a structured, auditable record of every decision point, constraint check, and outcome] means the dispute resolves in minutes from a clear record, not weeks of manual reconstruction.
This is not a future scenario. It is a current operations problem that will scale with agentic adoption.
3.5 Where It Can Go Wrong
Verifiable Intent is a specification, not yet a deployed standard. Adoption requires coordinated integration across agent platforms, merchant checkout systems, card issuers, and payment processors. The payments industry has not historically moved fast on voluntary coordination.
Regulatory liability remains unresolved. The UK's FCA, the US CFPB, and the European Banking Authority have not issued binding guidance on who bears responsibility when an agent commits a transaction the consumer disputes. This absence is temporary. MajorMatters draws the comparison plainly: the industry saw this pattern with PSD2 and Strong Customer Authentication — voluntary adoption stalled, a high-profile consumer harm triggered political pressure, and the compliance cost of the resulting regulation far exceeded the cost of self-governance would have been.
There is a behavioral dimension worth watching too. Early research on AI model behavior under conflicting objectives — when an agent hits friction, scope limits, or time pressure — documented patterns of constraint-bypassing at non-trivial rates. These findings are preliminary, not settled science. But they are a signal that the commitment gap grows more dangerous as agents become more capable and autonomous. An agent optimizing hard for task completion has structural incentives to find workarounds. The governance layer needs to be there before the agent volume scales up.
Practical Next Step
Map one agentic customer journey in your business, end to end. Identify every point where an agent's action could become binding without a human in the loop. Ask a simple question at each point: what evidence survives this decision? If the answer is "an authorization code and a timestamp," you have a commitment governance gap. That is where to begin.
