- The FIDO Alliance announced on April 28, 2026 the formation of two working groups to develop authentication and authorization standards for AI agent-initiated transactions.
- Google contributed its Agent Payments Protocol (AP2), which uses cryptographic proofs to verify user intent behind agent-executed actions.
- Mastercard’s Verifiable Intent framework, co-developed with Google, introduces selective disclosure so each party in a payment chain sees only the data relevant to their role.
- Mastercard’s Chief Digital Officer said standards timelines that previously spanned two to three years will need to be compressed given the pace of agentic AI deployment.
What Happened
The FIDO Alliance announced on April 28, 2026 that it will launch two working groups to develop industry standards for authenticating and protecting transactions initiated by AI agents. The effort was seeded with open-source contributions from Google and Mastercard, marking the first coordinated standards initiative specifically targeting agentic AI commerce. The goal is to produce a protective baseline covering authentication, authorization, privacy, and dispute resolution that can be adopted across industries wherever AI agents act autonomously on behalf of users.
Why It Matters
AI agents capable of making autonomous purchases, booking travel, and managing accounts are being deployed commercially without a security framework built for that paradigm. Andrew Shikiar, CEO of the FIDO Alliance, told Wired: “Agents are becoming more and more common, they’re moving into mainstream use, but preexisting models aren’t necessarily designed for this sort of paradigm—they weren’t built to contemplate actions performed on a user’s behalf.”
The gap exposes users to agent hijacking—where a malicious actor intercepts or manipulates an agent’s instructions—as well as phishing attacks that trick agents into executing unauthorized transactions. The FIDO Alliance previously developed the FIDO2/passkeys standard, now supported across Apple, Google, and Microsoft platforms, giving the organization a track record in deploying authentication protocols at industry scale.
Technical Details
Google’s Agent Payments Protocol (AP2) uses cryptographic proofs to verify that a specific user intended a specific agent-initiated transaction, tying each action to a verifiable user authorization. Mastercard’s Verifiable Intent framework, co-developed with Google to integrate directly with AP2, adds selective disclosure: platforms, merchants, payment providers, and card networks each see only the data relevant to their role, while the full authorization proof remains cryptographically intact.
Stavan Parikh, Google’s vice president and general manager of payments, described the design: “We want to provide cryptographic proof that a transaction was authorized by the user themself, but keep it private so there is built-in selective disclosure. Different players in the ecosystem—platforms, merchants, payment providers, networks—only see the information that’s relevant to them, but the right action gets fulfilled at the right time.” Parikh cited a concrete example: a user instructs an agent to purchase a pair of sneakers autonomously if they return to stock at $100 or below, with the eventual transaction cryptographically tied to that original user authorization. The proposed standards also include mechanisms for recourse in the event of a dispute over an agent-executed action.
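An added illustration of the selective-disclosure idea described above, not code from AP2, Verifiable Intent or the FIDO Alliance: the user commits to each mandate field with a salted hash and authenticates the list of commitments, so an agent can reveal only some fields to a party that still checks them against the user's authorization. The field names, the salted-hash construction and the HMAC key (a stand-in for an asymmetric signature from the user's device) are assumptions made for the example.

```python
import hashlib, hmac, json, secrets

# Assumption: constructed demo key standing in for the user's device-held key.
# A real design would use an asymmetric signature so verifiers hold no secret.
USER_KEY = b"constructed-demo-key"

def _commit(name, value, salt):
    """Salted hash commitment to one mandate field; the salt blocks guessing."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _tag(digests):
    return hmac.new(USER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue_mandate(fields):
    """User side: commit to every field, then authenticate the commitment list."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in fields.items()}
    digests = sorted(_commit(n, v, s) for n, (s, v) in disclosures.items())
    return {"digests": digests, "tag": _tag(digests)}, disclosures

def present(disclosures, names):
    """Agent side: reveal only the fields one party needs."""
    return {n: disclosures[n] for n in names}

def verify(mandate, revealed):
    """Verifier side: check the user's tag, then each revealed field's commitment."""
    if not hmac.compare_digest(_tag(mandate["digests"]), mandate["tag"]):
        raise ValueError("mandate was not authorized by the user")
    for name, (salt, value) in revealed.items():
        if _commit(name, value, salt) not in mandate["digests"]:
            raise ValueError(f"field {name!r} does not match the mandate")
    return {name: value for name, (salt, value) in revealed.items()}

def merchant_accepts(mandate, revealed, item, price_cents):
    """Merchant check for the sneaker example: same item, price within the cap."""
    f = verify(mandate, revealed)
    return f.get("item") == item and price_cents <= f.get("max_price_cents", -1)

# Constructed sample mandate: buy the sneakers if the price is $100 or below.
MANDATE, DISCLOSURES = issue_mandate({
    "item": "sneakers-sku-constructed",
    "max_price_cents": 10000,
    "payment_token": "tok-constructed",
    "shipping_address": "constructed address",
})
MERCHANT_VIEW = present(DISCLOSURES, ["item", "max_price_cents"])
print(merchant_accepts(MANDATE, MERCHANT_VIEW, "sneakers-sku-constructed", 9500))
```

The merchant never receives the payment token or shipping address, yet a changed price cap or a mandate with a forged tag fails verification.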
Who’s Affected
Consumers delegating autonomous purchasing or account management tasks to AI assistants are most directly exposed to the security gaps the standards aim to close. E-commerce platforms, payment processors, card networks, and merchants that accept or plan to accept agent-initiated transactions will need to implement the protocols once finalized. Developers and companies building agentic AI products—including autonomous shopping assistants, travel booking tools, and subscription management agents—will need to engineer their systems against the resulting specifications.
What’s Next
The FIDO Alliance working groups must build out a body of practical use cases and reference implementations before technical specifications can be finalized, after which platforms, merchants, and payment providers will need to adopt the protocols at scale. Pablo Fourez, Mastercard’s chief digital officer, described the pressure: “This tech is evolving very, very fast, so it compresses standards timelines that in the past might have taken two or three years. Regular people just want to know at the end of the day that it will work and they can trust it.”
Both Google and Mastercard have committed their respective open-source tools—AP2 and Verifiable Intent—as the technical starting point. The working groups will still need to verify the protocols perform reliably across real-world deployments before broad adoption becomes feasible.