Thirty Partners. Seventy-Two Hours. The Machines Got a Wallet.
The Card Networks Just Minted Identity for AI Agents. Europe Still Has Not Decided Who Pays When the Agent Spends Outside Its Mandate.
In seventy-two hours this month the two largest card networks on earth did the thing the agentic-payments debate had been waiting on. On the tenth of June Mastercard launched Agent Pay for Machines, a service that lets AI agents pay one another autonomously — some transactions worth fractions of a cent — with more than thirty partners signed on at launch, among them Stripe, Adyen, Coinbase, Cloudflare, OKX, Ripple, Polygon and Solana. The day after, at its Payments Forum, Visa unveiled the early components of its own agentic-commerce infrastructure: a registry of verified agents and merchants, an agent-scoring capability, a large-transaction model, and stablecoin settlement — followed within forty-eight hours by a partnership with OpenAI to support agent-led payments. The piece everyone said was missing from machine-to-machine commerce — a way to give an autonomous agent a verifiable identity and a bounded mandate on the commit leg — was shipped, by the incumbents, in a single week.
And here is the part the boardroom should read twice. The networks solved identity. They did not solve liability. When an agent carrying a cryptographic mandate spends outside it — misreads its instruction, is hijacked, or simply exceeds the scope a human thought it had granted — the question of who eats the loss is still open in the one jurisdiction where it matters most. PSD3 and the Payment Services Regulation, whose final texts were agreed on the twenty-third of April and which publish to the Official Journal sometime between now and September, do not yet name the party. The mandate is signed in seconds and settled on-chain; the accountability is stuck in a regulation that has not entered into force. This edition introduces PACT-D — the Payment-Agent Commit-leg Trust diagnostic — a five-axis instrument that scores whether an enterprise wiring agentic payments has closed the gap between a mandate a machine can prove and a liability a human still owns.
Identity Was the Hard Part. The Networks Just Solved It.
Mastercard’s design is worth describing precisely, because it is now the reference architecture the market will copy. Each agent receives an Agentic Token bound to a specific consent policy, a merchant scope and a spending limit. The agent never sees a raw card number; the token rides on the same Mastercard Digital Enablement Service tokenization layer that powers Apple Pay and Google Pay. The network enforces the consent policy at authorization, which means out-of-policy spending fails before settlement rather than being clawed back after it. Human-granted permissions are logged across public blockchains — currently Polygon, Solana and Base — so any counterparty can verify that an agent is operating inside its mandate. Settlement runs across cards, bank accounts and stablecoins, which is what makes the fractions-of-a-cent microtransaction economically possible: per-transaction minimums and processing costs make streaming micropayments uneconomic on card rails, and stablecoin rails carry no such floor.
Visa is building the same primitive from the other direction. Its Agentic Registry — a directory of Visa-verified agents and merchants — is an identity and reputation layer; its agent-scoring and large-transaction-model capabilities are an attempt to price the risk of a non-human actor at authorization. Underneath both sits a protocol war that has already chosen its referee: x402, the Coinbase-originated HTTP-native payment standard, passed into the custody of the Linux Foundation in April, giving it a neutral institutional home, while Google and Coinbase’s AP2 provides the agent-to-agent extension. Stripe integrated x402 on Base in February. The plumbing is no longer speculative. Stablecoin transfer volume reached thirty-three trillion dollars in 2025, up seventy-two percent year on year, with supply projected to grow by a further fifty percent in 2026 — and agentic payments are now cited as a primary driver of that curve. The machines have rails, identity, tokens, registries and settlement. What they do not have, in Europe, is a settled answer to a single question.
The Commit Leg Has a Mandate. It Does Not Have an Owner.
The commit leg — the irreversible moment where value actually moves — is where Edition 48’s ACAM warned the architecture would concentrate its risk, and it is exactly where the new infrastructure is strongest on identity and weakest on accountability. A consent policy enforced at authorization tells you the agent was inside its mandate at the instant of payment. It does not tell you who is liable when the mandate itself was wrong, when the agent was compromised between grant and spend, or when the instruction was interpreted in a way no human intended. If an AI payment agent makes a bad transaction today, the default reading is that the payment service provider enabling the customer to use that agent carries the loss. But the upcoming Payment Services Regulation is explicitly trying to clarify liability for “technical service providers,” and the industry is drifting toward a shared-liability model for autonomous flows built on variable recurring payments and merchant-initiated-transaction frameworks. Drifting is not the same as deciding.
The exposure is not evenly distributed. Merchants continue to bear the financial risk of fraudulent transactions even when they have minimal visibility into how an agentic payment was initiated — responsibility without capability. Layered on top, three EU regimes overlap on the same event: PSD3 and the PSR govern the payment, the AI Act governs the agent that initiated it, and the GDPR governs the data the agent processed to decide. None of them, individually, answers the question of who is accountable when an autonomous agent exceeds the scope of its original mandate. An enterprise can adopt Mastercard’s Agentic Token, log every permission on-chain, and still have no named party to absorb a six-figure out-of-mandate spend on a Friday night. Cryptographic provability and legal accountability are not the same property, and the networks have shipped the first without resolving the second.
PACT-D — The Payment-Agent Commit-leg Trust Diagnostic
PACT-D scores one thing: whether an enterprise deploying agentic payments has closed the distance between a mandate a machine can prove and a liability a human actually owns. It is built for the commit leg, not the discovery or negotiation legs, because the commit leg is where the money is irreversible and where European liability law has not yet caught up. Five axes, each scored one to five.
Axis 1 — Mandate Provenance and Verifiability (MPV)
Can every counterparty cryptographically verify, at and after the moment of payment, that the agent acted inside a human-granted mandate — and is that grant auditable months later when a dispute lands? An Agentic Token logged on a public registry scores well here; an agent acting on an API key with an implicit, unlogged scope does not. Provenance is the floor of trust: if you cannot prove what the agent was permitted to do, every downstream question is unanswerable. Most enterprises piloting agentic payments today are running on the unlogged version and have not noticed.
Axis 2 — Authorization-Scope Enforcement (ASE)
Is out-of-policy spending blocked at authorization, before settlement, by the rail itself, or only detected afterward by the application that issued the agent? The Mastercard design enforces consent policy, merchant scope and spending limit at the network, so the bad transaction fails rather than settles. An enterprise that enforces scope only in its own orchestration layer, above the rail, has built a control that a compromised agent can route around: the same process that holds the credential also holds the check, and an attacker who owns the agent simply stops running it. Two conditions make rail-level enforcement real rather than nominal: the mandate must be tamper-evident, so an agent that edits the limit in its own copy is rejected, and the rail must evaluate the current mandate state on every authorization rather than a cached copy. The axis rewards enforcement that lives where the value moves, not where the code happens to run.
Axis 3 — Liability Attribution Ownership (LAO)
Is there a named, contracted party — payment service provider, technical service provider, merchant or principal — who absorbs an out-of-mandate or erroneous agentic payment, and is that attribution reconciled with PSD3, the PSR and strong-customer-authentication rules rather than assumed? This is the axis almost every enterprise fails, because the regulation that would settle it is not yet in force and the contracts were written for human cardholders. A score of five means the loss has an owner before the agent is switched on. A score of one means the organisation has wired autonomous money movement onto a liability nobody has agreed to carry.
Axis 4 — Revocation and Kill-Switch Latency (RKL)
When an agent is compromised or starts behaving outside intent, how fast can its authority be revoked, across every network, token and on-chain registry it touches, and how large is the blast radius in the interval? Identity that is fast to grant and slow to revoke is a liability multiplier. Revocation only counts once every authorization point honours it: a grant struck from an on-chain registry but still cached by a token service, or a kill switch that waits for the next settlement batch, leaves the agent able to spend in the gap. With more than four-fifths of enterprises now reporting at least one AI-agent security incident in the past year, revocation latency is not a tail risk; it is a recurring operational event. The axis measures the window between “this agent has gone wrong” and “this agent can no longer spend,” measured in seconds, not change-control tickets.
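To make Axis 2 and Axis 4 concrete, here is an added, illustrative model of a commit-leg authorization check. It is not Mastercard’s or Visa’s code and does not reproduce the Agentic Token format: an HMAC over the mandate stands in for the network’s binding of token to consent policy, the field names, merchant identifiers, amounts and signing key are constructed for the example, and a process-local revocation set stands in for whatever registry the network would consult. It shows the behaviours the two axes score: an out-of-scope or over-limit spend failing at authorization rather than settling, a compromised agent’s locally edited mandate failing the signature check, and a revoked mandate being refused on the very next request, with the value already moved reported as the blast radius. An unguarded rail that trusts the caller is included as the contrast the Axis 2 text describes.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real network keeps this with the issuer or token
# service; the agent never holds it, which is what makes the mandate binding.
RAIL_KEY = b"constructed-demo-rail-key"


def _canonical(body: dict) -> bytes:
    """Canonical JSON so the signature does not depend on dict ordering."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_mandate(mandate_id, agent_id, merchants, per_tx_limit, total_limit,
                  expires_at, key=RAIL_KEY):
    """Human-granted mandate signed by the rail. Field names are assumptions;
    amounts are in minor units (cents) and expires_at is unix seconds."""
    body = {
        "mandate_id": mandate_id,
        "agent_id": agent_id,
        "merchants": sorted(merchants),   # merchant scope
        "per_tx_limit": per_tx_limit,     # spending limit per authorization
        "total_limit": total_limit,       # cumulative cap for the whole mandate
        "expires_at": expires_at,
    }
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


class Rail:
    """Authorization point where value moves; every check runs before settlement."""

    def __init__(self, key=RAIL_KEY):
        self._key = key
        self._revoked = set()
        self._spent = {}     # mandate_id -> cumulative approved amount
        self.ledger = []     # settled (mandate_id, merchant, amount)

    def revoke(self, mandate_id):
        """Kill switch: consulted on the next authorization, not the next batch."""
        self._revoked.add(mandate_id)

    def exposure(self, mandate_id):
        """Value already irreversibly moved under a mandate (the blast radius)."""
        return self._spent.get(mandate_id, 0)

    def authorize(self, mandate, merchant, amount, now):
        """Return (approved, reason) for one commit-leg request."""
        body = {k: v for k, v in mandate.items() if k != "sig"}
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mandate.get("sig", "")):
            return False, "bad_signature"        # forged or locally edited mandate
        mid = mandate["mandate_id"]
        if mid in self._revoked:
            return False, "revoked"
        if now >= mandate["expires_at"]:
            return False, "expired"
        if merchant not in mandate["merchants"]:
            return False, "merchant_out_of_scope"
        if amount <= 0 or amount > mandate["per_tx_limit"]:
            return False, "per_tx_limit"
        if self._spent.get(mid, 0) + amount > mandate["total_limit"]:
            return False, "total_limit"
        self._spent[mid] = self._spent.get(mid, 0) + amount
        self.ledger.append((mid, merchant, amount))
        return True, "approved"


class UnguardedRail:
    """Contrast case: scope lives only in the agent's code, so the rail settles
    whatever it is asked to settle."""

    def __init__(self):
        self.ledger = []

    def settle(self, merchant, amount):
        self.ledger.append((merchant, amount))
        return True


def run_scenario():
    """Constructed walk-through of in-scope, out-of-scope, tampered, over-cap
    and post-revocation spends, plus a compromised agent on the unguarded rail."""
    now = 1_700_000_000
    rail = Rail()
    m = issue_mandate("m-1", "agent-7", ["acme-cloud", "acme-data"],
                      per_tx_limit=5_000, total_limit=12_000,
                      expires_at=now + 3600)
    r = {}
    r["in_scope"] = rail.authorize(m, "acme-cloud", 4_000, now)
    r["wrong_merchant"] = rail.authorize(m, "evil-shop", 4_000, now)
    r["over_per_tx"] = rail.authorize(m, "acme-data", 5_001, now)
    # Compromised agent lifts the limit in its own copy; the signature no longer matches.
    r["tampered"] = rail.authorize({**m, "per_tx_limit": 10**6}, "acme-cloud", 50_000, now)
    r["second_in_scope"] = rail.authorize(m, "acme-data", 4_000, now)
    r["over_total"] = rail.authorize(m, "acme-data", 4_001, now)   # 8_000 + 4_001 > 12_000
    r["exposure_before_revoke"] = rail.exposure("m-1")
    rail.revoke("m-1")
    r["after_revoke"] = rail.authorize(m, "acme-cloud", 100, now)
    # Orchestration-only enforcement: the scope check lived in the agent's code,
    # the compromised agent no longer runs it, and the rail has nothing to verify.
    r["unguarded_bypass"] = UnguardedRail().settle("evil-shop", 50_000)
    return r


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

In a real deployment the signing key sits with the issuer or token service and the revocation set is the registry state the rail reads at authorization time, not a set in the same process as the agent; the exposure figure is what the Axis 4 window costs if revocation lags.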
Axis 5 — Cross-Network Identity Portability (CIP)
Does the agent’s identity and mandate travel coherently across card tokens, the x402 and AP2 protocol layer, and on-chain registries — or does each network re-establish trust from scratch, opening a seam at every boundary? A single agent transacting across a card rail, a stablecoin rail and an HTTP-native micropayment in one workflow can carry three different identities and three different liability assumptions. Each seam is a place where the mandate can be honoured on one network and meaningless on the next. The axis rewards one provable identity that the whole stack respects, and penalises the federation gaps where accountability quietly evaporates.
How to Read the Composite
Score each axis one to five and add them. Twenty-five is a commit leg you can trust: provable mandates, rail-level enforcement, an owned liability, second-scale revocation, and one identity across networks. Twenty to twenty-four is trustworthy with a single weak axis to close. Thirteen to nineteen is exposed — the agent can pay, but the accountability behind the payment is partial. Below thirteen means the enterprise has connected autonomous agents to real money movement on an architecture where no one has agreed to own the failure, which is the posture most pilots are in right now without having scored themselves. Any single axis below three is a board-level finding, because on the commit leg one broken property invalidates the others: a perfectly provable mandate with no liability owner is just a well-documented loss.
The Leg ACAM Named, the Bridge AGCR-D Built
Edition 48 introduced ACAM — the Agentic Commerce Architecture Model — and argued that the discovery, negotiation and commit legs of agentic commerce carry different risks and demand different controls, with the commit leg as the point of no return. Edition 51 introduced AGCR-D and bridged agentic payments to the governance layer. PACT-D is the instrument those two editions implied: it takes the commit leg ACAM isolated, applies it to the exact infrastructure Mastercard and Visa shipped this month, and scores it against the European liability regime AGCR-D said would arrive late. The card networks have, in effect, validated ACAM’s thesis — they built their entire agent architecture around securing the commit leg — while leaving open precisely the liability question that makes the commit leg dangerous. The framework was waiting for the product. The product just launched.
The Bet on the Commit Leg
Every enterprise exploring agentic payments has made the identity bet — or will, now that the networks have made it cheap and standard. The bet still unmade is the liability bet: whether, before an autonomous agent is allowed to move real money, there is a provable mandate, rail-level enforcement, a named owner of the loss, a fast revocation path, and one identity that survives the journey across networks. The infrastructure to make agentic payments work arrived this month. The framework to make them safe is a separate decision, and it is not the networks’ to make — it is the architect’s.
Thirty partners, seventy-two hours, and a wallet for the machines are not a payments-industry curiosity. They are the moment autonomous money movement became a procurable enterprise capability — and the moment the gap between what an agent can prove and what a human still owns became a live, unhedged exposure on the commit leg. The question on the table is not whether your agents can pay. After this month, they can. It is whether anyone in your organisation has agreed, in writing and in law, to own it when they pay wrong.
Hawk Nest Newsletter is written by Paulo Falcao, who has spent twenty-five years helping organisations turn complex technology challenges into measurable business outcomes across payments systems, enterprise architecture and AI: the intersection of strategy and architecture, converted into reliable, revenue-generating reality. PACT-D joins the IP portfolio next to SIRM, AVAEM, SHAD, ACAM, SAVED, GAIA-D, AGCR-D, AASI, SSV, ATOM, and PVC.
- AI governance
- AI
- payments
- enterprise architecture
Originally shared in the Hawk Nest LinkedIn newsletter.
Related editions
- Stop Putting AI Governance Under IT. Here’s Where It Actually Belongs. Why the most important new function in your enterprise keeps getting filed in the wrong drawer.
- Four Regulators. One Incident. Eighteen Months Too Late. Brussels Has Promised to Make Europe’s Overlapping Cyber Rules Report Once and Share Many. The Single Front Door Arrives in 2028. The NIS2 Audit, the AI Act High-Risk Deadline, and Live DORA Supervision All Arrive This Summer.
- Twenty-Eight Gigawatts. Seven Years. Four Times the Price. Your AI Transformation Was Underwritten on American Power Economics. The Bill Arrives on a European Grid.