A Layered Authorization Framework for Autonomous Agent Commerce
The rapid proliferation of autonomous AI agents in financial services creates an unprecedented trust gap: existing authorization infrastructure, designed for human-initiated transactions, cannot verify the identity, intent, or decision quality of machine actors operating at scale. This paper introduces the Decision Trust Protocol (DTP), a four-layer authorization framework purpose-built for agent-to-agent and agent-to-merchant commerce on existing card network rails. DTP provides continuous trust verification through: (1) an Orchestration Guardian managing session integrity and budget enforcement; (2) an Identity and Verification layer leveraging W3C Decentralized Identifiers for agent authentication; (3) a deterministic Authorization Engine implementing a ten-step sequential gate pipeline; and (4) a dual-mode Risk Intelligence layer delivering sub-5ms inline decisions with post-authorization deep analysis. We introduce the Know Your Agent (KYA) composite trust score—a weighted metric incorporating trust level, transaction history, decline patterns, and dispute deflection—that enables progressive trust promotion from unregistered to trusted status. The protocol provides a reference mapping to Mastercard DE 48.75 fraud scoring data elements, designed for compatibility with existing issuer infrastructure (scheme certification pending).
Keywords: agentic commerce, authorization protocol, decision trust, agent identity, Know Your Agent, risk scoring, payment infrastructure, autonomous agents, card network integration
The financial services industry stands at an inflection point. McKinsey estimates that agentic commerce—transactions initiated, negotiated, and executed by autonomous AI agents—will generate $3–5 trillion in economic activity by 2030.1 Bain & Company projects that agent-driven commerce will constitute 15–25% of U.S. digital commerce within the same horizon, representing $300–500 billion in transaction volume.2 Morgan Stanley’s more conservative models estimate $190–385 billion, while the broader agentic AI market is projected to expand from $7.84 billion in 2025 to $52.62 billion by 2030.3,4
Yet the infrastructure that will carry these transactions—the global card networks processing over $40 trillion annually—was designed for a fundamentally different paradigm: one human, one card, one decision. Every authorization message, fraud signal, and dispute mechanism assumes a human cardholder who can be authenticated via knowledge factors (PINs, passwords), possession factors (physical cards, mobile devices), or biometric factors (fingerprints, facial recognition). None of these mechanisms extend naturally to autonomous software agents that transact on behalf of humans, organizations, or other agents.
This creates what we term the Agent Trust Gap—the structural inability of current payment infrastructure to answer three fundamental questions about any agent-initiated transaction:
1. Identity: Is this agent who it claims to be, and is it authorized to act on behalf of its principal?
2. Intent: Does this transaction reflect the genuine intent of the principal, or has the agent’s decision-making been compromised, manipulated, or drifted from its mandate?
3. Decision Quality: Is the agent’s reasoning process sound, consistent, and free from adversarial influence?
As Strange and da Costa argue in their analysis of compliance in the AI era, the challenge is not merely technical but structural: existing regulatory frameworks assume human actors making deliberate choices, and the shift to autonomous agents requires entirely new verification paradigms.5 The National Institute of Standards and Technology (NIST) AI Risk Management Framework acknowledges this gap, calling for “contextual, continuous, and composable” risk assessment—precisely the characteristics absent from batch-oriented fraud detection systems.6
This paper presents the Decision Trust Protocol (DTP), a layered authorization framework that closes the Agent Trust Gap by introducing a dedicated Decision Trust Layer between agent orchestration platforms and payment network infrastructure. DTP is designed to be issuer-agnostic, operating as middleware that any card issuer, program manager, or agent platform can integrate without modifying their existing authorization stack.
The payment industry’s approach to transaction security has evolved through three generations: rule-based fraud detection (1990s), machine learning scoring (2000s–present), and real-time behavioral analytics (2015–present). PCI DSS 4.0, mandatory since March 2025, establishes baseline data security requirements but explicitly does not address agent authentication or autonomous transaction verification.9 Mastercard’s DE 48.75 fraud scoring data element provides a standardized mechanism for communicating risk scores within authorization messages, but assumes those scores originate from human-transaction models.10
Kim et al. propose the Agentic Risk Standard (ARS), a framework for quantifying trust in financial AI agents through risk settlement mechanisms.11 While ARS provides a theoretical foundation for agent risk assessment, it operates primarily in cryptocurrency and decentralized finance contexts, requiring blockchain-based settlement that is incompatible with traditional card network infrastructure.
Chen et al.’s TIVA (Transaction Intent Verification for Agents) framework addresses agent payment authentication through blockchain-based verification.13 TIVA introduces important concepts—particularly intent verification and authenticity attestation—but requires fundamental changes to payment infrastructure that limit near-term adoption.
Bholat and Wilkins examine the regulatory implications of agentic AI in finance, arguing that existing supervisory frameworks are “structurally misaligned” with autonomous agent behavior and proposing governance models that emphasize continuous monitoring over point-in-time assessment.12
The NIST AI Risk Management Framework (AI RMF 1.0) and its Generative AI Profile (AI 600-1) establish vocabulary and governance structures for AI risk, organizing risks around the dimensions of governance, mapping, measurement, and management.6,7 Liu et al. propose a layered security assessment model specifically for agentic AI systems, identifying trust boundaries between agent components as critical vulnerability surfaces.14
Park et al. survey decentralized governance approaches for autonomous AI agents, finding that effective governance requires both cryptographic identity (for accountability) and behavioral monitoring (for intent verification)—a dual requirement that informs DTP’s architecture.15
The W3C Decentralized Identifiers (DID) specification provides a standards-based approach to self-sovereign identity that extends naturally to non-human actors.8 DTP adopts the DID:key method with Ed25519 cryptographic keys, enabling agent identity verification without reliance on centralized certificate authorities—a critical property for a protocol intended to operate across multiple issuers and jurisdictions.
Existing approaches address fragments of the agent trust problem: ARS provides risk quantification but requires blockchain settlement; TIVA offers intent verification but demands infrastructure changes; NIST frameworks provide governance vocabulary but not implementation specifics. No existing framework provides a complete, implementable protocol that (a) verifies agent identity, intent, and decision quality; (b) operates on existing card network rails; (c) maps to standard authorization data elements; and (d) supports progressive trust establishment. The Decision Trust Protocol addresses this gap.
DTP implements a four-layer defense-in-depth architecture, where each layer provides independent verification and any layer can halt a transaction. The layers are ordered by evaluation cost, with lightweight checks executing first to minimize latency for legitimate transactions.
| Layer | Name | Function | Latency Budget |
|---|---|---|---|
| 0 | Orchestration Guardian | Session integrity, probing detection, budget enforcement | < 1 ms |
| 1 | Identity & Verification | W3C DID authentication, KYC/KYB passthrough, mandate validation | < 2 ms (cached) |
| 2 | Authorization Engine | 10-step sequential gate pipeline, mandate enforcement, velocity controls | < 5 ms |
| 3 | Risk Intelligence | Dual-mode scoring, signal taxonomy, DE 48.75 mapping | < 5 ms inline |
Table 1. DTP four-layer architecture with latency budgets. Total inline authorization target: < 13 ms end-to-end.
The layered architecture draws on the defense-in-depth principle from information security (ISO/IEC 27001)17 and the layered risk assessment model proposed by Liu et al. for agentic AI systems.14 Each layer maintains independent state and can be upgraded or replaced without affecting adjacent layers—a critical property for a protocol intended to evolve alongside rapidly advancing agent capabilities.
The Orchestration Guardian serves as the outermost defense perimeter, operating at the session level rather than the transaction level. Its purpose is to detect compromised agent sessions before individual transactions are evaluated, thereby preventing entire classes of attacks that transaction-level analysis would miss.
Every agent session is assigned a health grade (HEALTHY, DEGRADED, SUSPICIOUS, COMPROMISED) based on continuous behavioral telemetry. The Guardian monitors three primary signals:
Request cadence analysis detects abnormal timing patterns indicative of automated probing or credential-stuffing attacks. A legitimate agent operating under normal orchestration exhibits predictable request intervals; sudden acceleration or perfectly uniform spacing suggests adversarial control.
Probing detection identifies systematic boundary-testing behavior—for example, an agent methodically incrementing transaction amounts to discover authorization limits, or cycling through merchant category codes to map acceptance policies. The Guardian maintains a sliding window of recent requests and computes a probing likelihood score.
Budget enforcement tracks cumulative session spend against pre-authorized budgets. Unlike transaction-level velocity checks (implemented in Layer 2), session-level budget enforcement catches slow-drip attacks where individual transactions fall below velocity thresholds but aggregate spend exceeds authorization.
The Guardian implements denial pattern tracking that identifies agents exhibiting pathological decline patterns. When an agent’s denial rate exceeds configurable thresholds within a session, the Guardian can downgrade session health, impose additional verification requirements, or terminate the session entirely. This mechanism is particularly important for detecting agents that have been prompt-injected or otherwise manipulated into making transactions the principal did not authorize.
DTP assigns each registered agent a W3C Decentralized Identifier using the DID:key method with Ed25519 public keys encoded in base58btc multicodec format.8 The resulting identifier (e.g., did:key:z6Mk...) is cryptographically bound to the agent’s registration and serves as the canonical identity across all protocol layers.
The choice of DID:key over DID:web or DID:ethr reflects three design priorities: (a) no dependency on DNS or blockchain infrastructure; (b) offline verifiability—any party can verify the DID without network calls; and (c) compatibility with existing PKI practices familiar to financial institutions.
DTP does not perform identity verification directly. Instead, it implements a passthrough model where verification results from licensed KYC/KYB providers are attested and stored as verification credentials linked to the agent’s principal. This approach ensures DTP operates as infrastructure rather than a regulated entity, while still enabling issuers to enforce verification requirements appropriate to their risk appetite.
Each agent is bound to a principal—the human or organization on whose behalf the agent acts. Principals are typed as ORGANIZATION or INDIVIDUAL, with different verification requirements and authorization limits for each. The binding is established at agent registration and cryptographically attested, ensuring that an agent cannot unilaterally reassign itself to a different principal.
The Authorization Engine is the core of DTP, implementing a deterministic ten-step sequential gate pipeline. Each gate evaluates independently and can either approve (pass to next gate), soft-flag (annotate with concern but continue evaluation), or decline (halt pipeline with a specific reason code). The sequential design ensures deterministic, auditable decisions—a critical property for regulatory compliance.
| Step | Gate | Evaluation | Decline Code |
|---|---|---|---|
| 1 | Agent Status | Verify agent is ACTIVE (not suspended/revoked) | AGENT_SUSPENDED |
| 2 | Mandate Validity | Check mandate exists, is active, and not expired | MANDATE_EXPIRED |
| 3 | Amount Limits | Transaction within mandate min/max bounds | AMOUNT_EXCEEDS_LIMIT |
| 4 | MCC Allowlist | Merchant category permitted by mandate | MCC_NOT_ALLOWED |
| 5 | Currency Check | Transaction currency matches mandate allowlist | CURRENCY_MISMATCH |
| 6 | Velocity Controls | Count/amount within time-windowed limits | VELOCITY_EXCEEDED |
| 7 | Cooldown Period | Minimum interval since last transaction | COOLDOWN_ACTIVE |
| 8 | Trust Level Gate | Agent trust level meets mandate minimum | INSUFFICIENT_TRUST |
| 9 | Risk Assessment | Inline risk score below threshold | RISK_SCORE_HIGH |
| 10 | Decision Quality | Intent consistency and reasoning verification | DECISION_QUALITY_LOW |
Table 2. Authorization Engine ten-step gate pipeline with representative decline codes.
A distinctive feature of the DTP pipeline is the decided_early soft-flag pattern. When a gate identifies a concern that is significant but not dispositive (e.g., an amount approaching but not exceeding the mandate limit, or a marginally elevated risk score), it annotates the transaction with a flag rather than declining. Subsequent gates can incorporate these flags into their own evaluation, enabling nuanced decisions that account for the cumulative risk profile of a transaction.
Mandates are the foundational authorization primitive in DTP. A mandate is a structured permission object that specifies what an agent is allowed to do: permitted merchant categories, amount bounds, velocity limits, currency restrictions, temporal validity, and required trust level. Mandates are immutable once activated—modifications require creating a new mandate and deactivating the previous one, ensuring a complete audit trail.
The mandate model draws on the principle of least privilege: agents receive only the permissions necessary for their intended function, and every transaction is evaluated against these explicit boundaries. This stands in contrast to traditional card authorization, where a cardholder’s spending authority is defined implicitly by credit limits and issuer-side rules.
DTP’s risk engine operates in two modes, reflecting the fundamental tension between authorization latency and analytical depth:
Fast-check (inline): Executes within a 5ms budget during the authorization pipeline. Evaluates pre-computed risk signals, velocity aggregates, and cached trust scores to produce an inline risk score. This mode prioritizes speed and is sufficient for the vast majority of transactions.
Deep-analyze (asynchronous): Triggered post-authorization for flagged transactions or on a sampling basis. Performs comprehensive analysis including cross-session behavioral comparison, network graph analysis, and external data enrichment. Results inform future fast-check evaluations and may trigger retrospective actions.
DTP defines seventeen distinct risk signal types organized into four categories: behavioral signals (velocity anomaly, pattern deviation, session irregularity), identity signals (authentication weakness, identity mismatch), transaction signals (amount anomaly, geographic anomaly, MCC anomaly, merchant risk, temporal anomaly), and decision quality signals (intent drift, reasoning degradation, confidence anomaly). Each signal carries a severity classification and a numeric weight used in composite scoring.
Risk signals are aggregated using a logistic saturation function that prevents score explosion from correlated signals:
where raw_sum is the weighted sum of active risk signals. This produces a score in the range [0, 1) with diminishing marginal sensitivity—a critical property that prevents a cascade of individually minor signals from producing a disproportionately high composite score. The logistic function was selected over linear aggregation after empirical testing showed that linear scoring produced excessive false-positive rates when multiple low-severity signals co-occurred.
A key design decision in DTP is a reference mapping to Mastercard’s Data Element 48.75 fraud scoring specification.10 DTP’s risk reason codes are designed to map to DE 48.75 sub-element structures, with the intent that issuers can incorporate DTP risk assessments into their existing authorization message flows. This reference mapping is intended to reduce integration barriers and enable incremental adoption; scheme certification is pending and is not implied by this design.
The tenth and most novel gate in the DTP authorization pipeline is the Decision Quality Assessment—a mechanism for evaluating whether an agent’s transaction request reflects sound, uncompromised reasoning. This addresses a class of attacks and failure modes unique to AI agents: prompt injection, goal drift, adversarial manipulation of the agent’s decision-making process, and emergent behavioral anomalies.
DTP implements a drift-tolerant intent fingerprinting system. Each agent’s transaction history generates a behavioral fingerprint consisting of an anchor component (70% weight)—the stable, long-term behavioral profile—and a drift component (30% weight)—recent behavioral patterns that capture legitimate evolution in the agent’s usage. This weighted blend allows the system to distinguish between natural behavioral evolution and sudden anomalies indicative of compromise.
| Detector | Detection Target |
|---|---|
| Confidence Inflation | Agent expressing abnormally high certainty, potentially masking compromised reasoning |
| Alternatives Collapse | Agent failing to consider alternatives, suggesting tunnel-vision or manipulation |
| Reasoning Length Anomaly | Significant deviation in reasoning complexity from historical baseline |
| Vocabulary Shift | Sudden changes in decision-description vocabulary, potentially indicating prompt injection |
| Amount Escalation | Gradual or sudden increases in transaction amounts beyond historical patterns |
| MCC Drift | Unexplained shifts in merchant category distribution compared to established profile |
Table 3. Decision quality anomaly detectors and their target failure modes.
The composite decision quality score maps to four trust zones, each applying a multiplier to the agent’s effective trust level:
| Zone | Multiplier | Score Range | Action |
|---|---|---|---|
| GREEN | 1.00 | Quality score ≥ 0.75 | Full authorization |
| AMBER | 0.75 | 0.50 ≤ score < 0.75 | Enhanced monitoring |
| RED | 0.50 | 0.25 ≤ score < 0.50 | Reduced limits; deep analysis |
| CRITICAL | 0.25 | Score < 0.25 | Session suspension |
Table 4. Decision quality trust zones with effective multipliers and recommended actions.
DTP introduces the Know Your Agent (KYA) framework as a complement to traditional Know Your Customer (KYC) requirements. While KYC verifies the identity of the human or organizational principal, KYA establishes and continuously updates a trust profile for the agent itself—an entity that has no inherent identity, no credit history, and no reputation prior to registration.
The KYA composite trust score is a weighted metric computed as:
| Symbol | Component | Description |
|---|---|---|
| T | Trust Level (40%) | Ordinal encoding of current trust tier: UNREGISTERED (0.0), REGISTERED (0.33), VERIFIED (0.67), TRUSTED (1.0) |
| H | Transaction History (25%) | Normalized measure of successful transaction volume, subject to logarithmic scaling to prevent gaming through high-frequency low-value transactions |
| D | Decline Rate (20%) | Inverse of the agent’s decline-to-attempt ratio; lower decline rates yield higher scores |
| F | Dispute Deflection (15%) | Ratio of transactions completing without cardholder dispute; reflects alignment with principal intent |
Table 5. KYA composite trust score components and weights.
Agents progress through four trust tiers via a promotion mechanism that requires sustained good behavior across all score components:
UNREGISTERED → REGISTERED: Achieved upon valid agent registration with a verified principal.
REGISTERED → VERIFIED: Requires successful KYC/KYB verification of the principal entity, plus a minimum transaction history demonstrating consistent, low-risk behavior.
VERIFIED → TRUSTED: Requires an extended track record with a decline rate below configurable thresholds and a dispute rate below issuer-defined limits. TRUSTED status unlocks the highest authorization limits and lowest monitoring intensity.
Importantly, trust promotion is non-monotonic: agents can be demoted based on behavioral degradation, elevated dispute rates, or decision quality zone transitions. This dynamic trust model reflects the reality that agent behavior is not static and that continued trust must be earned through continued good performance.
The reference implementation is built as a stateless API service with the following design choices:
Stateless authorization path: All data required for the ten-step pipeline is retrieved at the start of each authorization request. This enables horizontal scaling without session affinity and ensures that any instance can handle any request.
Environment isolation: Production and sandbox environments are fully isolated at the database level, with API key prefixes determining routing. This enables agent developers to test integrations without risk of affecting production data.
Deterministic ID generation: All protocol entities use a structured ID format that encodes entity type, creation time, and uniqueness, eliminating collision risk while enabling efficient time-range queries without secondary indexes.
| Metric | Target | Measured (p99) |
|---|---|---|
| End-to-end authorization latency | < 15 ms | < 13 ms |
| Inline risk scoring | < 5 ms | < 4 ms |
| Agent registration | < 100 ms | < 80 ms |
| Deep risk analysis (async) | < 500 ms | < 350 ms |
| Sanctions/PEP screening (flagged only) | < 200 ms | < 150 ms |
Table 6. Performance targets and measured latencies. Sanctions/PEP screening is invoked only for flagged cases, not per-transaction.
The protocol is designed to scale from single-instance deployments to distributed architectures supporting thousands of transactions per second. Key scaling mechanisms include Redis-backed session state for cross-instance consistency, read-replica database topology for authorization lookups, and an event-driven architecture that decouples synchronous authorization from asynchronous risk analysis.
DTP offers card issuers a path to participate in agentic commerce without building proprietary agent authorization infrastructure. By integrating DTP as middleware, issuers gain agent identity verification, intent validation, and risk scoring capabilities that map directly to their existing authorization message flows. The protocol’s issuer-agnostic design means that competitive advantage shifts from proprietary technology to operational excellence in risk calibration and agent ecosystem management.
The protocol’s deterministic pipeline, comprehensive audit trail, and structured decline codes provide regulators with the transparency required to supervise agent-initiated transactions. Every authorization decision is traceable to specific gate evaluations, risk signals, and trust scores—a level of explainability that contrasts with the opacity of traditional ML-based fraud detection. As Bholat and Wilkins argue, effective regulation of agentic AI in finance requires continuous, contextual monitoring rather than point-in-time assessment12—precisely the model DTP implements.
For developers building commercial AI agents, DTP provides a standardized path to payment capability. The trust ladder model incentivizes good behavior—agents that transact responsibly earn higher trust levels and broader authorization limits—creating a positive feedback loop between agent quality and commercial capability. The sandbox environment enables risk-free integration testing, and the structured API eliminates the need for each agent developer to negotiate bespoke arrangements with payment providers.
Several limitations merit acknowledgment. First, the decision quality anomaly detectors rely on behavioral baselines that require sufficient transaction history to calibrate—newly registered agents operate with reduced sensitivity until their behavioral profiles mature. Second, the protocol currently addresses card-present and card-not-present transactions on Mastercard rails; extension to additional networks and payment modalities represents important future work. Third, the KYA trust score weights were determined through expert judgment and limited empirical testing; large-scale validation across diverse agent populations remains necessary.
Future research directions include: (a) federated trust, where agents’ trust scores are portable across issuers; (b) multi-agent transaction verification, where agent-to-agent commerce requires bilateral trust assessment; (c) adaptive anomaly detection thresholds that self-calibrate based on ecosystem-wide behavioral distributions; and (d) formal verification of the authorization pipeline’s safety properties.
The emergence of autonomous AI agents as economic actors represents the most significant shift in payment infrastructure since the introduction of e-commerce. The Agent Trust Gap—the inability of human-centric authorization systems to verify machine identity, intent, and decision quality—poses a systemic risk to the $3–5 trillion agentic commerce market projected for 2030.
The Decision Trust Protocol addresses this gap through a layered, defense-in-depth architecture that provides continuous trust verification across four complementary dimensions: session integrity, cryptographic identity, deterministic authorization, and adaptive risk intelligence. The protocol’s Know Your Agent framework establishes a new paradigm for agent trust—one based on progressive verification, behavioral consistency, and decision quality rather than static credentials.
Critically, DTP achieves this without requiring modifications to existing card network infrastructure. By providing a reference mapping to Mastercard DE 48.75 data elements and operating as issuer-agnostic middleware, the protocol is designed for incremental adoption—issuers can integrate DTP alongside their existing authorization stacks, gaining agent trust capabilities without disrupting established processes.
As AI agents become ubiquitous participants in commerce, the question is not whether agent-specific authorization infrastructure will be built, but whether it will emerge as fragmented, issuer-specific implementations or as a shared protocol that enables interoperability and consistent trust standards. The Decision Trust Protocol is our contribution toward the latter outcome.
Mandate Labs. "The Decision Trust Protocol: A Layered Authorization Framework for Autonomous Agent Commerce." Version 1.0, May 2026. https://mandatelabs.ai/research/decision-trust-protocol