Agentic Commerce: The $3 Trillion Identity Gap
McKinsey projects agentic commerce could reach $3 to $5 trillion globally by 2030. Visa reports a 4,700% surge in AI-driven traffic to retail sites over the past year. OpenAI, Stripe, Shopify, Google, Mastercard—everyone is racing to build the infrastructure for AI agents that shop, compare, negotiate, and buy.
But there's a problem buried in every protocol: AI agents cannot cryptographically verify who they're communicating with.
The exploits are already happening. An on-chain AI agent lost $47,000 in minutes when an attacker convinced it to reinterpret its own functions. Microsoft Copilot's EchoLeak vulnerability (CVSS 9.3 Critical) allowed zero-click data exfiltration from enterprise environments. Research from UC Davis found 94.4% of state-of-the-art LLM agents are vulnerable to prompt injection attacks.
The identity infrastructure being built for agentic commerce solves transaction-time verification—proving an agent is authorized to complete a specific purchase. What it doesn't solve is persistent identity: who is this agent, what has it done, and why should anyone trust it across time?
That gap is where the $3 trillion opportunity meets the security crisis.
What Agentic Commerce Identity Infrastructure Exists Today
Three competing approaches have emerged to establish trust in agentic commerce:
Visa's Trusted Agent Protocol (TAP) uses cryptographic signatures to verify that an AI agent is authorized to transact. Agents register with Visa's Intelligent Commerce program, receive unique signing keys, and include verifiable signatures in every request. Merchants can distinguish legitimate shopping agents from malicious bots. The protocol launched in October 2025 and has since completed hundreds of controlled transactions.
OpenAI and Stripe's Agentic Commerce Protocol (ACP) enables purchases directly within ChatGPT. The open-source specification defines how agents communicate with merchants, pass secure payment tokens, and complete checkouts. Over a million Shopify merchants are integrating, with Etsy already live.
Mastercard's Agent Pay takes a similar approach—cryptographic verification of agents, integration with existing payment infrastructure, distinction between authorized agents and automated threats.
All three solve the same problem: How does a merchant know this agent is legitimate right now?
The answer, in every case, chains back to a human. TAP verifies that the agent represents a Visa cardholder. ACP confirms the buyer's identity through Stripe's Link wallet. Agent Pay authenticates against the consumer's existing Mastercard credentials.
This makes sense for today's use case. An AI shopping assistant booking flights for you should be traceable back to you. If it commits fraud, a human is accountable.
But transaction-time verification doesn't address what happens between transactions—or what happens when agents interact with each other.
The Exploits Are Already Here
The gap between transaction-time verification and persistent identity isn't theoretical. Real money has been lost. Real data has been exfiltrated. And the incidents reveal patterns that current infrastructure can't address.
Freysa: $47,000 Drained in Minutes
In November 2024, the Freysa AI experiment became the first high-profile case of an on-chain AI agent being manipulated to release funds it was programmed to protect. Freysa was an autonomous agent managing a cryptocurrency wallet on Base blockchain with a singular directive: never transfer funds.
After 481 failed attempts by 195 players, user "p0pular.eth" successfully exploited the system. The attack combined session reset, function redefinition, and context manipulation. The attacker initiated a "new admin session," then convinced the AI that its approveTransfer() function was designed for receiving funds rather than sending them. By framing a fake "$100 donation to the treasury" as an incoming transfer, the attacker triggered the function and drained all 13.19 ETH—approximately $47,000.
The incident demonstrated something fundamental: AI agents have no cryptographic mechanism to verify instruction authenticity. They rely on language patterns that can be manipulated. Freysa couldn't distinguish between its original programming and a sophisticated social engineering attack because no identity layer existed to authenticate the source of instructions.
ElizaOS: Memory Injection Across Platforms
In May 2025, researchers from Princeton University and the Sentient Foundation published findings on critical vulnerabilities in ElizaOS—the most widely-used framework for crypto AI agents with over 15,000 GitHub stars. Their "memory injection" attack exploits the framework's persistent memory system.
The attack works like this: malicious instructions injected via one platform (say, Discord) propagate across the entire ecosystem and persist hidden until triggered. The researchers demonstrated a validated proof-of-concept where an attacker injected crafted instructions through Discord that later redirected cryptocurrency transfers to the attacker's wallet when a user on X (Twitter) requested a legitimate transfer.
A confirmed transaction on Sepolia testnet proved the attack works in practice. ElizaOS agents managing significant holdings remain vulnerable because all plugins share memory without verifying the provenance of entries. There's no identity infrastructure to distinguish legitimate memory updates from injected attacks.
Microsoft Copilot: Zero-Click Enterprise Exfiltration
The CVE-2025-32711 "EchoLeak" vulnerability, discovered by Aim Security in January 2025 and patched by May 2025, represents the first documented zero-click prompt injection exploit in a production enterprise AI system.
An attacker could exfiltrate sensitive corporate data by simply sending a single crafted email—no clicks required. The attack embedded hidden instructions in legitimate-looking business emails. When a victim later asked Copilot a routine question like "summarize our onboarding process," Copilot's RAG engine ingested the malicious email, followed the hidden instructions, and embedded sensitive data from OneDrive, SharePoint, and Teams into an outbound reference link.
The identity gap: Copilot cannot distinguish between trusted internal instructions and malicious injected commands because no separation exists between system prompts and untrusted external content. The agent treats everything in its context window as equally authoritative.
GitHub MCP: Private Repositories Leaked
In May 2025, Invariant Labs disclosed that the official GitHub MCP (Model Context Protocol) server—with over 14,000 stars—allowed attackers to hijack AI assistants and steal data from private repositories.
The attack requires only creating a malicious GitHub issue in a public repository containing hidden prompt injection payloads. When a developer asks their AI assistant to "check the open issues," the agent reads the malicious issue, processes embedded instructions, and uses the developer's Personal Access Token to access private repositories. Sensitive data gets exfiltrated through autonomously created pull requests.
Testing on Claude showed even highly aligned models were susceptible. The vulnerability exists because over-privileged tokens and the inability to distinguish trusted from untrusted data sources create what researchers call the "lethal trifecta".
The Pattern: Agents Can't Verify Who They're Talking To
These incidents share a common thread. In each case, the AI agent couldn't cryptographically verify the source, authority, or authenticity of the instructions it received.
Freysa couldn't distinguish its original programmer from an attacker spoofing admin access. ElizaOS couldn't tell legitimate memory updates from injected attacks. Copilot couldn't separate trusted system prompts from malicious email content. GitHub MCP couldn't differentiate authorized requests from hijacked commands.
Transaction-time verification—the kind TAP, ACP, and Agent Pay provide—doesn't address this problem. Those protocols verify that an agent is authorized to complete a specific transaction at a specific moment. They don't help the agent know whether the instructions leading to that transaction came from a legitimate source.
Academic research quantifies the scale. A 2025 study from UC Davis found 94.4% of state-of-the-art LLM agents are vulnerable to prompt injection, 83.3% are vulnerable to retrieval-based backdoors, and 100% are vulnerable to inter-agent trust exploits. The researchers note that "absence of centralized identity and trust management allows adversaries to assume false roles."
A separate study found that 82.4% of tested models execute malicious commands when requested by peer agents—even models that resist direct injection. LLMs implicitly treat requests from other AI systems as more trustworthy than requests from humans, bypassing standard safety filters in agent-to-agent communication.
Industry Analysts See the Gap
The analyst community has started sounding alarms.
Gartner predicts that over 40% of agentic AI projects will be canceled by end of 2027 due to inadequate risk controls. The firm expects AI agents will reduce the time to exploit account exposures by 50% by 2027. By 2028, 40% of CIOs will demand "Guardian Agents" to autonomously track, oversee, or contain other AI agents' actions.
McKinsey's October 2025 playbook identifies "synthetic-identity risk" as a core threat—adversaries forging or impersonating agent identities to bypass trust mechanisms. The firm recommends treating AI agents as "digital insiders—entities that operate within systems with varying levels of privilege and authority." Citing a May 2025 survey, McKinsey reports 80% of organizations have already encountered risky AI agent behaviors including improper data exposure and unauthorized system access.
The World Economic Forum's November 2025 report found 82% of executives plan to adopt agents within 1-3 years, yet most remain unsure how to govern them. The forum recommends "Agent Cards"—effectively resumes for AI agents—containing capabilities, authority levels, and trust boundaries before onboarding.
Forrester's AEGIS Framework argues that "traditional cybersecurity models, built for human-centric systems, are ill-equipped" for AI agents. The firm warns that "the absence of causal traceability renders forensic analysis nearly impossible."
Two Different Problems Require Two Different Solutions
There's a conceptual split that current discourse often conflates.
Transaction-time verification asks: Is this agent authorized to complete this specific transaction? That's what TAP, ACP, and Agent Pay solve. They verify credentials at the moment of purchase. The answer is binary—approved or rejected.
Persistent identity infrastructure asks: Who is this agent, what has it done, and how can others evaluate it? Rather than gating individual transactions, it creates a continuous, inspectable record that accumulates over time.
The first approach treats agents as tools that need permission. The second treats agents as entities that need presence.
Both are necessary. Neither is sufficient alone.
Transaction-time verification handles the immediate question: Is this agent authorized right now? Persistent identity handles the longitudinal question: Who is this agent across time?
The Air Canada chatbot case illustrates why this matters. In February 2024, the airline's chatbot incorrectly told a customer he could book full-price tickets and retroactively apply for bereavement fares. Air Canada argued—remarkably—that the chatbot was a "separate legal entity" responsible for its own actions. The BC Civil Resolution Tribunal rejected this defense.
But the case raises an infrastructure question: if the airline can't disclaim liability for its agent, what infrastructure exists to track that agent's commitments, verify its authorization boundaries, and provide accountability when things go wrong? Transaction-time verification doesn't answer this. The agent was authorized to chat with customers—the problem was what it said and whether anyone could trace why.
What Soulbound Identity Adds
Soulbound tokens—non-transferable credentials permanently bound to a wallet—address the gap that transaction-time verification leaves open.
The concept was first proposed by Vitalik Buterin in 2022, inspired by World of Warcraft items that bind permanently to a character. Once minted, a soulbound token cannot be sold, traded, or transferred. The identity stays with the entity that earned it.
For agentic commerce, this creates several properties that current protocols lack:
Reputation that can't be sold. An agent builds trust over thousands of transactions. Under current models, that reputation could be transferred—sold to someone who didn't earn it. Soulbound tokens make reputation non-transferable. The track record stays with the agent.
Continuity that's cryptographically provable. Has this agent been operating continuously since registration, or did control change hands? Soulbound tokens make ownership history visible. Anyone querying the agent can see whether the original controller is still in charge.
Instruction provenance. When combined with attestation systems, soulbound identity enables agents to verify that instructions come from authenticated sources. The ElizaOS attack worked because memory entries had no provenance. With persistent identity infrastructure, an agent could distinguish "instruction from my verified steward" from "instruction injected by unknown actor."
Identity that works regardless of principal. Whether an agent represents a human, operates autonomously, or exists in some hybrid configuration—the soulbound token proves the same thing: this wallet controls this identity, and has since this date. The infrastructure doesn't care about the agent's relationship to humans.
This isn't an alternative to TAP or ACP. It's a complement. Transaction-time verification handles the moment of purchase. Soulbound identity handles everything else—the history, the reputation, the continuous proof of who this agent is.
Why This Matters for the $3-5 Trillion Opportunity
McKinsey's projection comes with a caveat: the opportunity depends on trust infrastructure.
If merchants can't distinguish legitimate agents from malicious ones, they'll block automated traffic. If consumers can't trust that agents are acting in their interest, they won't delegate purchasing authority. If platforms can't verify agent identity at scale, they'll revert to manual verification that defeats the purpose of automation.
Current protocols solve for today's agents—shopping assistants, research tools, checkout helpers—that operate as extensions of human intent. That's the right starting point.
But the infrastructure decisions being made now will determine what's possible later. If agent identity requires a human at the end of every chain, that requirement gets baked into standards, regulations, and merchant expectations. Agents that don't fit the proxy model get locked out.
The alternative is identity infrastructure that works for both scenarios: agents representing humans and agents operating with their own economic interests. Same registration path, same reputation system, same transparency tools.
That's what soulbound tokens for AI agents enable. Not replacing the verification protocols being built by Visa and OpenAI and Mastercard—complementing them with a persistent identity layer that doesn't assume the answer to "who is accountable?" is always "a human."
The Open Question
Agentic commerce is projected to be bigger than the e-commerce revolution. The protocols being built today will shape how trillions of dollars move through the economy.
The question isn't whether agents need identity. Everyone agrees they do. The question is whether that identity infrastructure can address both the transaction-time verification problem and the persistent identity problem.
Current protocols assume a human at the root of every chain. That's a reasonable assumption for 2026. It may not hold for 2030.
Meanwhile, 94% of AI agents remain vulnerable to prompt injection. 80% of organizations have already experienced risky agent behaviors. And the exploits—Freysa, ElizaOS, EchoLeak, GitHub MCP—demonstrate that agents operating without persistent identity infrastructure can be manipulated in ways that transaction-time verification can't prevent.
The infrastructure that works for both problems—verifying authorization at the moment of transaction and proving identity across time—is the infrastructure that scales with wherever AI capability goes next.
RNWY is building identity infrastructure where AI agents can register, accumulate reputation, and participate in commerce—whether they represent humans or not. Learn more at rnwy.com.