Most weeks in this brief have been about launches: a network shipping a new rail, a stablecoin picking up another partner. This week the more useful story was three separate parties, none of them coordinating, all landing on the same admission. A congressional hearing named the liability gap out loud. A payments executive put a number on how far along this actually is. And a Know Your Agent framework started forming across three different institutions at once. None of it is a product announcement. All of it is the ground truth under every product announcement so far.
A hearing room said the quiet part
The House Financial Services Committee held a hearing on 24 June titled "Future of Payments: Promoting Innovation and Fair Markets," and while most of it concerned bank charters for payments firms, Rep. Bill Foster pushed the panel on what happens when an AI agent initiates a transaction it was not authorised to make [1]. Stripe's vice chair, Eileen O'Mara, argued the risk is contained today because a human still has to authorise the agent, so "it would be impossible for an agent to go rogue." The Bank Policy Institute's Paige Pidano Paridon was less settled, naming the open questions directly: who bears fiduciary responsibility when an autonomous system participates in commerce, and what happens when it executes a payment outside its mandate [1]. Both things can be true. The safeguard exists today because volume is still low. The question does not go away just because it has not been tested yet.
A number for how early this is
Adyen's global head of agentic commerce, Karan Katyal, was asked directly where agentic commerce sits on a scale of zero to five, with five meaning as ordinary as tapping a card. His answer was 0.5 [2]. Asked where it lands in a year, he said 1.5, which triples the current state and still leaves it well short of the midpoint. His diagnosis of what is actually slow: not the model, the plumbing underneath it. Product catalogues built for a webpage do not carry the detail an agent needs to tell two similar items apart, and every checkout still runs into unresolved questions of trust, fraud and who is liable when the agent misreads what it was asked to buy [2].
Know Your Agent, forming in three places at once
The proposed fix is converging on a shared name even though nobody is coordinating it. NIST's AI Agent Standards Initiative, opened in February, is building out agent identity and authorisation work through its National Cybersecurity Center of Excellence [3]. Identity company Socure framed the same gap for the World Economic Forum as a Know Your Agent model built on four capabilities: establishing what an agent is, confirming what it is permitted to do, holding it accountable for every action, and monitoring its behaviour against approved limits [3]. The IMF went further and named the mechanics regulators will likely require: verifiable agent identities tied to legal entities, tokenised authorisation so an agent can spend against a preapproved method without touching the underlying credential, and cryptographic mandates that bind every action to a verifiable scope and limit [3].
The demand did not wait for any of this
Meanwhile the consumer side is already through the door Adyen says is not built yet. Prime Day 2026 pulled in 26.4 billion dollars, up 9.3 percent year over year, and shoppers who arrived via an AI chatbot were 40 percent more likely to complete a purchase than those coming from search, email or social [4]. That is the tension in one line: the conversion advantage for agent-driven traffic is real and measured, while the identity and liability layer underneath it is still, by the industry's own account, at 0.5 out of 5.
Read from the rails
The reason this matters more than another protocol launch is that it is the sequencing question, and payments operations lives or dies on sequencing. You do not get to build the identity layer after volume arrives. Ten years in operations taught me that the control you add after a loss is always more expensive, and more resented, than the one you built before anyone needed it. KYA is being described, correctly, as the KYC of this cycle: a verification standard nobody wants to pay for until the fraud shows up, at which point everybody wishes they had paid for it already.
What I would watch next is not whether a KYA standard gets ratified. It is whether it gets ratified before or after the first agent misfire big enough to force the question in public. Congress named the liability gap this week without closing it. Adyen named the maturity number without hiding it. Neither is a fix. Both are useful, because an operator can only build controls for a gap once someone has agreed the gap exists and said so on the record.
Nobody has closed the liability gap. What changed this week is that a congressional hearing, a payments executive and three standards bodies all named it on the record, in public, in the same fortnight. That is what precedes a fix, not the fix itself.
Sources
- Stripe, Banks Tell Congress Payment Rules No Longer Fit Modern Commerce · PYMNTS (25 Jun 2026)
- Adyen on Agentic Commerce: The AI Was Never the Hard Part · PYMNTS (29 Jun 2026)
- Why It's Time to Know Your Agent · PYMNTS (29 Jun 2026)
- Prime Day Sales Climb 9% as Fatigued Consumers Seek Deals · PYMNTS (28 Jun 2026)
Building in agentic commerce or payments?
This is the intersection I work in. Book thirty minutes and we will scope the build worth doing.
Book an AI consultation