02 β€” Academic and Standards Literature on Agentic Payments

"Agentic payments" sits at the intersection of four literatures that, until 2024, rarely spoke to one another: multi-agent systems, payment protocol engineering, decentralised identity, and LLM safety. This section traces that lineage, surveys what has (and has not) been written, and positions the present report against the state of the art as of April 2026.

1. Scope and Methodology of the Review

1.1 Research questions

This section seeks to answer three questions:

  1. What existing academic foundations does the 2024–2026 wave of "agentic payments" protocols build on β€” wittingly or unwittingly?
  2. What has been peer-reviewed, what is only preprint, and what is only industry grey literature?
  3. Where are the research gaps that a serious literature β€” not a press-release corpus β€” still has to fill?

1.2 Search strategy

The review was conducted between 14 and 21 April 2026 and combined four methods:

  • Direct citation verification. Every arXiv identifier suggested in our internal source brief was fetched individually at https://arxiv.org/abs/<id> and the returned abstract was checked against the title, author list and claim being cited. Where the URL returned 404 or an unrelated paper, the candidate was dropped and this is noted explicitly below.
  • Keyword search on arXiv for the terms "agent protocol", "agent communication", "agentic commerce", "agent payment", "verifiable credential agent", "prompt injection agent", "decentralized identifier agent", "HTTP 402 micropayment".
  • Standards tracking against W3C Technical Reports (www.w3.org/TR/), the IETF datatracker (datatracker.ietf.org) and Ethereum EIPs (eips.ethereum.org).
  • Reverse snowballing from industry reports (McKinsey, Kearney, Cloud Security Alliance, BIS) to any academic anchors they cited.

1.3 Inclusion criteria

A paper is in if, and only if, one of the following holds:

  1. It addresses β€” as a central topic β€” authorisation, identity, settlement, or security of payments initiated by autonomous software agents (LLM-driven or otherwise).
  2. It defines a protocol, standard or data model that is directly reused by at least one of the 2025–2026 industry agentic-payment protocols (AP2, ACP, x402, Trusted Agent Protocol, Agent Pay, ERC-8004).
  3. It is a peer-reviewed survey whose scope materially overlaps (a) or (b).

Papers on general LLM agent architectures (ReAct, Toolformer, AutoGPT and successors) are out: they are surveyed exhaustively elsewhere and the questions that matter for payments are authorisation and settlement, not planning.

1.4 Source-tier convention

To discipline ourselves against the reflex of treating every URL as equivalent, we tag every citation with one of four tiers and apply them consistently throughout the report:

Tier Meaning
[PR] Peer-reviewed conference or journal paper
[PP] Preprint (typically arXiv), not yet peer-reviewed
[ST] Formal standard or standards-track draft (W3C REC, IETF RFC, EIP Final)
[GL] Grey literature β€” vendor whitepapers, consultancy reports, blog posts

This matters: as we will show, the vast majority of what is currently written about "agentic payments" is [GL], not [PR] or even [PP]. Conflating the tiers is the single most common failure mode in existing commentary.

2. Pre-LLM Foundations: Thirty Years of Almost-Getting-It

Agentic payments feel novel because LLMs are novel. The problem statement β€” allowing a non-human principal to authorise a payment in a trustworthy, auditable way β€” is not. A brief historical walk is essential because most of today's designs recapitulate, often unknowingly, debates that were had and partially lost in the 1990s.

2.1 EDI and the institutional precedent

Electronic Data Interchange (EDI), standardised through ANSI X12 (1979) and UN/EDIFACT (1987), was the first large-scale system in which software β€” not humans β€” routinely sent legally binding purchase orders and invoices on behalf of firms. EDI solved the authority problem institutionally, not cryptographically: the trading-partner agreement (TPA) was a bilateral legal contract that explicitly accepted machine-generated messages as valid offers. Every AP2 "Intent Mandate" and every ACP SharedPaymentToken is, in its legal substance, a successor to the TPA; the novelty is that the principal is now an individual consumer rather than a corporate purchasing department. This framing β€” that the hard problem is not cryptographic but contractual β€” is one we return to in Section 10.

2.2 DigiCash, Mondex, and the first machine-bearer instruments

David Chaum's DigiCash (1989–1998) and the Mondex card system (1993, later acquired by Mastercard) were the first retail attempts to build payment instruments that could be held and spent by devices, not only by humans. Mondex in particular supported card-to-card transfer with no intermediary β€” effectively an offline bearer protocol. Both failed commercially, but they established two design primitives that reappear, almost unchanged, in today's x402 and Skyfire designs: (i) the principal's authority is embodied in a holder of a cryptographic secret, not in a session with an issuer, and (ii) the privacy of the payer must survive the disintermediation of the bank. The Cloud Security Alliance's 2025 commentary on AP2 explicitly reaches back to Chaum when arguing for Intent-Mandate unlinkability.[^1]

2.3 SET: the cautionary tale

The Secure Electronic Transaction protocol (Visa + Mastercard, 1996) is the direct ancestor of every modern agentic-commerce protocol in one specific respect: it separated the order information (seen by the merchant) from the payment information (seen by the acquirer) using dual signatures, so that the merchant never saw the card number and the bank never saw the basket. ACP's SharedPaymentToken and AP2's split between Cart Mandate and Payment Mandate are architecturally identical. SET's failure (killed by 3-D Secure's operational simplicity) is the cautionary tale: cryptographic elegance loses to operational convenience every time. Any history of agentic payments that does not acknowledge SET is not a history.

2.4 Hal Finney's RPOW and Szabo's smart contracts

Two mid-2000s threads close the pre-LLM lineage. Hal Finney's Reusable Proofs of Work (RPOW, 2004) proposed a server-backed token system whose integrity was verifiable by any client via remote attestation β€” a direct conceptual ancestor of the TEE-attested agent reasoning used in arXiv:2511.15712 (discussed below). Nick Szabo's smart contracts essays (1994–1997) articulated the principle that "a contract is a set of promises embodied in code" and argued for the replacement of trusted intermediaries by protocol-level enforcement. Every time the x402 specification speaks of a "facilitator that cannot rug the payer", it is restating Szabo. We note this not to deify either author but to underline that the design space of agentic payments is old; what is new is only the principal.

2.5 Early machine-payment and agent-commerce experiments

Two specific 1990s papers deserve naming because they anticipated today's discussion with uncanny precision and are, in the authors' view, under-cited:

  • The FIPA Agent Communication Language (FIPA ACL) specifications (1997–2002) defined performatives such as propose, accept-proposal, reject-proposal, request-whenever, which A2A and ACP re-implement with JSON instead of KQML/S-expressions.
  • The Contract Net Protocol (Smith, 1980; re-specified in FIPA00029) defined the bid/award workflow that today's "agent marketplace" proposals (ANP, ERC-8004) implement almost verbatim.

The loss of institutional memory between the multi-agent-systems (MAS) community of 1995–2010 and the LLM-agents community of 2023–2026 is, in our view, the single largest intellectual deficit in the current literature.

3. Standards Foundations

Four standards bodies produced the primitives on which 2025–2026 agentic-payment protocols are actually built. Unusually for a nascent field, the standards are more mature than the academic literature. All of the following are [ST] tier.

3.1 W3C Verifiable Credentials Data Model 2.0

VCDM 2.0 became a W3C Recommendation in 2025 and defines the data model for cryptographically verifiable credentials: issuer, credentialSubject, proof, validFrom/validUntil, and the credentialStatus mechanism for revocation.[^2] AP2's three mandates (Intent, Cart, Payment) are profiles of VCDM 2.0. Notably, VCDM 2.0 does not specify how an agent should be named as credentialSubject: this is left to extension vocabularies, which is why the field is currently fragmenting (see Β§7.2).

3.2 W3C Decentralized Identifiers (DIDs) v1.0

DID Core (W3C Recommendation, 2022) defines a URI scheme (did:<method>:<id>) and a DID Document format that resolves a DID to a set of public keys and service endpoints.[^3] DID methods used in agentic-payment systems today include did:web (domain-anchored), did:key (self-certifying), did:ethr / did:pkh (blockchain-anchored), and a fast-growing set of agent-specific proposals. The Rodriguez Garzon et al. paper discussed in Β§5 argues that no existing DID method adequately captures the "agent acting for a principal" relationship, because every DID Document assumes a single controller.

3.3 IETF RFC 9421 β€” HTTP Message Signatures

RFC 9421 (February 2024) is a Standards Track IETF RFC that specifies how to sign arbitrary components of an HTTP request or response (method, path, selected headers, body digest) using an evolution of the older Signature header work.[^4] It is the cryptographic spine of Cloudflare's Web Bot Auth draft and of Visa's Trusted Agent Protocol. Its importance in the agentic-payments context is that it provides non-repudiation at the HTTP layer, which is the layer at which all agentic-commerce protocols actually speak β€” unlike TLS, whose attestations are ephemeral session-level.

3.4 OpenID for Verifiable Presentations (OID4VP) and GNAP

Two newer authorisation standards matter.

  • OID4VP (OpenID Foundation, 1.0 final 2024) defines how a holder presents verifiable credentials to a verifier using OIDC request flows. AP2's Intent Mandate presentation can be transported via OID4VP although the AP2 reference implementation uses a custom channel.
  • GNAP (Grant Negotiation and Authorization Protocol, RFC 9635, October 2024) is OAuth 2.0's intended successor and explicitly supports asynchronous, multi-step, delegated authorisations across multiple resource servers β€” a far better fit for an agent that must authorise a chain of merchants than OAuth's single-audience model. Despite this fit, no major 2025–2026 agentic-payment protocol has yet adopted GNAP; this is a standards-alignment gap we return to in Β§7.

4. Multi-Agent Systems: The Discarded Lineage

A compressed note, because the MAS literature is enormous and we only need the parts that agentic payments forget to cite.

  • FIPA ACL (2002) and the Contract Net Protocol (Smith 1980; FIPA00029) are the intellectual ancestors of Google's A2A "Agent Card" and of ANP's discovery/negotiation model. Today's designs lose ACL's explicit performative semantics and replace them with free-form JSON, which is why security surveys (e.g. Kong et al. 2025, Β§5 below) repeatedly find that A2A lacks the message-type disambiguation that ACL had by construction.
  • Electronic Institutions (Esteva, RodrΓ­guez-Aguilar, Sierra et al., 2001–2008) provided a formal framework for normative multi-agent interactions, including explicit role contracts, commitments, and sanctions. The AP2 "mandate" is an electronic-institutions commitment in all but name.

No 2023–2026 agentic-payments paper we surveyed cites FIPA ACL, Contract Net, or Electronic Institutions directly. This is the gap mentioned in Β§2.5 operationalised.

5. Contemporary Academic Literature (2023–2026)

This is the part of the review where rigour matters most. We restricted ourselves to eight papers, each personally verified against its arXiv abstract page on 21 April 2026. Where a candidate from our source brief failed verification we say so.

5.1 Greshake et al., "Not what you've signed up for" (2023) [PP β†’ PR]

Citation: Kai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, Mario Fritz, Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection, arXiv:2302.12173, February 2023 (later accepted to AISec '23).[^5]

Summary. The paper introduces the term indirect prompt injection: attackers plant adversarial instructions in data that an LLM-integrated application will retrieve (web pages, emails, documents), and the LLM then executes those instructions as if they came from the user. The authors demonstrate data theft, worming, and API abuse against Bing Chat and GitHub Copilot. They derive a computer-security taxonomy with seven impact classes.

Why it matters for agentic payments. Every single agentic-commerce protocol we examine (AP2, ACP, x402, Trusted Agent Protocol) assumes that the agent faithfully represents the user's intent when signing a mandate or submitting a SharedPaymentToken. Greshake et al. establish that this assumption is, under adversarial conditions, provably false. There is a direct line from this 2023 paper to AP2's decision to make the Intent Mandate a separately signed user artefact rather than an agent-signed message β€” although, as we argue in Β§9, AP2 does not go far enough.

Critique. The taxonomy is pre-tool-calling: it treats the LLM as a reasoner that reads strings, not as an agent that writes to payment APIs. The payments-specific attack surface (mandate spoofing, cart substitution after signing) is not addressed.

5.2 Zhan et al., InjecAgent (2024) [PR]

Citation: Qiusi Zhan, Zhen Liang, Zifan Ying, Daniel Kang, InjecAgent: Benchmarking Indirect Prompt Injections in Tool-Integrated Large Language Model Agents, arXiv:2403.02691 (ACL 2024 Findings).[^6]

Summary. A benchmark of 1,054 test cases across 17 user tools and 62 attacker tools, split into direct user harm and private data exfiltration. Thirty LLM agents are evaluated; ReAct-prompted GPT-4 succumbs 24 % of the time, nearly 50 % under a "hacking prompt" reinforcement.

Why it matters for agentic payments. This is the first paper to quantify injection risk against tool-using agents β€” the exact class to which all payment agents belong. A 24 % attack success rate on GPT-4 implies that, absent architectural defences, roughly one in four agent-initiated payments under adversarial web content could be misdirected.

Critique. The benchmark is synthetic and the attacker tools are rarely payment primitives. No tests involve signing a verifiable credential. An agentic-payments-specific extension of InjecAgent β€” call it InjectPay β€” is an obvious and missing research project (see Β§7.3).

5.3 Yang et al., "A Survey of AI Agent Protocols" (2025) [PP]

Citation: Yingxuan Yang, Huacan Chai, Yuanyi Song et al. (Shanghai Jiao Tong University), arXiv:2504.16736, v3 June 2025.[^7]

Summary. The first systematic survey of LLM-agent communication protocols. It proposes a two-dimensional classification: context-oriented (MCP-style tool invocation) versus inter-agent (A2A-style peer communication), and general-purpose versus domain-specific. Performance is compared across security, scalability, and latency dimensions.

Why it matters. Yang et al. give us the vocabulary β€” still contested, still the best we have β€” for discussing agentic-commerce protocols as a class. AP2 is context-oriented and domain-specific; ACP is inter-agent and domain-specific; x402 is a context-oriented, domain-specific payment layer superimposed on HTTP.

Critique. Payments are barely mentioned: the word "payment" appears in passing. The paper is also a preprint, not peer-reviewed, and its taxonomy is already being revised by the Ehtesham et al. survey (Β§5.4).

5.4 Ehtesham et al., "A Survey of Agent Interoperability Protocols" (2025) [PP]

Citation: Abul Ehtesham et al., A survey of agent interoperability protocols: Model Context Protocol (MCP), Agent Communication Protocol (ACP), Agent-to-Agent Protocol (A2A), and Agent Network Protocol (ANP), arXiv:2505.02279, v2 May 2025.[^8]

Summary. A narrower, more engineering-flavoured survey focused on the four protocols that genuinely have deployment traction. The authors lay out a phased adoption model: MCP (tool access) β†’ ACP-the-IBM-BeeAI-spec (structured messaging; note: not the OpenAI/Stripe ACP) β†’ A2A (collaborative execution) β†’ ANP (decentralised marketplaces).

Why it matters. It is the only paper we found that treats the stack as a stack, and it correctly identifies DID-based discovery (ANP) as the missing rung for cross-organisational agent commerce.

Critique. There is a severe nomenclature collision: the "Agent Communication Protocol" the authors survey is IBM's BeeAI ACP, not the OpenAI/Stripe Agentic Commerce Protocol that shares the same acronym. Any reader relying on keyword search will get the wrong paper. This is not the authors' fault but it is a problem for the field, and we flag it consistently throughout this report.

5.5 Kong et al., Survey of LLM-Driven Agent Communication Security (2025) [PP]

Citation: Dezhang Kong et al., A Survey of LLM-Driven AI Agent Communication: Protocols, Security Risks, and Defense Countermeasures, arXiv:2506.19676, v4 November 2025.[^9]

Summary. A 48-page survey that categorises agent communication into three classes (agent-user, agent-tool, agent-agent), proposes a three-layer communication architecture, and walks attacks layer-by-layer. Experimental vulnerabilities are demonstrated against MCP and A2A reference implementations.

Why it matters. This is currently the most complete security treatment of the protocols on which agentic payments are being built. The layer framework (transport / protocol / semantic) is directly reused in our Β§9 threat model.

Critique. Payments are treated as one possible downstream application; the paper does not examine mandate-spoofing, cart-substitution, or chargeback-abuse classes specific to agentic commerce. A dedicated agentic-payments threat model is still missing from the peer-reviewed literature.

5.6 Vaziry et al., "Towards Multi-Agent Economies" (2025) [PP]

Citation: Awid Vaziry et al., arXiv:2507.19550, July 2025.[^10]

Summary. Proposes extending Google's A2A protocol with (i) on-chain Agent Cards published as smart contracts for tamper-proof discoverability, and (ii) x402 HTTP-402 micropayments as the built-in settlement rail. A proof-of-concept implementation is described.

Why it matters. This is the earliest paper we could verify that composes A2A and x402 β€” that is, that treats agent identity, agent discovery, and agent payment as a single design problem. It anticipates ERC-8004's "Trustless Agents" proposal by about two months.

Critique. The DLT-anchored Agent Card inherits every scalability and privacy limitation of on-chain registries; the paper does not engage seriously with GDPR or with revocation. It is also short on empirical evaluation.

5.7 Rodriguez Garzon et al., "AI Agents with DIDs and VCs" (2025/2026) [PP β†’ PR]

Citation: Sandro Rodriguez Garzon et al., arXiv:2511.02841, v2 December 2025. Accepted for presentation at the 18th International Conference on Agents and Artificial Intelligence (ICAART) 2026.[^11]

Summary. Proposes a conceptual framework in which every agent is issued a long-lived, ledger-anchored W3C DID and a set of third-party-issued W3C Verifiable Credentials. At dialogue onset, agents prove ownership of their DID and exchange VCs to establish differentiated trust β€” analogous to mutual TLS plus an attribute exchange. A prototype is built and evaluated.

Why it matters. It is the first paper to test empirically what AP2 and ANP assume: that DIDs + VCs are sufficient to bootstrap cross-domain agent trust. Notably, the evaluation section "reveals limitations once an agent's LLM is in sole charge to control the respective security procedures" β€” a polite way of saying that LLMs cannot be trusted to operate their own key material.

Critique. The paper is explicit that VC verification logic must live outside the LLM; but it does not specify where exactly (a signer daemon? a TEE? a wallet OS?). The architectural gap between "the LLM plans" and "a trusted signer attests" remains underspecified. This is the single gap to which we devote most attention in Β§9.

5.8 Acharya, "Secure Autonomous Agent Payments" (2025) [PP]

Citation: Vivek Acharya, Secure Autonomous Agent Payments: Verifying Authenticity and Intent in a Trustless Environment, arXiv:2511.15712, November 2025, 6 pages.[^12]

Summary. Sketches a blockchain-based architecture that combines (i) DID/VC-based agent identity, (ii) on-chain intent proofs, (iii) ZK proofs for policy-compliance-without-disclosure, and (iv) TEE attestations for the integrity of agent reasoning. Evaluation is qualitative.

Why it matters. This is, to our knowledge, the first arXiv preprint whose central subject is precisely "autonomous agent payments." That it appeared only in November 2025 β€” two months after Google's AP2 announcement β€” illustrates the lag between industry protocol ships and academic engagement.

Critique. At six pages with no implementation and no threat-model formalism, this is closer to a position paper than a research paper. The ZK-proof design is hand-waved; no succinct circuit or scheme is specified; the TEE side-channel literature is not cited. It is nonetheless the only paper on the exact topic of this report, and as such deserves its citation.

5.9 Candidate papers that failed verification or were excluded

To keep ourselves honest:

  • The MDPI Future Internet survey "AI Agents Meet Blockchain" (2025, 17(2):57) is a genuine article by Karim et al.[^13] but MDPI's server returned HTTP 403 to our fetcher during this review window; we were able to corroborate the metadata via third-party abstracts and its DOI (10.3390/fi17020057) but not inspect the full text. We therefore classify it [PR, unverified full-text] and use only its abstract-level claims.
  • The MDPI Information 2026 paper (17(1):54) on prompt injection could not be reached at all during the review window; we have omitted it rather than cite blind.
  • arXiv:2511.15759 (Ramakrishnan & Balaji, Securing AI Agents Against Prompt Injection Attacks) verified successfully[^14] and is a useful empirical RAG-injection benchmark; we reference it only in passing because its scope is narrower than the InjecAgent benchmark we already cite.

No cited arXiv ID in our source brief returned 404. Two of three candidate MDPI URLs were unreachable from our environment; we flagged this rather than fabricate access.

6. Industry and Consortium Publications (Grey Literature)

Treated explicitly as [GL]. These are important β€” they often precede peer-reviewed work in a fast-moving area β€” but they are marketing documents first and research documents second.

6.1 Cloud Security Alliance

CSA's Secure Use of the Agent Payments Protocol (AP2) (October 2025) is the best of the grey literature: it enumerates threat classes specific to AP2 (mandate replay, cart substitution, agent-principal confusion) and maps them to existing CSA controls.[^15] It is the closest thing to a peer-review of AP2 that exists. It is, however, produced by a vendor consortium whose members include Google and stands to benefit from AP2's adoption; readers should calibrate accordingly.

6.2 McKinsey, Kearney, BCG

McKinsey's Europe's agentic commerce moment (2025)[^16] and Kearney's Agentic payments: a new frontier[^17] are forecast documents. They give us market-size numbers ($ x bn by 2030) which we cite but do not endorse: both firms have a commercial interest in the answer being "large". No methodology appendix is published for either forecast as of this review.

6.3 Linklaters TechInsights

Linklaters' Agentic payments: what are they, what are the legal risks[^18] is the most useful legal-flavoured grey-literature source and is cited substantively in Β§10. It is nonetheless a law firm's marketing vehicle.

6.4 BIS and central-bank commentary

The Bank for International Settlements' Annual Economic Report 2025 discusses agentic commerce briefly in the context of "AI in finance" but does not provide standalone analysis. No central-bank working paper we could find (BIS WP series, ECB WP series, Fed Staff WP) has yet made agentic payments its central subject. This is itself a notable finding (see Β§7).

6.5 Payments-industry press

PaymentsDive, PaymentExpert, Finextra, The Payments Association, and Orium produce useful daily reporting β€” and unavoidable when tracking announcements β€” but we tier every such citation [GL] and never use them as the sole source for a technical claim.

7. Research Gaps

Synthesising §§2–6, we identify seven gaps where no peer-reviewed paper yet exists as of April 2026:

7.1 A formal threat model for agentic payments

No paper formalises the agentic-payments threat model in the style of Dolev–Yao or of the Abadi–Fournet applied-pi calculus. AP2, ACP, and x402 are specified in prose; their security properties are asserted, not proved. A proper formalisation would need at minimum: principal, agent, merchant, PSP, attacker roles; mandate/credential terms; an adversary that can compromise the agent's LLM (via prompt injection) but not the signer, or vice-versa; and properties (intent-integrity, cart-integrity, non-repudiation, unlinkability).

7.2 A unified agent-DID method

Β§3.2 and Β§5.7 both flagged this: no W3C DID method adequately captures the "agent acting for a principal under a scoped mandate" relationship. Proposals exist (Catena Labs' ACK, Skyfire's KYA, Cloudflare's Web Bot Auth keys) but none is yet a W3C Community Group or IETF draft.

7.3 A payments-specific extension of InjecAgent

Discussed in Β§5.2. The benchmark that exists evaluates generic tool-using agents. An agentic-payments-specific benchmark β€” where attacker tools include fake PSPs, fake merchants, and spoofed mandate URLs β€” is missing.

7.4 Empirical data on dispute and chargeback behaviour

No peer-reviewed paper evaluates what happens when an agentic payment goes wrong. Justt.ai's industry post[^19] is the only source; it is vendor-produced.

7.5 Micropayment economics under agentic load

x402 revives HTTP 402. The economic literature on micropayments (Odlyzko 2003, Shirky 2000) predates both programmable money and LLM agents. No new theoretical work integrates the three.

7.6 Delegated authority and contract law

The interaction of agent mandates with the law of agency (US Restatement (Third) of Agency §§2.01–2.03; English common-law actual vs ostensible authority) has been addressed in practitioner commentary (Linklaters; Consumer Bankers Association white paper[^20]) but not in refereed legal scholarship.

7.7 Interoperability testing

There is no published comparative test suite that exercises AP2, ACP, x402, and Trusted Agent Protocol against a common set of commerce flows. Orium's blog[^21] outlines such a comparison editorially; no empirical version exists.

8. How This Report Positions Itself

Given the above, the present report makes four deliberate positioning choices:

  1. We treat the protocol designs as the primary object of study, not the vendor announcements, because the protocol texts are the only thing stable enough to ground a technical comparison. §§03–06 do this at length.
  2. We adopt the Yang et al. taxonomy (Β§5.3) as our initial vocabulary but refine it with the payment-specific distinctions (Intent vs Cart vs Payment mandate; HP vs HNP; MoR retention vs MoR transfer) that no academic paper yet supplies. These distinctions appear in every subsequent section.
  3. We use the Kong et al. three-layer security framework (Β§5.5) as the backbone of our threat-model section (Β§9) and explicitly extend it with agentic-payments-specific attacks (mandate spoofing, cart substitution, PSP impersonation) that the original does not cover.
  4. We flag grey literature as grey literature β€” every time, without exception. Any section of this report that cites a vendor blog without contradicting evidence from a peer-reviewed or standards source should be read with the attendant scepticism.

The honest one-line summary of the field as of April 2026 is: the protocols are ahead of the standards, the standards are ahead of the academic literature, and the academic literature is ahead of the legal literature. Each of those gaps is a research opportunity, and none of them is closed by a single paper we could verify.

Sources

[^1]: Cloud Security Alliance, "Secure Use of the Agent Payments Protocol (AP2): A Framework for Trustworthy AI-Driven Transactions", 6 October 2025. https://cloudsecurityalliance.org/blog/2025/10/06/secure-use-of-the-agent-payments-protocol-ap2-a-framework-for-trustworthy-ai-driven-transactions [^2]: W3C, Verifiable Credentials Data Model v2.0, W3C Recommendation. https://www.w3.org/TR/vc-data-model-2.0/ [^3]: W3C, Decentralized Identifiers (DIDs) v1.0, W3C Recommendation, July 2022. https://www.w3.org/TR/did-core/ [^4]: A. Backman, J. Richer, M. Sporny (eds.), HTTP Message Signatures, IETF RFC 9421, February 2024. https://datatracker.ietf.org/doc/rfc9421/ [^5]: K. Greshake, S. Abdelnabi, S. Mishra, C. Endres, T. Holz, M. Fritz, Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection, arXiv:2302.12173, Feb 2023. https://arxiv.org/abs/2302.12173 [^6]: Q. Zhan, Z. Liang, Z. Ying, D. Kang, InjecAgent: Benchmarking Indirect Prompt Injections in Tool-Integrated Large Language Model Agents, arXiv:2403.02691 (ACL 2024 Findings). https://arxiv.org/abs/2403.02691 [^7]: Y. Yang et al., A Survey of AI Agent Protocols, arXiv:2504.16736, Apr 2025 (v3 Jun 2025). https://arxiv.org/abs/2504.16736 [^8]: A. Ehtesham et al., A survey of agent interoperability protocols: MCP, ACP, A2A, and ANP, arXiv:2505.02279, May 2025. https://arxiv.org/abs/2505.02279 [^9]: D. Kong et al., A Survey of LLM-Driven AI Agent Communication: Protocols, Security Risks, and Defense Countermeasures, arXiv:2506.19676, v4 Nov 2025. https://arxiv.org/abs/2506.19676 [^10]: A. Vaziry et al., Towards Multi-Agent Economies: Enhancing the A2A Protocol with Ledger-Anchored Identities and x402 Micropayments, arXiv:2507.19550, Jul 2025. https://arxiv.org/abs/2507.19550 [^11]: S. Rodriguez Garzon et al., AI Agents with Decentralized Identifiers and Verifiable Credentials, arXiv:2511.02841, v2 Dec 2025 (accepted ICAART 2026). https://arxiv.org/abs/2511.02841 [^12]: V. Acharya, Secure Autonomous Agent Payments: Verifying Authenticity and Intent in a Trustless Environment, arXiv:2511.15712, Nov 2025. https://arxiv.org/abs/2511.15712 [^13]: M. M. Karim, D. H. Van, S. Khan, Q. Qu, Y. Kholodov, AI Agents Meet Blockchain: A Survey on Secure and Scalable Collaboration for Multi-Agents, Future Internet 17(2):57, 2 February 2025. DOI: 10.3390/fi17020057. https://www.mdpi.com/1999-5903/17/2/57 (full text was unreachable from our fetcher during the review window; cited via abstract/DOI only). [^14]: A. Ramakrishnan, A. Balaji, Securing AI Agents Against Prompt Injection Attacks: A Comprehensive Benchmark and Defense Framework, arXiv:2511.15759, Nov 2025. https://arxiv.org/abs/2511.15759 [^15]: Cloud Security Alliance AP2 commentary, op. cit. (n. 1). [^16]: McKinsey & Company, Europe's agentic commerce moment: decision influence is here, execution is coming, 2025. https://www.mckinsey.com/capabilities/quantumblack/our-insights/europes-agentic-commerce-moment-decision-influence-is-here-execution-is-coming [^17]: Kearney, Agentic payments: a new frontier in digital commerce. https://www.kearney.com/industry/financial-services/article/agentic-payments-a-new-frontier-in-digital-commerce [^18]: Linklaters TechInsights, Agentic payments: what are they, what are the legal risks and what's next. https://techinsights.linklaters.com/post/102l0hm/agentic-payments-what-are-they-what-are-the-legal-risks-and-whats-next [^19]: Justt.ai, Agentic Commerce: Preparing for Chargeback and Fraud Risks. https://justt.ai/blog/agentic-commerce-chargeback-risk-preparation/ [^20]: Consumer Bankers Association, Agentic AI, Consumer Payments, and the Future of Regulation (white paper, 2025). https://consumerbankers.com/press-release/cba-releases-white-paper-examining-agentic-ai-consumer-payments-and-the-future-of-regulation/ [^21]: Orium, Agentic Payments Explained: ACP, AP2, and x402. https://orium.com/blog/agentic-payments-acp-ap2-x402