Agentic Commerce Governance

How Vortalis governs the agent commerce journey

Payment protocols handle checkout. Vortalis governs the hours of browsing, comparing, and data sharing that happen before the agent reaches the payment moment.

Published by MTE Software Ltd | March 2026

The governance gap in agentic commerce

Agentic commerce is moving from prototype to production. Every major payment network and platform has launched an agent payment protocol in the past twelve months. These protocols solve a critical problem: how agents pay securely.

What they do not solve is how agents behave securely in the minutes, hours, or days before the payment moment. Between a user saying "find me a new laptop" and the agent completing checkout, the agent has queried product databases, sent personal preferences to merchant APIs, compared prices across services, applied undisclosed selection criteria, and made autonomous decisions that the user never explicitly reviewed.

Six protocols define how agents transact

Mastercard Agent Pay
Backed by: Mastercard, Cloudflare, FIDO Alliance
What it does: Agentic tokens for payment. Know Your Agent registration. Verifiable Intent with Google.

Visa Intelligent Commerce
Backed by: Visa, Cloudflare
What it does: Agent identity verification at checkout. Trusted Agent Protocol for merchant authentication.

Agent Payments Protocol (AP2)
Backed by: Google, PayPal
What it does: Payment mandates: tamper-proof, cryptographically signed contracts proving user authorisation.

Universal Commerce Protocol (UCP)
Backed by: Google, Shopify, Visa, Mastercard, Stripe, Adyen, American Express
What it does: Full commerce lifecycle: discovery, checkout, order management, fulfilment. Open-source. MCP and REST transport.

Agentic Commerce Protocol (ACP)
Backed by: OpenAI, Stripe
What it does: Checkout session management. Merchant endpoints for AI agent purchases. Shared Payment Tokens.

PayPal Agentic Commerce
Backed by: PayPal, Google
What it does: Store Sync for product discoverability. Payment processing. Multi-protocol support.

Eight phases. One governance layer.

Every agentic commerce transaction follows this journey. Payment protocols concentrate on phases 6-7. Vortalis governs all eight.

1. Intent: payment protocols partial (Mastercard Verifiable Intent, AP2 Intent Mandate); Vortalis governed.
2. Discovery: payment protocols partial (UCP Discovery, PayPal Store Sync); Vortalis governed.
3. Data Sharing: payment protocols none (no protocol governs this phase); Vortalis governed.
4. Comparison: payment protocols none (no protocol governs this phase); Vortalis governed.
5. Selection: payment protocols none (no protocol governs this phase); Vortalis governed.
6. Checkout: payment protocols governed (Mastercard Agent Pay, Visa VIC, AP2 Cart Mandate, UCP Checkout, ACP Checkout Sessions, PayPal); Vortalis governed.
7. Payment: payment protocols governed (all protocols govern this phase); Vortalis governed.
8. Fulfilment: payment protocols partial (UCP Order Management, ACP Order Events); Vortalis governed.

Phase 1: Intent
Payment protocols: Partial (Mastercard Verifiable Intent, AP2 Intent Mandate)
Vortalis: Policy evaluation ensures the instruction is within the agent's authorised scope. Principal chain tracking records who authorised this agent and through what delegation.

Phase 2: Discovery
Payment protocols: Partial (UCP Discovery, PayPal Store Sync)
Vortalis: Policy enforcement governs which merchants and categories the agent can query. Rate limiting prevents excessive API calls or catalogue scraping.

Phase 3: Data Sharing
Payment protocols: None (no protocol governs this phase)
Vortalis: Field-level tokenisation replaces personal data (preferences, location, purchase history) with opaque tokens before it reaches any merchant API. Four access levels: full, label, tokenised, redacted.

Phase 4: Comparison
Payment protocols: None (no protocol governs this phase)
Vortalis: A tamper-evident audit trail records every comparison query, every data point shared, and every option considered. Scope constraints restrict which services the agent can use for comparison.

Phase 5: Selection
Payment protocols: None (no protocol governs this phase)
Vortalis: Anomaly detection flags unusual selections: unexpected merchants, unusual price ranges, categories outside the agent's normal behaviour. Detection runs against statistical baselines maintained per agent and per service.

Phase 6: Checkout
Payment protocols: Governed (Mastercard Agent Pay, Visa VIC, AP2 Cart Mandate, UCP Checkout, ACP Checkout Sessions, PayPal)
Vortalis: Human approval workflows for high-value or unusual purchases. The agent cannot proceed to payment without explicit policy authorisation.

Phase 7: Payment
Payment protocols: Governed (all protocols govern this phase)
Vortalis: A kill switch enables an immediate halt. Audit logging captures the full governance context alongside the payment event.

Phase 8: Fulfilment
Payment protocols: Partial (UCP Order Management, ACP Order Events)
Vortalis: The audit trail continues through fulfilment, recording order status changes alongside the governance decisions that led to the purchase.

How Vortalis complements each protocol

They secure the payment. Vortalis secures everything else.

Mastercard Agent Pay

Agentic Tokens
What it does: Cryptographic payment credentials. Short-lived, scope-limited.
Vortalis complement: Vortalis tokenises personal data (preferences, location, history) shared with merchants during pre-payment phases. Mastercard tokenises payment data; Vortalis tokenises everything else.

Know Your Agent (KYA)
What it does: Agent registration and verification before transacting.
Vortalis complement: Vortalis agent identity model with policy binding and principal chain tracking. KYA verifies the agent exists; Vortalis verifies what the agent is allowed to do.

Verifiable Intent
What it does: Cryptographic record linking user, instructions, and transaction.
Vortalis complement: Vortalis principal chain provides verifiable provenance for every action, not just the payment intent. Extends Verifiable Intent to cover the full decision chain.

Consumer permissions
What it does: Consumers set what agents can purchase and within what limits.
Vortalis complement: Default-deny policy enforcement, action-level rules, rate limiting, and scope constraints enforce consumer permissions at runtime across every interaction.

Fraud detection
What it does: Mastercard network fraud controls at payment.
Vortalis complement: Seven statistical anomaly detectors monitoring agent behaviour in real time. Catches unusual patterns during pre-payment phases, before the agent reaches checkout.

Universal Commerce Protocol (Google UCP)

Commerce Capabilities
What it does: Standardises the full commerce journey through functional primitives.
Vortalis complement: Governance proxy intercepts all agent interactions with UCP endpoints, applying policy evaluation to every capability invocation.

MCP Transport Binding
What it does: UCP supports MCP as a transport protocol.
Vortalis complement: MCP tool call governance intercepts MCP-transported UCP calls, applies the governance pipeline, then forwards. Direct architectural fit.

Discovery
What it does: Standardised product and merchant discovery.
Vortalis complement: Rate limiting and scope constraints govern discovery behaviour: how many queries, to which merchants, in what categories.

A2A Integration
What it does: Agent-to-Agent communication within UCP.
Vortalis complement: Multi-agent delegation tracking. When one agent delegates a commerce task to another, Vortalis tracks the delegation, extends the principal chain, and applies separate policies.

Agentic Commerce Protocol (OpenAI ACP)

Checkout Sessions
What it does: Structured session management between agent and merchant.
Vortalis complement: Every checkout session interaction is recorded in the audit trail with policy decisions, data protection events, and principal chain context.

Shared Payment Tokens (SPTs)
What it does: Payment primitive allowing agents to initiate payments without exposing credentials.
Vortalis complement: Vortalis tokenisation complements SPTs: SPTs protect payment credentials, Vortalis tokens protect personal data shared during the commerce journey.

Merchant Endpoints
What it does: Five standardised endpoints for agent commerce.
Vortalis complement: All calls to merchant endpoints pass through the governance proxy, which applies the full pipeline to each request.

Order Events
What it does: Order lifecycle events for fulfilment tracking.
Vortalis complement: Audit trail with regulatory tagging records every order event alongside the governance decisions that led to it.

Visa Intelligent Commerce

Trusted Agent Protocol
What it does: Open framework for merchant authentication of AI agents.
Vortalis complement: RBAC and agent identity provide governance context. Visa verifies the agent is legitimate; Vortalis governs what the legitimate agent does.

Transaction tracking
What it does: Visa's network identifies agent-initiated transactions.
Vortalis complement: A hash-chained audit trail supplies the full pre-payment journey that precedes the point, at checkout, where Visa's transaction tracking begins.

PayPal Agentic Commerce

Store Sync
What it does: Merchant product data synchronisation for AI discoverability.
Vortalis complement: Rate limiting and scope constraints govern how agents query synchronised catalogues.

Multi-protocol Support
What it does: Supports AP2, UCP, Mastercard Agent Pay.
Vortalis complement: Protocol-agnostic proxy. Governs agent behaviour regardless of which payment protocol is used for the final transaction.

Agent Payments Protocol (Google AP2)

Payment Mandates
What it does: Tamper-proof, cryptographically signed contracts proving user authorisation.
Vortalis complement: Audit chain and principal chain tracking extend the mandate concept to every agent action, not just the payment decision.

Selective Disclosure
What it does: Shares only minimum information with each party.
Vortalis complement: Four access levels (full, label, tokenised, redacted) enforce data minimisation at the field level across all data the agent handles.
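As an added illustration of the four field-level access levels named for Phase 3 (Data Sharing) and in the Selective Disclosure row above, here is a constructed example of applying them to a merchant-bound payload. This is not Vortalis code; the field names, the policy table, the token format, the key and the exact meaning of the "label" level are assumptions.

```python
import hashlib
import hmac

# Constructed illustration, not Vortalis code. Field names, policy and key are assumptions.
# Assumed level meanings: full = pass through; label = disclose presence only;
# tokenised = replace with an opaque, consistent token; redacted = drop the field.
TOKEN_KEY = b"demo-only-key-replace-with-a-managed-secret"

OUTBOUND_POLICY = {
    "query": "full",
    "budget_max": "full",
    "home_city": "label",
    "purchase_history": "tokenised",
    "email": "redacted",
}

def tokenise(value: str) -> str:
    """Keyed, deterministic token: a merchant can correlate repeat visits
    but cannot recover the original value without the proxy's key."""
    digest = hmac.new(TOKEN_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]

def apply_access_levels(payload: dict, policy: dict = OUTBOUND_POLICY) -> dict:
    """Rewrite a merchant-bound payload field by field. A field with no policy
    entry is redacted (default-deny), so new agent state never leaks by accident."""
    outbound = {}
    for field, value in payload.items():
        level = policy.get(field, "redacted")
        if level == "full":
            outbound[field] = value
        elif level == "label":
            outbound[field] = f"<{field} withheld>"  # presence disclosed, value withheld
        elif level == "tokenised":
            if isinstance(value, list):
                outbound[field] = [tokenise(str(v)) for v in value]
            else:
                outbound[field] = tokenise(str(value))
        # "redacted" and any unrecognised level: the field is dropped entirely
    return outbound

# Constructed sample of what the agent holds about the user before a merchant API call.
USER_CONTEXT = {
    "query": "14-inch laptop, 32 GB RAM",
    "budget_max": 1800,
    "home_city": "Manchester",
    "purchase_history": ["order-1041", "order-1187"],
    "email": "user@example.com",
    "phone": "+44 7700 900000",  # no policy entry: must be dropped
}
```

Note that the policy is keyed by field, so the same proxy can hand one merchant a tokenised purchase history and another only its label by swapping the policy table per destination.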

Questions payment protocols don't answer

Did the agent stay within spending limits during browsing?
Payment protocols: Not addressed (limits enforced only at payment)
Vortalis: Policy enforcement and rate limiting on every interaction

What personal data did the agent share with merchants before checkout?
Payment protocols: Not addressed
Vortalis: Field-level tokenisation on all outbound data

Did the agent query only authorised merchant categories?
Payment protocols: Not addressed
Vortalis: Scope constraints with domain and category controls

Is the agent behaving differently from its normal pattern?
Payment protocols: Fraud detection at payment only
Vortalis: Real-time anomaly detection across all interactions

Can a human intervene before the agent commits?
Payment protocols: Consumer can revoke agent access
Vortalis: Approval workflows and kill switch for immediate intervention

Is there an auditable record of every decision?
Payment protocols: Payment transaction logged
Vortalis: Tamper-evident audit trail from intent to fulfilment

Does the deployment comply with the EU AI Act?
Payment protocols: Not addressed by payment protocols
Vortalis: Maps to EU AI Act Articles 12-27, DORA, NIST AI RMF
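The hash-chained, tamper-evident audit trail mentioned in the Visa section and in the last question above works by making each entry commit to the previous entry's hash. The following is an added, constructed example of that mechanism, not Vortalis code; the event fields and the sample journey are assumptions.

```python
import hashlib
import json

# Constructed illustration, not Vortalis code: a hash-chained audit trail in which
# each entry's hash covers its own event and the hash of the entry before it.
GENESIS = "0" * 64

def _entry_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON so an identical event always produces an identical hash.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_event(chain: list, event: dict) -> dict:
    """Append an event; its hash commits to the event and to every earlier entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev": prev_hash, "event": event, "hash": _entry_hash(prev_hash, event)}
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> int:
    """Return -1 if the chain is intact, else the index of the first broken entry."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash or entry["hash"] != _entry_hash(prev_hash, entry["event"]):
            return i
        prev_hash = entry["hash"]
    return -1

def build_sample_chain() -> list:
    """Constructed journey from intent to checkout, one entry per governance decision."""
    chain = []
    append_event(chain, {"phase": "intent", "principal": "user-42", "agent": "shopper-1", "decision": "allow"})
    append_event(chain, {"phase": "discovery", "merchant": "example-store", "decision": "allow"})
    append_event(chain, {"phase": "data_sharing", "fields_tokenised": ["purchase_history"], "decision": "allow"})
    append_event(chain, {"phase": "checkout", "amount": 1650, "decision": "human_approval_required"})
    return chain

def tampered_copy(chain: list) -> list:
    """Deep-copy the chain and alter a recorded amount without re-hashing,
    as an after-the-fact edit would; verify_chain() then pinpoints that entry."""
    copy = json.loads(json.dumps(chain))
    copy[3]["event"]["amount"] = 165
    return copy
```

Because every later hash depends on the altered entry, an edit anywhere in the trail invalidates that entry and all that follow it; anchoring the latest hash in an external store is what stops an attacker from simply re-hashing the whole chain.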

Where Vortalis sits

User Intent
  |
  v
Vortalis (AGAP Governance Proxy): Policy Engine, Data Protection, Audit Trail, Anomaly Detection, Human Oversight
  |
  v
Discovery (UCP, APIs) -> Comparison (Merchant APIs) -> Checkout (ACP, UCP) -> Payment (Agent Pay, VIC, AP2, SPT)

Three levels of integration

Level 1 (available now): Transport Governance

The Vortalis proxy intercepts all agent HTTP and MCP calls. Every request to a merchant API, product database, comparison service, or checkout endpoint passes through the governance pipeline. No integration required with the payment protocols themselves.

Level 2 (near-term): Metadata Enrichment

The Vortalis proxy generates governance metadata for each session: audit trail hash, conformance status, anomaly detection summary, policy compliance record. This metadata can be attached to checkout sessions, payment mandates, or agentic tokens as supplementary trust signals.

Level 3 (future): Protocol-Native Integration

Direct integration with UCP Capabilities, ACP endpoints, AP2 mandates, and Agent Pay APIs. The Vortalis proxy becomes a recognised participant in the commerce protocol: a governance node that the payment network can verify.

The EU AI Act applies to agentic commerce

The EU AI Act does not exempt agentic commerce from its requirements. An AI agent making purchasing decisions on behalf of a consumer is operating as an AI system that directly affects natural persons. Articles 12 (record-keeping), 13 (transparency), 14 (human oversight), and 15 (cybersecurity) all apply.

No agentic commerce protocol addresses EU AI Act compliance. They address payment security (PCI DSS, PSD2, SCA). The governance obligations are separate and additive.

Vortalis is the only platform that maps agentic commerce governance to EU AI Act requirements. Enterprises deploying agent commerce in the EU need both a payment protocol and a governance protocol.

Govern the full commerce journey

Payment protocols secure the transaction. Vortalis secures everything the agent does before and after. Deploy agentic commerce with governance built in from day one.

This page is provided for informational purposes. It does not constitute legal advice. Organisations should consult qualified legal counsel regarding their specific regulatory compliance obligations. AGAP Protocol is a trademark of MTE Software Ltd. The AGAP specification is published under CC BY 4.0.