The mandate was supposed to be the answer. Sign once, delegate intent, let the agent handle the rest. Clean pitch, but the architecture underneath is fragmented.
A mandate does not dissolve trust. It relocates it. It then parcels trust out across credential providers, registries, issuers, and challenge systems, with each one holding a different slice of the acceptance decision.
The user leaves the foreground. Who decides whether the mandate actually clears is a separate problem the protocol does not answer in one place.
AP2 teaches the market how to think about this.[1] User intent becomes a signed mandate. The mandate travels across merchants and infrastructure. The trust problem starts to look solved. Proof replaces presence. Authority becomes portable.
But a cleaner framing sits underneath. The mandate does not close the trust problem. It repacks it and hands it to a different set of actors.
Some prior system has to make the signer, the credential, and the verification path acceptable before the mandate can matter at all. W3C's credential model says the same thing in more general terms: a verifier needs a reason to trust the issuer, and where that trust does not already exist, it has to come from somewhere else.[2]
Agentic payments inherit that structure. The mandate is valid inside a trust framework. Creating the framework is a separate problem the mandate cannot solve by itself.
Diagram 1: The mandate is the visible proof object, but clearance still depends on the surrounding actors that validate identity, recognition, instrument scope, and fallback authentication.
The first dependency shows up at the user edge. Cart Mandates and Intent Mandates are signed by the user, often with a hardware-backed key on the device.[1] That signature proves approval of a specific transaction object. Commercial acceptance requires more.
Someone still has to decide that the key belongs to a legitimate user, that the surrounding identity stack is credible, and that the signature is enough to act on. AP2 leaves that root open. Issuers, networks, governments, merchants, and third parties can all anchor it.[1]
Merchant signatures follow the same logic. AP2 requires the merchant to sign the cart it creates, binding product, price, and shipping terms into an object the user later approves.[1] Disputes get a cleaner record from that step. Performance risk does not disappear with it. A signed cart does not deliver a package or honor a refund. What it gives the system is a sharper liability object when performance eventually breaks.
Control starts to concentrate around the credential provider. This is where broad user authority gets converted into something the rails may actually clear, and it is the part of the stack that deserves more scrutiny than the mandate format itself.[1]
Delegated intent becomes an executable payment route at that layer, not before it. A user can approve categories, spending limits, or merchant types. The credential provider still shapes which instrument becomes live, how narrowly it is scoped, and whether extra friction appears before authorization completes.
Power sits there because execution sits there.
Registry design pushes this dynamic into market structure. AP2's short-term trust model relies on curated allow lists and trusted registries for shopping agents, credential providers, and merchants.[1] Open discovery is not doing the hard work. Recognition is. Access to the trust perimeter determines who gets treated as a legitimate participant.
The credential format cannot do that job alone. Someone still has to decide whose credentials count, whose keys are accepted, and which software is allowed to appear in the transaction flow as a valid actor.
Institutional infrastructure keeps its veto even after the mandate arrives. AP2 allows the PaymentMandate to move to the network and issuer so they can see that agentic activity is happening.[1] Visibility does not equal discretion surrendered. Issuers still approve, decline, or challenge on their own terms.
The Agentic Commerce Protocol makes the same boundary explicit from a different direction: merchants still bring their own PSP, and settlement, refunds, chargebacks, and compliance remain merchant-side responsibilities.[3] Standardized authority sits on top of those rails. Whether money moves is still an institutional decision.
Challenge flows expose the limit of the whole architecture. AP2 allows parties in the stack to invoke mechanisms like 3DS2 when risk rises.[1] Agentic commerce does not remove fallback authentication. It delays it. The human leaves the foreground until the stack decides it wants the human back.
Diagram 3: Agentic flow can feel autonomous all the way up to the issuer decision point, but the stack can still split into a normal approval path or a human challenge path.
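The layered acceptance decision described above, as an added sketch that is not AP2 code or part of the original article: a mandate can carry a correct signature and still be declined or challenged at the trust anchor, the registry, the credential provider, or the issuer. All field names, thresholds, and policies are hypothetical, and HMAC-SHA256 stands in for the device's asymmetric signature so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed sample data; every field name and policy here is hypothetical.
# HMAC-SHA256 stands in for the device's asymmetric signature so the example
# runs on the standard library alone.
RECOGNIZED_KEYS = {"key-1": b"constructed-device-key"}  # keys a trust anchor vouches for
REGISTRY = {"agent:shopper-a", "merchant:store-x"}      # curated allow list
SCOPE = {"max_amount": 200, "merchant_types": {"grocery"}}  # credential-provider limits


def sign(mandate, key):
    """Sign the canonical JSON form of the mandate."""
    body = json.dumps(mandate, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issuer_decision(mandate):
    """Hypothetical issuer policy: approve small amounts, challenge the rest."""
    return "challenge" if mandate["amount"] > 100 else "approve"


def clear(mandate, key_id, signature):
    """Return (outcome, deciding_layer) for a presented mandate."""
    key = RECOGNIZED_KEYS.get(key_id)
    if key is None:
        # No trust anchor vouches for this key, so its signature is never evaluated.
        return "decline", "trust anchor"
    if not hmac.compare_digest(sign(mandate, key), signature):
        return "decline", "signature"
    if not {mandate["agent"], mandate["merchant"]} <= REGISTRY:
        return "decline", "registry"
    if (mandate["amount"] > SCOPE["max_amount"]
            or mandate["merchant_type"] not in SCOPE["merchant_types"]):
        return "decline", "credential provider"
    return issuer_decision(mandate), "issuer"


BASE = {"agent": "agent:shopper-a", "merchant": "merchant:store-x",
        "merchant_type": "grocery", "amount": 40}

if __name__ == "__main__":
    key = RECOGNIZED_KEYS["key-1"]
    for change in ({}, {"amount": 150}, {"amount": 250}, {"merchant": "merchant:new"}):
        m = {**BASE, **change}
        print(change, "->", clear(m, "key-1", sign(m, key)))
    # A key no anchor recognizes: signed consistently, but it carries no weight.
    print("unknown key ->", clear(BASE, "key-9", sign(BASE, b"other-key")))
```

Only the first case clears without friction; every other outcome is decided by a layer other than the signature check, even though each of those mandates is correctly signed.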
Market power will not come from owning a mandate format. The mandate is table stakes.
Control gathers around the points where acceptance gets decided, where credentials become usable, and where delegated authority converts into a payment instrument the network will honor. Credential-provider distribution sits closest to execution and therefore carries the most pricing power. Registry access matters because it determines who enters the trust perimeter at all. Issuer approval and challenge routing shape the boundary conditions around both.
Clean proof objects help. Clearance is what the whole stack is actually selling, and the layers closest to clearance are where value accumulates.
The interface got abstracted away. The trust stack did not.
A user can now delegate authority upstream and carry it downstream as an attested object. That is real progress on visibility and scope control. But execution still depends on whether the merchant, PSP, or issuer decides that proof is sufficient under its own policy. The mandate travels farther than the old checkout click. Liability does not travel with it.
The market is not moving from trust to trustlessness. It is moving from implicit consent to explicit trust routing. The attestation layer is converging faster than the resolution layer because permission is simpler than liability. And that gap between what standardizes cleanly and what remains institutional is exactly where the next power structure will form.

