Gemini_Generated_Image_whtlsowhtlsowhtl.png

Delegate. Don’t Abdicate.

Why Arbiter Is the Policy Layer Agentic Commerce Is Missing

By LangGuard · June 2026

Agentic commerce is not coming. It is already here.

ChatGPT processes 50 million shopping queries daily. During Black Friday 2025, AI-driven traffic to retail sites surged 805% year-over-year. Shopify reports orders from AI-powered searches grew 15x year-over-year through 2025. McKinsey projects agentic commerce will generate $3 to $5 trillion annually by 2030.

The protocols are live. OpenAI and Stripe co-developed the Agentic Commerce Protocol (ACP). Google launched the Universal Commerce Protocol (UCP) and Agent Payments Protocol (AP2). Anthropic’s MCP provides the connectivity layer. Visa, Mastercard, PayPal, Stripe, Shopify, and Coinbase are all participating. The rails are being laid. The wallets are being connected.

What is not being built: the enforcement layer between user intent and agent action.

The Delegation Paradox

When a user tells their commerce agent “find me running shoes under $150 that arrive by Friday,” they are not giving up control. They are encoding intent and trusting that the agent will honor it. That trust is the foundation of the entire agentic commerce model.

The problem is structural. The protocols define how agents discover products, construct carts, and execute payments. None of them enforce what the agent does between receiving the instruction and executing the transaction. The moment the agent reasons — and before it acts — there is no deterministic enforcement layer. The user has delegated. But there is no mechanism that ensures the agent stays within the boundaries they actually set.

That is the delegation paradox. And it is why user concern about agentic commerce remains high despite genuine demand.

Four Concerns. One Structural Gap.

End-user concern about agentic commerce clusters around four themes. Each one is a symptom of the same missing layer.

Data privacy and misuse. Commerce agents require deep access to user preferences, browsing habits, purchase history, and stored payment credentials. Users are right to be concerned. Every interaction between agents — during negotiation, dynamic pricing, personalization — can expose behavioral signals that reveal sensitive patterns about buying habits, financial position, and personal life. Without a data governance layer, the agent has no constraint on what it shares, with whom, or when.

Algorithm bias and kickbacks. Users cannot see inside the agent’s reasoning. An agent optimized for merchant commissions or platform fees is indistinguishable from an honest one. There is currently no mechanism that enforces an agent’s recommendations against the user’s stated parameters — not the platform’s commercial interests. If the agent recommends a product because the merchant paid for placement, the user has no way to know and no policy that prevents it.

Security and account takeover. The most underappreciated risk in agentic commerce is intent drift: an agent authorized to shop does not mean an agent authorized to do anything in service of shopping. When an agent operates persistently, the risk shifts from credential theft to unauthorized action within a legitimate session. 78% of financial institutions expect fraud to spike from AI shopping agents. And the fraud isn’t only external — a well-intentioned agent making a mistake at machine speed can cause as much damage as a malicious one.

Manipulation by counterfeiters. Just as businesses optimize for SEO, malicious sellers now build AI-friendly storefronts engineered to manipulate agent reasoning. A fraudulent merchant may pass every automated check, offer below-market prices, and look entirely legitimate — until the agent completes the purchase and the payment credentials are harvested. The user delegated to the agent. The agent was deceived. The user pays the cost.

Arbiter: A General-Purpose Policy Enforcement Engine for Agentic Commerce

Today we are announcing Arbiter — LangGuard’s policy enforcement engine for the agentic enterprise.

Arbiter is not a fraud filter. It is not a payment protocol. It is the deterministic enforcement layer that sits between the agent’s reasoning and the action surface — ensuring that every action an agent takes on behalf of a user is evaluated against explicit policy before it executes.

What makes Arbiter different is its scope. It is a general-purpose policy enforcement engine that can implement any governance requirement across the full commerce lifecycle: from the moment an agent is granted delegation, through every discovery, cart, and payment action, to post-purchase workflows and revocation. The protocols define what agents can do. Arbiter enforces what they are permitted to do.

What Arbiter Policies Look Like in Practice

The following are examples of the policy classes Arbiter can enforce. These are not theoretical — they are the controls that turn user delegation from a bet into a contract.

Data access policies

  • Agent may only access the user profile fields required for this specific shopping task
  • Agent may not share purchase history, preference data, or behavioral signals with third-party merchants during price negotiation
  • PII — card numbers, address, government ID — may not be transmitted to any unverified endpoint


Spending and budget policies

  • No single purchase above $X without explicit user confirmation
  • Category budgets: $Y monthly for apparel, $Z for electronics — agent cannot exceed them
  • Velocity controls: no more than N transactions in any 24-hour window
  • First purchase from a new merchant requires human approval before payment executes


Merchant trust policies

  • Agent may only transact with merchants on an approved list, or meeting a minimum verified-review threshold
  • Merchants registered less than 90 days ago: blocked until manually approved
  • Price deviation alert: if the agent selects an item more than 20% above comparable market price, escalate before purchase


Action enforcement policies

  • Subscription detection: agent may not initiate any recurring charge without explicit sign-off
  • Refund and return controls: agent-initiated refunds above $X require human confirmation
  • Bias disclosure: agent must surface the ranking basis for any recommendation above a spending threshold


Human authority policies

  • High-value gate: any transaction above $X pauses for user confirmation before executing
  • Override window: user has a defined window to cancel any agent-initiated transaction after authorization
  • Session audit: complete record of every agent action delivered to the user at session close
  • Delegation revocation: at any point, the user can withdraw agent authorization instantly. Mid-session. Mid-transaction. Mid-negotiation. Revocation is immediate, enforced, and recorded.

What This Means for Agent Providers and Commerce Platforms

The platforms building agentic commerce — OpenAI, Google, Anthropic, Microsoft Copilot, Amazon — face a trust problem they cannot solve with protocols alone. The protocols define the rails. They cannot enforce what rides on them.

With Arbiter, agent providers can tell their users something they cannot say today: here is exactly what your agent is permitted to do, here is how we enforce it, and here is the complete record of every decision it made on your behalf. That is the trust and safety story that makes users comfortable delegating — not just comfortable enough to try it once, but comfortable enough to make it a default behavior.

For commerce platforms — Shopify, Stripe, PayPal, Visa, Mastercard, Google, Coinbase — Arbiter is the enforcement layer that turns their protocol investment into a governance story. ACP and UCP define how agents transact. Arbiter ensures those transactions happen within the boundaries the user actually set.

The compliance argument is sharpening too. Singapore’s IMDA published the Model AI Governance Framework for Agentic AI in January 2026. The EU AI Act is extending to agentic systems. The Electronic Transactions Association testified to Congress that authorization, consent, liability, and auditability all apply in the agentic context. Arbiter delivers all four — automatically, as a byproduct of enforcement, not as a manual compliance project.

Delegate. Don’t Abdicate.

The user who delegates shopping to an agent is not giving up control. They are encoding intent as policy — and trusting that the policy will be enforced. Right now, that trust is not warranted. The protocols enable the transaction. Nothing enforces the user’s actual intent at the moment the agent acts.

Arbiter is what closes that gap. It is the deterministic enforcement engine that ensures agents act within the boundaries users set — and gives them the ability to revoke that authorization, instantly, at any moment.

Agentic commerce is a $3–5 trillion opportunity. The platforms and providers that build the trust layer will capture it. The ones that don’t will spend it managing chargebacks, fraud claims, and regulatory exposure.

LangGuard just launched Arbiter. If you are building agentic commerce flows on ACP, UCP, MCP, or any agent harness — and you want to show your users that delegation does not mean abdication — we want to talk.

Request access at langguard.ai

Tag: Shopify · Stripe · PayPal · Visa · Mastercard · Google · OpenAI · Anthropic · Microsoft · Amazon · Coinbase