Brand Visibility for Agentic Commerce (BVAC)

The Merchant Side of Trust in Agentic Commerce

When an agent reaches a merchant’s checkout carrying a payment token, the merchant has to answer a question no card network was built for: is this a delegated shopping agent acting for a real customer, or a script replaying a stolen credential? The Brand Visibility for Agentic Commerce framework has, until now, treated trust as something a brand emits — the structured reviews, certifications, and authority links an agent can weight when it decides whether a product is credible. That’s one direction. The developments of late 2025 and 2026 have opened a second one, and it runs the other way: the trust a brand must grant to the agent at its own door.

The distinction matters because the two are scored by entirely different work. Emitted trust is a content-and-markup problem, addressed in the product catalog. Granted trust is an infrastructure-and-policy problem, addressed at the edge of the brand’s own systems. A brand can be excellent at the first and quietly failing at the second, and the failure produces the same outcome the framework’s trust floor was built to catch — silent removal from the set — except this time the brand caused it.

The signals the framework already measures

Trust Signal Density measures whether a brand’s trustworthiness is encoded in a form an agent can read: review entities, certification surfaces, links to recognized authorities. The dimension carries a floor because below a minimum of those signals an agent has no structured basis to trust the product at all, and the floor caps the rest of the strategic tier until it’s crossed. None of that changes. What it doesn’t cover is the moment before any of it is read — whether the agent attempting to read the catalog is admitted in the first place.

The question the networks had to answer

The payment networks reached this problem first, because they sit where money moves. Visa’s Trusted Agent Protocol, launched in October 2025, lets a merchant cryptographically verify that an incoming agent is a sanctioned shopping agent with intent to buy, using signed message data the merchant checks before routing the authorization, with minimal change to the existing checkout page (Visa, 2025). Mastercard took a parallel route with Agent Pay, encoding the agent’s identity into the transaction record so an issuer can score risk per agent rather than per anonymous session, and building the verification on Cloudflare’s Web Bot Auth (Mastercard, 2025). Both compose with the card rails rather than replacing them. The shared goal is narrow and consequential: let a merchant tell a legitimate agent apart from a hostile one without blocking the legitimate one in the process.

A shared foundation for proving identity

Underneath both networks sits the same mechanism. Cloudflare’s Web Bot Auth, built on the IETF’s HTTP Message Signatures standard (RFC 9421), lets an agent attach a cryptographic signature to each request so the receiving system can confirm the request is verifiable, time-bound, and not a replay (Cloudflare, 2025). It’s a real shift in posture. For two decades the convention for telling automated traffic what it could touch was robots.txt, which is a request a well-behaved crawler chooses to honor. A signature is proof, checked at the door, that doesn’t depend on the visitor’s good manners.

One thing the signature does not do is worth stating plainly, because brands routinely conflate it with something it isn’t. Proving that an agent is who it claims to be is not the same as deciding whether to let it transact. The cryptography settles identity. The merchant still owns the admission decision, and that decision is a policy the brand writes, not a fact the protocol hands it.
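The two steps described above, as an added example that is not code from Visa, Mastercard or Cloudflare: an edge check that first establishes whether a signed request is verifiable, time-bound and not a replay, and only then consults a separate merchant-owned admission policy. The header layout follows RFC 9421, and the `tag="web-bot-auth"` parameter and `Signature-Agent` header follow the Web Bot Auth draft. Assumptions: the key table, policy set, host names and decision strings are constructed, parameter parsing is simplified, and `hmac-sha256` with a shared secret stands in for verifying against an agent's published public key.

```python
import base64, hashlib, hmac, re, time

# Constructed demo values. Assumption: a shared-secret table (hmac-sha256) stands in
# for agents' published public keys so this runs on the standard library alone.
KEYS = {"agent-a": b"constructed-secret-a", "agent-b": b"constructed-secret-b"}
ADMIT = {"agent-a"}   # merchant-owned policy: which verified identities may transact
SEEN_NONCES = set()   # replay cache; a production cache would expire entries

def signature_base(headers, params):
    """RFC 9421 signature base over the components listed in params."""
    covered = re.findall(r'"([^"]+)"', params.split(")")[0])
    lines = [f'"{c}": {headers.get("host" if c == "@authority" else c, "")}' for c in covered]
    return "\n".join(lines + [f'"@signature-params": {params}']).encode()

def mac_b64(key, headers, params):
    digest = hmac.new(key, signature_base(headers, params), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def sign(headers, params, key):
    """Demo-only signer, used to construct sample requests."""
    return {**headers, "signature-input": f"sig1={params}",
            "signature": f"sig1=:{mac_b64(key, headers, params)}:"}

def evaluate(headers, now=None):
    """Return (identity_verified, decision). Header names are assumed lowercased."""
    now = int(time.time()) if now is None else now
    sig_input, sig = headers.get("signature-input"), headers.get("signature")
    if not sig_input or not sig:
        return False, "unsigned"                 # handled by the ordinary bot policy
    label, params = sig_input.split("=", 1)
    p = dict(re.findall(r';(\w+)="?([^";]+)"?', params))   # simplified parsing
    m = re.fullmatch(re.escape(label) + r"=:([A-Za-z0-9+/=]+):", sig)
    key = KEYS.get(p.get("keyid"))
    if (not m or key is None or p.get("tag") != "web-bot-auth"
            or '"@authority"' not in params.split(")")[0]):
        return False, "reject:malformed-or-unknown-key"
    if not hmac.compare_digest(mac_b64(key, headers, params), m.group(1)):
        return False, "reject:bad-signature"     # not verifiable
    if not (p.get("created", "").isdigit() and p.get("expires", "").isdigit()
            and int(p["created"]) <= now <= int(p["expires"])):
        return False, "reject:outside-validity-window"
    if "nonce" not in p or p["nonce"] in SEEN_NONCES:
        return False, "reject:replay"
    SEEN_NONCES.add(p["nonce"])                  # record only after the signature verified
    # Identity is settled at this point; admission is the merchant's own decision.
    return True, ("admit" if p["keyid"] in ADMIT else "deny-by-policy")
```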

The governance consequence

That policy is where brands are most exposed, and the exposure is self-inflicted. The instinct trained by a decade of bot defense is to block automated traffic by default and make exceptions grudgingly. Carried into the agent era, that instinct rejects the verified shopping agents a brand wants — the ones arriving with a real customer behind them — alongside the scrapers it doesn’t. A brand whose edge layer turns away a signed, verified agent has removed itself from that customer’s consideration before a single product attribute was evaluated. The symptom looks exactly like decision invisibility: no traffic decline, no campaign to diagnose, nothing in the analytics. The cause, this time, is a firewall rule the brand owns.

This is why the second axis of trust is as much a Governance Maturity question as a Trust Signal Density one. Someone has to own the answer to “which agents do we admit, and how do we tell,” and in most organizations that authority is split between a security team optimizing to keep bots out and a commerce team that needs certain bots in. Until that ownership is resolved, the default settles the question by omission, and it usually settles it the wrong way.

Where intent enters

Identity answers who the agent is. It doesn’t answer whether the agent is doing what its principal actually asked. Mastercard and Google addressed that layer in March 2026 with Verifiable Intent, an open, protocol-agnostic framework that binds three things into a single tamper-resistant record — the consumer’s identity, the instruction they gave, and the outcome of the transaction — and uses selective disclosure so each party sees only what its role requires (Mastercard, 2026). For a merchant, this is what turns “an agent transacted here” into “this agent, acting for this person, within this mandate,” which is the difference that makes a disputed agent purchase resolvable instead of a loss. It’s the accountability counterpart to identity, and it’s the piece that lets a brand admit agents at scale without absorbing the dispute risk that would otherwise come with them.

Where to start

Take a brand that has done the emitted-trust work well — Review and AggregateRating schema in place, certifications surfaced, authority links clean — and assume its Trust Signal Density sits comfortably above the floor. Its catalog is ready to be trusted. The question the second axis raises is whether the agents that would trust it can get in. Three checks answer it. Does the edge layer verify agent signatures rather than rejecting automated traffic wholesale? Can it distinguish a Web Bot Auth-signed shopping agent from an unsigned scraper? When a verified agent is admitted, does it reach a clean, machine-readable surface, or the same bot-mitigation friction served to everything else? A brand that fails these has an effective trust score capped by infrastructure the framework’s floor mechanism never inspected, because the floor was looking at the catalog and the cap is sitting at the firewall.

The trust dimension in agentic commerce runs in both directions now. A brand that has worked only the signals it emits has done the half that’s visible in its own catalog and left the half that lives in its own infrastructure to whatever its bot policy happened to be configured for last year.

References

Cloudflare. (2025, November 17). Securing agentic commerce: Helping AI agents transact with Visa and Mastercard. Cloudflare Blog. https://blog.cloudflare.com/secure-agentic-commerce/

Mastercard. (2025, October 14). Agentic token framework: Driving trusted AI transactions. Mastercard. https://www.mastercard.com/global/en/news-and-trends/stories/2025/agentic-commerce-framework.html

Mastercard. (2026, March 5). How Verifiable Intent builds trust in agentic AI commerce. Mastercard. https://www.mastercard.com/us/en/news-and-trends/stories/2026/verifiable-intent.html

Visa. (2025, October 14). Visa unveils Trusted Agent Protocol for AI commerce. Visa. https://corporate.visa.com/en/sites/visa-perspectives/newsroom/visa-unveils-trusted-agent-protocol-for-ai-commerce.html