Key Takeaways
- A May 17, 2026 Forbes essay argues that agentic AI lacks a machine-readable answer to "are you who you say you are," and positions the FIDO Alliance, Google, and Mastercard collaboration as the emerging Digital Trust foundation.
- In the same week, Experian added Akamai to its Agent Trust partner ecosystem, layering edge-level verification on top of Skyfire's identity layer. Standards-level and implementation-level work are now moving in parallel.
- EC operators cannot afford to wait for the final FIDO specification. The practical task is to map how Agent Trust tokens, KYAPay, and Akamai's edge checks will plug into existing cart, payment, and identity flows during the second half of 2026.
When machines must re-ask "are you who you say you are"

Anjana Susarla, professor at Michigan State University, used her May 17, 2026 Forbes column to push the most-deferred question in agentic commerce back to the front of the stack. The question is simple: when an AI agent places an order, completes a payment, and switches a subscription on a customer's behalf, who is the service really dealing with? Susarla characterizes the lack of a shared answer as an institutional design vacuum that the industry has been scaling around rather than solving.
The same concern is breaking out of the identity and payments side as well. The very same week, Experian announced that Akamai had joined its Agent Trust partner ecosystem. Two streams of work, one led by FIDO Alliance on standards and one led by Experian on implementation, converged in mid-May 2026 for reasons that are anything but coincidental. This piece traces Susarla's framing, lays out what each layer is actually doing, and surfaces the decisions EC operators need to make next.
Why existing identity stacks fall short of Digital Trust
Identity verification was designed for a world where a human sits in front of a screen. Passwords, SMS codes, and more recently passkeys all start from "the finger that taps" or "the device that is held." That premise collapses when an AI agent acts as a proxy. The final action is executed by a model in the cloud, with no finger anywhere in the loop.
What Susarla emphasizes in the Forbes column is that this collapse opens four questions at once: is the agent itself legitimate software, is the human behind it really the delegating party, what scope of delegation was granted, and is the transaction still inside that scope. Legacy identity stacks can answer one of these on a good day. None of them bundle the four into a single verifiable chain. Susarla treats this gap as a problem that bot-era defenses cannot be stretched to cover.
The payments side cannot ignore the math either. Riskified's Q1 2026 report that 55 percent of agent-driven traffic is being incorrectly declined shocked many EC operators. Even when the human behind the request is real, anything bearing an agent fingerprint gets blocked. The mirror image is just as costly: spoofed agents slip through legitimate traffic and authorize purchases nobody asked for. Lost revenue and missed fraud are two faces of the same authentication vacuum.
The standards layer: FIDO Alliance with Google and Mastercard
The hinge of Susarla's argument is the Agentic Authentication Technical Working Group that the FIDO Alliance announced on April 28, 2026. The standards body that produced WebAuthn and passkeys has now taken on agent authentication on the same track. That alone is a decisive signal.
Two specifications have been donated. Google's Agent Payments Protocol (AP2) defines agent-led payments around three layers: secure delegation, verifiable authorization, and trusted execution. Mastercard's Verifiable Intent framework cryptographically proves what the user intended to buy and circulates that proof across the payment ecosystem. Selective Disclosure keeps only the minimum required data visible to each party, so privacy and verification stop being a tradeoff.
The membership roster matters because it determines whether the standard travels into production. The Agentic Authentication TWG is chaired by CVS Health, Google, and OpenAI, and vice-chaired by Amazon, Google, and Okta. The Payments TWG is co-chaired by Mastercard and Visa, with American Express, PayPal, Stripe, Adyen, Cloudflare, Microsoft, Prove, 1Password, and Dashlane on the participant list. That bench effectively guarantees that AP2 and Verifiable Intent will be treated as the neutral, FIDO-owned standard for agent commerce. We unpacked the donation itself in The day FIDO Alliance absorbed AP2.
For agent-initiated commerce to scale, user intent must be explicit, verifiable and trusted.
The implementation layer: Experian, Skyfire, and now Akamai
Implementers cannot afford to wait for the spec to harden. Experian launched Agent Trust on April 30, 2026 and built the framework around the concept of Human-to-Agent Binding. Verified consumers, their devices, and authorized AI agents are cryptographically tied together. A real-time Agent Trust token then validates identity, scope of delegation, and transaction risk in one call.
The launch partners were Visa, Cloudflare, and Skyfire. Skyfire's Know Your Agent (KYA) protocol rides on standard web infrastructure, signed JWTs with JWKS key rotation, to carry who built the agent, who delegated authority, what scope was granted, and what payment capability exists. Experian enriches that token against its consumer identity and fraud models, then issues a dynamic trust score. Williams-Sonoma and Bose appearing as early pilots suggests the framework is already approaching production maturity.
What changed on May 15, 2026 is the addition of Akamai. Akamai handles a meaningful share of global web traffic at the edge, so it sits in exactly the right place to verify, before the request ever reaches the merchant origin, whether the traffic is human or agent and whether the agent fingerprint matches a legitimate token. If Experian's token is the information layer that says "who is acting on behalf of whom," Akamai is the physical layer that confirms "this request actually corresponds to that token."
Experian, Skyfire, and Akamai are all core members of the KYAPay initiative as well. KYAPay extends the Know Your Agent protocol with a standardized way for agents to declare intent and circulate tokenized payment credentials. The industry is clearly building a usable identity substrate ahead of the FIDO specification freezing.
Agentic commerce will not scale without trust. What is required is verifying the agent, the human behind it, and their intent to purchase.
How the standards and implementation layers complement each other
FIDO and Experian are not competing for the same square. FIDO defines the grammar of authentication and delegation that the whole industry will share. The Experian ecosystem provides the plumbing that moves that grammar into running code. The intent declared by Verifiable Intent is carried by the Agent Trust token, validated at the edge by Akamai, and bridged into payment rails by Skyfire and KYAPay. That division of labor is starting to feel coherent.
The picture lines up with what we covered in Major vendors building identity stacks for agentic AI. Agent identity is not a single-vendor category. It is a layered structure where specifications, token issuers, edge verification, and payment processing each carry a piece of the chain.
The structure is not without tension. Even with AP2 donated to FIDO, the implementation ecosystem around AP2 still includes Cloudflare, Microsoft, and others all pushing their own differentiation. The Experian side has Experian's identity assets, Skyfire's payment layer, and Akamai's edge layer pulling in directions that will not always align. Who owns responsibility for which layer is an open question that the standardization process will not fully settle.
Three decisions EC operators should make now
With that landscape in mind, three decisions sit on the EC operator's desk.
First, identification policy for agent traffic. Most fraud rules today resolve a binary: human or not. Once Agent Trust tokens and the eventual FIDO specification reach scale, the right model becomes a three-way split between legitimate agents, unknown agents, and malicious agents. Risk scoring needs to be refactored to carry that nuance.
Second, aligning delegation scope with business processes. Verifiable Intent's "intent declaration" is, from a merchant's point of view, metadata about how far the user has authorized the transaction. Returns, subscription updates, and fraud investigations need to operate at the level of delegation scope, not just transaction ID. Operations design has to move in lockstep with the identity stack.
Third, partner selection and edge layer evaluation. Akamai's edge verification slots in above an existing CDN, and Cloudflare offers the same kind of capability while sitting inside FIDO's working group. Operators should start asking their CDN, WAF, and identity vendors how their roadmaps map to Agent Trust and the FIDO specification. The related landscape is sketched in Why the trust layer for agentic commerce is missing.
None of this work belongs only to payments or security. Legal, customer service, and merchandising all need to be brought in so the organization can write down, as policy, who is responsible when an agent transacts on behalf of a customer. Susarla's Forbes argument is ultimately a call to treat Digital Trust as an operational theme for the whole company, not a checkbox owned by a single team.
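The signed-token check described earlier for KYA-style credentials, combined with the three-way agent split from the first decision, as an added example (not Skyfire's, Experian's or FIDO's code). The claim names `scope` and `exp`, the key ids, the action names and the verdict policy are hypothetical, and HS256 with shared keys stands in for the asymmetric signatures and published JWKS a real deployment would use, so that the block runs on the standard library alone.

```python
import base64, hashlib, hmac, json

# Constructed key set indexed by key id (kid); both entries are accepted during a rotation.
KEYSET = {"2026-05": b"constructed-current-key", "2026-04": b"constructed-previous-key"}

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(secret, signing_input):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue(claims, kid, secret, alg="HS256"):
    """Issuer side; used here only to build constructed sample tokens."""
    head = b64u(json.dumps({"alg": alg, "kid": kid}).encode())
    body = b64u(json.dumps(claims).encode())
    return f"{head}.{body}.{b64u(mac(secret, head + '.' + body))}"

def classify(token, action, now, keyset=KEYSET):
    """Return 'legitimate', 'unknown' or 'malicious' for one agent request (assumed policy)."""
    if not token:
        return "unknown"        # no credential: fall back to existing bot rules
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        head = json.loads(b64u_dec(head_b64))
        alg, key, sig = head["alg"], keyset.get(head["kid"]), b64u_dec(sig_b64)
    except (ValueError, KeyError, TypeError):
        return "malicious"      # malformed credential
    if alg != "HS256":
        return "malicious"      # algorithm is pinned by the verifier, not chosen by the header
    if key is None:
        return "unknown"        # retired or untrusted kid: nothing to verify against
    if not hmac.compare_digest(mac(key, head_b64 + "." + body_b64), sig):
        return "malicious"      # forged or tampered
    claims = json.loads(b64u_dec(body_b64))   # read claims only after the signature checks out
    if now >= claims.get("exp", 0):
        return "unknown"        # an expired delegation vouches for nothing
    if action not in claims.get("scope", []):
        return "malicious"      # credential used beyond what was delegated
    return "legitimate"
```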
Conclusion
Susarla's Forbes essay reframes Digital Trust as the institutional layer that agentic AI keeps skipping past. Two complementary streams are now actively filling that gap: the standards layer driven by FIDO Alliance with Google and Mastercard, and the implementation ecosystem assembled by Experian with Skyfire and Akamai. AP2, Verifiable Intent, Agent Trust tokens, KYAPay, edge verification: the names multiply, but the destination is one, a substrate that can verify an agent on the four axes of legitimacy, delegation, intent, and execution.
The decision in front of EC operators is no longer whether to wait for the standard or move on implementations. With the two layers moving in the same direction at the same time, the right move is to inventory now whether cart, payment, and identity flows can plug into the emerging Digital Trust ecosystem. The future where agents handle proxy purchases has run out of room for further delay.





