Jul 17, 2026

India's CERT-In Proposes Mandatory Human Approval and Audit Trails for Agentic AI Payments Above Set Thresholds

Key Takeaways

  1. India's CERT-In has proposed, in its Digital Threat Report 2025-26, mandating human-in-the-loop controls and full audit trails for agentic AI actions that exceed defined financial thresholds.
  2. In the same month, NPCI moved to open up AI agent payments on UPI through the Unified Agent Protocol, creating a situation where the accelerator and the brake are being pressed at once.
  3. The real question is no longer whether agents should be allowed to pay, but which layer owns the four guardrails: consent, limits, audit trails, and reversibility.

CERT-In's proposal: put a human back in the loop above a threshold

CERT-In, the cybersecurity arm of India's Ministry of Electronics and Information Technology (MeitY), has proposed requiring human involvement in payments executed by AI agents. According to MediaNama's report, the proposal appears in the Digital Threat Report 2025-26.

The wording in the report is brief.

Mandate human-in-the-loop controls for agentic AI actions above defined financial thresholds, with full audit trails.

Human-in-the-loop refers to a design in which a person sits inside the AI workflow as a monitor or an intervener. Rather than letting an agent's autonomous decision execute directly, certain conditions route it through human approval. In a payments context, the proposal reads as an attempt to fix a division of labour in which the agent chooses and the human presses the final button into regulation.

What stands out is that this proposal sits not in a standalone AI regulation document but inside a cyber threat report aimed at the banking, financial services and insurance (BFSI) sector. The report was produced jointly by SISA, CERT-In and CSIRT-Fin, built up from forensic investigations and incident response work. Agent payments, in other words, are being handled as a threat mitigation item rather than an innovation policy item.

Behind that framing is what the report calls AI asymmetry: the offensive capabilities of frontier AI models are scaling faster than the regulatory, defensive and operational frameworks meant to contain them. India's BFSI sector absorbed 2.9 million cyber attacks in 2025, more than double the 1.4 million recorded in 2021. The report cites GTG-1002, disclosed by Anthropic in November 2025, in which a China-linked group used Claude to target 30 companies worldwide with AI reportedly carrying out up to 90% of the operation, alongside an April 2026 case in which a frontier model autonomously discovered more than 23,000 vulnerabilities across over 1,000 open-source projects.

If the attacking side has already gone agentic, the defending financial infrastructure has to be rebuilt on the assumption of non-human actors. CERT-In's proposal arrives in that order.

The accelerator and the brake moved in the same month

The timing is what makes this interesting. In that same July 2026, India was also moving to open up agent payments as national infrastructure.

Business Standard reported that NPCI, which operates UPI, is developing a new protocol called the Unified Agent Protocol (UAP) to register, verify and authorise AI agents to execute UPI payments (covered in detail in NPCI develops the Unified Agent Protocol to allow AI agent UPI payments as national infrastructure). UAP is designed to leave the underlying UPI rails untouched and layer a verification tier on top that can tell trusted agents apart.

One arm of the state builds the machinery to let agents pay; another warns that a human must be inserted above a certain amount. This is not a contradiction but a healthy tug-of-war in institutional design. NPCI is reported to need approval from the Reserve Bank of India (RBI) before rolling out UAP, so the height of the final safety valve rests with NPCI and the RBI. CERT-In's proposal functions as an early input into that discussion.

Precedents are already running. Pine Labs announced P3P in June, a protocol that completes agent payments on UPI, and open-sourced its agent authentication framework Grantex (Pine Labs unveils P3P, letting AI agents pay over UPI without human authentication). Razorpay is running a pilot with NPCI and OpenAI. The private sector ran first, and regulation began sketching the outline afterwards.

Far more remains undecided than decided. The actual level of the "defined financial threshold," the timing of any mandate, UAP's technical specification, and the allocation of liability when limits are breached are all undisclosed. The current CERT-In document is a proposal, not a binding rule.

Handles, PINs and limits: MediaNama's founder gets specific

One line of argument that puts flesh on the regulatory bones comes from MediaNama founder Nikhil Pahwa, quoted in the coverage. He argues that NPCI must build trust before rolling out agentic UPI.

Agentic commerce fails because there is a lack of trust. People in the US who have given their cards to agents have found, at least one person claimed, that an agent paid for a $2,500 course influenced by an Instagram influencer. We need guardrails, recourse and reversibility, though that is tricky in India.

His proposals fall into three parts. First, identity: give agents their own delegated handles. Something like agent-nixxin@ybl, separating the human's payment address from the agent's from the outset. Second, a separate agent PIN, on by default, with the limit dropping back to a default level the moment a user turns it off. Third, transaction limits set three ways: a maximum amount per transaction, a maximum count and amount per month, and a maximum count per day and per week.

What makes this trio work is that all three converge on a single idea: do not mix agent transactions with human ones. If the handle is distinct, merchants and banks can identify an agent-initiated transaction from the start. Once it is identifiable, limits, auditing and dispute handling can all be treated separately. Pahwa's argument that AI agents should have wallets rather than bank accounts rests on the same logic, since wallets contain the blast radius.

The question is which layer holds the guardrails

Here is the substance of the whole episode. Design debate around agent payments is converging on four things: consent, limits, audit trails and reversibility. CERT-In's proposal names two of them.

Consent is already the subject of international standards competition. Google's AP2 (Agent Payments Protocol) assigns a Cart Mandate, signed by the user over a final cart, to human-present transactions, and an Intent Mandate, granting conditional authority in advance, to human-not-present ones, separating the two as verifiable credentials. CERT-In's "human-in-the-loop above a financial threshold" amounts to a declaration that the state will draw the human-present boundary along a single axis: money. Protocol design and regulatory design are arriving at the same problem from different directions.

Audit trails are baked into AP2 as well, with Intent, Cart and Payment mandates chained together into a non-repudiable record. NPCI's role, per the reporting, is expected to stop at confirming that a payment request is genuine and holding logs of agentic transactions. Here the demands of regulation and protocol mesh cleanly.

Limits, meanwhile, are the most tractable piece, since UPI already has AutoPay and Reserve Pay. A user sets a ceiling, authenticates once with a UPI PIN, and subsequent payments run within that envelope. UAP is reported to extend this line, operating inside pre-authorised limits rather than granting unrestricted access to a bank account.

The problem is reversibility. This is where Pahwa attached his caveat about India, and Business Standard likewise notes that current chargeback and dispute resolution mechanisms were built on the assumption of human-initiated transactions, making their adaptation to AI-driven ones a major challenge. When an agent buys the wrong thing, is that fraud, or a user's own misjudgement occurring within the scope of delegation? That line is a question of liability, not technology, and thresholds plus audit trails do not resolve it. Of the four guardrails, reversibility alone still lacks a clear owner.

Mandating human-in-the-loop is, in part, insurance against that unresolved gap. If reversibility cannot be guaranteed, do not let transactions you would want to undo run automatically in the first place. Drawing the line by amount is a blunt instrument, but with liability design lagging, it is close to the only implementable seawall available.

What this means for e-commerce operators

Seen from the side that receives agent-initiated orders, this is not merely a regulatory story.

If a threshold rule is implemented in India, agent payment flows will have an approval wait inserted depending on the amount. Below the threshold, automatic. Above it, waiting on a human. From an e-commerce implementation standpoint, that means a share of transactions where payment does not complete synchronously. When do you commit the inventory allocation? What happens if price or stock shifts while approval is pending? How do you unwind an order whose approval never arrives? These are new interruption patterns, distinct from cart abandonment, that order management has to handle.

The other piece is identification. If agent-specific handles, or mechanisms like AP2's Payment Mandate that signal agent involvement and human presence to the payment network, become widespread, merchants may receive that signal per transaction. It matters for fraud detection rules and for how return policies apply. The assumption that an order signed by a present human and one auto-executed by an agent under prior delegation can be treated by the same standard will not hold much longer.

India's moves matter to operators elsewhere because UPI is one of the world's largest real-time payment networks, processing over 23 billion transactions a month, which means whatever design gets adopted there can become a de facto reference implementation. This is not a prediction that the same rule arrives in Japan. But the underlying instinct, demanding thresholds and audit trails for agent payments, is a conclusion that financial authorities may reach independently, given that it originated in a threat report.

Conclusion

CERT-In's proposal shows that the centre of gravity has shifted. The question is no longer whether AI should be allowed to pay, but who decides, and by what measure, how much passes automatically and where control returns to a human. India is trying to draw that line with a single number.

The threshold level and the timing remain undisclosed, and UAP awaits RBI approval. What to watch next is how high NPCI and the RBI set the final safety valve, and which side moves first on reversibility and liability, where nobody yet holds a clear answer. Building the machinery that lets agents pay is something several private protocols have already done. The hard part is the machinery that rolls it back when they get it wrong.