Blits.ai
AI Technology31-03-202611 min read

You Already Know How to Delegate Spending. Now Write the Mandate for an Agent.

Len Debets
Len Debets
CTO & Co-Founder
You Already Know How to Delegate Spending. Now Write the Mandate for an Agent.

You already let people spend your company's money without losing control.

You do it every day, and you barely think about it.

A new hire gets a corporate card with a monthly limit. A procurement manager can raise a purchase order, but anything over a threshold needs a second signature. Travel goes on the card; a new supplier goes through onboarding first. And at the end of the quarter, finance can pull up every line and ask who bought what, why, and under which policy. Nobody calls this "autonomous spend." It's just delegation, and enterprises have been doing it for a century.

An AI agent is a new kind of delegate. That's the whole reframe. Once you stop treating "AI that spends money" as a novel category and start treating it as an unusually fast, unusually literal junior employee, the policy almost writes itself — because you already have the instruments. The interesting part is not inventing new controls. It's mapping the ones you have onto a machine, and being honest about the two or three places where the mapping breaks.

What you're actually handing over

When you give a person a card, you're not giving them your money. You're giving them a bounded claim on it: this much, at these kinds of places, for these purposes, reviewable later. The 2026 payments stack does exactly the same thing for agents, and it's worth understanding the plumbing for one paragraph — not as a tour, just so you know what your policy is riding on.

Every mainstream design deliberately keeps the raw card number away from the agent. Mastercard's Agent Pay and Visa Intelligent Commerce issue a tokenized credential bound to a specific agent and a specific scope. Stripe and OpenAI's Agentic Commerce Protocol uses a Shared Payment Token that's valid for one merchant and one cart, then dies. Google's AP2 represents the whole authorization as three signed mandates — Intent, then Cart, then Payment — each a W3C Verifiable Credential, so there's a non-repudiable record of who authorized what. In April 2026 Google donated AP2 to the FIDO Alliance and Mastercard contributed its Verifiable Intent framework, which is a genuinely encouraging sign that this consolidates into shared standards rather than a dozen walled gardens.

If you want the deeper why-and-what of those protocols, we wrote the primer separately in the moment AI was allowed to spend money by itself. This piece is the operator's job that comes after you've read it: writing the mandate the agent actually carries. So let's map the instruments you already own.

The four instruments, translated

The allow-list of payees — the most important one, and the one nobody leads with. When you onboard a supplier, you're not mostly deciding how much they can be paid. You're deciding that they can be paid at all. That decision — the approved-vendor list, the merchant category, the "we do not send money to counterparties we haven't vetted" rule — is your primary control surface. For an agent it should be the same: an explicit list of merchants or merchant categories it may transact with, and a hard stop plus escalation for anything novel. This is the instrument most teams under-weight, because it feels less like a "spending control" than a number does. It is the spending control.

Per-transaction and cumulative limits — the card limit and the monthly cap, together. A single per-transaction ceiling is easy and half the job. The failures that actually hurt are rarely one big charge; they're a loop of small, individually-plausible ones that add up. So you set both: a cap per purchase and a cap per session or per period. Coinbase's Agentic Wallets, launched in February 2026, ship exactly this pairing — an operator sets a total session cap and a per-transaction limit at wallet creation and can tighten either on the fly. That's the "corporate card with a monthly cap" model rebuilt for a runtime that can fire a hundred requests a second.

Context and approval tiers — the dual sign-off over a threshold. Your expense policy doesn't route everything the same way. Recurring, in-policy spend clears automatically; an exception or an unusual amount goes to a manager or to finance. Encode the same tiering. Low-risk, in-scope, recurring purchases run inside the mandate. Anything anomalous — a new merchant, an amount outside the norm, a request that arrived without the business context that should accompany it — routes to a human. AP2 makes this concrete with its human-present flow, where a person signs the Cart Mandate before money moves.

The replayable audit — the expense report finance can actually reconstruct. The point of an audit trail is not that logs exist. It's that you can replay the decision: which mandate authorized this, under which policy version, triggered by what. The signed-mandate chain gives you cryptographic non-repudiation almost for free, which is a real gain over a screenshot of an approval email. Use it. If you can't reconstruct a purchase end to end, you don't have delegation — you have hope with a receipt.

Delegation was never about trust. It's trust with a boundary written down. The agent just makes you write it down more precisely than you ever did for a person.

Four instruments, and you already run all four for humans. If this were the whole story, you'd copy your expense policy into a config file and go home.

Where the analogy quietly breaks

It isn't the whole story, and the gaps are where the real work lives.

"The agent never touches the raw card number" protects the credential, not the decision. This is the line every vendor deck leads with, and it's true and it matters — a scoped token can't be replayed at a random merchant the way a stolen PAN can. But read it carefully. Tokenization secures how the money moves. It says nothing about whether the purchase was the right one. When a hallucinating agent buys the wrong thing inside its limits, from an allowed merchant, the token was used exactly as designed. The security control did its job perfectly and you still bought the wrong thing. Protecting the credential is not the same as governing the decision, and conflating the two is the most expensive misread in this space.

Spend caps are a speed limit with no steering. A per-transaction and session cap stops a runaway loop — genuinely useful, keep it. But it does nothing against a prompt-injected agent that spends right up to the limit on an attacker's merchant. And prompt injection is not a solved problem you can design around; it's still number one on the OWASP LLM Top 10 in 2026, with the same report citing a sharp year-on-year surge in attacks. With a spending agent, a successful injection isn't a bad answer anymore. It's a fraudulent transaction. This is why the allow-list of payees, not the amount cap, is your real steering wheel — a poisoned web page can convince an agent to spend, but it can't add a new payee to a list only you control.

An amount limit is a speed limit. It slows the crash. The allow-list is the steering. Most policies over-invest in the first and forget the second.

Human-not-present spend is a service account, not a shopping cart. Here's the part the demos avoid looking at. The genuine value of an agent is pre-authorized autonomy — buy the tickets the instant they drop, auto-scale the licenses at 3 a.m., no human awake to confirm. AP2's v0.2, added when it moved to FIDO, formalizes exactly this "Human Not Present" flow, where the agent generates the Cart Mandate itself once the signed Intent Mandate's conditions are precisely met. That's powerful, and it removes the one checkpoint every governance slide leans on: the human tap. The right mental model for that authority is not "a customer with a shopping cart." It's a service account with production database credentials. You already know how to govern one of those — narrow scope, short-lived tokens, tight logging, alerting on anomalies, and a very short list of people who can grant it. Apply that discipline, not the retail-checkout discipline, the moment you remove the human.

The reality check nobody puts on the slide

Before you architect a governance cathedral, one sobering data point. OpenAI quietly killed its flagship Instant Checkout in ChatGPT in March 2026, roughly five months after launching it. Reporting suggests only about a dozen Shopify merchants ever went live and sales were near zero — users happily researched in ChatGPT and then bought on the storefronts they already trusted. The Agentic Commerce Protocol underneath survives; the consumer product did not.

The lesson isn't that agentic payments are vapor — Mastercard shipped Agent Pay for Machines for autonomous machine-to-machine spend in June 2026, and this is clearly where enterprise operations are heading. The lesson is about sequencing. The cryptographic trust layer got built faster than the demand, the tax and fraud plumbing, and the inventory sync that make a working buyer. Governance shipped ahead of the use case. So design your mandate seriously, but scope your first agent to a real, bounded job with an obvious ROI — a known set of suppliers, a capped budget, a process you already understand — rather than a general-purpose spender chasing a market that isn't there yet.

A policy you can actually write down

Here's the checklist we hand teams. It's deliberately boring, which is the point.

Before an agent moves a cent, the mandate must answer:

  WHO can it pay      -> explicit merchant / category allow-list;
                         novel payee = hard stop + human escalation
  HOW MUCH            -> per-transaction cap AND session/period cap,
                         both, always
  UNDER WHAT CONTEXT  -> required trigger, cost center, budget owner;
                         missing context = no transaction (fail safe)
  WHO CONFIRMS        -> tiered: in-policy auto, exceptions to a human;
                         human-not-present = treat as a service account
  CAN YOU REPLAY IT   -> mandate + policy version reconstructable
                         end to end, or it doesn't ship
  WHAT'S THE BLAST    -> assume prompt injection succeeds; the allow-list,
    RADIUS               not the amount cap, is what contains it

If you can't fill in all six for a given agent, it isn't ready to hold a payment credential. That's not caution for its own sake — it's the same bar you'd hold a new hire to before handing over the card, just made explicit because the delegate is software.

The question none of this answers yet

There's one gap the instruments don't close, and it's honest to name it. When an agent makes a bad purchase — wrong thing, right limits, valid mandate — who eats the loss?

Under EU PSD2, the payment service provider is generally on the hook to reimburse "unauthorized" transactions. But a signed mandate proves an instruction existed; it doesn't prove the instruction was reasonable, or that the agent understood it, or that consent was informed. Lawyers are already describing genuine "blackbox moments" where nobody can cleanly say whether a bad agent payment was unauthorized or user negligence — and Strong Customer Authentication still assumes a human is present to authenticate, which is precisely what a human-not-present mandate removes. The EU AI Act becomes fully applicable on 2 August 2026 and doesn't squarely resolve payment liability either; if you're mapping your broader obligations, our EU AI Act readiness checklist is the place to start.

Auditability is being quietly oversold as accountability. A non-repudiable JWT will not, on its own, win a chargeback dispute in front of a regulator who wants to know why the decision was reasonable. That's not an argument against agentic spend. It's an argument for keeping a human in the loop wherever the amount, the merchant, or the consequences are novel — and for reading the emerging economic language these agents actually transact in before you wire one into your finance stack.

Onboard it like a new hire

The instruments aren't the hard part. You already own the card limit, the approved-vendor list, the dual sign-off, and the quarterly audit — and they translate to an agent almost line for line.

The hard part is remembering which instrument does which job. The amount cap slows a crash; the allow-list steers. The token protects the credential; only a human tier protects the decision. And the moment you remove the human, you're not running a shopping cart — you're running a service account with your money behind it.

Write the mandate like you'd onboard a new employee you don't fully know yet. Narrow scope, a real budget, a short leash, and receipts you can actually read. Get that right and an agent becomes one of the most useful hires you'll make this year. Get it wrong and it's the one who quietly maxed the card while everyone admired how it never saw the number.

If you're figuring out where the human line should sit for your own agents, that's a conversation we have most weeks. Bring your messiest use case.

Updated on 15 July 2026.

Len Debets
Len Debets
CTO & Co-Founder
Published on 31-03-2026

Related Articles

9 Things I Really Hate About AI
AI Technology12-05-2025

9 Things I Really Hate About AI

Read More →
Agentic AI Languages and Dialects: Why Voice Quality Is Still the Hard Part
AI Technology10-04-2026

Agentic AI Languages and Dialects: Why Voice Quality Is Still the Hard Part

Read More →
Introducing the Agentic AI Studio for Enterprises
AI Technology17-02-2026

Introducing the Agentic AI Studio for Enterprises

Read More →

Stay Updated

Get the latest insights on conversational AI, enterprise automation, and customer experience delivered to your inbox

No spam, unsubscribe at any time

Blits.ai offers tailored services, support and an enterprise platform to create GenAI conversation Digital Humans, agentic AI, voice-bots, agents, custom GPTs and chatbots at scale. Stay ahead of the competition by automatically equipping your agents with the most effective combination of AI technologies for your specific use case. Deploy any use-case and gain full control over quality, enterprise security and AI data processing. Blits.ai combines the AI power of Google, Microsoft, OpenAI, IBM, Anthropic, ElevenLabs, and many others in one orchestration platform. We build, train and deploy LLM based agentic solution using techniques like Conversational AI controlled elements, augmented with deep aspects of GenAI at scale, for any type of use-case and can deploy in the cloud, or on-premise for any enterprise architecture. We create 100% custom tailored AI solutions in the cloud or local for your brand and multi language/country/brand interactive communication for your channels (Mobile app, Website, Kiosks and IVR systems) and we connect your backends to build smart agents (ERP, CRM, Helpdesk tool, etc).