Agentic Commerce Is Consent-First, Not a Free-for-All
"Google's CAPSEM and AP2 show how agent-led buying is being secured with isolated runtimes, signed consent, clear offers, and auditable brand governance."
Overview
Agentic commerce forces brands to prove that an AI buyer acted within a customer’s signed spending mandate while presenting prices, restrictions, availability, and refund terms the agent cannot misread. This article explains how Google’s CAPSEM isolates agent execution, how AP2 records consent for authorised sub-$100 purchases, and what marketers must govern before agents reach checkout. At Van Data Team, we approach this work by making brand facts structured, consistent, answer-ready, and auditable.
Agentic commerce is arriving with guardrails. A buyer's AI agent can discover an offer and execute an authorized purchase, but the emerging model separates execution from consent. The agent may act later. The human still defines the permission envelope, and the merchant needs evidence of that authorization.
For marketing, growth, and brand-governance leaders, this changes the funnel. A customer may never open your product page. Their agent may interpret your price, restrictions, availability, and refund policy instead. Vanaxity, Van Data Team's AI content agent for SEO, GEO, and AEO, helps make those brand facts discoverable and answer-ready across search and AI engines. It does not provide payment authorization or runtime security.
The immediate signal is Google's July 14, 2026 India-focused safety announcement. At I/O Connect India, Google open-sourced CAPSEM, a secure runtime that isolates agents inside virtual machines and keeps raw credentials beyond their reach. AP2 predates this announcement, but together they reveal the emerging operating model: contain the agent, verify the mandate, and preserve the record.
Key Takeaways
Brands should treat agent-led buying as a governed transaction channel, not an unrestricted delegation of purchasing power.
- CAPSEM assumes an agent will encounter malicious instructions and contains the resulting damage.
- AP2 uses signed mandates to prove that a person authorized a defined transaction.
- A2A supports agent interaction, but it does not authorize a payment.
- Google's India framing describes authorized transactions under $100, creating a deliberately narrow blast radius while the ecosystem matures.
- Brand readiness depends on consistent offers, connected audit records, workable refunds, and named human owners.
If your product pages, feeds, and checkout terms already disagree, agent traffic will expose the cracks. See how Vanaxity operationalizes SEO, GEO, and AEO content workflows before those inconsistencies become transaction disputes.
Map your SEO, GEO and AEO workflow before you build.
What Google Actually Announced in India
Google's new development at I/O Connect India was CAPSEM and a broader India-focused safety package, not the original launch of AP2.
CAPSEM, built by Google's Privacy and Security Research team, places an AI agent inside an isolated virtual machine. Raw credentials remain outside the agent's reach. If prompt injection compromises the agent, the design limits its ability to steal secrets or move into the host environment.
That is an important security posture. It assumes prevention can fail and makes containment the fallback.
The same Google India safety announcement introduced Sec-Gemini v3, including a cybersecurity deployment with Flipkart; CodeMender, which automates security fixes for open-source projects; and the Device Bound Session Credentials W3C standard. Together, they show a wider effort to secure agents, code, credentials, and sessions.
This was not a global product-launch keynote. It was an India-focused safety announcement about the foundations required for the country's agentic future.
AP2 followed a different timeline. Google originally announced the Agent Payments Protocol on September 16, 2025, with more than 60 launch partners, including Mastercard, PayPal, Coinbase, American Express, and Salesforce. The specification was published under an open license.
The v0.2.0 release in April 2026 added "Human Not Present" payments. That mode still executes against authorization a user signed in advance. It does not grant an agent permissionless access to a wallet.
At Google I/O on May 19, 2026, Google updated AP2 to support autonomous purchases within preset limits and donated the protocol to the FIDO Alliance. The July India post restated AP2 in a local safety context. It did not unveil it.
Google describes the current lane as "authorised, low-value agent-led financial transactions (under $100)".
The capabilities are related, but they solve different trust problems:
| Capability | Primary job | Trust boundary | What it does not solve |
|---|---|---|---|
| CAPSEM | Isolates an agent and withholds raw credentials | Agent versus host and secrets | Payment consent, offer accuracy, refunds |
| A2A protocol | Lets independent agents discover and collaborate | Agent-to-agent interoperability | Proof that a person authorized payment |
| AP2 | Carries cryptographic evidence through signed mandates | User authorization versus transaction execution | Runtime isolation, merchant liability, fulfillment quality |
The Consent-First Stack for Agentic Commerce
The following illustration summarizes execution is autonomous; authorization is not:
Figure 1. CAPSEM contains the agent, A2A carries the interaction, and AP2 proves that a person authorized the transaction conditions in advance.
A trustworthy agent-led purchase needs secure execution, interoperable communication, and verifiable authorization working as separate controls.
Runtime containment with CAPSEM
CAPSEM is the agent sandbox. It treats product pages, reviews, external feeds, documents, and tool responses as potentially hostile inputs.
If malicious content manipulates the agent, virtual-machine isolation protects the host. Keeping raw credentials outside the runtime also removes the easiest secret for a compromised agent to exfiltrate.
This containment does not prove that a purchase is appropriate. It simply narrows what a manipulated agent can reach.
Interaction through A2A
The A2A protocol lets agents discover capabilities and collaborate across vendors. A buyer agent could use it to communicate with merchant or service agents without every participant running on the same platform.
A2A answers, "How can these agents interact?" It does not answer, "Who authorized this charge?"
Treating interoperability as authorization would create a dangerous gap. An agent's ability to request a transaction is not proof that a person agreed to it.
Authorization through AP2
AP2 supplies that proof through cryptographically signed mandates. Intent and cart mandates connect the user's approved objective, transaction details, and execution conditions.
The practical distinction is between execution autonomy and authorization autonomy. An agent may decide when to act inside approved conditions. The person still establishes those conditions.
Consider a clearly hypothetical replenishment workflow. A procurement lead authorizes an agent to reorder an approved office supply when inventory returns and the offer satisfies preset terms. The agent completes the purchase later. The user is not present at execution, but the transaction remains tied to the mandate signed in advance.
The operator-level flow is straightforward: the user approves the intent and mandate; an isolated buyer agent evaluates offers; agents interact where necessary; the merchant validates authorization; payment executes; and connected records support fulfillment, disputes, and refunds.
When a Buyer's Agent Enters Your Funnel
When an agent reaches the funnel, machine interpretation becomes as important as human persuasion.
A human buyer can infer that a promotional banner overrides an older product description. An agent needs explicit, consistent facts. At minimum, the offer should expose:
- Product identity and variation
- Price and currency
- Availability and eligibility
- Delivery conditions
- Renewal or subscription terms
- Purchase restrictions
- Cancellation and refund rules
- The authoritative source when records conflict
No universal offer format supplied here solves all of this. Structured data helps, but governance begins by deciding which system owns each fact.
At Van Data Team, we start by tracing claims back to authoritative sources. The mistake we see is treating agent readability as a copy refresh. It is a data-pipeline problem involving product systems, feeds, landing pages, structured content, checkout logic, review gates, and reporting.
A hypothetical price dispute shows why. A growth team ends a promotion, but the product feed still carries the discounted price while checkout uses the new price. A buyer agent selects the product from stale information. Support now has to determine what the agent saw, which terms were authoritative, and whether the final cart remained inside the user's mandate.
The signed mandate proves what the user authorized. It does not prove the merchant presented accurate information.
This is where an AI SEO/GEO/AEO agent can support the content layer. Vanaxity can research, write, illustrate, publish, and syndicate consistent brand information across search and answer surfaces. That improves discoverability and machine comprehension, but payment readiness still requires security, payments, legal, and support controls.
Marketing content becomes a security input
Prompt injection occurs when an agent interprets untrusted content as an instruction. Once agents can spend money, this is no longer only a chatbot-quality problem.
Product descriptions, user reviews, affiliate pages, third-party feeds, and hidden page content can all carry instructions an agent should not obey. A malicious passage might attempt to redirect the agent, change its priorities, or make it reveal credentials.
CAPSEM contains the runtime and keeps raw secrets inaccessible. AP2 restricts payment execution to valid authorization. Neither control guarantees that every offer is truthful or every purchase decision is correct.
Brands should separate trusted transaction data from promotional content, sanitize external inputs, test conflicting instructions, and reject transactions when price or terms cannot be reconciled.
The Brand-Governance Runbook
A brand is ready for agent-led transactions only when it can reconstruct what was offered, what was authorized, what executed, and how the outcome was resolved.
Use this decision table as a cross-functional readiness artifact:
| Governance area | Required decision | Evidence to retain | Failure response |
|---|---|---|---|
| Authorization | Who approved the purchase and under what conditions? | Signed mandate and verification result | Reject or pause the transaction |
| Agent scope | Which merchants, products, prices, and time conditions are allowed? | Scope policy and applied constraints | Request renewed human approval |
| Offer integrity | Which record controls price, availability, and terms? | Versioned offer and checkout snapshot | Stop checkout and reconcile sources |
| Transaction evidence | Can mandate, order, payment, and fulfillment be connected? | Correlated event records | Route to manual investigation |
| Refunds | Can an agent request a refund, and when must a person intervene? | Refund policy, request, approval, and outcome | Escalate exceptions to a human owner |
| Security | Which surfaces can send data or instructions to the agent? | Input inventory and prompt-injection tests | Isolate the source and suspend access |
| Accountability | Who owns policy, exceptions, and customer harm? | Named owners and escalation paths | Activate incident and customer-response workflows |
Production readiness also depends on operational criteria that protocol diagrams often omit.
Cost: Measure the expense of verification, logging, content synchronization, security review, exception handling, and disputes. An inexpensive payment can still create an expensive support case.
Latency: Track delays across agent interaction, mandate validation, inventory confirmation, and payment. Define acceptable thresholds from your checkout experience instead of assuming agents will wait indefinitely.
Token budget: Give agents the smallest trusted context needed to evaluate an offer. Loading entire pages, reviews, and unrelated promotional content increases cost and expands the prompt-injection surface.
Observability: Connect the mandate, agent request, offer version, order, payment, fulfillment, and refund with traceable identifiers. A payment log alone is not an audit trail.
Evaluation: Test expired mandates, changed prices, unavailable products, conflicting feeds, malicious content, duplicate requests, refund attempts, and partial system failures.
Review burden: Assign humans to policy changes and ambiguous exceptions. Automation should reduce routine handling, not hide unresolved responsibility.
Failure recovery: Define how to pause agent-led checkout, revoke access, preserve evidence, restore authoritative offer data, and communicate with affected customers.
A practical Van Data Team engagement can turn the content side into a scoped workflow review: an authoritative-source map, agent-readability gap analysis, review-gate design, reporting specification, and delivery plan. Explore how Vanaxity works to see where that layer fits.
What Remains Unsettled
Agent commerce is moving into limited production, but adoption, identity, liability, and accountability remain immature.
The low-value lane is small. That is better understood as a controlled deployment boundary than proof of broad readiness. It limits potential loss while participants learn how mandates, exceptions, and disputes behave in practice. It should not be treated as a universal payment-network ceiling.
Standards adoption will also be uneven. A signed mandate does not guarantee accurate pricing, correct fulfillment, or a fair refund. Runtime isolation does not remove merchant fraud, data-quality failures, compromised feeds, or customer-service gaps.
Agent identity remains difficult across platforms. Liability may depend on jurisdiction, mandate design, merchant conduct, payment rules, and the specific failure. None of the supplied standards automatically assigns responsibility.
Human accountability therefore remains non-negotiable. Every automated transaction policy needs an owner who can explain it, stop it, and make the customer whole when the system fails.
Tooling And Landscape Fit
CAPSEM and AP2 solve different problems from the frameworks teams use to build agents. An ADK or LangGraph agent workflow can organize planning, tool calls, retries, and human review checkpoints. MCP connects agents to tools, while A2A supports agent-to-agent interaction. None of those layers, by itself, proves that a shopper authorized a charge.
CAPSEM fits at the runtime boundary: virtual-machine isolation and credential separation help contain a compromised agent. Least-privilege tool access, Device Bound Session Credentials, agent observability, and escalation rules remain complementary controls. Sec-Gemini v3 and CodeMender belong to adjacent cybersecurity and remediation workflows, not merchant payment authorization.
AP2 fits at the transaction boundary. Its signed mandates give merchants an authorization record, including for “Human Not Present” purchases approved in advance. The sub-$100 lane limits the blast radius while adoption, agent identity, and liability mature.
For agentic commerce, the production pattern is layered: choose orchestration that fits the workflow, isolate money-capable execution, constrain tools and spending, preserve mandate and refund records, and keep a named human accountable.
How Van Data Team Makes This Operational
At Van Data Team, we make agentic commerce operational by tracing each transaction from offer discovery through purchase, reconciliation, and refund. We map product feeds, price and availability sources, checkout rules, payment handoffs, the AP2 mandate record, any CAPSEM-isolated runtime, and the audit trail. Every decision gets an owner: what the agent may do, when signed consent is sufficient, and when the workflow must stop.
Then we close the gaps that make consent-first commerce brittle: conflicting offer terms, stale inventory, incomplete mandate evidence, unclear refund ownership, and missing recovery paths. Automation stays inside the approved permission envelope. Failed signature checks, price changes, out-of-mandate terms, and policy exceptions route to human review instead of purchase execution.
The scoped delivery plan defines which signals to capture, which handoffs to repair, and which actions remain gated. A dashboard surfaces mandate verification failures, offer mismatches, declined actions, purchase status, and refund exceptions. A runbook tells the team when to halt, retry, escalate, reconcile, or refund, so the authorized under-$100 lane remains auditable and operable.
Frequently asked questions
Is AP2 new?
No. Google announced AP2 on September 16, 2025. Later milestones expanded the specification, introduced production controls, and moved standards governance to the FIDO Alliance. The India announcement restated AP2 alongside new safety work.
Does "Human Not Present" mean payment without human consent?
No. It means execution can occur after the human leaves the immediate interaction. The agent acts against authorization signed in advance. Removing the person from the execution moment does not remove consent from the transaction.
What is the difference between CAPSEM, A2A, and AP2?
CAPSEM secures the runtime. A2A enables communication between agents. AP2 provides verifiable payment authorization. A secure implementation may use all of them, but none substitutes for the others.
Can AP2 mandates eliminate chargebacks?
No. Mandates can strengthen evidence by showing what a user authorized, but they do not automatically decide liability or prevent disputes. Merchants still need accurate offers, fulfillment records, refund processes, and trained support teams.
What should brands make agent-readable?
Make product identity, price, currency, availability, restrictions, renewal terms, delivery conditions, and refund policies explicit and consistent. Also identify the authoritative record and retain the version used during the transaction.
Why is prompt injection a brand-governance issue?
An agent can encounter malicious instructions on merchant-controlled or third-party surfaces. Marketing, ecommerce, and security teams therefore share responsibility for trusted data boundaries, input testing, content provenance, and incident escalation.




