Agent-initiated payments look different from user-initiated payments — different timing patterns, no human pauses, higher request rate. Fraud systems need new signals to distinguish legitimate agents from attacks pretending to be agents.
Legitimate agent patterns
Consistent device fingerprint. Predictable timing (no human pauses but no superhuman rate either). Operations within pre-authorized scope. Identity attestable via signed AP2 claims.
Attack patterns
Rapid retries on declined cards. Scope-creep attempts (attempting operations outside the agent's authorization). Stolen agent credentials, which show up as an abrupt change in usage pattern.
Detection layer
Agent identity carries through to the merchant. Velocity checks per agent identity. Anomaly detection per (user × agent × merchant) tuple. Fraud signals are fed back to the consent layer, which suspends the agent's scope until the user confirms.
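An added example (not from the original article or any AP2 implementation) of the detection layer above: it runs a scope check, the per-agent velocity check and a decline-retry check per (user, agent, merchant) tuple over constructed events, and returns the agents whose scope the consent layer should suspend. The thresholds, field names and reason strings are assumptions.

```python
from collections import defaultdict, deque

# Assumed thresholds (hypothetical; tune against real traffic).
WINDOW_S = 60          # sliding window, seconds
MAX_REQ_PER_AGENT = 5  # requests per agent identity per window
MAX_DECLINES = 3       # declines per (user, agent, merchant) per window

def evaluate(events, scopes):
    """Return {agent: [reasons]} for agents whose scope should be suspended."""
    by_agent = defaultdict(deque)  # agent -> recent request timestamps
    declines = defaultdict(deque)  # (user, agent, merchant) -> decline timestamps
    suspend = defaultdict(list)
    def flag(agent, reason):
        if reason not in suspend[agent]:
            suspend[agent].append(reason)
    for e in events:  # events must be sorted by timestamp
        agent, ts = e["agent"], e["ts"]
        # Scope creep: operation outside what the user pre-authorized.
        if e["op"] not in scopes.get(agent, set()):
            flag(agent, "out_of_scope")
        # Velocity check per agent identity.
        q = by_agent[agent]
        q.append(ts)
        while q[0] <= ts - WINDOW_S:
            q.popleft()
        if len(q) > MAX_REQ_PER_AGENT:
            flag(agent, "velocity")
        # Rapid retries on declines, per (user x agent x merchant) tuple.
        if e["outcome"] == "declined":
            d = declines[(e["user"], agent, e["merchant"])]
            d.append(ts)
            while d[0] <= ts - WINDOW_S:
                d.popleft()
            if len(d) >= MAX_DECLINES:
                flag(agent, "decline_retries")
    return dict(suspend)

FIELDS = ("ts", "user", "agent", "merchant", "op", "outcome")
ROWS = [  # constructed sample events, not real data
    (0, "u1", "agent-A", "m1", "purchase", "approved"),
    (30, "u1", "agent-A", "m1", "purchase", "approved"),
    (100, "u2", "agent-B", "m2", "purchase", "declined"),
    (102, "u2", "agent-B", "m2", "purchase", "declined"),
    (104, "u2", "agent-B", "m2", "purchase", "declined"),
    (200, "u3", "agent-C", "m3", "refund", "approved"),
]
SCOPES = {a: {"purchase"} for a in ("agent-A", "agent-B", "agent-C")}
EVENTS = [dict(zip(FIELDS, r)) for r in ROWS]
print(evaluate(EVENTS, SCOPES))
```

In the sample, agent-A stays within limits, agent-B is flagged for three declines in four seconds at one merchant, and agent-C is flagged for a refund outside its purchase-only scope.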