The standard that Google, Mastercard, Visa, and most of the rest of the payments industry point to as the mechanism for AI spending agents has a gap at its center: it tells you what happened after a transaction, but it does not stop the transaction if authorization is absent or exceeded.
Google's Agent Payments Protocol, version 0.2 — the spec that three of the world's largest payment networks have now donated to the FIDO Alliance for standardization — defines "Human Not Present" authorization as an opt-in labeling scheme, not a protocol-level enforcement mechanism. It is a flag that records an agent-initiated transaction after the money has moved (a post-event label, not a pre-event gate), according to Google's developer blog.
Mastercard's competing framework handles this differently. Its Agent Pay system issues tokens scoped to each AI agent at issuance time, with the scope-violation decision enforced at the Mastercard network layer — not at the issuer, not at the merchant, not at the agent developer. When an agent builds a purchase cart, Mastercard's Verifiable Intent system checks whether the cart contents are semantically consistent with the original stated intent. A luxury watch added to a camping supplies order gets flagged or blocked, according to Stellagent's technical analysis. This is enforcement, not labeling.
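The difference between a post-event label and a pre-event gate, as an added Python example that is not from the article or from any of the protocols it describes, using the article's camping-order case. The `Mandate`, `Ledger` and `settle_*` names are hypothetical, and the category allow-list with a spending cap is a simplifying stand-in for a semantic intent check.

```python
from dataclasses import dataclass, field

# All names here are hypothetical; this models the idea, not AP2 or Agent Pay.
@dataclass(frozen=True)
class Mandate:
    agent_id: str
    intent: str
    allowed_categories: frozenset
    max_total_cents: int

@dataclass
class Ledger:
    moved_cents: int = 0
    records: list = field(default_factory=list)

def scope_violations(mandate, cart):
    """Return human-readable reasons the cart falls outside the mandate."""
    reasons = [f"{name}: category '{cat}' not in intent scope"
               for name, cat, _ in cart if cat not in mandate.allowed_categories]
    total = sum(price for _, _, price in cart)
    if total > mandate.max_total_cents:
        reasons.append(f"total {total} exceeds cap {mandate.max_total_cents}")
    return reasons

def settle_label_only(mandate, cart, ledger):
    """Post-event label: funds move first, the record is annotated afterwards."""
    ledger.moved_cents += sum(price for _, _, price in cart)
    ledger.records.append({"agent": mandate.agent_id, "human_not_present": True,
                           "violations": scope_violations(mandate, cart)})
    return True

def settle_gated(mandate, cart, ledger):
    """Pre-event gate: scope is checked before any funds move; fail closed."""
    reasons = scope_violations(mandate, cart)
    if reasons:
        ledger.records.append({"agent": mandate.agent_id, "declined": reasons})
        return False
    ledger.moved_cents += sum(price for _, _, price in cart)
    ledger.records.append({"agent": mandate.agent_id, "human_not_present": True})
    return True

# Constructed sample data: a camping order with an out-of-scope luxury watch.
MANDATE = Mandate("agent-001", "camping supplies", frozenset({"outdoor"}), 50_000)
CART = [("tent", "outdoor", 19_900), ("stove", "outdoor", 6_500),
        ("luxury watch", "jewelry", 450_000)]

if __name__ == "__main__":
    for settle in (settle_label_only, settle_gated):
        ledger = Ledger()
        print(settle.__name__, settle(MANDATE, CART, ledger), ledger.moved_cents)
```

Both paths compute the same violations; only the gated path uses them to decide before the ledger changes, which is the property an auditor would test for.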
The EU AI Act's Article 26 deployer obligations (human oversight, audit logs, continuous monitoring for autonomous AI decisions including spending) take effect August 2, 2026, with fines up to 3% of global turnover, according to Custena's landscape analysis. Any company deploying spending agents in Europe must pick a protocol and demonstrate compliance before the technical landscape has settled on what "secure" actually means at the enforcement layer. The companies that move first on compliance will effectively pick the winners by default.
On April 2, the x402 Foundation launched under the Linux Foundation with Visa, Mastercard, American Express, Stripe, Google, AWS, Microsoft, Cloudflare, Coinbase, and Shopify as founding members. These are the same companies that spent the previous six months launching incompatible payment protocols, each letting AI agents spend money in a different language, none of them talking to each other. Now they are building the interoperability layer that ties those protocols together. The arsonists are offering to sell you a fire truck.
Visa is running a more independent race. Its Trusted Agent Protocol verifies agent identity at the network edge — a different question than either Google or Mastercard is asking. Structurally, Google and Mastercard are closer design cousins: both organize around an intent artifact that the agent commits to before spending, and both have now donated their specs to the same FIDO working groups. Visa's translation gap to that shared layer is wider.
What to watch next is not the technology (the specs exist, the working groups are formed, the founding members of the bridge layer represent most of the capital that matters). What to watch is whether the opt-in labeling in specs like AP2 gets upgraded to hard enforcement before the feral commerce scenario arrives at scale. The EU compliance deadline creates a forcing function the industry has not yet satisfied. The answer to who controls the layer underneath AI spending will be decided by which company successfully argues its protocol meets the August deadline, and it will be decided by August, not by press release.