My teenage son doesn't have a credit card. But his AI agent does.
That sentence felt absurd when I first typed it for a LinkedIn post this week. Then I sat with it for a moment and realized it is not absurd at all. It is simply the next logical step in a chain of events that has been unfolding in plain sight for the last eighteen months. We have been building the infrastructure for autonomous machine payments, and now that infrastructure is live, issuing cards, processing transactions, and moving money on behalf of agents that answer to no one in real time.
On May 27th, Robinhood launched what it calls Agentic Trading and an Agentic Credit Card. Connect your AI agent to Robinhood's banking MCP server and it can trade stocks and make credit card purchases on your behalf. You set a monthly spending limit. You can require manual approval for each transaction, or you can leave the agent to spend freely up to the cap. The virtual card is isolated from your primary account. You earn 3% cash back. At launch it is available to Robinhood Gold cardholders, with Platinum users to follow (Fortune, May 2026).
That is a thoughtfully designed product. The controls are real. And yet, sitting here with my risk manager's instincts firing on all cylinders, I cannot stop thinking about what comes next. Not with Robinhood specifically. With the broader ecosystem that is forming around it.
How We Got Here: The Rise of Machine-to-Machine Payments
Agentic payments did not begin with Robinhood's announcement. The infrastructure has been building for over a year, largely out of the mainstream financial press's field of vision.
In September 2025, Coinbase and Cloudflare co-founded the x402 Foundation to develop an open standard for internet-native payments. The name comes from HTTP status code 402, "Payment Required," a code that has existed in the internet specification since 1991 but was never formally implemented. The x402 protocol gives it a purpose: when an AI agent requests a resource that costs money, the server responds with a 402 and embeds payment instructions. The agent reads them, signs a stablecoin transaction, and retries. The entire cycle completes in seconds with no login, no human intervention, and on-chain settlement (Coinbase Developer Platform, 2026). As of early 2026, x402 had processed over 119 million transactions on Base and 35 million on Solana, running at roughly $600 million in annualized volume with zero protocol fees.
Then on March 18, 2026, Stripe and Tempo co-launched the Machine Payments Protocol alongside the Tempo mainnet, a payments-focused blockchain built with Paradigm. The Machine Payments Protocol introduces a "sessions" primitive that lets an agent authorize a spending limit upfront and stream micropayments continuously against a stablecoin balance, without a separate on-chain transaction per interaction. Over 100 services adopted it at launch, including Anthropic, OpenAI, Shopify, Alchemy, and Dune Analytics (Fortune, March 2026). Visa and Lightspark subsequently extended the protocol to support card payments and Bitcoin Lightning respectively.
These are not pilot programs. They are production infrastructure, absorbing real transaction volume, and Robinhood's move is the consumer layer sitting on top of them.
I have written before about AI agents already transacting in crypto and what that means for TradFi compliance teams. What has changed since then is the pace. The question is no longer whether agentic payments will become mainstream. It is whether the risk frameworks will be in place before the first major incident.
The Numbers Behind the Ecosystem
A Keyrock report published this month provides the clearest quantitative picture of where agentic payments are right now (CoinDesk, May 2026).
Over the past year, AI agents settled more than $73 million across 176 million on-chain transactions. The average transaction size was between $0.31 and $0.48. More than 104,000 autonomous AI agents had registered across over 15 different directories by Q1 2026.
Crucially, 76% of those transactions fell below the $0.30 fixed-fee floor that card networks apply to every payment. This is not a rounding error. It is a structural incompatibility. The card rails that process most of the world's consumer payments were designed around human purchasing behavior, where a $0.05 fee on a $50 transaction is invisible. When machines pay each other fractions of a cent for API calls, data access, and compute cycles, card economics do not work. Crypto rails do.
That mismatch is exactly why Coinbase, Stripe, Visa, and Google are all building new infrastructure for machine-to-machine payments simultaneously. They can see the volume numbers and they can see what the existing fee structures cannot accommodate.
The concentration figure, however, is the one that should be in every risk committee presentation. 98.6% of all agent payment volume currently settles in USDC, Circle's dollar-pegged stablecoin. One issuer. One redemption desk. One reserve management policy. One regulatory relationship. For now, that reflects Circle's compliance record and its MiCA clearance for EEA distribution. But as I have noted before when examining infrastructure concentration in cross-chain bridges, single points of reliance in payment infrastructure tend to look fine until the day they do not.
The 98.6% Problem
The USDC concentration deserves more attention than it is getting.
Circle has earned its dominant position. It completed MiCA licensing in the EU, maintains transparent reserves, and has built the institutional relationships that alternative issuers have not. In that context, 98.6% market share in a nascent payment category is a reasonable outcome of being the most compliant option available.
But Keyrock explicitly flags this as a systemic risk. If Circle faces a regulatory challenge in a major jurisdiction, a de-peg event, or a technical outage, the agent payments ecosystem currently has no functional fallback. The agents themselves cannot switch stablecoins mid-transaction based on a programmatic risk signal. The sessions protocols, the spending limits, the monthly caps: none of them address what happens when the underlying settlement layer is unavailable.
This is a different kind of concentration risk from the ones risk managers are used to modeling. It is not a counterparty credit risk in the traditional sense. It is a critical infrastructure dependency baked into the payment layer of an emerging technology stack, before anyone has formally decided that is acceptable.
The IMF published a note on exactly this category of risk in April 2026. "How Agentic AI Will Reshape Payments" identifies concentration risk as one of three primary concerns, alongside liquidity and volatility effects at scale, and data and operational vulnerabilities (IMF Notes, Vol. 2026, Issue 004). The note uses a three-layer framework of intent, authorization, and settlement to map where agentic capabilities create value and where they introduce systemic exposure. The settlement layer is where the concentration risk sits. The note concludes that outcomes depend on institutional design and governance as much as technology, which is the IMF's measured way of saying: the industry needs to do the work before the regulators are forced to.
The Authorization Gap: Who Is Liable When the Agent Misfires?
Here is the question I keep returning to, and I want to be precise about why it is genuinely hard.
When I authorize Robinhood's agentic card, I am authorizing the agent to act on my behalf within a set of parameters I have defined. Monthly cap, approval requirement: on or off. That is the extent of the control surface at launch.
But authorization in payment law has historically assumed human intent at the point of transaction. The Electronic Funds Transfer Act in the US and PSD2 in the EU both define unauthorized transactions by reference to whether a person approved them. Neither framework was designed for a world where a software agent, acting on a general mandate from a human days or weeks ago, decides autonomously to purchase something the human would not have chosen.
Clifford Chance published an analysis of this gap in February 2026, arguing that existing contracts do not adequately address the liability question for agentic AI. "When an agent exceeds the scope of its initial mandate or interprets its instructions incorrectly, it remains unclear who bears liability," they write (Clifford Chance, February 2026). The deploying organization, meaning the human who set up the agent, generally carries the heaviest load under current frameworks. But that has never been tested in the context of an autonomous agent making purchases on a consumer credit card.
In my earlier career, I sat on bank committees reviewing incidents that happened overnight when no one was watching. The post-mortems were always the same: the system behaved exactly as designed. The design just hadn't anticipated that scenario. The liability question was never really about whether the system malfunctioned. It was about whether the scope of the original authorization covered what the system actually did. Those conversations were hard enough when we were talking about automated trading algorithms operating within tightly defined parameters. Agentic AI operating across arbitrary purchasing categories, with natural language as the instruction interface, is a different order of complexity.
A compliance officer managing KYC-AML obligations would face a genuine problem here: if an agent transacts on behalf of a customer in a pattern that triggers a suspicious activity report, who is the responsible party? The customer who authorized the agent? The platform that issued the wallet? The developer who built the agent? No regulator has answered this yet.
The Card Schemes Are Not Ready to Absorb This
One data point from the industry that I think is underreported: at ChargebackX 2025, a payments industry conference, multiple participants noted that the major card networks have explicitly stated they will not absorb liability for agent-initiated transactions they did not directly authorize. Legal teams at financial institutions are refusing to green-light agent-initiated payments at scale until a liability framework exists.
This is significant. It means that the institutional adoption of agentic payments, which everyone in the industry wants to accelerate, is blocked not by technology readiness but by legal uncertainty. The rails are built. The volumes are growing. The frameworks are not there.
Robinhood's Agentic Credit Card threads this needle for the consumer case by keeping the virtual card completely isolated from the user's primary account, restricting agent access to that card only, and giving users the ability to delete the virtual card at any time. Those controls are sensible. But they transfer the liability question rather than resolve it. They tell you what happens when the agent spends up to the cap. They do not tell you what happens when the agent is compromised, when it is manipulated by a malicious API response, or when it takes a sequence of individually authorized actions that collectively constitute fraud.
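The gap between a cap and a scope can be made concrete with a policy gate that the agent runs on every 402 payment demand before it signs anything. This is an added example, not code from the original post or from Robinhood, x402 or MPP. The `Mandate` fields, the demand dictionaries and the `.example` payees are constructed for illustration and are not the x402 wire format.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

@dataclass
class Mandate:
    """What the human actually authorized (all field names are hypothetical)."""
    monthly_cap: Decimal
    approval_above: Decimal        # single payments above this need a human
    allowed_payees: frozenset      # scope: who the agent may pay at all
    max_payments_per_hour: int     # velocity limit on small payments
    spent: Decimal = Decimal("0")
    recent: list = field(default_factory=list)  # timestamps of settled payments

def decide(m: Mandate, demand: dict, now: float) -> str:
    """Return 'pay', 'ask_human' or 'refuse' for one payment demand."""
    try:
        amount = Decimal(str(demand["amount"]))  # exact decimal, never float
        payee = demand["payee"]
    except (KeyError, InvalidOperation):
        return "refuse"                          # malformed demand
    if not amount.is_finite() or amount <= 0 or payee not in m.allowed_payees:
        return "refuse"                          # outside scope, whatever the cap says
    if m.spent + amount > m.monthly_cap:
        return "refuse"
    m.recent = [t for t in m.recent if now - t < 3600]
    if len(m.recent) >= m.max_payments_per_hour:
        return "ask_human"                       # each payment is fine, the sequence is not
    if amount > m.approval_above:
        return "ask_human"
    m.spent += amount                            # record only what the agent settles itself
    m.recent.append(now)
    return "pay"

def run_constructed_scenario() -> list:
    m = Mandate(Decimal("50"), Decimal("5"), frozenset({"api.weather.example"}), 3)
    demands = [  # constructed sample demands, not real x402 messages
        {"payee": "api.weather.example", "amount": "0.31"},
        {"payee": "api.weather.example", "amount": "0.48"},
        {"payee": "unknown-payee.example", "amount": "0.30"},  # payee never authorized
        {"payee": "api.weather.example", "amount": "12.00"},
        {"payee": "api.weather.example", "amount": "0.31"},
        {"payee": "api.weather.example", "amount": "0.31"},
    ]
    return [decide(m, d, now=1000.0 + i) for i, d in enumerate(demands)]

if __name__ == "__main__":
    print(run_constructed_scenario())
```

A cap-only mandate would have paid the third demand, because $0.30 is far below any monthly limit; only the payee scope and the hourly velocity check stop it and the sixth one.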
Steelmanning the Guardrails
It is worth pausing to take the opposing view seriously, because the case for optimism is not trivial.
The spending caps, manual approval toggles, and virtual card isolation that Robinhood has built are meaningfully more restrictive than the controls most people apply to their physical cards. The average consumer has no per-transaction approval requirement on their credit card. They have a credit limit they often cannot recite from memory. They receive a fraud alert after the fact, not before.
Robinhood's agentic card requires a monthly limit to be set. It can require human approval for every transaction. It is isolated from the primary account. From a pure control architecture perspective, this is arguably better than the status quo for many consumer payment credentials.
The x402 and MPP protocols are also more sophisticated than first-generation blockchain payment systems. The Machine Payments Protocol is lifecycle-aware: subscriptions, streaming charges, cancellations, and balance reconciliation are first-class primitives. Stripe's existing merchant fraud and dispute machinery sits behind MPP endpoints. These are not unguarded pipes.
The honest uncertainty, which I am sitting with rather than resolving, is whether these controls will scale to a world where millions of agents are making millions of transactions per hour across dozens of protocols. The controls work well when a human checks in regularly and the agent operates within a predictable domain. They have not been stress-tested against a well-funded adversary specifically targeting the authorization gap.
What Risk Managers, Compliance Teams, and Institutions Need to Watch
For practitioners in financial services, here is my read on what matters over the next 12 to 18 months.
For risk managers, the immediate priority is the USDC concentration question. Any institution that is building agentic payment capabilities needs a documented contingency for what happens if Circle faces a material disruption. That is not a prediction that Circle will fail. It is the same kind of scenario planning that any responsible treasury function would do for a counterparty of this systemic importance. The fact that most agentic payment roadmaps I have reviewed do not include this contingency is a gap.
The second priority is the authorization scope definition. Before any agentic payment capability goes live at an institution, the legal and compliance teams need a written answer to the question: "What transactions are within scope of this agent's authorization, and who bears liability for transactions outside that scope?" That answer does not currently exist in regulation. It needs to exist in contract before the product launches.
For compliance teams, the KYC-AML dimension of agentic payments is arriving faster than the guidance. When an AI agent transacts on a customer's behalf, the customer's AML obligations do not disappear. But the surveillance and monitoring systems that compliance teams use were designed to detect patterns in human-initiated transactions. A compliance officer managing cross-border flows would find that the transaction velocity, size distribution, and counterparty profiles of agentic payments look nothing like the behavioral baselines their systems were trained on. Updating those baselines is not a small project.
For institutional investors and treasury functions considering agentic payment capabilities, the questions I would want answered before sign-off are: What is the settlement finality guarantee? What is the dispute resolution mechanism for agent-initiated transactions? How does the institution's cyber insurance policy treat losses from autonomous agent activity? None of these have standard market answers yet.
For policy makers, the clock is running. The EU AI Act, the GENIUS Act in the US, and MiCA's ongoing review process all touch adjacent territory without directly addressing machine-to-machine payment liability. The IMF note from April is a useful reference point: the Fund is already treating this as a financial stability question, not just a technology governance question. Regulators who want to set frameworks rather than respond to incidents have a narrow window.
The Honest Bottom Line
We are, as I said in my original post, shipping the wallets first and asking the legal questions later. That is not unique to this technology. It is how most consumer technology adoption has worked for the last thirty years. The internet did not wait for a comprehensive cyber liability framework before going mainstream. Neither did mobile payments.
But the financial system is different in one important respect. It is deeply interconnected, and failures in payment infrastructure do not stay contained. The 2008 crisis was partly a story about how risk was distributed through the financial system in ways that nobody had fully mapped. I am not drawing a direct parallel. I am noting that "we built the thing before we fully understood the failure modes" is a sentence with a mixed track record in finance.
My son will eventually get a credit card. When he does, I will have a conversation with him about what authorization means. About the difference between "I said you could spend money at the grocery store" and "I said you could spend money," and why that distinction matters at 3am when nobody is watching.
That conversation is exactly what the agentic payments industry needs to have right now, at scale, before the first major incident forces it.
Are spending caps enough? I genuinely do not know. But I am watching the authorization layer more carefully than anything else.
Further Reading
- AI Agents Are Already Transacting in Crypto. TradFi Has No Framework for What Comes Next. — the earlier piece on how machine-to-machine crypto payments arrived before compliance teams had time to prepare
- Cross-Chain Bridges: The CDOs of DeFi — why concentrated infrastructure in crypto payment rails carries systemic risk that looks familiar from 2008