Editorial

Authorization Before Autonomy: A Governance Model for Agentic Commerce

5 MINUTE READ | AI Ethics Law Risk | Jun 25, 2026
By Nixalkumar Patel
As AI agents move from recommendations to execution, enterprises need controls for identity, permissions, context, auditing and rollback.

Key Takeaways

  • Human approval alone is no longer enough to govern agentic AI.
  • AI agents create risk across tools, memory, sessions and workflows.
  • Commerce environments raise the stakes because agents may touch live business systems.
  • Enterprises need enforceable authorization before expanding agent autonomy.

Human-in-the-loop has become one of the most familiar safety phrases in enterprise AI.

The model is easy to understand: let AI assist, recommend or prepare an action, but require a person to approve the final step. For traditional automation, that checkpoint often made sense. A workflow reached a decision point. A human reviewed the output. The system proceeded or stopped.

Agentic AI breaks that simplicity.

AI Agents Introduce New Risks

An AI agent does not merely produce an answer. It may interpret a goal, retrieve context, call tools, delegate to other agents, update memory, interact with external systems and complete a multi-step task across several applications. In that environment, the risk may not be visible at the final approval screen. It may be distributed across the session.

That is why human approval is useful, but no longer sufficient as the primary safety model.

This matters urgently for digital commerce. Commerce is not a harmless sandbox for agents. It is a dense transaction environment where AI systems may eventually touch pricing, inventory, account access, promotions, product eligibility, refunds, returns, order edits, fulfillment routing, delivery promises and customer communications.

A single bad action can create financial loss, customer harm, compliance exposure or operational failure.

The next maturity layer is not more approval pop-ups. It is enforceable authorization before autonomy.

Related Article: The Blast Radius of Agentic Ops: Why Autonomous AI Needs Zero-Trust Guardrails

Why Human Approval Alone Fails

Microsoft’s AI Red Team recently updated its taxonomy of failure modes in agentic AI systems based on 12 months of red-team engagements against deployed agentic systems. The update adds failure categories including goal hijacking, inter-agent trust escalation, session context contamination, MCP/plugin abuse, capability disclosure and computer-use-agent attacks.

The important lesson for AI leaders, enterprise architects and commerce technology teams is not simply that agents can be attacked. That is expected. The deeper lesson is that agentic risk can unfold across memory, tools, sessions and delegation chains.

The report also identified human-in-the-loop bypass as a consistently exploited failure mode, including zero-click chains that began with external input and reached high-impact outcomes. That finding challenges a common enterprise assumption: that final-step human approval is enough.

In agentic commerce, an approval screen can be misleading. If an agent constructs the approval request, summarizes its own intent or decomposes a risky action into individually reasonable steps, the reviewer may never see the compound risk.

A person may approve a refund, not realizing that earlier context was poisoned. A merchandiser may approve a pricing update, not realizing the agent inferred the wrong eligibility rule from untrusted content. A support supervisor may approve an account change, not realizing the agent has been guided through a goal-hijacking path.

The failure is not that a human was absent. The failure is that the control point was too narrow.

Why Commerce Expands the Blast Radius

Most commerce systems were not designed for autonomous AI actors.

They were designed for humans, APIs, scheduled jobs, role-based admin users and deterministic workflows. Even when automation existed, its behavior was usually bounded by a fixed process. Agentic systems are different because they reason through ambiguity, choose tools dynamically and carry context across steps.

That creates a new class of enterprise risk.

In a support environment, a misdirected agent may produce a bad answer. In an agentic commerce environment, the same agent may take action against live business systems.

A pricing agent may modify discounts or eligibility rules. An inventory agent may expose inaccurate availability. An order agent may cancel, edit or reroute transactions. A fulfillment agent may change delivery commitments. A refund agent may approve exceptions outside policy.

Each action may look small in isolation. Together, they can change revenue, trust and operational execution. That is why agentic commerce requires controls that span the full workflow, not just the final decision.

Adaptive Agents Make Boundaries Non-Negotiable

Recent research from the University of Toronto and its collaborators explores how AI agents can generate tailored strategies for different targets, adapt to changing environments and propagate across systems by reasoning through available vulnerabilities and tools.

The lesson for enterprise AI architecture is not that a customer-service agent will literally become a worm. That would be the wrong interpretation. The lesson is that autonomous systems can adapt to their environment.

Once an agentic system can reason about targets, synthesize actions and adjust behavior across contexts, enterprises must treat boundaries as first-class architecture. Boundaries between agents. Boundaries between tools. Boundaries between sessions. Boundaries between read-only access and executable actions. Boundaries between recommendation and transaction execution.

A misdirected support agent should not be able to become a pricing agent. A product-discovery agent should not be able to approve a refund. A fulfillment agent should not be able to change account credentials. A recommendation agent should not be able to override eligibility, tax, fraud or compliance controls.


The enterprise needs an authorization model that makes those boundaries explicit and enforceable.

Related Article: AI Governance Isn’t Slowing You Down — It’s How You Win

The Agentic Commerce Authorization Model

An authorization model defines what agents can access, what they can do, when they must stop, how their behavior is monitored and how their actions can be reviewed or reversed.

For agentic commerce, that model should include five layers.

1. Identity and role verification
   Core question: Which agent, user or sub-agent is acting, and can its identity be independently verified?
   Commerce example: A support agent cannot claim pricing-agent authority simply because it is participating in the same workflow.

2. Tool and permission boundaries
   Core question: Which systems can the agent access, and which actions can it execute?
   Commerce example: An agent may read order status but cannot approve refunds, edit payment terms or change delivery commitments without additional controls.

3. Session-level monitoring
   Core question: Is the overall session becoming risky even if individual steps look normal?
   Commerce example: A conversation gradually shifts from order inquiry to account reset to refund exception.

4. Workflow-level evaluation pipelines
   Core question: Has the full task flow been tested under adversarial, ambiguous and edge-case conditions?
   Commerce example: A return workflow is evaluated for eligibility validation, escalation quality and downstream system impact, not just answer accuracy.

5. Rollback, auditability and ownership
   Core question: Can the enterprise trace, reverse and assign accountability for agent actions?
   Commerce example: If an agent changes a delivery promise or approves a refund, the business can reconstruct the reasoning path and correct the outcome.

This is not a theoretical architecture exercise. It is the minimum operating model for agentic commerce at scale.

From Approval Thinking to Governed Execution

Human-in-the-loop is not obsolete. It is incomplete.

Humans still matter. They should review high-impact exceptions, shape policy, supervise edge cases, evaluate drift and own customer outcomes. But they cannot be the only control in an agentic workflow that spans memory, tools, sessions, APIs and delegated agents.

The enterprise architecture must shift from approval thinking to governed execution.

Approval thinking asks: did a human approve this step?

Governed execution asks:

  • Was the agent’s identity verified?
  • Were its permissions appropriate?
  • Was the tool call allowed?
  • Was the session context trustworthy?
  • Was the full workflow evaluated?
  • Was the action reversible?
  • Was the outcome auditable?
  • Was ownership clear?

That is the execution model agentic commerce needs.
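To make the five authorization layers above and the governed-execution questions concrete, here is an added Python illustration that is not from the article or any vendor product: a minimal policy gate that every agent tool call must pass before execution. The agent identities, roles, allow-lists, risk weights, HMAC credential and the scripted scenario are all constructed for the example; a real deployment would source identities and permissions from its own registry and secret store.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo key. In practice each agent identity holds its own key in a secret store.
SIGNING_KEY = b"constructed-demo-signing-key"

# Layer 1: identity registry (constructed agent IDs and roles).
AGENT_ROLES = {"support-agent-01": "support", "pricing-agent-07": "pricing"}

# Layer 2: explicit (tool, action) allow-list per role. Anything not listed is denied.
PERMISSIONS = {
    "support": {("orders", "read"), ("orders", "edit_address"), ("refunds", "issue_in_policy")},
    "pricing": {("catalog", "read"), ("catalog", "update_price")},
}

# Layer 3: risk weight per action. A session is halted once cumulative risk crosses the
# limit, even when every individual step was permitted on its own.
ACTION_RISK = {("orders", "read"): 0, ("orders", "edit_address"): 2,
               ("refunds", "issue_in_policy"): 3, ("catalog", "update_price"): 3}
SESSION_RISK_LIMIT = 4

# Layer 5: compensating action recorded for every reversible write.
COMPENSATIONS = {("orders", "edit_address"): ("orders", "restore_address"),
                 ("refunds", "issue_in_policy"): ("refunds", "void"),
                 ("catalog", "update_price"): ("catalog", "restore_price")}


def issue_token(agent_id: str, nonce: str) -> str:
    """Constructed agent credential: HMAC-SHA256 over the agent id and a per-call nonce."""
    return hmac.new(SIGNING_KEY, f"{agent_id}|{nonce}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Session:
    session_id: str
    risk: int = 0
    audit: list = field(default_factory=list)  # every decision is logged, allowed or not


def authorize(session, agent_id, token, nonce, tool, action):
    """Gate one tool call. Returns (allowed, reason) and appends an audit record either way."""
    def record(allowed, reason):
        session.audit.append({"session": session.session_id, "agent": agent_id,
                              "tool": tool, "action": action, "allowed": allowed,
                              "reason": reason,
                              "undo": COMPENSATIONS.get((tool, action)) if allowed else None})
        return allowed, reason

    role = AGENT_ROLES.get(agent_id)                       # layer 1: who is acting?
    if role is None or not hmac.compare_digest(token, issue_token(agent_id, nonce)):
        return record(False, "identity not verified")
    if (tool, action) not in PERMISSIONS[role]:            # layer 2: is this call allowed?
        return record(False, f"role '{role}' may not {action} on {tool}")
    risk = ACTION_RISK.get((tool, action), 1)              # layer 3: is the session drifting?
    if session.risk + risk > SESSION_RISK_LIMIT:
        return record(False, "session risk limit reached; escalate to human review")
    session.risk += risk
    return record(True, "allowed")


def rollback(session):
    """Layer 5: list compensating actions for allowed writes, newest first, and log the rollback."""
    undo = [r["undo"] for r in reversed(session.audit) if r.get("allowed") and r.get("undo")]
    session.audit.append({"session": session.session_id, "rollback": undo})
    return undo


def run_workflow(steps):
    """Layer 4: drive a scripted (agent, tool, action) scenario through the gate."""
    session = Session("sess-constructed-1")
    results = []
    for agent_id, tool, action in steps:
        nonce = f"n{len(results)}"
        results.append(authorize(session, agent_id, issue_token(agent_id, nonce), nonce, tool, action))
    return session, results


if __name__ == "__main__":
    # The table's "order inquiry -> account change -> refund exception" drift, then a role breach.
    session, results = run_workflow([
        ("support-agent-01", "orders", "read"),
        ("support-agent-01", "orders", "edit_address"),
        ("support-agent-01", "refunds", "issue_in_policy"),
        ("support-agent-01", "catalog", "update_price"),
    ])
    for r in results:
        print(r)
    print("rollback:", rollback(session))
```

The scenario in the `__main__` block is the gradual-drift case from the table: the read and the address edit are each permitted, but the refund pushes cumulative session risk past the limit and is routed to human review, and the pricing call is refused on role grounds before risk is even considered. The audit list holds both the denials and the compensating actions, so `rollback` can reverse the one write that did happen.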

Related Article: Human-in-the-Loop Isn’t Optional in Agentic AI

The Future Depends on Trustworthy Architecture

AI agents will become part of commerce operations because the economic logic is too strong. They can reduce friction, improve service speed, personalize discovery, optimize workflows and help teams manage operational complexity.

But adoption will stall if enterprises cannot trust what agents do.

The winners will not be the companies that simply connect AI to every workflow first. The winners will be the companies that can safely govern agentic execution across complex transaction environments.

That means building authorization before expanding autonomy.

Human approval is a checkpoint. It is not an architecture. The architecture is identity, permissions, session context, workflow evaluation, auditability and rollback.

The next frontier of agentic commerce is not just smarter agents. It is governed execution.


Main image: Adobe Stock

About the Author

Nixalkumar Patel is a senior product and digital transformation leader specializing in enterprise omnichannel digital commerce transaction execution and orchestration across D2C, B2C and B2B/SMB channels, including AI-enabled governed conversational commerce. With more than 13 years of experience, his work focuses on building the governance, validation and orchestration layers that help enterprise transactions execute correctly, reliably and auditably across customer journeys, fulfillment ecosystems and core business systems.
