Trulioo Bets on a Digital Agent Passport to Keep Bots Honest at Checkout

Watch more: Need to Know: Trulioo

[contact-form-7]

A shopping journey that begins when a consumer hears about a product on a livestream and ends in a completed purchase without ever opening a browser is no longer a futuristic scenario. Agentic artificial intelligence (AI) makes it possible for software agents to fill a shopping cart, transfer funds, approve invoices and complete purchases in milliseconds. The capability is here, but for most merchants, these workflows remain opaque and unauditable.

PYMNTS Intelligence reports that nearly every enterprise‑level merchant is familiar with agentic AI, but just 15% are considering putting it to work. That number will not stay low for long. PYMNTS CEO Karen Webster calls agentic AI “perhaps the most significant change in how consumers and merchants engage in shopping behavior that we’ve seen in a very long time.”

As real‑world use cases emerge, conversations are shifting from what AI agents can do to how they can safely and reliably operate. Standards, interoperability and identity are quickly becoming the building blocks for adoption. Trulioo CEO Vicky Bindra tells Webster that identity is the key, and his company is investing in the technology and standards to support it.

“There’s still a lot of fear in how the system will operate and therefore some resistance to being proactive,” Bindra told Webster. “But we think we’ll reach a tipping point in three or four months as networks become more certain about things like liability shifts. Issuers will be more definite, merchants will be more comfortable.”

 

 

New Passports

Trulioo and PayOS recently published a white paper that advances the concept of Know Your Agent (KYA). Like KYC (Know Your Customer) and KYB (Know Your Business), KYA is designed to verify identities, but instead of vetting individuals or businesses, it applies these checks to AI‑driven software agents.

At the heart of the framework is a “Digital Agent Passport,” a tamper‑proof credential showing who built the agent, who it represents and what permissions it has.

The passport framework includes five key checkpoints: provenance, user binding, permission scope, real‑time behavior telemetry and continuous risk scoring. Together, these elements create a verifiable chain of trust that merchants, issuers and regulators can rely on at machine speed.

Governance at the Center

A critical part of the model is governance. The white paper proposes independent Digital Passport Authorities to issue, sign and revoke passports, just as a secure sockets layer (SSL) certificate authorities verify the authenticity of encrypted websites today. These authorities could be run by regulated identity providers, payment networks or industry consortia. The aim is a federated directory that ensures passports are interoperable across borders and marketplaces while keeping revocation lists current in real time.

Bindra reduced the problem to three simple questions: Is the agent tied to a real consumer? Who created the agent, and is that developer credible? And is the agent behaving as intended?

KYA is designed to answer all three in milliseconds so merchants can approve or reject a transaction with confidence.

In practice, KYA would combine Trulioo’s global identity graph and fraud detection signals with agent behavior monitoring. If an agent tries to exceed its approved spend, route payments through high‑risk geographies or act outside of authorized hours, its passport could be flagged or revoked instantly.

What’s in It for Merchants

For merchants, the payoff is clear. KYA creates tighter audit trails and fewer manual exceptions while protecting revenue. For FinTechs and retailers, it promises higher straight‑through processing without opening the door to fraudsters through an unguarded application programming interface. These controls are the guardrails merchants will need before they let generative AI bots anywhere near the checkout flow.

But adoption will not scale without common standards. Today, every digital passport that attests to an agent’s identity is essentially a one‑off.

“As long as the code is written clearly, and you can audit the trail across the parties, you don’t necessarily need the same standard — but you do need clarity of code,” Bindra said. Still, he conceded that a universal standard does not yet exist.

Trulioo is urging card networks, banks and large LLM providers to support a federated directory of “white‑list agents.” This would function much like SSL certificate authorities, giving merchants and issuers assurance that the agent’s payload was written, signed and last updated by a trusted source. Until that infrastructure exists, liability for fraud and chargebacks will remain a game of hot potato between issuers and merchants.

The Issuer Advantage

Bindra said he believes that banks have a natural advantage because they already enjoy consumer trust. He envisions a lightweight wallet — a thin software layer that travels with a card credential and spins up a bank‑issued agent on demand.

“If I know my card is attached to a really thin wallet, there is no friction,” he said.

Issuers do not have to build their own bots, but they must have confidence that any agent presenting their token has passed a KYA check and that the token itself has been properly vaulted. When these conditions are met, liability can shift cleanly from issuer to merchant without slowing an approval.

Winning over merchants, however, remains the bigger challenge. Bindra acknowledged that many worry about malicious automation and the potential for additional friction at checkout. But he also argued that the upside is real: bots can generate entirely new revenue streams by automating replenishment and acting as always‑on personal shoppers.

His advice is practical. “If I was a merchant, I never want to deny revenue,” he said. “Figure out a way you can do it securely. You don’t need to do it tomorrow. Spend the next 30 to 60 days doing two things: go to your acquirer and ask for a hosted page, or lean on your ISV (independent software vendor). There are many ways you can reduce risk without doing much more yourself.”

Bindra framed the choice as a fear‑of‑missing‑out issue. It is difficult to predict whether agentic commerce will drive 10% of a merchant’s revenue or 25%, but it will not be negligible.

Waiting for perfect standards means ceding sales to faster competitors. In categories like packaged goods and travel, where variables are limited, small businesses may move first by using agents to surface hyper‑local delivery and price transparency. Larger, fashion‑focused merchants may take a different approach, deploying their own branded shopper agents to maintain brand voice while they gain experience with bot‑to‑bot commerce.

Credit Scores for Software

Behind the scenes, KYA scores would function like credit scores for software. Merchants could decide which agents to trust by setting risk thresholds — automatically approving those above a certain score, approving mid‑range scores for low‑ticket transactions and rejecting high‑risk agents altogether. Each passport would carry cryptographic proof of the developer’s identity and a hash of the most recent code commit, giving merchants a real‑time view of the payload they are about to approve.

Monetizing the Point of Intent

Ultimately, Bindra believes the biggest prize is collapsing the gap between intent and purchase. Today, a consumer hears about a product on a livestream or podcast, then restarts the journey on a browser. Agentic commerce removes that friction.

“The point of intent is a very important part … That’s where agent tech commerce can make a dent,” he said. Travel bookings, bill payments and replenishable household goods will likely go first, with more subjective categories to follow as recommendation agents learn individual tastes and preferences.

Standards, liability rules and consumer education are still evolving. But Bindra believes confidence will come faster than most merchants expect.

“There has to be some ownership taken, either by issuers or merchants. The customer has to feel very confident at the start,” he told Webster. Once that confidence arrives, the bots will be ready to buy — and merchants that waited on the sidelines will risk watching their competitors cash in first.

The post Trulioo Bets on a Digital Agent Passport to Keep Bots Honest at Checkout appeared first on PYMNTS.com.