July 10, 2026
The Agent Can Pay Now. Nobody Has Decided Who's Liable.
Sometime this quarter, an AI agent somewhere in India will pay the wrong merchant, or the wrong amount, or at the wrong time, on behalf of a customer who was asleep. This is not a prediction of failure - it’s arithmetic. Agents have been paying on UPI rails since the Razorpay-NPCI pilot put ChatGPT checkout in front of users last October, and Claude joined in February with Zomato, Swiggy, and Zepto in the loop. Volume times error rate equals incident.
Here’s the question I’ve been asking payments people since those pilots launched: when it happens, who eats the loss? The customer who delegated? The AI company whose agent decided? The payment aggregator who executed? The bank that debited?
I have collected four different confident answers from four different institutions. That’s the problem. Not that nobody knows - that everybody “knows” differently, and no rule exists to settle it.
Meanwhile, this week brought news that NPCI is working on a Unified Agent Protocol - a registry and verification layer for AI agents transacting on UPI, pending RBI approval. It’s the right move, and the rest of this post is about what it needs to contain. Because India has spent two years building the mechanics of agentic payments faster than nearly anyone on earth, and roughly zero circulars on the accountability of them.
What AP2 Actually Solved
Start with the protocol everyone benchmarks against. When Google announced the Agent Payments Protocol last September with sixty-plus partners - Mastercard, American Express, PayPal, Adyen, Coinbase - most coverage read it as a shopping feature. It isn’t. AP2 is an accountability architecture that happens to move money.
The core of AP2 is the mandate chain: three cryptographically signed objects that travel with the transaction.
flowchart LR
U["USER"] -->|signs| IM["INTENT MANDATE<br/>What I authorize:<br/>limits, timing,<br/>rules of engagement"]
IM --> AG["AGENT<br/>shops, negotiates,<br/>assembles cart"]
AG --> CM["CART MANDATE<br/>Exactly what will be bought,<br/>at exactly what price -<br/>immutable"]
CM --> PM["PAYMENT MANDATE<br/>Links verified cart to<br/>payment method, visible<br/>to network and issuer"]
PM --> TX["TRANSACTION"]
style IM fill:#dbeafe,stroke:#3b82f6
style CM fill:#dbeafe,stroke:#3b82f6
style PM fill:#dbeafe,stroke:#3b82f6
An intent mandate records what the human actually authorized - price ceilings, categories, timing. A cart mandate freezes exactly what the agent is about to buy. A payment mandate ties the two to the instrument, and the whole chain is built from verifiable credentials, so each link answers a dispute question in advance: Was the agent authorized? Is this what the user agreed to? Who approved what, when? Google’s own framing is that the sequence creates a non-repudiable audit trail. A flight recorder, in other words - designed into the payment instead of bolted on after.
Two things happened since launch that tell you where this is going. In April, AP2’s v0.2 spec added “human not present” flows - protocol-official support for purchases with no human awake at the wheel. And American Express committed to covering erroneous purchases made by registered agents on its network. Read that twice: the liability protection attaches to registration. Identity first, then accountability, then - only then - autonomy. That’s the ordering the mandate chain encodes, and it’s the ordering India’s pilots have been running in reverse.
It’s worth saying that AP2 hasn’t “won” anything yet. Visa launched its Trusted Agent Protocol in October. Mastercard’s Agent Pay predates AP2 entirely. OpenAI and Stripe shipped the Agentic Commerce Protocol powering ChatGPT’s Instant Checkout. Four consortia, four rulebooks, real convergence pressure but no settled standard - which is precisely why the accountability pattern matters more than any single spec. Protocols will merge and die. The question each one exists to answer - who authorized this, who’s liable for it - won’t.
India Built the Rails First. As Usual.
Now the part the “India needs to respond to AP2” takes get wrong: on mechanics, India didn’t respond late. It moved early.
Two Years of Agentic Payments in India
This is the UPI playbook working exactly as designed: ship primitives, let the ecosystem compose them, standardize what sticks. Reserve Pay is arguably a better autonomous-spending primitive than anything in AP2 - the money is bounded before the agent acts, not disputed after.
But look at what’s carrying the load. UPI Circle was designed in 2024 for a human delegating to five other humans she personally knows, with limits sized for a teenager’s monthly spending. It is now the legal scaffolding under autonomous software making purchase decisions at machine speed. The delegation framework knows the instrument is delegated. It has no concept of what the delegate is - no agent identity, no signed intent, no immutable record of what the human actually authorized versus what the agent decided. We took rails built for trust between people and ran software over them, because the software fit the pipe.
The Vacuum, Precisely
I want to be exact about what’s missing, because “India has no agentic payments regulation” is both true and lazy. Here’s the state of play:
RBI’s FREE-AI report - the foundation of the Seven Sutras we’ve written about before - names accountability as a core principle and even flags autonomous agents as an emerging risk. It prescribes nothing about agent-initiated transactions. Payments Vision 2028, published in March, is full of AI for fraud detection and supervision - AI watching payments - and silent on AI making payments. The two-factor authentication regime that anchors Indian payments security assumes a human performing the factor; PIN-less agent checkout via Reserve Pay works around it in pilot, but “works around” is doing quiet, load-bearing work in that sentence. And no circular anywhere allocates liability when an agent errs - among the user, the AI provider, the aggregator, and the bank, every party can currently point at another with a straight face.
RBI Deputy Governor T. Rabi Sankar put the principle perfectly at GFF last October: “AI can inform decisions, but it cannot own them.” Correct - and incomplete. If the AI cannot own the decision, someone must. Two years into live pilots, no rule in India says who.
The Dispute Test
An agent buys the wrong thing. Which questions can each stack answer with evidence?
Notice the last row is amber even for AP2. Cryptographic non-repudiation is not liability allocation - a perfect audit trail tells you exactly what happened while the lawyers still argue about who pays. The protocols solved evidence. Nobody has fully solved consequences. Which means India isn’t actually behind a settled standard; it’s behind on a question the whole world is still answering. That’s a very different position. That’s a leapfrog position.
What UAP Has to Be
This is why the Unified Agent Protocol report is the most important payments news of the year, and why the details matter more than the announcement. A registry of verified agents is - regular readers will recognize this - Know Your Agent, implemented at network scale. It’s the identity layer we argued every enterprise needs, built into the rails themselves. NPCI is uniquely positioned to do this: the same central-network leverage that made UPI interoperable by fiat can make agent identity mandatory by fiat, something no Western consortium of competing card networks can impose.
But a registry alone is a phone book. For UAP to be India’s actual answer to AP2, it needs the rest of the accountability stack:
Signed intent, not just verified identity. Knowing which agent paid doesn’t establish what the human authorized. UAP needs a mandate equivalent - a durable, signed record of the delegation’s scope that travels with each transaction. Reserve Pay already bounds amounts; bind intent the same way.
Autonomy tiers with different rules. An agent reordering groceries under a standing instruction and an agent negotiating a purchase it conceived are different risk classes. Registration should carry an autonomy level, and limits, review requirements, and liability defaults should scale with it - graded obligations, exactly the philosophy FREE-AI already endorses for AI more broadly.
Revocation at network speed. When a user withdraws delegation, or an agent’s provider ships a bad update, the kill has to propagate in seconds, network-wide - not per-app, not per-aggregator.
Decision evidence for disputes. UPI’s dispute resolution works because transactions are legible. Agent transactions are only legible if the reasoning is captured - what the agent was asked, what it saw, why it chose. The flight-recorder argument, now with money attached. Sahamati’s draft framework already asks for cryptographic audit records in the account aggregator context; UAP should demand no less.
Default liability allocation. The hard one, and the one that makes everything else worth doing. Follow the Amex signal: protection attaches to registration. Registered agent operating inside its mandate - provider and network absorb errors. Outside its mandate - the party that let it out. Unregistered agent - whoever deployed it, full stop. Write the defaults now, while volumes are small enough that nobody’s lobbying from a loss position.
And one thing UAP should not do: adopt a foreign consortium’s rulebook wholesale. Interoperate with AP2’s mandate structures at the edges - Indian users will transact with global agents, and Juspay already sits inside the AP2 tent - but the accountability rules for India’s payment rails should be written where the rails are governed. We’ve made the sovereignty argument before about models and data. It applies at least as strongly to the layer that decides who pays for software’s mistakes.
If You’re Piloting This, Don’t Wait for the Circular
A closing word for the banks, aggregators, and platforms already running agent-initiated payments: the absence of rules is not the absence of accountability. It’s uncollected accountability, and post-incident, it tends to get collected from whoever kept the worst records - “graded and tolerant supervision” under FREE-AI is explicitly reserved for institutions that can show their controls in good faith.
So build the evidence now. Register every agent that can move money, with an owner and an autonomy tier - don’t wait for UAP to make it mandatory. Capture every payment decision with its full reasoning context, because the first disputed agent transaction that reaches a regulator will be decided on whose records are better. And bound autonomy like you mean it: Reserve Pay bounds the rupees; your governance has to bound the intent.
Readers of this blog will recognize that as the same three-layer stack we’ve been arguing for all year - identity, evidence, oversight - pointed at the highest-stakes action an agent can take. This is what AgentOps and Orchestrate were built for, and why Vidhi tracks the regulatory surface as it moves: when the agent can spend, the registry, the flight recorder, and the autonomy envelope stop being governance hygiene and become the difference between a refunded customer and a supervisory finding.
India built the rails for agent payments in two years. The accountability layer is one protocol away - and it’s the layer that decides whether “the agent did it” ends in a refund or a courtroom.
Are agents already moving money in your stack? Let’s talk. AgentOps registers and bounds every agent before it spends; Orchestrate captures every decision it makes on the way. If you’re in BFSI, start with how we approach agent governance for financial services. When the rules arrive, you’ll already be compliant with them.