Trust, Identity, AI Risk and AI Assurance

Agentic commerce only works if the trust, identity, risk and assurance layer underneath it works. Most of that layer is being designed now. The companies that engage with it early, whether as commercial leaders, risk underwriters, AI assurance professionals, or operators, will help write the rules. The companies that wait until it is settled will be implementing decisions written by someone else.

Five clusters of work sit inside this territory.

Agent identity and authentication. KYA (Know Your Agent), agent credentials, FIDO Agentic Authentication, and the agent-to-merchant and agent-to-agent identity flows that decide which agents are authorised to act on whose behalf.

AI trust frameworks. Experian Agent Trust, the Visa Trusted Agent Protocol, Mastercard Verifiable Intent, network-level trust mechanisms, and the agent reputation systems forming alongside them.

AI risk and AI risk underwriting. Model risk, deployment risk, third-party AI risk, AI insurance, AI reinsurance, and the entry of Lloyd's of London, the major reinsurers, and captive insurers into AI exposure.

AI assurance. ISO/IEC 42001, NIST AI RMF, SOC for AI, audit-ready AI controls, and the third-party assurance firms entering this market.

AI governance with commercial consequence. Regulator activity, including the EU AI Act, US executive actions, the UK AI assurance roadmap, and Australia and New Zealand AI policy, where it changes what companies must do to remain in market.

Trust, identity and assurance and agentic commerce are tightly coupled. Treat them as two sides of the same shift: agentic commerce is the transaction layer, trust and identity and assurance is the safety and accountability layer. Andrew writes about both, with each informing the other.