Google has introduced the Agent Payments Protocol (AP2), an open framework developed with more than 60 payments and technology companies to support secure, agent-led transactions across platforms and payment methods.

Built to be used as an extension to Google’s earlier Agent2Agent (A2A) and Model Context Protocol (MCP) frameworks, AP2 is designed to be payment-agnostic, supporting credit cards, bank transfers, and cryptocurrencies. At its core, the protocol uses cryptographically signed “mandates” to establish trust in every transaction.

[ Related: Agentic AI – Ongoing news and insights ]

In real-time scenarios, users provide an Intent Mandate to guide an agent’s search and then approve a Cart Mandate to confirm the purchase details, Google said. For delegated tasks, a more detailed Intent Mandate allows the agent to act automatically under predefined conditions, ensuring transactions remain secure and auditable even without the user present.

Firms collaborating with Google on this include American Express, Coinbase, Etsy, Intuit, JCB, Mastercard, PayPal, Salesforce, ServiceNow, UnionPay International, etc.

Enterprise adoption hurdles

AP2 may be seen less as a product launch and more as an effort to define the rules for agent-driven commerce. By keeping it open, payment-agnostic, and securing the participation of major institutions, Google is aiming to bring both scale and legitimacy.

However, analysts note that legitimacy does not necessarily guarantee adoption.

“AP2’s promise will only be realized if it matches incumbents in the areas that matter most: compliance strength, dispute resolution, and operational reliability,” said Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research. “Companies like Stripe and PayPal did not build trust on design principles alone but on years of hard-won resilience in production. AP2’s open ethos feels reminiscent of Android’s network play, designed to build momentum through participation rather than enclosure.”

This may generate pull, but boards will ask harder questions: if an agent makes a misjudgment, who pays? Is it the enterprise, the merchant, or the issuer?

Until liability is clarified in regulations and contracts, CIOs may restrict AP2 to low-risk tasks such as renewals and consumables, while larger procurement remains with established providers.

Compliance and risk concerns

AP2’s main innovation is cryptographically signed mandates. By separating Intent, Cart and Payment records, the protocol creates a verifiable chain showing what actions an agent was authorized to take and what a merchant accepted.

“AP2’s dual-step approval flow maps well to SOX and PCI-DSS requirements where explicit user authorization must be provable,” said Pranati Dave, vice president at Everest Group. “Intent mandates reduce unauthorized ‘agent drift’, enabling fraud prevention.”

Still, analysts warn of gaps in dispute handling, jurisdictional compliance, identity fraud, and adversarial AI manipulation, particularly in cases where Google allows for fully automated purchases.

“Different jurisdictions vary in their recognition of digital signatures,” Gogia added. “Credential providers themselves become new points of failure and must be carefully vetted. And mandates, however secure, do not themselves resolve disputes or establish who carries liability when an agent acts outside its scope. For CIOs and CISOs, the best option may be to treat AP2 as an amplifier of existing compliance frameworks.”

Integration challenges also loom. Enterprises will need to translate AP2 events into ERP and procurement workflows and extend governance controls to AI agents.

“Middleware or API orchestration layers will be required to translate AP2 messages into ERP workflows,” Dave said. “Enterprises will need to extend identity governance (IGA) and privileged access frameworks to AI agents, ensuring AP2 mandates align with corporate role-based access controls.”

Enterprises will also need to consider how AP2 adoption affects their broader governance models, from contractual risk scoring to operational overhead.

“CIOs and CISOs should consider how the protocol integrates with legacy systems, key management, data model alignment, exposure of sensitive data to agents, and how the framework creates an audit trail for each transaction, along with the added security and compliance overheads,” said Neil Shah, VP for research at Counterpoint Research.