AI shopping agents are moving beyond product research toward browsing merchant sites and preparing purchases for consumers. For ecommerce businesses, that creates a specific problem: how to distinguish an authorized shopping agent from ordinary automation, malicious bots, and fraudulent traffic.
Experian's Agent Trust announcement is one attempt to address that problem. It is not a general governance standard for companies deploying internal or customer-service AI agents. It is part of an emerging, optional trust stack for agentic commerce.
What this means for your operation
Most midsize businesses do not need to adopt an agent identity framework today. Ecommerce operators expecting shopping-agent traffic should map one interaction and run a bounded pilot; everyone else can monitor platform support.
Relevant for- Digital commerce leaders
- Ecommerce technology teams
- Payments and fraud teams
What changed
Experian announced Agent Trust as a platform-agnostic framework for linking a verified consumer, the consumer's device, and an AI agent authorized to act for that person. Its proposed Human-to-Agent Binding capability would issue a trust token carrying identity and transaction-risk signals, while an Agent Registry would evaluate behavior and other risk signals over time.
The announcement names Visa, Cloudflare, and Skyfire as contributors to the broader ecosystem. They address different parts of a transaction rather than supplying one interchangeable product:
- Experian Agent Trust focuses on the connection between a verified consumer and the agent acting for that consumer.
- Skyfire KYA supplies signed identity and payment tokens that participating agents and services can exchange.
- Visa Trusted Agent Protocol helps participating merchants recognize approved commerce agents and understand whether an agent intends to browse or purchase.
- Cloudflare Web Bot Auth provides a signed-request mechanism that can help authenticate agent traffic at the network edge.
Together, these layers address trust in agent-driven shopping. They do not establish a universal identity standard for every AI agent a business might deploy.
The decision this creates
This development is most relevant to merchants, ecommerce platforms, payment providers, agent developers, and site-protection teams. It is not a reason to redesign identity management for every internal AI tool or customer-service assistant.
The immediate question for a merchant is not whether it must adopt Experian Agent Trust. The question is whether agent-driven browsing and purchasing are becoming relevant enough to justify preparation or a controlled pilot.
Earlier evaluation makes more sense when:
- Shopping agents already account for meaningful product, search, or checkout traffic.
- Existing bot controls may block legitimate agents along with unwanted automation.
- Agents need inventory, pricing, shipping, loyalty, or account-specific information.
- The business expects agents to prepare or complete purchases for customers.
- Existing ecommerce, payment, fraud, or edge-security providers are adding support for these protocols.
A business with little exposure to shopping-agent traffic can monitor the market without adopting a new framework today.
What to check next
A useful pilot should answer one narrow question: can the merchant recognize an approved shopping agent and safely permit a defined browsing or payment interaction?
Before testing, digital-commerce leaders should identify:
- Where agent traffic enters. Map whether agents reach public product pages, storefront APIs, inventory services, account data, or checkout.
- Who verifies the request. Decide whether signed requests will be validated in the application, by a CDN or edge provider, or by another site-protection service.
- What recognition permits. A recognized agent should not automatically receive unrestricted access. Separate catalog browsing, personalized information, account activity, and payment permissions.
- How consumer authorization is evaluated. Agent recognition and consumer authorization are related but different questions. Define the evidence needed for each interaction.
- How failure is handled. Decide whether an unverified request is blocked, routed through the normal storefront, or allowed with reduced access.
Trusted-agent signals should complement existing fraud, checkout, and authorization controls rather than automatically replace them.
What to watch
These technologies remain vendor-led and are still evolving. Watch for support from the ecommerce, payment, fraud, and edge-security platforms already in your architecture; clearer interoperability between protocols; and practical guidance about the identity data merchants receive and retain.
Agent identity for commerce is becoming an important capability to watch. It is not yet a universal production requirement, and Experian Agent Trust is one part of the emerging ecosystem—not the framework through which every company must deploy its own AI agents.