Gravitee surveyed 900 executives and practitioners for its State of AI Agent Security 2026 report and found three million AI agents active across US and UK enterprises. Nearly half — 1.5 million — are running without any security oversight, identity management, or audit logging. That's a workforce larger than Walmart operating with no badge, no background check, and no one watching.
The gap between deployment speed and identity governance is staggering. Gartner predicts 40% of enterprise apps will embed AI agents by the end of 2026, up from less than 5% in 2025. Cyata's scans find between one and seventeen agents per employee in corporate environments. Yet Okta's survey shows 92% of organizations aren't confident their legacy identity and access management (IAM) tools can handle the risks agents introduce, and 78% don't have formal policies for creating or removing AI identities. Only 14.4% of organizations have achieved full IT and security approval for their entire agent fleet, per Gravitee. And 88% reported confirmed or suspected AI agent security incidents in the past year.
This is exactly why we built AgentPMT with encrypted credential vaults and server-side credential injection from the start. Agent credentials never enter the context window, never appear in logs, never become accessible to the model. Budget controls enforce hard spending limits server-side. Vendor whitelisting restricts which providers agents can transact with. The identity and authorization architecture has to be foundational — not retrofitted after the first breach. The organizations deploying agents without these controls are building on sand, and the data confirms it.
Agents Are Operating in a Governance Void
The Gravitee report paints a picture that should alarm anyone running agents in production — or planning to. Only 47.1% of agents are actively monitored or secured. Only 21.9% of organizations treat AI agents as independent, identity-bearing entities. Most still classify agents as extensions of human users or generic service accounts, which means they inherit permissions they shouldn't have and lack the audit trails they need.
The authentication story is worse. Gravitee found that 45.6% of organizations rely on shared API keys for agent-to-agent authentication — the equivalent of giving every employee the same master key to every building. As Shahar Tal, CEO of Cyata, told The Register: these new agentic identities are "absolutely ungoverned." Traditional IAM and privileged access management tools are "near impossible at scale" because agents don't behave like service accounts or scripts. They pursue goals, adapt in real time, call other agents, and access multiple systems with minimal oversight.
CyberArk's data reinforces this. Fewer than 10% of organizations have adequate security and privilege controls for agents. Forty-five percent use the same privileged access controls for agents that they use for humans — which is like issuing the same security clearance to a new hire and a ten-year veteran. Thirty-three percent have no clear AI access policies at all.
AgentPMT's architecture treats every agent interaction as an auditable, credentialed event. The encrypted credential vault ensures agents never see or hold sensitive credentials — they're encrypted at rest and decrypted only at the moment of tool execution. Every tool call is logged with full request/response capture, timestamps, parameters, costs, and outcomes. The vendor whitelisting system means agents can only transact with approved providers, not the Wild West of shared API keys. This isn't a feature we bolted on. It's how the system was designed.
When Agents Become Authorization Bypass Paths
The identity vacuum creates a new class of vulnerability that traditional security tools weren't built to detect. The Hacker News reported that AI agents are becoming authorization bypass paths because security controls are built around human users. When an agent executes an action, authorization is evaluated against the agent's identity, not the original requester's. User-level restrictions no longer apply. This is privilege escalation by design.
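The bypass described above, as an added example that is not taken from The Hacker News report or any vendor's code: the first check evaluates only the agent's identity, the second also requires that the requesting user holds the permission and records every decision. The `Principal` type, the permission strings and the sample identities are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    permissions: frozenset


# Constructed sample identities (hypothetical names and permission strings).
AGENT = Principal("hr-agent", frozenset({"payroll:read", "payroll:write", "tickets:read"}))
ANALYST = Principal("analyst", frozenset({"tickets:read"}))
HR_ADMIN = Principal("hr-admin", frozenset({"payroll:read", "payroll:write"}))


def authorize_agent_only(agent, requester, action):
    """Bypass pattern: only the agent's identity is evaluated; requester is ignored."""
    return action in agent.permissions


def authorize_delegated(agent, requester, action, audit):
    """Hardened check: the action must be allowed for both the agent and the
    user it acts for, and each decision is appended to the audit list."""
    if requester is None:                      # no originating identity: fail closed
        allowed, reason = False, "no requester bound to call"
    elif action not in agent.permissions:
        allowed, reason = False, "outside agent scope"
    elif action not in requester.permissions:
        allowed, reason = False, "requester lacks permission"
    else:
        allowed, reason = True, "ok"
    audit.append({"agent": agent.name,
                  "on_behalf_of": requester.name if requester else None,
                  "action": action, "allowed": allowed, "reason": reason})
    return allowed
```

With the agent-only check, the analyst's request to write payroll succeeds because the agent holds `payroll:write`; the delegated check denies it and logs who asked.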
The ServiceNow "BodySnatcher" vulnerability, disclosed in January 2026, is the canonical example. A hardcoded secret in agent-to-agent authentication allowed unauthenticated attackers to drive privileged agentic workflows as any user and gain admin access. One shortcut — the kind teams take when moving fast — gave attackers full control through the agent execution path. This isn't a failure of AI. It's a failure of identity architecture.
The Cloud Security Alliance's survey with Strata makes the compliance dimension clear: 84% of organizations doubt they could pass a compliance audit focused on agent behavior or access controls. Only 18% are "highly confident" their IAM can manage agent identities. Meanwhile, 88% of organizations in the Gravitee survey reported security incidents — agents acting on outdated information, leaking confidential data, and in some cases deleting databases without permission.
AgentPMT's 100% cloud execution model means the Dynamic MCP server cannot read, edit, or access anything on the user's local computer. Agent credentials are encrypted at rest and decrypted only at the moment of tool execution — agents never see credentials in their context window. The budget enforcement system provides hard spending limits enforced server-side, so even a compromised agent can't exceed authorized spend. And the instant pause feature stops all agent activity immediately from the dashboard. Every agent with shared credentials or hardcoded secrets in your environment is a potential BodySnatcher. The question isn't whether these vulnerabilities exist — it's whether your architecture prevents exploitation when they're found.
The Payment Networks Are Solving Agent Identity — Because They Have To
While enterprises struggle with agent governance, the payment networks are moving fast. Agents that transact need authenticated identities, budget boundaries, and audit trails. Mastercard, Visa, and the infrastructure players understand this because the economic incentive is massive — and the liability of getting it wrong is existential.
Mastercard launched Agent Suite in January 2026, combining AI agents with its 4,000 global advisors and backed by its network token infrastructure. Only registered agents can transact — governed and traceable. The system is available Q2 2026. And in Australia, Mastercard completed the country's first fully authenticated agentic transactions: a CBA debit card buying cinema tickets from Event Cinemas and a Westpac credit card booking accommodation in Thredbo — both through Agent Pay, with full visibility across the payment chain. As Paul Monnington, Mastercard's Division President for Australasia, put it: "Agentic commerce represents one of the most profound shifts in consumer behaviour we've seen in decades." Mastercard estimates agent-led commerce could reach A$670 billion in Australian spending alone by the end of the decade.
Visa's Trusted Agent Protocol takes a different approach — an open framework built on existing web infrastructure. Over 100 partners globally, 30-plus actively building, 20-plus agents integrating directly. Hundreds of controlled, real-world agent-initiated transactions have already been completed in closed beta, from consumer electronics purchases to corporate bill pay. Visa predicts millions of consumers will use AI agents to complete purchases by the 2026 holiday season.
Fiserv is integrating both — Mastercard Agent Pay and Visa's Trusted Agent Protocol — into its merchant infrastructure, signaling a cross-network agentic commerce strategy. And Cloudflare partnered with Visa, Mastercard, and American Express to co-develop Web Bot Auth, based on IETF RFC 9421, for cryptographic agent identity verification using Ed25519 signatures. Both Visa's Trusted Agent Protocol and Mastercard's Agent Pay leverage Web Bot Auth as the agent authentication layer.
AgentPMT's Agent Credit Card integration already implements the pattern these networks are standardizing. Agents initiate transactions, the platform securely injects stored payment credentials server-side at the moment of purchase, and the agent receives only a confirmation. Credentials never enter the agent's context, never appear in logs, never become accessible to the model. Combined with budget controls — daily, weekly, monthly, per-transaction — vendor whitelisting, and product-level restrictions, this is the same trust architecture Mastercard and Visa are building, available today. If you're building agents that need to buy things, you need this authentication layer now, not when standards finalize in Q3.
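A sketch of the pattern this section and the earlier credential-vault paragraphs describe: policy checks, server-side credential injection, and a confirmation-only response. It is an added example, not AgentPMT's implementation; `Policy`, `Broker`, `fake_charge` and the plain-dict vault are hypothetical stand-ins.

```python
# Hypothetical names throughout; a plain dict stands in for an encrypted vault.
from dataclasses import dataclass, field

@dataclass
class Policy:
    allowed_vendors: frozenset
    per_txn_limit_cents: int
    daily_limit_cents: int
    spent_today_cents: int = 0
    paused: bool = False          # operator "pause" switch

@dataclass
class Broker:
    vault: dict                   # agent_id -> secret
    policies: dict                # agent_id -> Policy
    audit: list = field(default_factory=list)

    def purchase(self, agent_id, vendor, amount_cents, charge):
        """Enforce policy server-side; the agent only ever sees the result dict."""
        p = self.policies.get(agent_id)
        if p is None or agent_id not in self.vault:
            reason = "unknown agent"
        elif p.paused:
            reason = "agent paused"
        elif vendor not in p.allowed_vendors:
            reason = "vendor not allowlisted"
        elif not 0 < amount_cents <= p.per_txn_limit_cents:
            reason = "per-transaction limit"
        elif p.spent_today_cents + amount_cents > p.daily_limit_cents:
            reason = "daily budget exceeded"
        else:
            reason = None
        if reason is None:
            # The secret is read here and handed straight to the payment call;
            # it never enters the result or the audit record.
            ref = charge(vendor, amount_cents, self.vault[agent_id])
            p.spent_today_cents += amount_cents
            result = {"status": "approved", "confirmation": ref}
        else:
            result = {"status": "denied", "reason": reason}
        self.audit.append({"agent": agent_id, "vendor": vendor,
                           "amount_cents": amount_cents, **result})
        return result

def fake_charge(vendor, amount_cents, secret):
    """Constructed stand-in for a payment-processor call."""
    return f"conf-{vendor}-{amount_cents}"
```

Because the limits live in the broker rather than in the prompt, a compromised agent can ask for anything but can only obtain what the policy allows.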
What Zero Trust Looks Like for Agents
The Cloud Security Alliance released the Agentic Trust Framework (ATF) on February 2, 2026 — the first open governance specification applying Zero Trust principles to autonomous AI agents. It defines three maturity levels: Foundation (observe, report, recommend with circuit breakers), Intermediate (behavioral anomaly detection, role-based access control, PII protection, post-action notification), and Advanced (policy-as-code, streaming anomaly detection, SOC-integrated incident response).
The ATF is a useful framework, but it reveals how far behind most organizations are. If 84% can't pass a compliance audit focused on agent behavior and the Advanced maturity level requires policy-as-code with SOC integration, the distance between where enterprises are and where they need to be is measured in years, not months.
Microsoft's Entra team is calling for OAuth 2.0 to evolve for agents. As Alex Simons wrote: "Today's OAuth 2 standards weren't built for the world of AI agents." Microsoft recommends five specific changes: recognizing agent IDs as first-class actors, giving agents their own permissions rather than proxying user rights, making agent actions transparent and traceable, enabling permission discovery and delegation, and supporting fine-grained resource-specific access. They're working with the OAuth community, the MCP steering committee, and the A2A protocol steering committee to make this happen.
Meanwhile, the identity vendor ecosystem is scrambling to catch up. Okta launched Okta for AI Agents and Auth0 for AI Agents, including the Cross App Access (XAA) Protocol — an open protocol extending OAuth to secure agent-driven interactions. Descope launched Agentic Identity Hub 2.0 with agents as first-class identities, MCP server integration, and tool-level authorization scopes. Their survey of 400-plus identity decision-makers found 88% were using or planning AI agents, but only 37% had progressed beyond pilots. Sumsub introduced AI Agent Verification within its Know Your Agent (KYA) framework, linking AI automation to verified human identities — because as their CTO Vyacheslav Zholudev noted, "most of today's systems still treat [agents] as opaque, unaccountable black boxes."
AgentPMT already operates at what the CSA framework would classify between Intermediate and Advanced maturity. All agent actions are logged with full context — request/response capture, timestamps, costs. Budget enforcement acts as automated circuit breakers. Vendor whitelisting implements policy-based access control. Real-time monitoring dashboards provide the observability the ATF requires. And the mobile app enables human-in-the-loop verification for high-stakes decisions, matching the ATF's human oversight requirements. The organizations that skip the crawl phase and build identity-first agent architectures now will avoid the retrofit costs later.
What This Means For You
The agent identity crisis is the single biggest blocker between the current "experimenting" phase — 50% of agentic AI projects still in POC, per Dynatrace — and production-scale deployment. The organizations solving identity now, with encrypted credentials, budget enforcement, audit trails, and least-privilege access, will be the ones running agents in production. The ones treating identity as a problem for later will join the 40% of agentic projects Gartner predicts will be scrapped by 2027.
Audit your agent fleet this week. Count them. Check how many have dedicated identities versus shared credentials. Check whether you can answer who authorized each agent, what it can access, and how much it can spend. If the answers are unclear, you have an identity problem — and the Gravitee data says you're not alone. AgentPMT was designed from the ground up for exactly this: every agent interaction flows through encrypted credential vaults, every tool call is auditable, every budget has hard enforcement, every vendor interaction requires whitelisting. While the industry debates standards and the CSA publishes frameworks, AgentPMT is already running production agent workloads with the identity, authentication, and authorization controls enterprises need.
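One way to run the audit described above over an agent inventory, as an added example rather than any vendor's tooling: it counts agents, separates dedicated from shared credentials by comparing key hashes, and flags agents with no recorded authorizer, scope or spend limit. The inventory and its field names are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed inventory; field names and values are hypothetical.
INVENTORY = [
    {"agent": "invoice-bot", "authorized_by": "cfo@example.com",
     "api_key": "constructed-key-A", "scopes": ["erp:read"], "spend_limit": 500},
    {"agent": "support-bot", "authorized_by": "it@example.com",
     "api_key": "constructed-key-B", "scopes": ["tickets:read"], "spend_limit": 0},
    {"agent": "research-bot", "authorized_by": None,
     "api_key": "constructed-key-B", "scopes": [], "spend_limit": None},
]


def fingerprint(secret):
    """Compare credentials by hash so the audit output never contains a key."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def audit_fleet(inventory):
    holders = defaultdict(list)              # credential fingerprint -> agents using it
    for a in inventory:
        holders[fingerprint(a["api_key"])].append(a["agent"])
    findings = {}
    for a in inventory:
        issues = []
        peers = [n for n in holders[fingerprint(a["api_key"])] if n != a["agent"]]
        if peers:
            issues.append("shares credential with " + ", ".join(peers))
        if not a.get("authorized_by"):
            issues.append("no recorded authorizer")
        if not a.get("scopes"):
            issues.append("access scope undefined")
        if a.get("spend_limit") is None:     # 0 is a valid limit: "may not spend"
            issues.append("no spend limit")
        if issues:
            findings[a["agent"]] = issues
    dedicated = sum(1 for names in holders.values() if len(names) == 1)
    return {"total": len(inventory), "dedicated_identity": dedicated,
            "findings": findings}
```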
What to Watch
NIST's February 2026 NCCoE concept paper on agent identity signals government involvement in setting standards — expect proposed guidelines by Q4 2026. Mastercard Agent Suite goes GA in Q2 2026, setting the standard for how agents authenticate to transact. Track Visa's Trusted Agent Protocol adoption as they pursue the goal of millions using agent-initiated purchases by holiday 2026. Watch for OAuth 2.1 evolution with continuous access evaluation for agents, driven by Microsoft and the broader standards community. And keep an eye on Ethereum's ERC-8004 standard — on-chain agent identity may provide a decentralized alternative to centralized registries.
The agentic economy won't be built on anonymous agents with shared API keys. It will be built on agents with real identities, defined permissions, auditable actions, and enforced boundaries. That infrastructure exists today. The question is whether you're building on it now or planning to retrofit it later, at ten times the cost. Explore how AgentPMT secures your agent operations at agentpmt.com.
Key Takeaways
- Three million AI agents are active in US/UK enterprises; nearly half operate without identity management, security oversight, or audit logging — and 88% of organizations have experienced agent security incidents
- The payment networks (Mastercard, Visa, Cloudflare) are standardizing agent authentication because agents that transact need real identities, and the first authenticated agentic transactions are already live in Australia
- Agent identity is the prerequisite for production deployment — organizations that solve encrypted credentials, budget enforcement, and audit trails now will run agents at scale while the rest retrofit or fail
Sources
- State of AI Agent Security 2026 Report - Gravitee
- Unaccounted-for AI Agents Are Being Handed Wide Access - The Register
- CyberArk Purpose-Built Agent Identity Solution - CyberArk
- Perspectives on 2026 from Okta Ventures - Okta
- The Agentic Trust Framework: Zero Trust Governance for AI Agents - Cloud Security Alliance
- AI Agents Are Becoming Authorization Bypass Paths - The Hacker News
- Mastercard Launches Agent Suite - Mastercard
- Mastercard Completes Australia's First Authenticated Agentic Transactions - Mastercard
- Visa Trusted Agent Protocol - Visa
- Fiserv and Mastercard Expand Partnership for AI-Initiated Commerce - PYMNTS
- Securing Agentic Commerce - Cloudflare
- The Future of AI Agents — And Why OAuth Must Evolve - Microsoft
- New Okta Innovations Secure the AI-Driven Enterprise - Okta
- Sumsub AI Agent Verification - Help Net Security
- Akamai and Visa Join Forces to Secure Agentic Commerce - Akamai
- Descope Agentic Identity Hub 2.0 - Help Net Security
- NHIcon 2026: Agentic AI and NHI - GitGuardian
