As AI agents gain the power to act, “did they really intend this?” stops being a dispute question and becomes an architecture decision: can you produce immutable, non-repudiable evidence that a verified human authorised the specific outcome?
Visa announced it had embedded its payment network inside ChatGPT. AI agents can now complete purchases autonomously on a user’s behalf, at any online merchant that accepts Visa, anywhere in the world. Visa has built guardrails: spending limits, approval steps, approved merchant lists, and a modified token framework under its new Visa Intelligent Commerce programme. Those controls matter, but they do not, by themselves, create an irrevocable identity-to-intent-to-outcome record.
But it was something Visa’s own Chief Product and Strategy Officer, Jack Forestell, said that defines the challenge every organisation deploying agentic AI now faces.
When asked how disputes would be handled in an agentic transaction, Forestell said Visa would apply the same essential rules it uses today: “Did the consumer really intend to make the purchase and did the merchant process it the correct way?”
That question, “did they really intend this?”, is not a payment question. It is an identity-binding question. And as agentic AI moves from consumer shopping assistants into enterprise procurement, financial services, healthcare authorisation, and legal workflows, it becomes the most consequential question your architecture either answers with immutable evidence or leaves open. In this context, irrevocability does not mean an irrevocable consumer permission or an inability to cancel, challenge or revoke authority. It means the evidentiary record of what was authorised, by whom, when, and under what conditions cannot be retrospectively altered, denied, detached from the outcome, or rewritten after the event.
For the vast majority of organisations building or procuring agentic systems today, it is left open.
Guardrails control the transaction. They don’t verify the human behind it
Visa’s controls are well-designed for what they are: risk management at the point of transaction. Spending limits cap exposure. Approval steps keep humans in the loop. Merchant whitelists constrain where agents can act.
But they all operate downstream of the identity question, not upstream of it. None of them verify that the human who originally delegated authority to an agent is genuinely, cryptographically the same human whose intent is being executed at the moment of action. Payment rails authenticate the validity of the transaction based on point-in-time protocols. They do not authenticate intent, and they do not create non-repudiable proof that a verified identity bound a specific instruction to a specific authorised outcome.
Forestell acknowledged this directly. Where disputes might differ in an agentic context, he said, is when both the consumer intent and the merchant processing were handled correctly, but “something happened in the middle that caused a problem.”
That middle is where cryptographic identity binding lives. And as agentic architectures grow more complex, with agents delegating to sub-agents, cascading actions across systems before any human sees a result, the distance between the original human instruction and the final executed action grows longer and harder to audit. Without an immutable chain of custody across that journey, organisations are left reconstructing intent after the fact, precisely when they need to prove it. And the consequences for the industry? Provision for fraud by default. Everyone pays the price.
The accountability question is already arriving by industry
Consider the environments where agentic AI is already being deployed or actively evaluated:
Financial services. AI agents executing trades, initiating transfers, and processing applications operate under MiFID II, FCA conduct rules, and an expanding body of AI-specific financial regulation. All of them require demonstrable accountability for automated decisions. “The agent did it” is not a defensible audit trail.
Healthcare. Agents managing referrals, authorising treatments, and interacting with patient records carry clinical liability. The consequences of an agent acting on a misattributed or manipulated instruction are not financial; they are clinical. Organisations that cannot prove the authorising individual genuinely initiated a consequential action face immediate and substantial exposure.
Legal and professional services. Agents drafting, reviewing, and initiating legal instruments on behalf of practitioners make professional authorisation a live question. Knowing with certainty who instructed what, when, and in what context is not a nice-to-have. It is the foundation of professional liability.
Enterprise procurement. Mastercard has already announced that AI agents will procure services on behalf of businesses, running campaigns, managing suppliers, initiating contracts. At enterprise scale, the potential for a mis-scoped or manipulated instruction to cause real commercial damage makes unverified agent authority a material business risk.
In every one of these environments, your risk team, your legal function, and increasingly your regulator, will ask the same question Forestell asked: did the person who should have authorised this genuinely intend the action that was taken, and can you prove that through a non-repudiable, immutable record rather than a best-efforts log?
If your agentic architecture cannot answer that with evidence that is bound, tamper-evident, and defensible, you have a gap.
The missing control is identity binding with evidentiary force
Identity binding is more than authenticating a user at login or approving a transaction at checkout. It is the cryptographic binding of four elements: verified human identity, the precise instruction or intent, the scope of delegated authority, and the executed outcome.
For that binding to stand up in a dispute, audit or regulatory inquiry, it must have evidentiary force. That means the record must be irrevocable in the evidentiary sense, non-repudiable by the parties who rely on it, and immutable against retrospective alteration.
This distinction is critical. Consumers and enterprises must always be able to revoke future authority, cancel delegated permissions and challenge misuse. What should be irrevocable is the proof of the historical event: who authorised what, when, under which policy constraints, through which channel, and whether the agent acted within that authority.
Identity has to be in the architecture, not the dispute process
Answering “did they really intend this?” with the certainty regulated industries require means building identity verification and cryptographic evidence directly into the architecture, not relying on downstream dispute processes or conventional activity logs. The architecture must bind the verified human, the delegated authority, the precise instruction, and the executed outcome into one defensible chain.
At the point of delegation. Before an agent is granted authority to act, the human granting that authority must be verified by something that cannot be stolen, shared, or synthetically replicated. Modern, state-of-the-art voice biometric technology provides exactly this: physiologically unique to the individual, passively continuous, and resistant to the replay and deepfake attacks already being used to compromise agentic systems. The delegation event should then be cryptographically bound to scope, limits, expiry, channel, session context, and policy controls so that authority cannot later be expanded or misattributed.
At the point of instruction, via cryptographic intent binding. The instruction a human gives must be sealed at the moment it is given, creating a tamper-evident and time-stamped record of what was authorised, in what scope, under what conditions, and by which verified human. When an agent executes an action, a verifiable log must demonstrate that the action is consistent with the original sealed intent, not a reinterpretation, not a re-prompted version, not the output of a prompt injection that redirected the agent between delegation and execution. This is where irrevocability, non-repudiation and immutability become essential: the record must be capable of proving the instruction, proving the identity behind it, and proving that neither was altered before the outcome occurred.
Across every handoff in the agent chain. Multi-agent architectures don’t have a single point of action. A primary agent delegates to a specialist agent, which calls an external API, which triggers a downstream process. Each handoff is a potential point of identity erosion. Every consequential handoff needs an auditable, hash-linked record, not for surveillance, but for accountability. The identity-and-intent chain must travel with the action so that no agent, system, merchant, processor, API, or internal workflow can detach the outcome from the human authority that permitted it.
At the point of outcome. The final execution should be reconciled against the sealed intent before value, authority or legal effect moves. If the proposed outcome has drifted from the authorised scope, the architecture should require fresh human confirmation and create a new bound record. This is how identity binding becomes outcome assurance, not just user authentication.
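The four points above, as a minimal sketch added here for illustration (not ValidSoft's code or any vendor's API): a hash-linked chain that seals the delegation, instruction and handoff, then reconciles a proposed outcome against the sealed scope before it executes. The record layout, the names and the sample values are assumptions, and the HMAC seal gives tamper-evidence only; non-repudiation needs an asymmetric signature from a key bound to the verified human.

```python
import hashlib, hmac, json

SEAL_KEY = b"constructed-demo-key"  # assumption: stands in for a protected signing key
GENESIS = "0" * 64

def _seal(body):
    canon = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SEAL_KEY, canon, hashlib.sha256).hexdigest()

def append(chain, kind, payload):
    """Append a record linked to its predecessor's seal, then seal it."""
    body = {"kind": kind, "payload": payload,
            "prev": chain[-1]["seal"] if chain else GENESIS}
    chain.append({**body, "seal": _seal(body)})

def verify(chain):
    """Recompute every link and seal; an edited or reordered record fails."""
    prev = GENESIS
    for rec in chain:
        body = {k: rec[k] for k in ("kind", "payload", "prev")}
        if rec["prev"] != prev or not hmac.compare_digest(_seal(body), rec["seal"]):
            return False
        prev = rec["seal"]
    return True

def reconcile(chain, outcome, now):
    """Compare a proposed outcome with the sealed delegation before acting."""
    if not verify(chain):
        return "reject: evidence chain altered"
    scope = chain[0]["payload"]["scope"]  # assumption: record 0 is the delegation
    if now > scope["expires"]:
        return "reconfirm: delegation expired"
    if (outcome["merchant"] not in scope["merchants"]
            or outcome["amount"] > scope["max_amount"]):
        return "reconfirm: outcome outside sealed scope"
    append(chain, "outcome", outcome)  # bind the executed outcome to the chain
    return "execute"

def build_chain():
    """Constructed sample: delegation, instruction and one agent handoff."""
    chain = []
    append(chain, "delegation", {"human": "user-001", "scope": {
        "merchants": ["airline.example"], "max_amount": 500,
        "expires": 1_800_000_000}})
    append(chain, "instruction", {"text": "Book the 09:10 flight, economy"})
    append(chain, "handoff", {"from": "primary-agent", "to": "booking-agent"})
    return chain
```

Truncating the tail of the chain is not detected by `verify` alone; the latest seal has to be anchored somewhere the agents cannot write, such as a timestamping service or an append-only store.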
This is an architecture decision, not a security add-on or dispute remedy
The organisations that will deploy agentic AI with confidence are not the ones that bolt identity verification on after go-live. They are the ones that treat verified human identity, cryptographic intent binding, non-repudiable evidence, and immutable auditability as foundational design decisions. In regulated markets, confidence will not come from saying an agent was probably authorised. It will come from proving, with tamper-evident evidence, that the right human authorised the right action and that the system executed the right outcome.
That means asking different questions during procurement and build:
- When our agent takes a consequential action, can we produce a verifiable, non-repudiable record of who authorised it, what they actually instructed, and what outcome the agent executed?
- If our agent delegates to a sub-agent or third-party service, does the identity and intent chain remain cryptographically intact across that handoff?
- If a dispute, regulatory inquiry, audit, or legal challenge arises, what immutable evidence can we produce that the action reflected genuine human intent and stayed within the authorised scope?
- Is the record cryptographically sealed, time-stamped and tamper-evident before the agent acts, or is it merely reconstructed after the fact?
- Can any party later alter, disown, or detach the instruction from the outcome, or does the architecture provide non-repudiation by design?
If the answer to any of these is “we would handle it through dispute resolution,” the gap is open. Dispute resolution is where weak evidence is argued over. Identity binding is how strong evidence is created before the dispute exists.
The rails are being laid. Identity binding needs to be foundational
Visa embedding its payment network in ChatGPT is not the destination. It is the signal that agentic infrastructure is being built at scale, right now, by the organisations that will set the standards everyone else follows.
The regulatory frameworks forming around autonomous systems have a clear expectation: that organisations can demonstrate accountability for the actions those systems take. “Did they really intend this?” is the question at the centre of all of it, whether it is a payment, a clinical decision, a legal instruction, or an enterprise contract. The only scalable answer is not just authentication, nor fraud monitoring. It is an immutable, non-repudiable identity-binding layer that proves the relationship between the human, the intent, the authority delegated to the agent, and the final outcome.
ValidSoft provides the answer, through our Voice Intelligence Platform (VIP™) incorporating voice biometric authentication that verifies the human behind every delegation, cryptographic intent binding that seals and proves the instruction given, and AI agent identity infrastructure that maintains accountability across every handoff in your agentic architecture. This creates an irrevocable evidentiary record: not irrevocable permission, but proof that cannot be retrospectively altered or denied if the action is challenged. Real Human? Right Human? Right Outcome?
The question has been asked. The time to answer it is now, in the architecture, before agents are trusted to move money, confer authority, change records, approve treatment, initiate contracts, or bind the enterprise.
If you are currently evaluating or deploying agentic AI in a regulated or enterprise environment and want to understand how identity infrastructure, irrevocable evidence, non-repudiation and immutable auditability fit into your architecture, reach out to us.