Part 2 of a 3-part series. Start with Part 1; Part 3 covers agent security.

In the first article I traced how every agent capability now gets copied within days and donated to a neutral standard within a year, and how each time that happens the moat doesn’t die, it slides down a layer: from features, to the trust boundary, to identity.

I made one claim there that sounded like hyperbole until the dates sit next to each other: the gap between one lab shipping an agent capability and a rival shipping the copy had collapsed from about a year in 2023 to about a day in 2025.

The one-day example was payments. Two card networks shipped competing agent-payment standards twenty-four hours apart, and I used it as the punchline.

This article takes that punchline seriously and examines the payments timeline step by step.

Because payments didn’t just copy fast. It ran the whole arc — the leader ships, rivals copy, then the standard gets handed to a neutral group and stops belonging to anyone — start to finish, in about twelve months.

Too fast for anyone to build a moat around it.

That makes payments the clearest case of the whole pattern playing out. The twist: when every protocol in a category gets donated away inside a year, what’s left standing is the part nobody could give away. That’s where the next decade of advantage gets paid out.

For agent payments, that part is identity: proving a specific human told a specific agent it could spend a specific amount, and being able to show the receipt when it goes wrong.

Let me walk the timeline, because the conclusion becomes obvious.

The whole arc, in twelve months

Start with the card networks, because they moved first and they moved in lockstep.

On April 29, 2025, Mastercard announced Agent Pay, a way for AI agents to transact using what it calls Agentic Tokens, with the issuing bank kept in the loop.

The next day, April 30, Visa announced Intelligent Commerce, opening its rails to agents with tokenized credentials and a launch roster that read like a who’s-who of the AI field: Anthropic, OpenAI, Microsoft, Mistral, Perplexity, Stripe.

One day apart. Not one quarter, not one news cycle. One day.

If you’ve worked anywhere near enterprise procurement, you know two incumbents that size don’t ship competing standards a day apart by accident. Each one almost certainly knew the other was coming, and neither could afford to be second on the record.

Then the AI platforms took their turn, and the timeline got more interesting.

On September 16, 2025, Google published the Agent Payments Protocol (AP2), an open, payment-agnostic protocol built with 60+ partners.

13 days later, on September 29, OpenAI and Stripe shipped the Agentic Commerce Protocol, the thing that powers “buy it in ChatGPT,” released under an open-source license with Etsy live on day one and Shopify queued up behind it.

13 days between the two biggest AI platforms shipping competing versions.

And here’s the part that matters more than the speed: both were open-sourced at launch.

In the first article, commoditization was the endpoint: a capability got donated to a standards body after everyone had already copied it.

In payments, the commoditization happened on day one. Nobody even tried to hold the protocol as a proprietary edge. They gave it away on the way out the door.

It kept going.

In January 2026, Google escalated a layer up with a Universal Commerce Protocol meant to cover the whole shopping journey, not just the payment step, with Walmart and Target and Shopify attached.

Weeks later, in March, OpenAI retired the first version of its in-chat checkout after about 30 merchants, a reminder that not every first move survives, which is the “abandoned” outcome from the first article showing up live.

And then the move that ends the war.

On April 28, 2026, Google donated AP2 and Mastercard donated a companion spec called Verifiable Intent to the FIDO Alliance, the same neutral standards body behind the passkeys that are slowly killing the password.

Shortly before, OpenAI had taken a seat on FIDO’s board. The protocol everyone had been racing to ship was now the property of a foundation, governed by committee.

If you read the first article, you’ve seen this movie.

Champion ships, fastest follower matches in days, the standard lands at a neutral body inside a year. Model Context Protocol (the tool-connection standard from the first article) ran the same arc in about a year and ended up under the Linux Foundation.

Payments ran it faster and ended up at FIDO.

Same pattern, same ending, just faster.

Which means the same question applies.

If the rails are free (and they are now, open-licensed and donated), what is anyone actually getting paid for?

The part nobody could donate

The networks donated the rails. They couldn’t donate the thing underneath: proof that an agent was actually allowed to spend.

When someone clicks “buy” on a website, the entire security model rests on one assumption: a human was there.

A person was present, saw the price, clicked.

Every fraud system, every chargeback rule, every consumer-protection law is built on that assumption.

An autonomous agent breaks it.

The human isn’t there at the moment of purchase. The agent is.

So now every one of those rules has to answer something it never had to: how do you prove this agent was allowed to do this?

Nobody has a finished answer yet.

Not FIDO, not Google, not any of the labs.

It’s the hard part nobody’s solved, and that’s why it’s worth owning.

A payment is one job done with one cryptographic trick: move value without showing the merchant your card number.

Tokenization solved that years ago. Identity for agents is a stack of separate questions, and only the bottom of the stack is solved.

Is this agent a real, known piece of software and not an impostor?

That part works today: there are mature standards for giving a piece of software its own verifiable ID badge. Who authorized it to act, and can you follow the chain back to a specific human?

That’s in draft, and the drafts don’t yet talk to each other.

What exactly is it allowed to do: which merchant, what category? AP2’s “mandates” handle some of that.

How much can it spend before it has to come back and ask? There is no standard for that at all. And when it does something wrong, can you produce a tamper-proof record of who told it to, and yank its permission mid-transaction?

Those are single early drafts, scattered across different committees.

The strongest sign it’s still unsolved is a government document, not a vendor pitch.

In February 2026, the standards arm of NIST (the federal body that writes US technical standards) published a concept paper with a title that gives the game away: it asks whether existing identity standards (the twenty-year-old machinery behind “log in with Google” and enterprise single sign-on) can be retrofitted to handle agents, rather than proposing anything new.

When the national standards body’s opening move is “can we bend what we already have to fit,” that’s the tell. There’s no purpose-built answer yet, just hope that the old tools stretch to fit.

So the moat moved. It didn’t disappear when the protocols went free: it relocated one layer down, from the payment rail to the proof underneath it.

That’s the same move I traced in the first article with security and sandboxing: the capability commoditizes, and the defensible position slides to whoever owns the trust boundary.

One honest caveat before I lean too hard on it. “Identity is the next moat“ is my forecast, not a finished fact.

Here’s what would prove me wrong. If no standard for spend caps and mid-task revocation consolidates by sometime in 2027, and enterprises just absorb the cost of running several half-built identity schemes at once, then this isn’t a moat anyone owns, just overhead.

The line between “defensible layer” and “permanent tax” is exactly whether the identity pieces converge, and that hasn’t happened yet.

Watch the seats, not the spec

There’s a more cynical read of the FIDO donation, and I think it’s at least half right, so I’ll give it to you straight.

Donating a protocol to a neutral body sounds like generosity. It usually isn’t. The way it looks to through a skeptic’s lens: you give away the layer you can’t win as a proprietary product (partly so a rival can’t own it either) and you keep your seat at the table where the rules get written.

Open license, sure. The committee chairs tell you who still runs it. Look at who chairs the FIDO working groups and the picture sharpens.

The payments group is chaired by Mastercard and Visa: the card networks kept the seat closest to the money. The agent-authentication group is chaired by CVS Health, Google, and OpenAI, with identity incumbents like Okta in the vice-chairs.

As far as I can tell, nobody who matters gave up control. They moved it from a product nobody could defend to a standards process they can steer.

None of this is a reason to get cynical about standards, just to read them correctly. What a company donates shows where it quit charging. What it works to chair shows where it still plans to.

For agent payments, the networks donated the protocol and kept the seat next to identity and settlement, which, if I’m reading it right, is the tell for where the toll booth goes next.

And the contest isn’t theoretical or confined to committee rooms.

In June 2026, Visa and OpenAI announced a direct collaboration to put network-grade tokenization, agent identification, and fraud monitoring underneath OpenAI’s experiences, with spending limits and approval thresholds built in.

That’s an incumbent network and a frontier lab teaming up to build commercial product on exactly the identity-and-limits layer I called the part nobody could donate. Nobody donated it because everybody wants to own it: it’s being enclosed from both ends right now, in products as much as in specs.

The committee work and the commercial land-grab are happening at the same time.

What’s shipping (and what isn’t)

It would be easy to read all this as an arms race over a market that’s already huge. It isn’t, quite, and the gap matters.

Real things are in production.

Stripe’s agentic commerce tooling is live with names you’d recognize from a mall directory: Anthropologie, Coach, Revolve. As of spring 2026 it stretched its shared-payment-token approach to cover both Mastercard’s and Visa’s agent standards, which is its own quiet admission that merchants are going to be living with several of these at once.

Visa reached the same conclusion and built it into a product. In April 2026 it released Intelligent Commerce Connect, an on-ramp it bills as network-, protocol-, and token-vault-agnostic: an incumbent selling the swap-any-protocol abstraction layer instead of backing one standard.

PayPal wired up agent checkout with Perplexity.

Shopify turned agentic storefronts on by default for eligible merchants and started syndicating them into ChatGPT and Copilot and Perplexity.

The Visa–OpenAI collaboration is three weeks old as I write this, and it’s the most telling of the bunch, because it’s an incumbent network and a frontier lab agreeing that the interesting work is the identity-and-limits layer, not the checkout button.

But the demand side is softer than the protocol arms race implies.

The most useful number I came across is that buying inside a chatbot has been converting meaningfully worse than the old click-through-to-the-store path.

Walmart’s own figure, surfaced in Forrester’s reporting, put its in-chat checkout at roughly a third of the conversion of the normal flow.

OpenAI pulling the first version of its in-chat checkout after thirty-odd merchants tells a similar story.

So I’d hold two things at once.

1. The standards war is genuinely over and the rails are genuinely free: that part isn’t speculative, it’s on the record with dates.

2. But the market those rails serve is still mostly potential, not proven.

The counter-case

A couple of scenarios could make most of this beside the point, and they’re worth more than a strawman.

The first: maybe the moat isn’t identity at all, but demand.

Amazon adopted no open standard. It built around its own agent, its own identity, and its own shopping surface, and by spring 2026 its agentic shopping reportedly reached across a hundred-million-plus products, completing some purchases on outside merchants’ sites on the customer’s behalf.

The thing Amazon owns isn’t a clever identity scheme; it’s the customer and the place they shop.

If the agent economy runs through a handful of companies that each own the demand surface, identity becomes plumbing they’ll each provision however they like, and “who owns the trust boundary“ matters less than “who owns the shopper.”

I still land on identity as the durable layer, because even the demand owners have to solve authorization to let agents spend safely. But I hold that loosely.

Distribution is the rival thesis, and it’s a strong one.

The second: identity standards have a long history of not converging.

Single sign-on never collapsed into one winner: most enterprises still run several protocols side by side a decade and a half later, because no single standard took the whole field.

Agent identity has even more bodies in flight right now, each drafting its own piece.

The optimistic read is that they harmonize at FIDO. The base-rate read, from every prior identity fight, is that they don’t fully converge and enterprises carry the cost of running several at once, forever.

And there’s a wrinkle the US-centric story misses: in Europe, strong-authentication rules assume a human is present, and in markets like India and Brazil, bank-to-bank rails are becoming agent-friendly faster than the card networks, which means regulators and national payment systems may set the terms for agent authorization before any FIDO committee does.

The room to watch might not be the one I just pointed you at.

I’m betting on partial convergence because the bodies are already drafting and the money is motivated. But I wouldn’t write off the version where identity stays fragmented and the “moat” is really just a tax with better branding.

What I’d do with this

If you hold a technology budget and your agents are anywhere near spending money, here’s where I’d put my attention, and it’s deliberately not “pick a protocol.”

1. I’d build to the identity and audit layer, not the payment rail.

I’d treat AP2, the Agentic Commerce Protocol, the Universal Commerce Protocol as swappable connectors behind an abstraction layer, and I’d treat building versus renting that layer as a real decision, because Visa now sells one. Intelligent Commerce Connect is a network-agnostic on-ramp, convenient until you notice that renting it hands the trust boundary back to the toll booth you were trying to route around.

The processors themselves have given up betting on a winner and are supporting several at once. If Stripe and PayPal are hedging across protocols, a buyer planning to standardize on exactly one is making a bet the vendors won’t make.

The durable work is the part underneath, and it’s the part you keep no matter who supplies the connector: can you prove which human authorized an agent, can you cap what it spends, can you produce the receipt when a charge is disputed, can you pull its permission mid-task. None of that is a protocol feature.

Most of it should survive whichever protocol wins.

2. I’d budget for the integration tax as a line item, not a surprise.

Tool-calling standards plus agent-to-agent standards plus the payment protocols plus an identity layer that doesn’t fully exist yet is four-plus overlapping things you’ll govern at once.

“Interoperability“ is the word vendors use for it; in practice it’s a new recurring cost, not the removal of an old one. I’d name it in the budget now so it isn’t a fight later.

3. And I’d watch the working-group seats, not the announcements.

The next moat is being poured in committee rooms (and, as the Visa–OpenAI deal shows, in commercial partnerships) right now. The card networks chairing the payments group and the labs chairing the authentication group is the map of where each one plans to charge.

One concrete move: ask your payment processor and your identity vendor, in writing, which agent-identity drafts they’re implementing and on what timeline.

The answer tells you whether they’re building for the layer that holds value or selling you the rail that’s already free.

The capability everyone’s selling — agents that can buy things — is the part that’s commoditizing on schedule. It’ll be table stakes by the time most enterprises have a real deployment.

The part worth paying for is the proof underneath: that the agent doing the buying was allowed to, by a specific person, within specific limits, with a record you can stand behind when something goes wrong.

That’s the layer nobody could donate. So that’s the one I’d build toward.

With one catch I’ll pick up next: that proof is only as good as the runtime it executes inside, and you may not own that runtime.

That record you can stand behind is produced somewhere, by something, and Part 3 goes after who owns that something.

It’s the part that looked most defensible of all (agent security), and the split underneath it the headlines keep missing: who owns the runtime your agents run inside, versus who’s just renting it.

Own the identity layer all you want; if you rent the runtime it runs in, you’ve handed the audit trail to your landlord.

If your agents are touching money or production, that’s the thread that runs closest to the bone.

References:

• Mastercard Agent Pay and Agentic Tokens (announced April 29, 2025; tokenized card credential bound to a specific agent, merchant scope, and consent; launch partners Microsoft, IBM, Braintree): mastercard.com

• Visa Intelligent Commerce (announced April 30, 2025; tokenized agent credentials; partners include Anthropic, OpenAI, Microsoft, Mistral, Perplexity, Stripe): usa.visa.com

• Google Agent Payments Protocol (AP2) (announced September 16, 2025; open, payment-agnostic; 60+ partners; “Mandates” model): Google Cloud blog

• OpenAI and Stripe Agentic Commerce Protocol, “buy it in ChatGPT” (September 29, 2025; open standard; Etsy live at launch, Shopify next): stripe.com · openai.com

• Google Universal Commerce Protocol (January 2026; whole shopping journey; Walmart, Target, Shopify): [link TK — confirm Google UCP announcement]

• OpenAI retires the first in-chat Instant Checkout after roughly 30 merchants (March 2026): CNBC

• Google donates AP2 and Mastercard donates Verifiable Intent to the FIDO Alliance (April 28, 2026): blog.google · FIDO Alliance

• Mastercard Verifiable Intent (co-developed with Google; AP2-compatible; tamper-proof record of user-authorized agent actions): mastercard.com

• NIST / NCCoE concept paper, “Accelerating the Adoption of Software and AI Agent Identity and Authorization” (published February 5, 2026; proposes retrofitting OAuth, OpenID Connect, and SPIFFE rather than inventing new standards): NIST CSRC

• Visa Intelligent Commerce Connect (April 2026; network-, protocol-, and token-vault-agnostic on-ramp): usa.visa.com

• Visa and OpenAI strategic collaboration (announced June 10, 2026; tokenization, agent identification, fraud monitoring, spend limits): investor.visa.com

• Stripe agentic commerce in production (Anthropologie, Coach, Revolve; shared payment token extended to cover both Mastercard and Visa agent standards, spring 2026): stripe.com

• Walmart’s in-chat checkout converted at roughly one-third the rate of its normal flow (Walmart EVP, March 2026; agentic-commerce context from Forrester): Search Engine Land · Forrester