Overview
The FIDO Alliance announced on 28 April 2026 that it will form two working groups aimed at developing industry-wide standards to secure transactions carried out by AI agents on behalf of users. With initial technical contributions from Google (Agent Payments Protocol, AP2) and Mastercard (Verifiable Intent framework), the initiative seeks to establish cryptographic authentication, selective disclosure, and accountability mechanisms before agentic commerce becomes mainstream infrastructure.
The urgency is notable: agentic AI systems are already being deployed to book travel, purchase goods, and manage subscriptions — yet no standardised authentication layer exists to confirm that an agent is acting on genuine, unmanipulated user intent. FIDO Alliance CEO Andrew Shikiar drew an explicit parallel to the early password ecosystem, warning that the industry risks embedding the same structural weaknesses into agentic AI that took decades to address in web authentication.
Technical Analysis
The core security problem is that existing authentication models were not designed for delegated, agent-mediated actions. When a human authenticates to a service, the trust chain is relatively direct. When an AI agent acts on a user’s behalf across multiple services and sessions, the attack surface expands significantly.
Key threat vectors include:
- Agent hijacking via prompt injection: A malicious third-party service or webpage could inject instructions into an agent’s context, redirecting financial transactions or exfiltrating authorisation tokens.
- Rogue instruction substitution: Without cryptographic binding of user intent to agent actions, a compromised agent pipeline could substitute or modify transaction parameters after user approval.
- Replay and impersonation attacks: Agents carrying delegated credentials could be impersonated or their session tokens replayed across services.
Google’s AP2 protocol addresses the intent-binding problem by cryptographically tying a specific transaction to the user’s authenticated authorisation at the moment of approval. Mastercard’s Verifiable Intent framework, co-developed with Google, extends this with selective disclosure — allowing validation of agent authority without exposing unnecessary user data to merchants or intermediaries.
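The following Python example is added here for illustration and is not taken from AP2, Verifiable Intent or any FIDO specification. It shows a verifier that checks a signed approval (a "mandate") and rejects parameter substitution, in-transit edits, replay and expired approvals; the field names, the `approve` and `Verifier` helpers, and the use of HMAC-SHA256 in place of an asymmetric signature from a user-held authenticator are all assumptions.

```python
import hashlib
import hmac
import json

FIELDS = ("payee", "amount_minor", "currency")  # parameters the user approves

def _tag(key: bytes, mandate: dict) -> str:
    # Canonical JSON so signer and verifier hash identical bytes.
    body = json.dumps(mandate, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def approve(key: bytes, payee: str, amount_minor: int, currency: str,
            nonce: str, expires_at: int) -> dict:
    """User side: bind the approved parameters, a nonce and an expiry."""
    mandate = {"payee": payee, "amount_minor": amount_minor,
               "currency": currency, "nonce": nonce, "expires_at": expires_at}
    return {"mandate": mandate, "tag": _tag(key, mandate)}

class Verifier:
    """Merchant/processor side. HMAC stands in for an asymmetric signature."""
    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()

    def check(self, signed: dict, requested: dict, now: int) -> str:
        mandate = signed["mandate"]
        if not hmac.compare_digest(_tag(self.key, mandate), signed["tag"]):
            return "reject: mandate altered after approval"
        if now >= mandate["expires_at"]:
            return "reject: mandate expired"
        for field in FIELDS:  # the agent's request must match the approval
            if requested.get(field) != mandate[field]:
                return f"reject: {field} differs from approved intent"
        if mandate["nonce"] in self.seen_nonces:
            return "reject: replayed mandate"
        self.seen_nonces.add(mandate["nonce"])
        return "accept"

def demo() -> list:
    key = b"constructed-demo-key"  # constructed sample value
    v = Verifier(key)
    signed = approve(key, "shop.example", 4999, "EUR", "n-001", expires_at=1000)
    honest = {"payee": "shop.example", "amount_minor": 4999, "currency": "EUR"}
    swapped = dict(honest, amount_minor=499900)   # parameter substitution
    forged = {"mandate": dict(signed["mandate"], payee="other.example"),
              "tag": signed["tag"]}               # mandate edited in transit
    return [v.check(signed, swapped, now=10), v.check(forged, honest, now=10),
            v.check(signed, honest, now=10), v.check(signed, honest, now=11),
            v.check(signed, honest, now=1000)]
```

A rejected request does not consume the nonce, so the legitimate transaction can still be submitted once after a failed substitution attempt.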
Framework Mapping
- LLM08 (Excessive Agency): The central risk — agents granted financial permissions without adequate constraint or verifiable intent binding.
- LLM01 (Prompt Injection): Agent hijacking via injected instructions is a direct prompt injection attack against an agentic pipeline.
- LLM07 (Insecure Plugin Design): Payment APIs and third-party service integrations accessed by agents represent insecure plugin surfaces if not governed by cryptographic authorisation.
- AML.T0051 (LLM Prompt Injection) and AML.T0012 (Valid Accounts): Attackers exploiting agent sessions to perform actions under legitimate user credentials.
Impact Assessment
The risk is systemic rather than isolated. As agentic AI enters consumer commerce, healthcare scheduling, and financial management, the absence of a trust framework means millions of users could be exposed to unauthorised transactions, data leakage, or account manipulation. Merchants and service providers also face liability exposure in dispute scenarios where agent authorisation cannot be verified. The financial sector is the immediate focus, but the pattern extends to any service where agents act with delegated authority.
Mitigation & Recommendations
- Adopt cryptographic intent binding for any agent-initiated transactions; avoid relying solely on session tokens or API keys as authorisation signals.
- Implement least-privilege agent scoping: restrict agent permissions to the minimum required for each task, with explicit re-authorisation for high-value actions.
- Monitor agent activity logs for anomalous transaction patterns that may indicate prompt injection or session hijacking.
- Engage with FIDO Alliance working groups early to influence and adopt emerging standards before they become compliance requirements.
- Test agent pipelines against adversarial prompt injection scenarios targeting payment flows.