Field note

AI can suggest a payment, only the control plane completes it

A payment bot did not go rogue - the architecture did. A timeout produced two valid-looking instructions for the same payout, because a downstream retry never learned the first was already in flight. Mandate-based authorization like AP2 still needs a runtime control plane with real state discipline, not policy in a config file.

Feb 16, 2026 · Navin Agrawal · AI systems · 3 min read

AI can suggest a payment, only the control plane completes it

Visual brief

Visual brief

AI can suggest a payment, only the control plane completes it

As of February 2026

A payment bot did not go rogue. The architecture did. One Friday evening a timeout in the payment service produced two valid-looking instructions for the same supplier payout.

The first was in review. The second was a retry from a downstream worker that had never been told the one click was already in progress. The model did nothing wrong. The runtime control did, because there was none.

Most payment teams optimize where the rules are defined, not where the error actually happens. Policy goes in config files, and everyone hopes retries with no idempotency and rail-specific quirks all behave the same way. In payments they do not. Mandate-based authorization protocols like Google’s AP2 give an agent a signed mandate to act, but a mandate is permission to start, not a guarantee the execution layer will finish it exactly once.

AI can suggest a payment, only the control plane completes it (as of February 2026): use an identity lock so the payment object hash stays immutable once policy evaluation starts; a replay guard that gives each execution path a one-time intent token rather than a reusable request ID; rail-aware policy because ACH, RTP, FedNow, and wire do not share one risk tolerance; and an evidence chain that logs every decision event from API ingress to settlement for audit replay.
A signed mandate is permission to start. An engineered control plane is what makes the payment complete exactly once.

Identity lock

Immutable hash

the payment object hash stays immutable once policy evaluation starts.

Replay guard

One-time token

each execution path gets a one-time intent token, not a reusable request ID.

Rail-aware policy

Per rail

ACH, RTP, FedNow, and wire do not share one risk tolerance.

Where the error really happens

Not in the prompt, and not in the config file. It happens at execution time, when a retry, a worker restart, or a rail-specific quirk turns one intent into two movements.

A runtime control plane with state discipline

Separate execution into explicit checkpoints. An identity lock keeps the payment object hash immutable once policy evaluation begins, so nothing mutates mid-flight. A replay guard issues a one-time intent token per execution path instead of a reusable request ID, so the second instruction has nothing valid to ride. Rail-aware policy applies the right risk tolerance for ACH, RTP, FedNow, or wire rather than one shared rule. And an evidence chain logs every decision from API ingress to settlement outcome, so the whole thing can be replayed for audit.

Was this useful?

Choose once.

Related Posts

View All Posts »
Most AI agents never reach production. Payments is where that gets expensive

Most AI agents never reach production. Payments is where that gets expensive

The widely cited figure is that 88 percent of AI proofs of concept never reach production. Agentic payments inherit that gap, and the teams that cross it are not winning on model selection. They are winning on payments-specific infrastructure that makes an agent idempotent, governable, and rollback-safe at the rail boundary.

AI agents get two payment rails, card and stablecoin

AI agents get two payment rails, card and stablecoin

Visa and Coinbase are building competing payment rails for machines, not people. Coinbase's x402 puts stablecoins on HTTP's long-reserved 402 status code for sub-cent agent payments. Visa keeps the card rails and their dispute resolution. The split is real, because a 10,000-call-an-hour agent and a $4,000 flight want opposite things.

Multi-model is the new multi-rail

Multi-model is the new multi-rail

Every payment system routes across multiple rails - ACH fails, traffic moves to wire, and wire is dear for small amounts so you route to RTP. Most AI systems still call one model and hope it stays up. The LLM gateway is the same routing engine payments has run for decades, and it needs the same three things to count.

Agents do the wiring, architects carry the tradeoffs

Agents do the wiring, architects carry the tradeoffs

AI agents are arriving faster than most banking career ladders can adapt, and the market is already rewarding people who work with them. The career moat was never wiring up another API call. It is the judgment calls agents cannot own - which rail to trust, how much latency to spend, who the regulator will be.