We Gave AI Agents Keys to the House. Visa Wants to Give Them a Credit Card.

Visa is testing systems that let AI agents authorize purchases on your behalf. Authentication, consent, and compliance are the stated focus areas. It’s a reasonable framing — and it understates the problem considerably.

The past year was about giving agents access to your files, calendars, email, and code. That access introduced real risks: prompt injection, tool poisoning, agents with permissions broader than any one task required. The security community is still working through the implications. Most production deployments haven’t solved identity at the tool call layer — we know an agent ran, but the chain of reasoning that led to a specific action is often opaque.

Now add financial transactions to that chain.

The consent question changes shape entirely when the entity making a purchase isn’t a person. A human clicking “buy” is a discrete, observable event. An agent deciding to purchase something may be three tool calls deep into a workflow that started with an innocuous prompt. Where exactly did you consent to that? How do you verify it afterward?

Every MCP security problem gets more dangerous here. A prompt injection that tricks an agent into reading a file is a data problem. A prompt injection that tricks an agent into completing a transaction is a fraud problem — with a paper trail pointing at you.

Visa will build controls for this — they have strong incentives to. But the pattern is familiar: the capability ships, the security model catches up, and the interesting incidents happen in between.

Agents that read files can embarrass you. Agents that spend money can bankrupt you. The threat model isn’t new — it’s the same one, with higher stakes attached.