AI agents can now pay for things: the guardrails to set before you hand one a card

Bottom line. On 10 Jun 2026 both major card networks shipped agent-payment rails: Mastercard Agent Pay for Machines and Visa Intelligent Commerce with OpenAI. If you run a small business, the decision in front of you is no longer whether to let an AI agent transact. It is how to scope it. Set four guardrails first: a tokenised credential, a hard spend cap, merchant-category limits, and human approval by default.

This is the rare AI development with a concrete near-term decision for a five-person business, not a thought-leadership prompt. Two of the companies that move most of the world’s card payments just made it possible for software agents to spend money on your behalf, and they did it on the same day.

Mastercard’s Agent Pay for Machines is infrastructure for agents to buy and sell services from one another, launched with more than 30 partners including Stripe, Coinbase, Checkout.com and Cloudflare. Mastercard’s product chief framed the ambition directly:

“Agent Pay for Machines will create the conditions for a superbloom of AI business models. Machine payments can make it possible for services to be bought and sold among agents at fundamentally different scales than payments today.” — Jorn Lambert, Chief Product Officer, Mastercard

Visa’s Intelligent Commerce, announced with OpenAI, takes the agent-to-merchant side: an agent transacts for a user, but Visa states transactions run “within clearly defined user permissions, policies and controls, such as spending limits, merchant categories or required approvals.” That sentence is the whole operator playbook, because it names the controls you are responsible for setting.

The two rails, side by side

You do not need to pick a rail. Your tooling vendor will pick it for you, and the part you own is the same on either: the limits.

The four guardrails, in the order to set them

1. Tokenised, agent-specific credential. Never give an agent your real card number. Both networks issue tokenised credentials precisely so an agent’s payment instrument can be revoked on its own without reissuing your actual card. If your tool offers a virtual card per agent or per workflow, use one each, so a single misbehaving agent is contained.

2. A hard spend cap per period. Start lower than feels necessary. An agent buying ad top-ups or stock images does not need a four-figure ceiling in week one. Set a weekly cap you would not mind losing to a bug, run it for a real week, and raise it on evidence of correct behaviour rather than on optimism.

3. Merchant-category limits. Scope the agent to the kinds of vendor you actually intend it to use. An agent provisioned to renew hosting and buy domains has no business reaching a category it was never meant to touch, and the category filter is the cheapest way to bound the blast radius.

4. Human approval by default. Turn off approval deliberately, per category, never globally. The right shape for most small businesses is autonomous for small recurring buys you already approve in principle, and human-in-the-loop for anything one-off or above a small threshold.

Why now is the right time to build the habit

Juniper Research projects agentic commerce spend reaching $1.5 trillion globally by 2030, growing from only pilot deployments in 2025 and 2026, with trust named as the single biggest barrier to adoption. The practical reading for an operator is that you are early. Volume is low, the stakes of a mistake are small, and the defaults you set now become the habits you keep when an agent is handling real money on your behalf. Set the cap, scope the categories, keep approval on for anything that matters, and let the agent earn a higher limit by behaving well.