Get the latest on AI, LLMs & developer tools
New MCP servers, model updates, and guides like this one — delivered weekly.
Who Secures an Agent's Money
An agent's payments are secured by a “trust layer”: the software that verifies the agent, enforces what it can spend and who it can pay, demands authorization for each payment, and logs the result. Three kinds of company are building that layer right now, and they are not really competing for the same job: payment protocols, card networks, and dedicated control planes.
This piece is about that third group, because it is where the interesting startup story is. For the protocols and rails underneath it, the agentic payments explainer is the wider map; here we stay on the question of trust.
Why Trust Is the Hard Part
A card network already knows how to move money safely between known parties. An agent breaks that assumption, because it is non-deterministic: the same prompt can produce different actions, and a hijacked prompt can produce malicious ones. Google's AP2 names the three questions any agent payment has to answer, and they double as a checklist for judging any product in this space:
- Authorization: did the user actually grant this specific purchase?
- Authenticity: does the agent's request reflect the user's true intent?
- Accountability: if it goes wrong, who is responsible?
No payment rail answers those on its own. Something has to sit in front of the rail and do it. That something is the trust layer.
Three Ways to Build Trust
The market has split into three approaches. They stack rather than cancel each other out, which is why a real deployment often uses more than one.
| Approach | Who | What it secures | Best for |
|---|---|---|---|
| Protocol mandates | Google AP2, with 60 launch partners | Cryptographic proof of what the user authorized, via signed Intent, Cart, and Payment Mandates. | Interoperable authorization across many merchants and rails. |
| Network controls | Visa Intelligent Commerce, Mastercard Agent Pay | Tokenization, agent identification, fraud monitoring, and consumer-set spend and approval limits. | Consumer purchases that ride existing card rails. |
| Dedicated control plane | PayPal ("trust layer for the agentic web"), startups like Ralio | Agent identity, per-workflow spend limits, payee allowlists, approvals, and a full audit trail. | Businesses governing exactly what an agent may spend, and proving it later. |
Where Ralio Fits
Ralio is a London startup that calls itself “the trust layer for agentic business payments.” It raised a reported €2.1M in April 2026. Its pitch is narrow on purpose: instead of consumer checkout, it targets the back office, where a company might want an agent to handle payroll, pay invoices, or manage subscriptions.
Mechanically, Ralio sits between a business's agents and its accounts. The agent gets a key that works only through Ralio's guardrails: verified identity, per-workflow spend limits rather than one blanket key, transaction rate caps, an allowlist of approved payees, and an audit trail that ties every payment back to the agent, the prompt, and the policy that triggered it. Co-founder Ghali Bennani Laafiret frames the problem as one of trust, not plumbing: how do you trust a non-deterministic system to run actions inside your systems?
Here is the telling detail. PayPal, with its scale and its 2026 acquisitions, describes itself as the “trust layer for the agentic web.” Ralio, a seed-stage company, uses almost the identical phrase for business payments. When a giant and a startup reach for the same words, it usually means the category is real and not yet won.
Which Trust Layer You Actually Need
- Selling to consumers through agents? Lean on the networks and PayPal, with AP2 mandates for portable authorization. The heavy lifting is done for you.
- Letting your own agents move company money? You want a control plane built for business spend governance, the lane Ralio is targeting. Blanket API keys are the thing to avoid.
- Paying for APIs and compute, machine to machine? Use x402 or MPP for the rail, and put your own policy gate in front of it. We walk through that in how to give your AI coding agent a budget.
What Is Still Unsettled
Three things will decide how this shakes out. Liability is unresolved: dispute rules built for humans do not map cleanly onto autonomous purchases. Identity standards are still converging, with AP2 mandates, Visa's agent identification, and Mastercard's Agent Pay each proposing a path. And bundling is the startup risk: if the networks fold strong business controls into their own products, the room for an independent control plane narrows. A startup's bet is that businesses want a neutral layer that is not tied to one network.
For builders, the practical takeaway does not depend on who wins. Whatever you ship, put identity, limits, allowlists, and audit in front of the money. That is the trust layer, whether you buy it or build it.
FAQ
What is the trust layer in agent payments?
It is the governance layer between an AI agent and the payment rails. It verifies the agent's identity, enforces spend limits and allowed payees, requires authorization for each payment, and records an audit trail. The rails move the money; the trust layer decides whether the money should move at all.
How is Ralio different from Visa or Mastercard's agent products?
Visa and Mastercard secure consumer purchases on their card networks, with identity, tokenization, fraud monitoring, and shopper-set limits. Ralio targets business finance operations: it sits between a company's agents and its accounts, scoping per-workflow spend limits, payee allowlists, and an audit trail that ties each payment to the agent, prompt, and policy behind it.
What does Google's AP2 actually secure?
Authorization. AP2 uses cryptographically signed mandates to prove a user gave an agent specific authority, that an agent's request reflects the user's intent, and who is accountable if something goes wrong. It does not, by itself, enforce a company's spend policy; that is what a control plane adds on top.
Do I need a startup like Ralio, or is PayPal or Visa enough?
If you are taking consumer payments through agents, the networks and PayPal cover most of it. If you are letting your own agents move company money — paying invoices, payroll, subscriptions — you want a control plane built for business spend governance, which is the gap startups like Ralio target.
Who is liable if an agent pays the wrong person?
Unsettled as of 2026. Signed mandates create a record of authorization that helps assign accountability, but chargeback and dispute rules were written for humans, and how they apply to autonomous purchases is still being worked out across the industry.
Is "trust layer for agentic payments" just marketing?
The phrase is marketing, but the function is real and necessary. Both PayPal and a seed-stage startup use almost the same words because the same gap exists: agents are non-deterministic, and money requires determinism, identity, and audit. Something has to bridge that.
