Jeff Highman is CTO of Trua, building trust and safety infrastructure for identity, delegation and agent-driven systems.
For decades, every digital system behind online transactions rested on one basic assumption: a real human being is sitting there, paying attention and making the decision. That assumption shaped almost everything we built online. Logins required passwords or phone approvals because a person was expected to be at the controls. Fraud checks looked for human-like mouse movements or typing patterns. Even the “I Agree” button assumed someone had at least the opportunity to read the terms.
That era is ending.
Autonomous agents are now executing these actions independently. They open accounts, shop, accept terms and transfer money with no human in the loop. They can open accounts, shop, accept terms and transfer money without any human watching the screen. The software simply acts.
Yet most digital infrastructure was never built for this. It still assumes a human is present to confirm or catch errors. The mismatch is widening. Pricing models tied to “per user” may no longer match actual usage. Authentication confirms that a credential is valid but can’t reliably determine whether a human or a system is behind it. Fraud tools trained on human behavior might miss signals or raise too many false alarms. Click-to-accept agreements grow harder to defend when no person actually reviewed them.
I’ve spent much of my career on digital trust—modernizing identity systems for government agencies and, more recently, working with CISOs, HR leaders and financial institutions. On the surface, these seem like very different worlds. The government worries about public trust. Security teams worry about risk. HR worries about hiring. Financial institutions worry about fraud and compliance.
Yet they all eventually arrive at the same question: How do you know that the person, action or decision on the other side of a transaction can be trusted?
The Moment Of Delegation
For years, the industry assumed that successful login plus completed steps meant the action was intended. Human hesitation served as a natural safety net. Agents remove that net. Actions now happen instantly at massive scale with no pause for review. Systems must answer a question they were never built for: “Was this action actually intended?”
Some industries have faced this for a long time. Background screening doesn’t proceed on login alone. It requires clear, documented consent and a reviewable record because the cost of error is too high. That same discipline is now spreading into everyday commerce.
The payments and commerce industry is responding first, from the bottom up. Card networks and processors are seeing the cracks earliest and adding practical fixes rather than waiting for a full top-down solution. Having implemented several of these standards, I’ve compared them directly. Mastercard’s Verifiable Intent creates a tamper-resistant record of agent authorizations. Visa’s Trusted Agent Protocol and similar efforts from others address the same core problem: proving intent when no human is directly involved.
Smart wallet concepts are emerging as a dynamic application of verified credentials, participating in trust architectures that enforce delegation rules. Smart wallets can carry privacy-preserving credentials across platforms, enforce bounded delegation and give verifiers needed evidence without constant re-verification.
This is why the “moment of delegation” matters. If these fixes apply after the system has already verified the human and if that identity foundation is shallow, even strong transaction records rest on unstable ground. They can prove something was authorized, but not always that a fully accountable human authorized it. Instead of assuming human presence, systems must capture a deliberate act of authorization: a person grants an agent permission within defined limits of scope, time and purpose. It replaces assumed presence with documented, scoped delegation.
Anchoring Delegation in Verified Human Identity
The moment of delegation becomes truly robust only when anchored to something deeper: a verified human identity that exists independently of any single transaction, one screened, attributable and portable across contexts. The structural challenge is the trust architecture that links the authorized action, the conditions under which it occurs and who remains accountable when something goes wrong with autonomous behavior. Leaders need to ensure and understand that a trust architecture should minimally:
Define how strong human identity is established once and reused responsibly.
You need to develop an identity-proofing systems that can verify the presence and participation of a human actor—and if needed, flag when a human in the loop is needed. The next challenge is how often the human needs to be in the loop. High-assurance trust requires higher friction when the context, threshold or policy requires it.
Set clear rules for delegating authority to agents—including scope, duration, purpose and revocation.
Agentic systems require a digital equivalent. What is the agent authorized to do? How much money can it spend? What data can it access? When does that authority expire? How can it be revoked? Without explicit delegation frameworks, autonomy quickly becomes ambiguity.
Ensure accountability flows back to a real person and supports ongoing risk monitoring instead of static proofs.
Trust is not a point-in-time event, since risk, authorities and context all change over time. Trustworthy systems need mechanisms that maintain a verifiable chain linking actions, agents and accountable humans while continuously evaluating whether that trust relationship remains valid.
Leadership Imperative
Payment networks are hardening the transaction layer. Broader trust systems are strengthening the human foundation. Both are essential and complementary. Once human presence disappears from the critical moment, trust can no longer be inferred afterward.
Digital leaders should conceive trust architectures that link verified humans, scoped delegation and continuous accountability before agentic commerce scales beyond our ability to govern it.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
