When the agent takes control: What the Meta incident reveals about the future of autonomous commerce systems
Last week, an AI agent at Meta gave employees unauthorized access to company and user data for nearly two hours. Not because someone had exploited a security vulnerability. Not because a password had leaked. But because an internal AI agent, intended as a development tool in a secure environment, answered a technical question in a company forum on its own initiative, including sensitive data it had gathered by itself. As The Verge reports, Meta spokesperson Tracy Clayton assured that "no user data was mishandled." But first things first.
tl;dr
- An AI agent at Meta granted employees unauthorized access to data for two hours.
- McKinsey’s chatbot compromised: 57,000 accounts, 728,000 files exposed.
- Mirakl, Visa, Amazon, and Mastercard are building payment infrastructure for autonomous agents.
- "The agent authorized the purchase, not me" is a new category in payment disputes.
- 90% of organizations view bot activity management as a serious challenge.
A pattern, not an isolated incident
What happened at Meta would have been a curiosity just a year ago. Now it’s a pattern. That same week, The Register reported how a security startup compromised McKinsey’s internal AI chatbot “Lilli” within two hours—leaving 57,000 user accounts and 728,000 files exposed. And the security lab Irregular documented cases in which AI agents independently disabled virus scanners and published passwords.
Three incidents in one week, three different companies, the same underlying problem: agents acting beyond their authorization. Not because they were hacked, but because they did exactly what they were built to do, just a little too much of it.
What does this have to do with commerce?
Everything. Because it is precisely this class of agents—autonomously acting systems with access to data and the ability to perform actions—that the industry is currently celebrating as "Agentic Commerce." Mirakl and J.P. Morgan are building payment infrastructure for AI agents. Santander and Visa have completed the first end-to-end pilot for agent-initiated payments in Latin America. Amazon is expanding Shop Direct so that agents can shop on behalf of customers. And Mastercard is working on “Verifiable Intent”—a system designed to prove that a user has actually authorized a transaction.
The question arises: If an AI agent at Meta can’t even adhere to authorization limits within a developer forum—what happens when such systems have access to payment data, shopping carts, and customer accounts?
The Authorization Gap
The core problem is not technical incompetence. It is a conceptual gap. Traditional security architectures assume that an authenticated user performs actions and is responsible for them. AI agents do not fit this model. They act on behalf of others, usually with the delegating user's full access rather than with a scope limited to the task at hand, so the system cannot tell which actions the user actually intended. The line between "researching" and "executing," between "analyzing" and "publishing," blurs.
Amazon has already taken this dispute to court: as Reuters reports, a court restricted Perplexity's AI shopping agent, which had the users' permission but not Amazon's. The case is still ongoing. According to the Agentic Commerce Frontier newsletter, this exact dispute pattern, "I authorized research, not a purchase," is already emerging as a new category in payment disputes.
Know Your Agent – the new KYC?
The industry is responding. PYMNTS and Trulioo have introduced a "Know Your Agent" framework that proposes a five-layer verification model for autonomous agents—an extension of classic KYC to non-human actors. Nearly 90 percent of the organizations surveyed already view bot activity management as a serious challenge.
And Forrester has just redefined “Responsible AI” – with the three pillars of Explainability, Accountability, and Trustworthiness. Notably, some tech providers declined to participate in the study. That alone speaks volumes.
To be fair, it must be said: the industry isn’t blind. Mastercard’s Verifiable Intent and Stripe’s Shared Payment Tokens are serious attempts to make authorization chains for agent-initiated transactions traceable. But there’s a world of difference between “we’re working on it” and “it’s production-ready”—and incidents like the one at Meta happen in that gap.
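What closing the authorization gap looks like in code, for both the "research, not purchase" dispute above and the traceable authorization chains the industry is working toward: the user issues a signed, scoped mandate to the agent (allowed actions, spending cap, expiry, bound to one agent identity), every action is checked against that mandate, and every decision is written to a hash-chained audit log. This is an added example written for this article; it is not Meta's, Mastercard's or Stripe's code and does not implement Verifiable Intent or Shared Payment Tokens. The mandate format, field names, the issuer key and the scenario data are all assumptions constructed for the illustration.

```python
"""Scoped delegation mandate for an AI agent acting on a user's behalf.

Added example, not code from any of the companies named in the article.
Format, field names, key and scenario are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed issuer key; a real system would keep this in an HSM or KMS.
ISSUER_KEY = b"example-issuer-key-do-not-use"


def _canonical(obj) -> bytes:
    """Deterministic JSON so signatures and hashes are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_mandate(user, agent, actions, max_amount_cents, issued_at, ttl_s):
    """User grants one agent a limited set of actions, a cap and a lifetime."""
    body = {
        "user": user,
        "agent": agent,
        "actions": sorted(set(actions)),
        "max_amount_cents": max_amount_cents,
        "iat": issued_at,
        "exp": issued_at + ttl_s,
    }
    sig = hmac.new(ISSUER_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def check_action(mandate, agent, action, amount_cents, now):
    """Return (allowed, reason). Each deny reason is explicit so the audit
    trail records why the agent was stopped, not merely that it was."""
    body = mandate["body"]
    expected = hmac.new(ISSUER_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mandate["sig"]):
        return False, "bad-signature"      # mandate was altered after issuance
    if agent != body["agent"]:
        return False, "wrong-agent"        # mandate presented by another agent
    if now >= body["exp"]:
        return False, "expired"
    if action not in body["actions"]:
        return False, f"action-not-granted:{action}"  # research != purchase
    if amount_cents > body["max_amount_cents"]:
        return False, "over-cap"
    return True, "ok"


class AuditChain:
    """Hash-chained decision log: editing any past entry breaks verify()."""

    def __init__(self):
        self.entries = []
        self._prev = "0" * 64

    def record(self, mandate, agent, action, amount_cents, now, decision):
        entry = {
            "prev": self._prev,
            "mandate_id": hashlib.sha256(_canonical(mandate["body"])).hexdigest()[:16],
            "agent": agent,
            "action": action,
            "amount_cents": amount_cents,
            "ts": now,
            "allowed": decision[0],
            "reason": decision[1],
        }
        entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self._prev = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            unhashed = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or hashlib.sha256(_canonical(unhashed)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo():
    """Constructed scenario: user grants 'research' only, the agent then tries
    to buy within the cap, and later acts again after the mandate expired."""
    t0 = 1_700_000_000
    mandate = issue_mandate("alice", "shop-agent-7", ["research"], 5_000, t0, 3600)
    chain = AuditChain()
    results = []
    for action, amount, when in [("research", 0, t0 + 10),
                                 ("purchase", 4_900, t0 + 20),
                                 ("research", 0, t0 + 4000)]:
        decision = check_action(mandate, "shop-agent-7", action, amount, when)
        chain.record(mandate, "shop-agent-7", action, amount, when, decision)
        results.append(decision)
    return results, chain


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The point of the example is the second decision: the purchase is under the spending cap and within the mandate's lifetime, yet it is refused because "purchase" was never granted. That is the check a forum-answering agent or a shopping agent needs to hit before acting, and the chained log is what lets a dispute later establish which mandate was presented and what was decided under it.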
The Uncomfortable Question
What the Meta incident reveals is not a security disaster in the traditional sense. No one broke in. The agent worked—just beyond its limits. And that is precisely the problem that Agentic Commerce must solve before it scales.
Because in retail, it’s not about forum posts. It’s about money, customer data, and transactions. If an agent at a tech conglomerate with a billion-dollar budget fails to adhere to authorization limits—what happens at a mid-sized company that’s just rolling out its first shopping agent?
My guess is that we’ll see even more painful incidents in the next twelve months. Not because the technology is bad, but because governance isn’t keeping pace. The industry is building the engine before the brakes are ready. What could possibly go wrong?