What Happened
On June 10, 2026, Mastercard launched Agent Pay for Machines, an open protocol enabling AI agents to make autonomous payments at machine speed. 31 launch partners joined, including Coinbase, Stripe, Adyen, and Cloudflare. Agent credentials are stored on public blockchains including Polygon, Solana, and Base.
Six weeks earlier, Stripe and Cloudflare shipped a protocol that lets AI agents create Cloudflare accounts, register domains, start paid subscriptions, and deploy applications to production without human intervention. Stripe handles identity verification and payment tokenization. The default spending cap is $100 per month per provider.
These are not experimental features. Stripe describes its Machine Payments Protocol as infrastructure for an economy where agents are participants, not just tools. Mastercard calls AP4M the foundation for machine-to-machine commerce at scale. The infrastructure for autonomous agent transactions is being built now, by the same companies whose governance terms ConductAtlas tracks daily.
The Governance Gap
When a human creates a Stripe account, they accept terms of service, agree to acceptable use policies, and submit to dispute resolution mechanisms. Those terms are designed for humans making intentional decisions about their accounts and transactions.
When an AI agent creates a Stripe account, the same terms apply. But the agent did not read them, does not understand them, and cannot exercise judgment about whether a specific transaction complies with acceptable use policies. The human who deployed the agent may not know which specific terms the agent accepted or which transactions it initiated.
ConductAtlas tracks 116 Stripe provisions. Those provisions govern reserve requirements, restricted business categories, fund holds, and dispute resolution. Every one of those provisions now applies to transactions an AI agent initiates autonomously. When Stripe changes its restricted business categories, as it has done multiple times in the past 12 months, agent-initiated transactions in newly restricted categories would violate terms the agent cannot independently evaluate.
Agent-Layer Governance
The zero-click governance pattern ConductAtlas identified in Google AI Search, where platforms govern outcomes through interface design rather than explicit policy, extends to agent commerce. But the governance layer is even thinner.
In human commerce, the user reads a price, makes a decision, and clicks a button. In agent commerce, the agent queries a catalog, receives a price, and initiates payment. The governance mechanisms designed to protect human decision-making, disclosure requirements, cooling-off periods, conspicuous terms, do not map to agent interactions.
Three specific governance gaps emerge:
Terms acceptance. When the Cloudflare/Stripe protocol creates a new account for an agent, the human approves terms of service once. Every subsequent agent action, domain purchases, subscription changes, deployment decisions, operates under those terms without further human review. The agent cannot determine whether a new action falls outside the scope of what the human intended to authorize.
Dispute resolution. ConductAtlas tracks 561 arbitration provisions across 197 platforms. When a human disputes a charge, they can file an arbitration claim. When an agent initiates a transaction that the human later contests, the dispute resolution path is unclear. Did the human authorize the specific transaction? Did the agent act within its intended scope? Platform arbitration clauses do not currently address these questions.
Liability allocation. The agent commerce stack involves multiple parties: the human user, the agent developer, the AI model provider, the payment processor, and the service provider. When an agent overspends, purchases unauthorized services, or violates acceptable use policies, liability is distributed across parties whose terms of service were written for bilateral human-to-platform relationships.
What the Governance Documents Say
ConductAtlas tracks governance documents across the core agent commerce infrastructure:
Stripe maintains 116 provisions across its terms of service, acceptable use policy, and payment processing agreements. Its terms authorize reserve requirements of up to 100% of transaction volume and permit fund holds with no maximum duration. These provisions apply equally to human-initiated and agent-initiated transactions.
Cloudflare maintains 37 provisions governing its infrastructure services. Its terms authorize service modification and account termination at its discretion. When an agent provisions a Cloudflare account and deploys production infrastructure, that infrastructure operates under terms the agent cannot monitor for changes.
Coinbase maintains 163 provisions, the densest provision set of any platform in this analysis. As a launch partner for Mastercard AP4M, its terms will govern agent-to-agent cryptocurrency transactions. Those terms include mandatory arbitration, class action waivers, and extensive data collection authorizations.
Why This Matters Now
Agent commerce is not hypothetical. Stripe Projects is available to all developers. The Cloudflare provisioning protocol is live. Mastercard AP4M launched with 31 partners. AI agents are already creating accounts, buying services, and deploying infrastructure.
The governance terms that apply to these transactions are the same terms ConductAtlas monitors every day. When Stripe updates its acceptable use policy, that change now affects both the millions of human merchants on Stripe and every AI agent transacting through Stripe infrastructure. When Cloudflare modifies its terms of service, every agent-provisioned account is affected.
The difference is that human users can read an email notification about a terms change and decide whether it affects them. Agents cannot. The monitoring layer that ConductAtlas provides, detecting changes, classifying severity, and alerting affected parties, becomes more operationally important as the number of autonomous agent transactions grows.
What Businesses Should Do
Audit agent permissions. If you deploy AI agents that interact with payment or infrastructure APIs, document exactly what those agents are authorized to do. Default spending caps ($100/month on Cloudflare) exist, but acceptable use restrictions are broader than spending limits.
Monitor terms for agent-relevant platforms. Stripe, Cloudflare, and any platform your agents interact with can change their terms at any time. A change to acceptable use policies or restricted categories can make previously compliant agent behavior a terms violation overnight.
Understand dispute resolution. If an agent-initiated transaction is disputed, the resolution process is governed by the platform's arbitration clause. Know what those clauses say before a dispute arises.
Track the governance layer. Agent commerce adds a new dependency layer to your platform stack. The platforms your agents transact through are governance dependencies, just like the platforms you use directly.
Active Monitoring
ConductAtlas tracks governance changes across agent commerce infrastructure:
- Stripe: 116 provisions, 7 governance events detected
- Cloudflare: 37 provisions, 3 governance events detected
- Coinbase: 163 provisions, 23 governance events detected
- Visa: 36 provisions, 2 governance events detected
Primary Sources
Stripe governance documents (116 provisions archived by ConductAtlas)
Cloudflare governance documents (37 provisions archived by ConductAtlas)
Coinbase governance documents (163 provisions archived by ConductAtlas)
The infrastructure for autonomous agent commerce is live. The governance framework for it is not. Every platform terms change now affects two populations: the humans who use the platform and the agents that transact through it. Tracking those changes is no longer optional for anyone deploying agents in production.