Google Cloud revealed at Consensus Miami on Thursday that its Agentic Payments Protocol already has 120 partners signed on, including PayPal, signaling that two of the world’s largest payment infrastructure providers see crypto rails as the default settlement layer for autonomous AI commerce.
Richard Widmann, global head of Web3 strategy at Google Cloud, put the structural problem plainly during his panel appearance: “An agent cannot get a bank account. It’s not hard, it just is impossible.” The comment captures a reality that has been quietly reshaping how tech giants think about the next generation of internet commerce. Software that operates autonomously cannot satisfy the identity verification, signature requirements, and legal accountability frameworks that traditional financial institutions demand.
The 95% Problem Merchants Face Today
PayPal’s internal research exposed a striking disconnect. May Zabaneh, senior vice president and general manager of crypto at PayPal, shared survey results showing that 95% of merchants now detect AI agent traffic on their websites. The catch: only 20% of those merchants have machine-readable catalogs that agents can actually parse and transact through.
That gap represents a massive infrastructure deficit. Agents are already crawling product pages, comparing prices, and attempting to execute purchases on behalf of users. Without standardized, machine-readable formats, those agents hit dead ends. It mirrors the early days of mobile commerce, when retailers had websites but no mobile-optimized checkout flows. The traffic was there; the infrastructure to capture it was not.
Zabaneh drew the parallel explicitly: “Merchants need to be ready for this next era. The shift mirrors the move from offline to online stores; merchants need to expose their products in agent-readable formats.” PayPal’s PYUSD stablecoin fits into this picture as what Zabaneh called “a very natural programmable layer for payments,” particularly as commerce trends toward globalization, AI-native experiences, and tokenized assets.
Why Crypto Becomes the Default Rail
The logic here is less about crypto ideology and more about basic compatibility. Traditional payment systems were designed for humans operating through web browsers and mobile apps. They require session cookies, CAPTCHAs, manual form fills, and identity documents. AI agents have none of these.
Crypto, by contrast, was built from the ground up as programmable money. Widmann described it as “a fantastic machine readable interface for payments.” A wallet address is just a public key. A transaction is a signed message. An agent with the right cryptographic credentials can compose, sign, and broadcast payments without ever needing to prove it has a Social Security number or pass a “click all the traffic lights” test.
This isn’t speculation about what might happen. Earlier coverage of former Apple engineer Chappy Asel’s Consensus remarks made the same structural argument: autonomous software needs crypto rails for machine-to-machine payments because no alternative exists that agents can actually use.
Inside Google’s AP2 Protocol Architecture
Google’s Agentic Payments Protocol represents the company’s attempt to standardize how agents request, authorize, and settle payments. The protocol has been donated to the FIDO Foundation, the same organization that oversees the passkey authentication standards now built into most smartphones and browsers.
Widmann compared the move to the x402 internet-native payment standard given to the Linux Foundation, positioning AP2 as neutral infrastructure rather than a proprietary Google product. “Open dialogues and open standards are really the foundation you need to build on,” he said.
The 120-partner count is notable. Building payment rails requires network effects. A protocol that only works with a handful of merchants or wallets creates friction that defeats the purpose of standardization. By bringing PayPal into the fold alongside the broader partner ecosystem, Google has assembled critical mass for testing and iteration.
For context on how this fits the broader Consensus theme: Wall Street institutions descended on Miami this week to debate tokenized asset infrastructure, and AP2 represents the agent-facing complement to those settlement discussions.
The Custody Problem Nobody Has Solved Yet
Giving an AI agent a private key is roughly equivalent to giving a toddler a loaded credit card. The agent might execute exactly what you intended. It might also drain your wallet buying 10,000 copies of the same item because of a parsing error in a merchant’s product feed.
Widmann’s answer is multi-party custody. Google has extended its Cloud KMS (Key Management Service) platform to cryptocurrency custody, and the recommended architecture involves splitting keys into shards. An agent would hold one of two or three pieces, unable to sign transactions unilaterally. “It cannot simply unilaterally move funds or take action,” Widmann explained.
This maps to existing MPC (multi-party computation) custody solutions used by institutional crypto holders, but adapted for agent use cases. The human or organization deploying the agent retains a key shard, a recovery custodian holds another, and the agent itself controls only the third piece. Moving funds requires coordination across parties.
The tradeoff is latency. Multi-signature transactions take longer to assemble and broadcast than single-key transactions. For high-frequency agent actions (price comparisons, micro-purchases, API calls with payment components), that friction could become a bottleneck. The infrastructure is still being stress-tested.
Liability Remains an Open Legal Question
If your AI agent buys a non-refundable plane ticket to the wrong city because it misread a calendar entry, who pays? If it purchases a counterfeit product from a fraudulent merchant listing, does the agent’s deployer have recourse?
Zabaneh acknowledged the uncertainty directly: “The question of who’s responsible if an agent makes a bad purchase is definitely something that we have to think through as an industry.” There’s no regulatory framework in any major jurisdiction that assigns clear liability for autonomous software purchasing decisions.
Consumer protection law assumes a human made the purchasing decision. Contract law assumes parties with legal standing agreed to terms. Neither framework contemplates a third category where software acted on imperfect instructions from a principal who may not have reviewed the specific transaction.
This matters for merchants too. A retailer that honors an agent’s purchase might later face a chargeback when the human principal claims they never authorized that specific buy. Without clear rules, merchants may simply refuse to transact with agents, fragmenting the market.
What Keeps the Builders Up at Night
Asked directly about their concerns, both executives gave revealing answers. Widmann focused on integration: “The open question is how do you onboard agents into all of the existing capital markets and infrastructure plumbing that powers payments and trading today.”
That’s not a software problem. It’s a coordination problem across banks, payment processors, clearinghouses, regulators, and compliance teams that have spent decades building systems around human users. Retrofitting for agents requires changes at every layer.
Zabaneh’s answer was shorter: “Trust keeps me up professionally.” She added, somewhat lighter, that personally she “can’t wait for agentic to help make my life easier.”
The trust question cuts both ways. Users need to trust that agents will execute their intentions correctly. Merchants need to trust that agent transactions won’t generate fraud losses. Regulators need to trust that agent commerce won’t become a vector for money laundering or sanctions evasion. Building that trust will take more than protocol specifications. It will take track records.
The FIDO Foundation donation suggests Google is betting that transparent, auditable standards will accelerate trust-building faster than proprietary solutions. Whether 120 partners is enough critical mass to achieve that, or whether a competing standard emerges, remains to be seen when AP2 moves from conference announcements to production traffic.
Related Reading
Sources
Heads up: the above is reporting and analysis, not a buy or sell recommendation. Size your own positions, understand your own risk tolerance.
