Stolen AI tokens are already a commodity. On dark-web marketplaces, credentials harvested from coding assistants and chatbot subscriptions are resold at a few dollars each, fueling a multi-account and free-trial abuse industry that Stripe's data lead calls the fastest-growing fraud in the AI economy. The tokens let buyers impersonate paying customers, and they let the people behind them do things the original account holder never authorized.
Emily Glassberg Sands, Stripe's Head of Data & AI, makes that case in a new interview on the MAD Podcast with First Mark Capital. The bottleneck for AI agents buying and selling on their own, she argues, is no longer whether the model is smart enough. It is who is on the hook when the agent spends badly, and whether a stolen token, a confused prompt, or a buggy agent can drain a wallet before anyone notices.
Agentic commerce, in plain terms, is software that transacts without a human clicking "buy." Stripe is one of the more visible builders of the plumbing: a shared payment token model that lets an agent authorize a specific purchase scope without exposing a raw card, a wallet product called Link that adds spend guardrails, and a joint effort with OpenAI to ship Instant Checkout inside ChatGPT using a new Agentic Commerce Protocol, or ACP. The protocol lives on its own open-standard site, where Stripe and OpenAI are listed as founders alongside Shopify and others.
The wider Stripe bet is the Agentic Commerce Suite, a set of primitives for shared tokens, server-side mandates, and real-time usage billing aimed at developers building agent-run businesses. In a separate conversation on Latent Space, Sands described a future in which agents run as end-to-end micro-firms: signing up for APIs, paying per call, hiring other agents, and arbitraging services the way small companies do today. Stripe's 2026 Sessions talk, Indexing the Economy, is the public framing of the same thesis.
The hard part, on Sands's own telling, is what the press releases do not address. Shared payment tokens exist precisely because agents should not be handed raw cards. They are also the exact object being stolen and resold. The faster an agent can act, the less time a human has to intervene, and the more a stolen token is worth. The same rails that make agent spending possible also make agent fraud scale.
If a misbehaving agent runs up a bill, who pays: the user who clicked "allow," the merchant that accepted the token, the wallet provider, or the model vendor? Sands, in the MAD interview, says the question is openly unresolved. No protocol, no card network rule, and no jurisdiction has assigned fault. Stripe's bet is that infrastructure, not statute, will get there first: server-side mandates, narrow-scope tokens, programmable spend limits, and audit trails that make it possible to argue about liability after the fact.
The bet depends on a working open standard. A closed agentic checkout flow would let Stripe alone set the rules; an open one forces the company to negotiate with merchants, wallet providers, and rival model vendors on every primitive. ACP, on the site Stripe co-founded, is currently the second. That makes the next revision the first real test of whether shared-token issuance, scope, and revocation can be standardized faster than resellers can drain them.
The window for that test is now. Adoption is shifting from demos to deployed checkout inside ChatGPT and a small set of merchant integrations. The token-theft economy is shifting in parallel. If the trust layer does not land before the default rules get baked into agent checkout flows, the answer to who pays when the agent goes haywire will be set by whoever shipped the rails last, not by whoever thought about it longest. The next ACP revision, and the first contested fraud case to reach a court or a card network, will set the template.