Google AP2
Agent Payments Protocol — FIDO Alliance governed cryptographic mandate infrastructure. Scored under the LISR Agentic Custody Readiness (ACR) framework. Assessed against Linkmerica's dated monitoring record, June 15 – July 12, 2026.
ACR Score
HIGH RISK| ACR Category | Score | Risk Bar |
|---|---|---|
| Session Key Support | 5.5 | |
| Programmable Guardrails | 7.0 | |
| Audit Log Generation | 5.0 | |
| Multi Party Approval | 7.5 | |
| Protocol Compatibility | 6.5 | |
| Quantum Resistance Readiness | 6.9 |
Six structural agentic custody properties. Category weights and internal scoring math are proprietary.
- Demonstrated prompt injection attack (arXiv 2601.22569) produces cryptographically valid mandates for unintended purchases
- No native mandate revocation mechanism through v0.3.0 RC; non-repudiable authorization creates irrevocable agent authority
- Service mesh poisoning attack vector identified by Cloud Security Alliance enables Payment Mandate redirection
- Regulation E consumer protection gap for non-human authorization chains unresolved
- 49% institutional stablecoin integration creates systemic settlement fragmentation and quantum-vulnerable bridge exposure
- v0.3.0 delegated sub-mandates enable agent-to-agent authority chains with unclear revocation and approval semantics
- FIDO Alliance standards-body governance (April 28, 2026) with 40+ member Drafting Group provides multi-stakeholder oversight
- W3C Verifiable Credentials architecture provides cryptographically verifiable, timestamped audit trail artifacts
- EU MiCA regulatory sandbox pilot with Adyen and Revolut represents active regulatory engagement and compliance pathway exploration
- Three production deployments (PayPal, Mastercard, x402) and 100+ partner coalition demonstrate real-world operational validation
- arXiv 2602.06345 zero-trust runtime verification reference implementation exists as third-party mitigation (July 2026)
Analyst Assessment
This is the second ACR score published under the v1.0 framework (first: Mastercard AP4M, 6.9/HIGH, July 8, 2026). AP2's 6.4/HIGH rating reflects a qualitatively different risk profile than AP4M: where AP4M scored high due to undisclosed controls and proprietary opacity, AP2's risks are visible, documented, and research-validated. The monitoring record (June 15 - July 12, 2026) captured published attack research (prompt injection, service mesh poisoning), three specification versions including the July 3 v0.3.0 RC, and the formation of the FIDO AP2 Drafting Group. AP2's W3C VC architecture provides genuinely superior audit properties and its Intent Mandate scoping offers session-key-like authorization semantics AP4M lacks publicly. However, demonstrated attacks against valid mandate generation (arXiv 2601.22569), absence of native revocation and multi-party approval mechanisms, and the expanded attack surface from v0.3.0's sub-delegation and batch features elevate practical deployment risk. The protocol's open governance and extensive documentation enable risk assessment at higher confidence than AP4M, but the identified gaps—particularly the Regulation E consumer protection void and quantum vulnerability across the mandate signing layer and stablecoin settlement—require institutional mitigation strategies before scaled agentic custody deployment.