Agentic Protocol Rating · Second ACR Score

Google AP2

Agent Payments Protocol — FIDO Alliance governed cryptographic mandate infrastructure. Scored under the LISR Agentic Custody Readiness (ACR) framework. Assessed against Linkmerica's dated monitoring record, June 15 – July 12, 2026.

ACR Score

HIGH RISK
LISR ACR v1.0 · Scored July 13, 2026 · Framework June 25, 2026 · Confidence: HIGH
ACR Score
6.4
/ 10.0 · higher = higher risk
Risk Tier
HIGH
institutional custody risk
Governance
FIDO Alliance
since April 28, 2026
Partners
100+
across payment rails
0.0 LOW RISK 10.0 CRITICAL
ACR CategoryScoreRisk Bar
Session Key Support 5.5
Programmable Guardrails 7.0
Audit Log Generation 5.0
Multi Party Approval 7.5
Protocol Compatibility 6.5
Quantum Resistance Readiness 6.9

Six structural agentic custody properties. Category weights and internal scoring math are proprietary.

Key Risk Flags
  • Demonstrated prompt injection attack (arXiv 2601.22569) produces cryptographically valid mandates for unintended purchases
  • No native mandate revocation mechanism through v0.3.0 RC; non-repudiable authorization creates irrevocable agent authority
  • Service mesh poisoning attack vector identified by Cloud Security Alliance enables Payment Mandate redirection
  • Regulation E consumer protection gap for non-human authorization chains unresolved
  • 49% institutional stablecoin integration creates systemic settlement fragmentation and quantum-vulnerable bridge exposure
  • v0.3.0 delegated sub-mandates enable agent-to-agent authority chains with unclear revocation and approval semantics
Mitigating Factors
  • FIDO Alliance standards-body governance (April 28, 2026) with 40+ member Drafting Group provides multi-stakeholder oversight
  • W3C Verifiable Credentials architecture provides cryptographically verifiable, timestamped audit trail artifacts
  • EU MiCA regulatory sandbox pilot with Adyen and Revolut represents active regulatory engagement and compliance pathway exploration
  • Three production deployments (PayPal, Mastercard, x402) and 100+ partner coalition demonstrate real-world operational validation
  • arXiv 2602.06345 zero-trust runtime verification reference implementation exists as third-party mitigation (July 2026)

Analyst Assessment

This is the second ACR score published under the v1.0 framework (first: Mastercard AP4M, 6.9/HIGH, July 8, 2026). AP2's 6.4/HIGH rating reflects a qualitatively different risk profile than AP4M: where AP4M scored high due to undisclosed controls and proprietary opacity, AP2's risks are visible, documented, and research-validated. The monitoring record (June 15 - July 12, 2026) captured published attack research (prompt injection, service mesh poisoning), three specification versions including the July 3 v0.3.0 RC, and the formation of the FIDO AP2 Drafting Group. AP2's W3C VC architecture provides genuinely superior audit properties and its Intent Mandate scoping offers session-key-like authorization semantics AP4M lacks publicly. However, demonstrated attacks against valid mandate generation (arXiv 2601.22569), absence of native revocation and multi-party approval mechanisms, and the expanded attack surface from v0.3.0's sub-delegation and batch features elevate practical deployment risk. The protocol's open governance and extensive documentation enable risk assessment at higher confidence than AP4M, but the identified gaps—particularly the Regulation E consumer protection void and quantum vulnerability across the mandate signing layer and stablecoin settlement—require institutional mitigation strategies before scaled agentic custody deployment.

← Back to homepage