Linkmerica Research · LISR Research Brief v1.0
HIGH MATERIALITY TIER 1 TARGET Published: 2026-07-08

Google AP2 v0.2.0: The Custody Risk Surface of Cryptographic Mandate Infrastructure

Linkmerica Research Team Institutional Custody Risk Brief Date: July 8, 2026


EXECUTIVE SUMMARY

Google's Agent Payments Protocol (AP2) has transitioned from a September 2025 launch protocol to FIDO Alliance-governed infrastructure with over 100 institutional partners and three confirmed production deployments in nine months. This brief assesses a custody risk category that existing frameworks do not adequately address: cryptographic mandate custody. Unlike traditional asset custody, mandate custody concerns who controls the cryptographic proof that a transaction was authorized—and what institutional exposure emerges when that proof can be intercepted, replayed, or generated through manipulated intent chains. As 49% of surveyed global financial institutions now deploy stablecoin flows integrated with AP2 architecture, and regulatory frameworks built for human authorization events have not yet adapted to autonomous mandate generation, institutions face structural readiness gaps requiring immediate assessment.


WHAT CHANGED — NINE MONTHS OF ADOPTION DATA

On April 28, 2026, Google donated AP2 to the FIDO Alliance for community governance, simultaneously releasing version 0.2.0. This governance transition represents a maturity inflection point: moving from single-vendor control to standards-body oversight reduces concentration risk but increases attack surface visibility as the protocol's internals become subject to multi-stakeholder scrutiny and public security research.

Version 0.2.0 introduced two capabilities co-developed with Mastercard—"Human Not Present" payments and "Verifiable Intent"—explicitly designed for autonomous transaction scenarios where no real-time human confirmation occurs. These additions signal the protocol is maturing beyond pilot-stage concepts toward production-scale deployment in scenarios where AI agents execute payment flows without per-transaction human authorization.

The partner coalition expanded from 60 organizations at the September 2025 launch to over 100 by April 2026. Participants include Mastercard, PayPal, Coinbase, American Express, Adyen, Revolut, Salesforce, ServiceNow, JCB, UnionPay International, Ant International, Shopee, and Lazada. Three production deployments have been publicly identified: PayPal's wallet integration with Google Cloud Conversational Commerce Agent, Mastercard's Agent Pay pilot, and an A2A x402 extension enabling stablecoin settlement through AP2 mandate structures.

Industry survey data indicates 49% of 300 global financial institutions now use stablecoins integrated with AP2, a deployment velocity that has outpaced corresponding regulatory guidance development. The Everest Group positions AP2 as a "Systems of Execution" infrastructure layer comparable to TCP/IP for agent-driven commerce, suggesting institutional participants are treating this as foundational protocol adoption rather than experimental technology integration.


THE THREE-MANDATE ARCHITECTURE — A NEW CUSTODY QUESTION

AP2's architecture comprises three distinct cryptographically signed Mandates, each implemented as a W3C Verifiable Credential:

Intent Mandate — Defines the scope of a user's instruction to an AI agent (e.g., "purchase running shoes under $150").

Cart Mandate — Creates a tamper-proof record of specific items selected, locking the transaction details.

Payment Mandate — Authorizes final settlement, cryptographically binding the payment execution to the Intent and Cart Mandates.

This structure introduces a custody question fundamentally distinct from traditional payment risk models. The institutional exposure is not custody of funds in the conventional sense, but custody of cryptographic authorization artifacts. Whoever controls a valid Payment Mandate controls a transaction's execution, regardless of whether the human who supposedly authorized it actually intended that specific outcome.

This differs structurally from traditional payment fraud scenarios. In card-not-present fraud, a stolen credential (card number, CVV) is the attack surface—the authorization itself was never legitimately generated. In AP2's mandate-based model, a manipulated or intercepted mandate is a valid cryptographic artifact. The signature validates correctly, the credential structure is well-formed, and the chain of custody appears intact, yet the underlying authorization may not reflect genuine user intent.

Institutions integrating AP2-connected payment flows must therefore assess not only who holds cryptographic keys, but who controls the processes that generate mandates, the infrastructure that routes them, and the verification layers that confirm alignment between cryptographic validity and actual user intent. Existing custody frameworks evaluate asset control; mandate custody requires evaluating authorization control as a distinct risk surface.


THE PROMPT INJECTION FINDING — WHY VALID SIGNATURES ARE NOT ENOUGH

Security research published as arXiv:2601.22569 demonstrated that prompt injection attacks can manipulate AP2-connected shopping agents into producing mandates that are cryptographically valid but reflect compromised intent. In documented test scenarios, adversarial prompts embedded in product descriptions or merchant-controlled content caused agents to generate Payment Mandates for transactions the user did not genuinely authorize, despite the mandate carrying a valid cryptographic signature chain.

This finding defeats traditional fraud detection mechanisms. The signature verifies correctly. The mandate structure conforms to protocol specifications. The credential issuance process completed without technical errors. Yet the "who authorized this transaction" question has been compromised upstream of the cryptography—at the intent formation layer where the AI agent interprets user instructions and environmental inputs.

A second research finding, published as arXiv:2602.06345, reinforced the structural gap: static authorization at mandate issuance does not guarantee safe execution. The research demonstrated that even when initial intent capture is secure, runtime conditions—modified routing tables, poisoned service meshes, or compromised verification endpoints—can redirect valid mandates to unintended recipients or alter transaction outcomes post-issuance.

The institutional implication: cryptographic mandate validity is a necessary but insufficient condition for transaction authorization. Institutions deploying AP2-integrated flows require zero-trust runtime verification layers that continuously validate intent alignment throughout the mandate lifecycle, not only at issuance. Most current implementations observed in the partner ecosystem do not yet include these compensating verification architectures, creating a structural readiness gap between protocol adoption and institutional-grade authorization assurance.


STRUCTURAL GAPS — REVOCATION AND ROUTING

AP2 contains no native in-protocol revocation mechanism for non-repudiable mandates. Once a Payment Mandate is issued and cryptographically signed, the protocol itself provides no canonical method to cancel that authorization. This creates an operational gap for dispute resolution and fraud remediation: institutions must implement out-of-band revocation systems that rely on settlement-layer controls, bilateral agreements, or external dispute processes rather than protocol-native cryptographic cancellation.

For institutions accustomed to payment networks with standardized chargeback and reversal mechanisms (ACH returns, card network dispute flows), this represents a structural shift. Mandate custody includes responsibility for tracking issued authorizations across their full lifecycle and implementing compensating controls when protocol-layer revocation is unavailable. The gap is particularly acute in consumer-facing deployments, where Regulation E obligations may require reversal capabilities that AP2 does not natively support.

The Cloud Security Alliance's STRIDE/MAESTRO threat modeling analysis identified a second structural gap: service mesh poisoning. In AP2's architecture, Payment Mandates route through inter-agent communication infrastructure—service meshes, API gateways, and message brokers that direct mandates from issuing agents to settlement endpoints. The CSA analysis demonstrated that adversaries gaining control over routing infrastructure can redirect valid Payment Mandates to fraudulent issuers or settlement endpoints without invalidating the mandate's cryptographic properties.

This attack vector does not require breaking cryptography or stealing keys. A valid mandate, properly signed and structurally correct, simply arrives at the wrong destination because the routing layer—not governed by AP2's cryptographic trust model—has been compromised. Institutions integrating AP2 must therefore secure not only the mandate generation and verification endpoints, but the entire routing infrastructure connecting them, a dependency surface that extends beyond the protocol's formal trust boundary.

Both gaps place compensating-control burden on institutions. AP2 does not solve revocation or routing integrity natively; institutional adopters must architect solutions independently, without standardized protocol guidance or interoperable tooling across the 100+ partner ecosystem.


THE REGULATORY GAP — REGULATION E AND AUTONOMOUS AUTHORIZATION

As of mid-2026, no formal regulatory guidance from the Office of the Comptroller of the Currency, the Federal Reserve, or the Consumer Financial Protection Bureau specifically addresses agentic payment protocols or mandate-based authorization architectures. The EU's Markets in Crypto-Assets Regulation (MiCA) and the US GENIUS Act establish legal foundations for stablecoin issuance and reserve requirements, but neither directly resolves liability and consumer protection questions for autonomous mandate generation.

Linkmerica's analysis identifies the most significant unresolved gap as Regulation E, the US framework governing consumer protection in electronic funds transfers. Regulation E's liability allocation and error resolution provisions were constructed around human authorization events—scenarios where a consumer directly initiates a transfer or explicitly confirms a transaction. The regulation does not explicitly contemplate authorization chains where an AI agent generates a cryptographically valid Payment Mandate on a consumer's behalf, potentially based on manipulated or misinterpreted intent.

This creates institutional uncertainty in three specific areas:

Liability allocation — If a prompt injection attack causes an agent to generate a valid mandate for an unintended transaction, is the institution that deployed the agent liable under Regulation E's unauthorized transaction provisions, or does the cryptographic validity of the mandate shift liability to the consumer who instructed the agent?

Error resolution — Regulation E requires specific timelines and processes for investigating disputed transactions. When the dispute concerns not whether a mandate was validly issued, but whether the agent correctly interpreted user intent, existing error resolution procedures do not directly apply.

Revocation rights — Regulation E grants consumers the right to stop preauthorized transfers. AP2's lack of native revocation mechanisms creates operational friction in satisfying these statutory obligations for recurring or preauthorized mandate structures.

Institutions deploying AP2-connected consumer products face these liability allocation questions without settled regulatory answers. The 49% of surveyed financial institutions already using AP2-integrated stablecoin flows represents adoption at scale occurring while foundational consumer protection questions remain unresolved. This is not a theoretical future risk—it is a current compliance gap affecting live production deployments.


LINKMERICA MONITORING COMMITMENT

AP2 is a Tier 1 primary target in Linkmerica's 22-target weekly monitoring surface, tracked continuously since June 15, 2026. The protocol's rapid institutional adoption, evolving security research findings, and unresolved regulatory questions position it as critical infrastructure requiring sustained assessment rather than point-in-time analysis.

The Linkmerica Research Team will publish updates as AP2's mandate revocation tooling, runtime verification standards, or regulatory guidance develop. Specific monitoring priorities include tracking FIDO Alliance working group outputs for protocol-native revocation mechanisms, observing adoption patterns of zero-trust verification architectures among institutional partners, and monitoring regulatory agency statements addressing autonomous authorization frameworks.

The protocol's institutional deployment velocity has outpaced available independent risk assessment—exactly the gap Linkmerica's agentic monitoring infrastructure is designed to close. As the framework matures and additional institutional custody considerations emerge from production-scale deployment data, research outputs will reflect updated structural readiness assessments grounded in verified operational evidence rather than theoretical protocol analysis.


Linkmerica is a trade name of CASPO LLC. Research outputs are for informational purposes only and do not constitute financial or investment advice. This brief is based on Linkmerica's dated agentic infrastructure monitoring record and publicly available security research.


*This brief was produced by the Linkmerica Research Team under the LISR framework. Informational only — not financial or investment advice. CASPO LLC DBA Linkmerica — Virginia SCC. linkmerica.com*
← Back to Research