The deployment of autonomous AI agents capable of executing commercial transactions has motivated the adoption of mandate-based payment authorization protocols, including the Universal Commerce Protocol (UCP) and the Agent Payments Protocol (AP2). These protocols replace interactive, session-based authorization with cryptographically issued mandates, enabling asynchronous and autonomous execution. While AP2 provides specification-level guarantees through signature verification, explicit binding, and expiration semantics, real-world agentic execution introduces runtime behaviors such as retries, concurrency, and orchestration that challenge implicit assumptions about mandate usage. In this work, we present a security analysis of the AP2 mandate lifecycle and identify enforcement gaps that arise during runtime in agent-based payment systems. We propose a zero-trust runtime verification framework that enforces explicit context binding and consume-once mandate semantics using dynamically generated, time-bound nonces, ensuring that authorization decisions are evaluated at execution time rather than assumed from static issuance properties. Through simulation-based evaluation under high concurrency, we show that context-aware binding and consume-once enforcement address distinct and complementary attack classes, and that both are required to prevent replay and context-redirect attacks. The proposed framework mitigates all evaluated attacks while maintaining stable verification latency of approximately 3.8 ms at throughput levels up to 10,000 transactions per second. We further demonstrate that the required runtime state is bounded by peak concurrency rather than cumulative transaction history, indicating that robust runtime security for agentic payment execution can be achieved with minimal and predictable overhead.
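As an added illustration (not code from the paper or from the AP2 specification), the following minimal Python verifier sketches the two runtime checks the abstract describes: explicit binding of a time-bound nonce to the execution context, and atomic consume-once enforcement whose state is purged as nonces expire. The mandate fields, the HMAC stand-in for the issuer signature, and the in-memory nonce store are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import threading
import time
from dataclasses import dataclass

# Constructed example: hypothetical mandate layout and verifier, not AP2's own types.
ISSUER_KEY = b"demo-issuer-key"  # constructed stand-in for the issuer's signing key


@dataclass(frozen=True)
class Mandate:
    nonce: str          # fresh per execution attempt, time-bound via expires_at
    merchant: str       # execution context the mandate is explicitly bound to
    amount_cents: int
    expires_at: float   # unix seconds
    tag: str            # HMAC over the fields above (signature stand-in)


def _tag(nonce, merchant, amount_cents, expires_at):
    msg = f"{nonce}|{merchant}|{amount_cents}|{expires_at}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issue_mandate(merchant, amount_cents, ttl_s=30.0, now=None):
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    expires_at = now + ttl_s
    return Mandate(nonce, merchant, amount_cents, expires_at,
                   _tag(nonce, merchant, amount_cents, expires_at))


class RuntimeVerifier:
    def __init__(self):
        self._lock = threading.Lock()
        self._consumed = {}  # nonce -> expires_at; only live nonces are retained

    def _purge(self, now):
        # An expired nonce can never verify again, so forgetting it is safe:
        # state grows with concurrently live mandates, not with transaction history.
        for n in [n for n, exp in self._consumed.items() if exp <= now]:
            del self._consumed[n]

    def verify_and_consume(self, m, merchant, amount_cents, now=None):
        now = time.time() if now is None else now
        if not hmac.compare_digest(m.tag, _tag(m.nonce, m.merchant, m.amount_cents, m.expires_at)):
            return "reject:signature"
        if now >= m.expires_at:
            return "reject:expired"
        if (m.merchant, m.amount_cents) != (merchant, amount_cents):
            return "reject:context"   # context-redirect: valid mandate, wrong execution context
        with self._lock:              # check-and-mark is atomic across concurrent executors
            self._purge(now)
            if m.nonce in self._consumed:
                return "reject:replay"
            self._consumed[m.nonce] = m.expires_at
        return "accept"
```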