For years, agentic commerce, the use of AI agents to automate shopping, was a compelling promise, though concerns remain about the mess shopping agents would make if they started hallucinating orders, much as language models sometimes generate inaccurate information.
In 2025, with Google teasing an end-to-end shopping agent and OpenAI rolling out Instant Checkout for Etsy merchants, agentic commerce has shifted from a hypothetical into a practical use case.
As we are nearing the holiday season, more consumers will start experimenting with AI agents for gift selection and other purchases.
To understand what technologies buyers in the US will be interacting with, we reviewed three popular shopping assistants: OpenAI’s Instant Checkout backed by the Agentic Commerce Protocol, Google’s Shop with AI Mode, and Perplexity’s Buy with Pro.
We dive deeper into the limitations of each to find out if AI labs and retailers are ready for the era of agentic commerce. We also examine the caveats engineering teams should keep in mind before building AI shopping assistants.
OpenAI: Agentic Commerce Protocol and Instant Checkout
In spring 2025, OpenAI reportedly began testing Shopify checkouts internally.
This led the AI community to speculate that a shopping-oriented update to ChatGPT is on the horizon.
In October, OpenAI released Instant Checkout and open-sourced the technology supporting it under the hood: Agentic Commerce Protocol.
Agentic Commerce Protocol
In partnership with Stripe, OpenAI released the open-source Agentic Commerce Protocol (ACP), which is on track to become an industry standard for building AI agents for retail.
The protocol aims to support all types of retail businesses, e-commerce platforms, and payment systems. It integrates into the retailer’s back-end and bridges the gap between a user looking up a product in ChatGPT and making a purchase on the retailer’s platform.
How Agentic Commerce Protocol works
ACP is built on the interaction between shoppers, the AI agent, the retailer, and the payment processing platform.
Shoppers discover products by interacting with an AI, choose what they want to buy, and give the agent permission to complete the checkout.
The AI agent sends a request to the retailer’s back-end to start the checkout on behalf of the buyer.
The retailer’s back-end accepts the checkout request, receives payment details from the AI agent, and runs an internal check to make sure the request is not fraudulent. If no anomalies are detected, the retailer’s system processes the request, creates a payment token, and shares it with the payment provider.
The payment provider processes the token, charges the shopper’s credit card, and reports back to the agent. The agent will inform the shopper that the checkout is complete. All of this happens without the buyer leaving the AI interface.

Security and privacy considerations
To protect shoppers’ financial data and prevent unauthorized purchases, OpenAI built security guardrails into the Agentic Commerce Protocol.
- Each action requires explicit user consent to prevent unwanted purchases.
- All payments are secure and encrypted. Users have full control over the maximum amount they are allowed to spend and can whitelist specific merchants.
- Minimal data sharing: only the data essential for payments is shared with the retailer.
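As an added illustration (not code from OpenAI, Stripe, or the ACP specification), here is one way an agent runtime could enforce these guardrails in a deterministic check outside the model, so that text injected into the conversation cannot mint consent, raise the limit, or add a merchant. The field names, the `Mandate` type, the merchant IDs, and the HMAC-based consent token are assumptions made for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# All names are hypothetical; this is not the ACP message schema.
CONSENT_KEY = b"constructed-demo-key"  # held by the consent UI, never shown to the model
SHARED_FIELDS = ("merchant", "sku", "quantity", "total_cents", "ship_to")

@dataclass(frozen=True)
class Mandate:
    max_total_cents: int          # shopper's spending limit
    allowed_merchants: frozenset  # shopper's merchant allowlist

def canonical(order: dict) -> bytes:
    # Only the fields the merchant needs are signed and later forwarded.
    core = {k: order[k] for k in SHARED_FIELDS}
    return json.dumps(core, sort_keys=True, separators=(",", ":")).encode()

def sign_consent(order: dict) -> str:
    """Run by the consent UI when the shopper confirms this exact order."""
    return hmac.new(CONSENT_KEY, canonical(order), hashlib.sha256).hexdigest()

def authorize(order: dict, consent: str, mandate: Mandate):
    """Return (payload, None) if the order may be sent, else (None, reason)."""
    missing = [k for k in SHARED_FIELDS if k not in order]
    if missing:
        return None, f"missing fields: {missing}"
    if not hmac.compare_digest(sign_consent(order), consent):
        return None, "consent does not cover this order"
    if order["merchant"] not in mandate.allowed_merchants:
        return None, "merchant not on allowlist"
    if order["total_cents"] > mandate.max_total_cents:
        return None, "over spending limit"
    # Minimal data sharing: drop everything the merchant does not need.
    return {k: order[k] for k in SHARED_FIELDS}, None

if __name__ == "__main__":
    mandate = Mandate(5000, frozenset({"merchant-a"}))  # constructed sample data
    order = {"merchant": "merchant-a", "sku": "dog-mug", "quantity": 1,
             "total_cents": 2400, "ship_to": "constructed address",
             "purchase_history": ["..."]}  # extra agent context, never forwarded
    consent = sign_consent(order)
    print(authorize(order, consent, mandate))
    tampered = {**order, "quantity": 10, "total_cents": 24000}
    print(authorize(tampered, consent, mandate))
```

Because the consent token is computed over the exact order fields, an order the agent alters after the shopper confirmed it fails the first check before the limit or allowlist is even consulted.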
The Agentic Commerce Protocol is the backbone of ChatGPT’s built-in Instant Checkout feature.
Instant Checkout enables seamless shopping in ChatGPT
Instant Checkout now helps shoppers to discover and buy products directly in ChatGPT without redirecting them to the retailer’s website. At the time of writing, the one-click checkout experience is available exclusively for Etsy merchants.
OpenAI is planning to expand Instant Checkout to over 1 million Shopify merchants and is currently accepting applications from retailers interested in joining Instant Checkout.
At the moment, the agent only manages one-item purchases. OpenAI has announced plans to support multi-item shopping experiences in future updates.
How Instant Checkout works
- A user asks ChatGPT a shopping-related question (e.g., ‘best Christmas gift for a dog owner’).
- ChatGPT collects products across the web that best match user preferences. According to OpenAI’s official documentation, product recommendations are unsponsored and based purely on relevance to the shopper. The ranking algorithm considers product availability, price, customer reviews, and whether the merchant is the primary seller.
- Via Instant Checkout, a user completes the purchase without leaving the chat window.

In this interaction, ChatGPT acts like a shopper’s agent while payment processing and order fulfillment are still handled by the merchant.
According to OpenAI’s documentation, Instant Checkout is free for shoppers while merchants pay ‘a small fee’ for each completed purchase.
At the moment, OpenAI has the most advanced end-to-end shopping agent, though other AI frontrunners and retail powerhouse tools are developing similar capabilities.
Here’s how these alternatives compare and what they offer shoppers during the upcoming holiday season.
Google: Shop with AI Mode
In May 2025, Google released agentic commerce capabilities for AI Mode, an expanded version of AI Overviews that introduces advanced reasoning, multi-modal answers, and the ability to ask nuanced follow-up questions.
AI Mode’s shopping features are similar to OpenAI’s agentic commerce capabilities.
- If a user makes a detailed shopping query like ‘a powerbank compatible with 2023 MacBook Pro’, a Gemini-powered agent will collect specific and highly relevant product results.
- A user can ask an agent to track prices for a selected product and find better deals.
- Shoppers can also explore virtual try-on capabilities, allowing them to visualize clothing items before purchasing.
- The “Buy for me” feature will have AI agents complete the check-out on a shopper’s behalf.
Note that, although Google showed a demo of the agentic checkout at Google I/O 2025, it’s not officially out yet and will first be available only for US-based product listings and require merchants to accept payments via Google Pay.
AI enthusiasts noticed that Google was making changes to product cards and started speculating that the rollout of ‘Buy for me’ is ‘imminent’.
Considering how tight the AI race is, it’s likely that OpenAI’s release of Instant Checkout will push ‘the big G’ to speed up the rollout of the agentic checkout.
Perplexity: Buy with Pro
Perplexity debuted its e-commerce solution, Buy with Pro, back in 2024. It is part of the company’s suite of shopping tools that comprises:
- Snap to Shop: a tool that identifies products from photos and matches shoppers with available offers and similar items.
- Discover Products: a service, integrated with Shopify, that helps buyers find products that match their highly specific queries.
Buy with Pro closes this loop with one-click purchases inside the Perplexity website or app. It is currently supported for a select number of US-based merchants, with the launch outside of the US reportedly in the works.

The Xenoss take: Has the era of agentic commerce started?
Shopping experiences mature and evolve constantly.
The switch from shopping malls to online platforms is not even 30 years old, and the rise of mobile shopping has only fully matured in the 2010s.
But, although they are very recent, these shifts have become closely embedded in consumer behavior and our daily routines.

So it’s not too far-fetched to imagine AI agents catching on as the next shift of ‘where’ we do our shopping. 71% of e-commerce customers claim they want AI capabilities integrated into their buyer journeys.
Here are the key sources of value that AI shopping agents bring to the table:
- Minimizing cognitive load. Large language models can help users find products that match highly specific queries and, over time, uncover personal preferences shoppers may not even realize they have by analyzing a closet photo or past chat history. This reduces decision fatigue and makes it easier for shoppers to choose items they’ll enjoy using.
- Reducing time spent shopping. Rex Woodbury, in his blog on agentic commerce, divides shopping into two categories: utility shopping and emotional shopping. Emotional shopping, like picking gifts or finding clothes that fit your style, is about the experience as much as the result, and people often want to savor it. Utility shopping, like restocking groceries or household supplies, is repetitive and time-consuming, and something most people would gladly hand off. That’s where e-commerce agents can take over the routine tasks and help people focus on fulfilling tasks.
- Finding the deal that delivers the most value. Beyond matching an item to a shopper’s exact needs, AI agents can also track price changes, compare offers across merchants, and highlight options with faster delivery or easier returns to get buyers both the right product and the best overall deal.
The potential of AI agents to make online shopping even more frictionless and hands-off is undeniable, but there are caveats.
Two critical issues warrant examination: the infrastructure requirements for widespread deployment and security vulnerabilities like prompt injection attacks.
Do we have the infrastructure to sustain agentic commerce?
All the use cases we looked into have limitations in the range of supported merchants and payment options. These constraints come from the fact that, due to the high fragmentation of online retail, making a universal agent that supports all merchants and payment processors is nearly impossible.
If an engineering team were to try doing that, here’s where they would likely stumble.
- All existing shopping workflows are built with human users in mind, which means they still lack a unified back-end to support agentic interactions.
- Retailers use proprietary APIs with varying formats and rate limits, so each integration becomes a custom, merchant-specific effort rather than a plug-and-play connection.
- There’s no shared checkout and payment logic across retailers.
- Merchants do not have unified product taxonomy standards.
This fragmentation is the likely reason why OpenAI had to limit its rollout to Etsy merchants only and why Google’s agentic checkout has restrictions on retailer eligibility.
While agentic capabilities can fairly reliably execute an end-to-end purchase, the infrastructure to deploy agentic commerce is not yet in place and may take up to a year to fully mature.
Agentic commerce: Security risks and operational challenges
Right now, AI labs are implementing agentic commerce with caution: on one-item purchases, for a limited number of merchants, with location and payment method restrictions. This helps prevent challenges with cross-border item returns or the aftermath of an agent bulk-ordering multiple items.
But, when these restrictions are lifted and agentic commerce goes global, what should teams behind retail agents consider?
Here are the risks Xenoss engineers suggest keeping in mind.
Skyrocketing return rates with no accountability
In pre-agentic e-commerce, Shopify reports average return rates of 16.9% of all orders. For product categories that require a higher personalization level, like apparel, over 20% of all items are returned.
At least until AI assistants are fully embedded in a shopper’s life, delegating shopping to an agent raises the risk of poor choices and can push the return rate higher.
This is a lose-lose for buyers and retailers alike: the former consider item returns the biggest pain point of online shopping, while the latter struggle to turn a profit due to the economic impact of return policies.
Prompt injection risks
AI agents are riddled with security vulnerabilities.
On social media, users share stories of prompt-injecting LLMs to bypass security guardrails.
In one example, a United Airlines customer tricked the company’s chatbot into connecting him with a human customer support agent by mimicking system instructions.

For a chatbot, the consequences of prompt injection are limited, but for an e-commerce agent authorized to make purchases and carrying sensitive information, the stakes are much higher.
Here are the security risks engineering teams will have to address before shipping market-ready shopping agents.
| Risk type | Description | Impact |
|---|---|---|
| Financial fraud | Unauthorized purchases using stored payment credentials | Direct monetary losses: $50K-$5M+ per incident |
| Data breaches | Exposure of payment info, addresses, purchase history, saved cards via prompt injection | PII + PCI-DSS violations, identity theft, competitive intelligence loss |
| Compliance violations | Unauthorized access to regulated customer data (GDPR, HIPAA, PCI-DSS) | Regulatory fines up to 4% of global revenue, loss of payment processing ability |
| Account takeover | Complete control over purchasing power and user credentials | Full account compromise, unauthorized transactions, credential theft |
| Supply chain manipulation | Fraudulent orders to vendors, procurement fraud through agent compromise | Disrupted B2B relationships, inventory chaos, supplier fraud |
| Multi-agent deception | Disrupted B2B relationships, inventory chaos, supplier fraud | Fraudulent transaction approvals across interconnected systems |
| Subscription fraud | Establishment of recurring unauthorized charges through compromised agents | Long-term financial drain, persistent backdoors |
| Legal liability | AI agent makes unauthorized contractual commitments on behalf of organization | Lawsuit damages, breach of contract claims, fiduciary violations |
| Operational disruption | Fraudulent orders, inventory manipulation, order cancellations | Business continuity failure, customer trust erosion, service outages |
Beyond the listed risks, shopping agents also introduce reputational damage from public incidents, insurance premium hikes, and chargeback ratios that can threaten payment processor relationships.
Hidden costs appear as monitoring debt, incident-response overhead, and model drift that degrades safeguards over time. Regional constraints (KYC/AML, age-restricted goods), accessibility/UX trade-offs from added friction, and weak auditability further complicate recovery, investigations, and executive accountability.
Market outlook: Agentic commerce potential and near-term constraints
The era of agentic commerce has arrived. OpenAI’s Instant Checkout, Google’s “Buy for me,” and Perplexity’s Buy with Pro are transforming online shopping. AI agents automate purchases, reduce decision fatigue, and surface better deals.
But the technology faces major constraints. Infrastructure fragmentation limits which merchants agents can work with. Security vulnerabilities like prompt injections also put shoppers at risk of unauthorized purchases and data breaches.
That’s why we expect the 2025 holiday season to see cautious rollouts. The real test of agentic e-commerce will probably come next year, once it integrates major merchants and scales beyond the US.