Retailers have spent years building the exact return policies that agentic commerce is using against them
Enterprise retailers have spent years building attribution infrastructure for the front door.
- UTM parameters log every click
- Attribution models tell you where traffic came from
- Policies define exactly what a return requires
That infrastructure was designed for a world where a human makes the purchase and the return.
Retailers are already seeing 15–20% of referral traffic arriving from AI chat interfaces. When that traffic results in a click-through, attribution still works. But when a browser plugin, a voice assistant, or an automated checkout tool executes a purchase on behalf of a shopper, that transaction looks identical to one a human placed. No flag. No different referral signal. As Vishal Patel, Chief Product and AI Officer at Appriss Retail, puts it: “A Claude Chrome plugin would look exactly like my Chrome traffic, these systems can’t tell the difference.”
U.S. B2C agentic commerce is forecast to reach $1 trillion by 2030. That’s the number retailers are investing against when they build out AI Engine Optimization — without accounting for the fraud and returns exposure those same transactions are generating through a channel that wasn’t built to track agent-initiated behavior.
Vishal teaches AI/Deep Learning at the University of Louisville and leads product and AI strategy at Appriss Retail, where he has direct visibility into how fraud and returns patterns are — and aren’t — being traced back to their source across hundreds of enterprise retail customers. The data required to connect AI-driven traffic to downstream fraud and returns already exists at most retailers.
It just doesn’t travel between the teams who need it.
Key Takeaways:
- AI agent transactions are indistinguishable from human purchases at the point of sale since standard attribution tools don’t flag them.
- Precisely written return policies become targeting guides once any AI tool can read them at scale and map approval thresholds.
- The CFO is the logical owner of agentic fraud exposure because growing the channel and defending it are the same capital allocation decision.
When your policies become fraud instructions
Return policies have always been public. Great for consumers, a goldmine for AI. Now, an AI tool can read every policy across every retailer simultaneously, map the approval thresholds, and surface the exact conditions under which a return will be accepted.
“Today AI agents can go review all these policies, summarize what are the loopholes in them, and tell you the exact boundaries you can stay within to not be flagged at a certain retailer,” says Patel.
The same tooling extends to proof of damage. A product manager at Appriss demonstrated this to Patel directly: take a photo of unworn shoes, run it through an image model, produce a picture showing visible wear.
“The AI photo looks like a picture someone actually took, and you could file that as a claim. It’s become that easy.”
A more precisely written policy doesn’t automatically fix this. A lock that publishes its own combination isn’t more secure because the design updates. The defense has to move at the behavioral level — reading identity signals rather than enforcing rules any agent can read at scale.
Controls built for humans fail against tools that aren’t
Let’s look at a limited-edition sneaker to get a picture of what retailers are up against.
Bots buy out entire inventory releases before human shoppers can access them, and whatever they can’t sell in secondary markets comes back as a return. Retailers are going to see bulk buyers and shopping patterns that negatively impact customer experience.
The standard response is a per-email or per-card purchase cap, but that fails because bots can manufacture as many email addresses as needed to route around the cap.
What holds is identity-level linking. With a cap of 10 pairs per email, people are going to use email one, email two, email three, email four, and still buy the 40 pairs they're looking for. The linking engine Appriss uses behind the scenes connects all of that activity, so the cap can be applied not at an individual email address or an individual credit card number, but at the identity level.
Account-level controls add friction for real customers and get routed around by anyone who reads how they work. Identity-level controls add friction where the fraud actually lives. Appriss Secure and Engage already operate at the identity level across returns and shrink — and Sidekick enables conversational querying of that cross-channel data once retailers make the decision to route attribution data into it.
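To make the difference between a per-email cap and an identity-level cap concrete, here is an added sketch (not Appriss code and not from the original article) that links accounts through shared attributes with a union-find structure and applies the cap per linked identity. The linking signals (card fingerprint, device ID, shipping address), the field names and the sample orders are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample orders for one limited release. The linking signals
# are assumptions for this sketch; the article does not say which signals
# a production linking engine uses.
ORDERS = [
    {"email": "a1@example.com", "card": "fp_1", "device": "d1", "ship": "s1", "qty": 10},
    {"email": "a2@example.com", "card": "fp_1", "device": "d2", "ship": "s2", "qty": 10},
    {"email": "a3@example.com", "card": "fp_3", "device": "d2", "ship": "s3", "qty": 10},
    {"email": "a4@example.com", "card": "fp_4", "device": "d4", "ship": "s3", "qty": 10},
    {"email": "b@example.com", "card": "fp_9", "device": "d9", "ship": "s9", "qty": 2},
]
CAP = 10                                # pairs allowed per buyer
LINK_KEYS = ("card", "device", "ship")  # attributes that tie accounts together

class DisjointSet:
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def link_identities(orders, keys=LINK_KEYS):
    """Merge every email with each attribute value it was seen with, so
    emails sharing any attribute (directly or transitively) share a root."""
    ds = DisjointSet()
    for o in orders:
        for k in keys:
            if o.get(k):
                ds.union(("email", o["email"]), (k, o[k]))
    return ds

def evaluate(orders, cap=CAP):
    """Return (emails over the cap, linked identities over the cap)."""
    ds = link_identities(orders)
    per_email, per_identity, members = defaultdict(int), defaultdict(int), defaultdict(set)
    for o in orders:
        root = ds.find(("email", o["email"]))
        per_email[o["email"]] += o["qty"]
        per_identity[root] += o["qty"]
        members[root].add(o["email"])
    email_flags = sorted(e for e, q in per_email.items() if q > cap)
    identity_flags = sorted((sorted(members[r]), q)
                            for r, q in per_identity.items() if q > cap)
    return email_flags, identity_flags
```

On the sample data the per-email check flags nothing, while the identity-level check groups the four linked emails into one buyer holding 40 pairs. Shared attributes such as a shipping address can also merge legitimate households, so a real deployment would weight or corroborate links rather than treat any single match as proof.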

An alarm ringing in an empty room
Whether it’s Marketing or eComm that owns acquisition at your org, the data dead zone is the same. When a shopper follows a link from ChatGPT or Gemini, the UTM parameters capture it. What doesn’t exist, at most retailers, is any connection between that attribution data and what those transactions do after checkout. Marketing has the channel data. Asset protection or ecommerce owns the return patterns, depending on the method of return. Neither team is sharing with the other, so no one sees the correlation, and no one is calculating what that disconnect is costing the P&L.
“If we got that data from the retailer — if they told us what the marketing channel, where that transaction originated from — then Appriss would be able to run that analysis,” says Patel. “Our platform does allow for all of those types of analytics. We need more of our customers to send us that level of data.”
Those returns land on the P&L as margin loss. That fraud and abuse lands as shrink. Neither gets traced back to the channel that generated them because no one has connected the two data sets. The channel grows. The loss grows with it.

Forrester’s mid-2026 assessment found the biggest barriers to responding to agentic commerce are organizational — silos between digital business, IT, marketing, customer service, and legal. Patel’s observation on ownership maps directly onto those findings:
“Part of the issue or part of the solution is someone actually owning that. Because I think that’s what we see in total retail loss — no one wants to take ownership, and that needs to happen proactively.”
In the latest study from Strategy&, experts project agents will drive 8–15% of European e-commerce spending by 2030 at an adoption pace up to four times faster than traditional e-commerce. Visa and Mastercard CFOs are already describing agentic commerce as a transaction multiplier — more transactions, more fraud surface area.
The logical owner for addressing agentic commerce is the CFO. Agentic fraud touches marketing, ecomm, loss prevention, and ops simultaneously. Without an explicit owner, it falls between departments until the margin impact is already real. At current growth rates, the channel isn’t waiting for an owner. The margin impact won’t either.
Frequently asked questions:
Why are per-email or per-card purchase limits insufficient for stopping bot purchasing?
Account-level controls assume identity is fixed. Bots don’t operate that way — they generate new email addresses and card numbers at whatever scale they need, routing around any per-account limit almost instantly. Identity-level linking connects those manufactured accounts behind the scenes and enforces limits at the person level, not the credential level. The bot still creates the accounts. The purchase cap still holds.
How does AI-enabled fraudulent proof of damage change return authorization?
Consumer-grade image models can produce convincing damage photos in seconds from a picture of an unworn product. Standard authorization that relies on customer-submitted visual evidence is now operating in an environment where that evidence can be manufactured at low cost and at scale. The shift this requires is from evidence-based to behavioral authorization — decisions built on the full pattern of a customer’s identity across return history, purchase behavior, and fraud signals. The image can be fabricated. The behavioral record can’t.
What makes agentic commerce fraud a CFO-level problem rather than an LP or operations problem?
Because it sits at the intersection of a revenue channel investment and a cost line. The same budget funding AI Engine Optimization to capture AI-driven traffic is simultaneously increasing transaction volume through an environment that wasn’t built for agent-initiated behavior. LP and operations teams can flag patterns once they appear. What they can’t do on their own is connect a rising return rate back to a specific traffic channel and redirect attribution data accordingly. That requires authority over both sides of the equation.

