Field note

Spend limits are not delegated payment authority

An invoice agent hits a transient timeout, retries, and two payments clear to the same vendor. The model calls it success. Ops calls it a week of cleanup. Spend limits and roles are a speed bump. Real delegated authority is a delegation object, policy on every attempt, ledger-bound idempotency, and an instant kill switch.

Feb 9, 2026 · Navin Agrawal · Payments · 2 min read

Spend limits are not delegated payment authority

Visual brief

Visual brief

Spend limits are not delegated payment authority

As of February 2026

The agent did not get hacked. It paid twice. An invoice agent spotted an overdue bill, initiated a payment, hit a transient timeout, and retried - and two payments cleared to the same vendor.

The model called it success. Ops called it a week of cleanup. This is the trap with AI agents in treasury: most designs stop at spend limits and roles. That is necessary, and it is not delegated payment authority. It is a speed bump.

Delegation object

Not a credential

who delegated, what purpose, which counterparties and rails, and when it expires.

Policy per attempt

Evaluated live

limits are a result of policy and context on every attempt, not a number stored in a UI.

Idempotency

Ledger-bound

bind the key to delegation, invoice, and amount so a retry cannot create a second payment.

The blueprint that holds up

Start with a delegation object, not a shared credential: who delegated, for what purpose, to which counterparties and rails, and when it expires. Evaluate policy on every attempt, so a limit is the output of policy and context rather than a number sitting in a settings screen. Then bind idempotency to the ledger - key it to the delegation ID, the invoice ID, and the amount - so a retry cannot mint a second payment.

What makes it defensible

Sign every intent with a nonce and a short expiry, so a replayed request dies at the edge instead of clearing. Keep a kill switch and an audit trail that reads like a case file: if you cannot reconstruct why an action was allowed, you cannot defend it after the fact. Delegating payments to software is old. Delegating them to autonomous software is what changes the governance bar.

Spend limits are not delegated payment authority (as of February 2026): use a delegation object that records who delegated, what purpose, which counterparties and rails, and when it expires, rather than a shared credential; evaluate policy on every attempt so limits result from policy and context, not a number in a UI; bind idempotency to the ledger by keying it to delegation, invoice, and amount so a retry cannot create a second payment; and keep a kill switch, because if you cannot revoke an agent instantly you are delegating liability, not authority.
A delegation object, live policy, ledger-bound idempotency, and an instant kill switch - the difference between authority and liability.
If your platform cannot revoke an agent instantly, you are not delegating authority. You are delegating liability.

Was this useful?

Choose once.

Related Posts

View All Posts »
The hard part of payments is access, not the API

The hard part of payments is access, not the API

A payroll rollout taught me the friction is never the integration. It is funding caps, routing permissions, and what can clear directly versus what has to detour through a sponsor bank. That is why the Fed's new payment-account RFI matters - access is becoming a design decision, not just a policy one.

Under a second is the right answer to the wrong question

Under a second is the right answer to the wrong question

At an AWS Bedrock AgentCore Payments session the question was what happens at a thousand transactions a second, and the answer was settlement in under a second. Both are true and they answer different questions. The right frame for one payment crossing a trust boundary is the wrong frame for a million events a day inside one agent fleet, where the chain fee stacks up before anything else does.

ACH's most boring 10 characters just became policy

ACH's most boring 10 characters just became policy

From March 2026, Nacha standardizes the ACH Company Entry Description as PAYROLL or PURCHASE for those payment types. It sounds trivial, but a free-text field becoming a dependable category is what finally lets reconciliation automation stick on a rail that still moves tens of billions of payments a year.

Pay-by-bank's 3% savings hides a reconciliation bill

Pay-by-bank's 3% savings hides a reconciliation bill

The CFO sees "save 3 percent on transactions" and the math looks obvious. Treasury sees continuous settlement at 3 AM and a reconciliation process built for batch. Before you switch to account-to-account, count the operating cost the savings slide leaves out.