


When an AI agent shops on your behalf, pays on your behalf, and negotiates on your behalf — who’s actually in charge? And when something goes wrong, who carries the liability?
In the debut episode of The Control Layer, Amer Altaf sits down with Andrew Dunbar, Chief Information Security Officer at Shopify, to unpack the security architecture behind agentic commerce — a world where autonomous AI agents act as buyers, and traditional checkout flows no longer apply.
Andrew reveals how Shopify is building the Universal Commerce Protocol (UCP), a framework designed to let AI agents transact securely across any merchant without screen-scraping or fragile browser automation. The conversation covers how cryptographic credential chains prevent compromised agents from completing unauthorised transactions, why the four-persona model (buyer, business, platform, credential provider) changes the trust equation entirely, and what happens when 875 million buyers start operating through autonomous intermediaries.
They also discuss why the CISO’s role is shifting from gatekeeper to architect, how bug bounty programmes stress-test agentic infrastructure before it ships, and what sovereign AI strategy means for businesses operating across borders.
Whether you’re a security leader, a founder building on AI, or simply someone who wants to understand the system that’s about to handle your money — this is where it starts.
By Amer Altaf