Where Agents Make the Deal
Negotiation Protocols for Governable Agentic Commerce

The shift from posted prices to represented negotiation
“Markets are conversations.” cluetrain.com
Most modern commerce is built on posted prices. Prices move over time, but at any given moment, buyers are generally offered the same price for the same product, with limited variation by channel, promotion, or segment. That model scaled for practical reasons: it is easier to run accounting, taxation, and point-of-sale systems when “the price” is a stable field in a table.
Even where pricing is dynamic today, it is usually dynamic within a controlled frame. Travel and hospitality have long used inventory- and time-driven pricing for rivalrous capacity such as airline seats and hotel rooms. The logic is algorithmic, defensible, and designed to avoid unacceptable discrimination.
Agentic commerce changes the mechanism, not just the speed. When buyers are represented by agents and vendors are represented by agents, pricing can move closer to a bazaar-style interaction: terms are determined at the moment of sale through structured concessions on price, refundability, delivery, warranty, service levels, and risk allocation.
If negotiation becomes routine at machine scale, the market needs shared rails for how agents negotiate, how they stop, and how outcomes become binding.
What changes is not only the price, but the conversation structure around the price. In a human bazaar, negotiation works because the parties share unwritten norms: how to make an offer, how to signal seriousness, when a counteroffer is final, and what it means to walk away. Agentic commerce reintroduces that bazaar dynamic at scale, with buyer agents and seller agents each arriving with constraints and concessions, and needing a formal way to converge on mutually acceptable terms.
If “markets are conversations,” then the shift to agent-mediated markets makes one question unavoidable: what is the grammar of that conversation, and how do we trust who is speaking?
What AP2 gives us, and what it does not

AP2 (the Agent Payments Protocol) is an important step toward trusted agentic commerce because it answers a hard, practical question: how can a third party verify that an agent had authority to transact, under explicit constraints, with an auditable trail of evidence?
It does this through a simple but powerful construct: cryptographically signed “Mandates” that create an evidentiary chain from intent to purchase to settlement. In common implementations, an Intent Mandate captures the user’s delegated authority and constraints (including human-not-present scenarios), a Cart Mandate captures the final agreed cart and price (typically human-present), and a Payment Mandate signals agent involvement and user presence context to networks and issuers so they can apply appropriate risk models.
The gap is equally clear. AP2 is optimised for authorising and proving a transaction, not for forming the deal that precedes it. It does not standardise how agents negotiate price and non-price terms, how concessions are exchanged, how negotiations end, or how outcomes are recorded in a way that is explainable, fair, and binding across parties.
The missing layer: a negotiation protocol with explicit outcomes
If AP2 makes it possible to trust that an agent had the authority to transact, the next problem is trusting that two agents formed a deal in a way that is coherent, auditable, and safe. That requires more than “offer and accept.” It requires a shared definition of what negotiation success looks like, how it is measured, and how it ends.
This matters because negotiation success has two dimensions. One is deal quality, the tangible terms secured (price, duration, risk allocation, speed to close). The other is win-win outcomes, where the goal is not only the best terms today, but a durable relationship with fewer disputes and smoother execution. At machine scale, if agents optimise only for the first, they will learn extractive behaviours that degrade trust and invite countermeasures. A negotiation protocol must therefore encode outcomes and records that support both dimensions.
A practical starting point is a standard set of negotiation outcomes that every participant can interpret the same way. There are four core cases:
A deal is struck
Mutual no-deal
Seller walks away while buyer leaves the door open
Buyer walks away while seller leaves the door open
To operate reliably in real systems, additional outcomes are needed:
Timeout / expiry: negotiation ends because a clock ran out (no response or stale context).
Escalate to human: an edge case triggers human review before continuing.
Conditional agreement pending approval: agreement is reached, but dependent on a second signature, credit decision, inventory confirmation, or policy check.
Partial agreement / parked: agreement on some terms, disagreement on others, negotiation paused with a resumable state.
Withdrawn offer: an offer is revoked because conditions changed (inventory, risk score, price floor).
These outcomes are not administrative detail; they are what make negotiation automatable across sectors. They determine when an agent is allowed to proceed to “cart” and “payment,” what evidence must be retained, and how disputes are handled when a customer says, “I did not agree to that,” or a vendor says, “the agent never had standing authority to accept that concession.”
Where negotiation parameters live (buyer and seller)
A negotiation protocol only works if it cleanly separates authority from optimisation. Authority answers what an agent is permitted to do, while optimisation answers how an agent should trade one concession for another. Mixing the two creates predictable failure modes: accidental overreach, “dark pattern” strategies, and disputes where neither party can prove what was authorised versus what was merely preferred.
Buyer-side parameters should be split into two layers.
Layer 1: Hard constraints and delegated authority. These belong in a signed authorisation artefact that can be independently verified by other parties. AP2’s Intent Mandate is designed for exactly this role, capturing “rules of engagement” such as price limits, timing, and conditions in human-not-present scenarios. In practice, this layer should include: maximum total cost, permitted categories or merchants, non-negotiables (for example, refundable only), required approvals above thresholds, and expiry windows.
Layer 2: Preferences and negotiation strategy. These belong in a portable Negotiation Profile controlled by the buyer (or the buyer’s principal, such as an employer). This profile can be referenced during negotiation but must be selectively disclosed, versioned, and revocable. A useful precedent is the MyTerms approach of expressing agreements in plain language, legal form, and machine-readable form so systems and agents can evaluate terms consistently. The negotiation profile is not a mandate. It is guidance for optimisation, and it should be treated as sensitive because it can reveal willingness-to-pay, urgency, and trade-off patterns.
Seller-side parameters should be treated as a policy envelope, not an open book. Sellers need a protected policy store that defines floors, allowable concessions, inventory rules, fulfilment constraints, and fairness guardrails. The seller agent should expose only bounded capabilities (what can be negotiated and within what ranges), while signing offers and counteroffers so every step can be audited without disclosing internal logic.
This division creates a stable trust boundary: the other party can verify authority, while each side preserves strategy, privacy, and commercial confidentiality.
Security and integrity: keeping parameters safe, bounded, and explainable
A negotiation protocol becomes dangerous if it turns private intent into a public attack surface. Buyers have preferences they should not leak. Sellers have policies they cannot expose. Agents, meanwhile, operate at a speed and persistence that makes “small” weaknesses exploitable at scale. Trusted negotiation therefore needs security controls that are native to the protocol, not bolted on afterwards.
On the buyer side, the most important control is scoped disclosure. The agent should receive only the minimum set of constraints and preferences required for the current negotiation, with a clear purpose binding and expiry. A portable negotiation profile must be versioned, revocable, and auditable, so a buyer can answer a future dispute with: what was the active version, what was delegated, and what was the agent allowed to accept without re-approval. High-risk concessions should require explicit step-up approval, even in human-not-present flows, using a pre-agreed escalation mechanism.
On the seller side, the equivalent control is bounded capability exposure. The seller agent should reveal only a negotiable envelope (ranges, allowed concessions, and preconditions), while keeping internal pricing logic and segmentation rules private. Every offer and counteroffer should be signed, time-bound, and linked to a policy version, so there is a reliable chain of custody without forcing the seller to disclose proprietary rules.
Both sides also need protections against machine-scale probing and manipulation: strict round limits, timeout rules, rate limits, and anomaly detection for “concession mining” patterns. Finally, the protocol must produce a compact evidence artifact that supports explainability: what was proposed, what changed, what was accepted, and why the agent was allowed to accept it.
The protocol: a simple negotiation lifecycle that can run at machine scale
A practical A2A negotiation protocol should feel less like chat and more like a controlled workflow. The goal is not to simulate haggling. The goal is to make offers, concessions, and decisions explicit, bounded, and auditable so that two systems can converge safely, or stop cleanly.
A minimal lifecycle has six stages.
1) Handshake (who, what, and how).
Each party declares identity, role, and capabilities. This includes supported term types (price, cancellation, delivery window, warranty, service level), supported negotiation patterns (single shot, multi-round, auction-style), and required evidence (signatures, attestations, policy references).
2) Authority and constraints disclosure (what is allowed).
The buyer side provides a verifiable authority reference plus non-negotiables, limits, and expiry. The seller side provides the negotiable envelope and any required preconditions (for example, identity level, payment method class, inventory locks).
3) Offer (a structured term sheet).
The seller returns an offer as a canonical, machine-readable term sheet, signed and time-bound. It includes an offer ID, expiry, and a clear set of terms that can be compared, not interpreted.
4) Counteroffer and concession exchange (bounded iteration).
The buyer can accept, counter, or request clarification. Counteroffers must be structured as deltas against the previous offer so the protocol can enforce round limits, concession limits, and timeouts. Optional rationale fields can support win-win outcomes (for example, “can accept price if refundable”).
5) Convergence rules (when to stop).
The protocol enforces maximum rounds, maximum wall-clock time, and a terminal decision at expiry. It also supports escalation to a human approval path when a threshold is crossed or ambiguity is detected.
6) Close (explicit outcome codes + evidence).
Every negotiation ends with a standard outcome code (deal, no-deal, walk-away, timeout, escalate, conditional, parked) and an evidence package. That package should be compact: final term sheet, signatures, applied constraint references, and a transcript hash. It becomes the bridge into cart formation and payment authorisation without replaying the negotiation.
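The convergence rules above can be enforced mechanically. The following Go sketch is an added example, not code from this article or from AP2: it bounds rounds and wall-clock time, applies counteroffers as deltas, and keeps the buyer's hard constraints separate from the negotiation itself. The type names, the two-field term sheet, and the mapping of each check to an outcome code are assumptions of this example.

```go
package main

import "fmt"

// Authority is the buyer's hard-constraint layer; the values used below are constructed.
type Authority struct {
	MaxPriceCents  int  // absolute ceiling the agent may never exceed
	RefundableOnly bool // non-negotiable term
	ApprovalAbove  int  // step-up approval is required above this price
}

// Session bounds the exchange: current offer, rounds used, wall-clock deadline.
type Session struct {
	Auth             Authority
	PriceCents       int
	Refundable       bool
	Round, MaxRounds int
	Deadline         int64 // Unix seconds
}

// Counter applies a delta to the current offer; "" means the negotiation stays open.
func (s *Session) Counter(now int64, priceDelta int, refundable bool) string {
	if now > s.Deadline {
		return "timeout"
	}
	if s.Round >= s.MaxRounds {
		return "no-deal" // round budget spent: stop cleanly instead of allowing more probing
	}
	s.Round++
	s.PriceCents, s.Refundable = s.PriceCents+priceDelta, refundable
	return ""
}

// Accept returns the outcome code the buyer agent may record for the current offer.
func (s *Session) Accept(now int64) string {
	switch {
	case now > s.Deadline:
		return "timeout"
	case s.PriceCents > s.Auth.MaxPriceCents || (s.Auth.RefundableOnly && !s.Refundable):
		return "no-deal" // outside delegated authority: the agent cannot bind its principal
	case s.PriceCents > s.Auth.ApprovalAbove:
		return "escalate" // within authority, but a human must approve first
	}
	return "deal"
}

func main() {
	s := &Session{Auth: Authority{50000, true, 40000}, PriceCents: 52000, MaxRounds: 3, Deadline: 1000}
	fmt.Printf("%q %q %q %q\n", s.Counter(20, -7000, true), s.Accept(30), s.Counter(40, -6000, true), s.Accept(50))
}
```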
Recording the outcome: explainable, fair, and binding
Negotiation at machine speed only becomes operational when the outcome can be treated as a reliable artefact, not a fragile chat transcript. The protocol therefore needs a standard “Outcome Record” that is compact, verifiable, and durable enough to survive disputes, audits, and downstream payment flows.
At minimum, an Outcome Record should include:
A unique Deal ID and timestamped expiry.
The terminal outcome code (deal, no-deal, walk-away, timeout, escalate, conditional, parked).
The final canonical term sheet (or, for non-deals, the last best offer and the walk-away reason code).
Cryptographic signatures from both sides on the canonical representation.
References to the active buyer authority (for example, an Intent Mandate identifier and version) and the seller policy version that governed the negotiable envelope. AP2’s model of signed mandates is a useful precedent for producing independently verifiable proof of authority and intent.
A transcript hash (and optionally a storage pointer) so the full exchange can be preserved without forcing broad disclosure.
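An added sketch of such an Outcome Record in Go (not code from this article or from AP2): the record is serialised to canonical bytes, both parties sign those bytes with Ed25519, and a chained SHA-256 binds the transcript without disclosing it. The field names, the hash-chain construction and the placeholder identifiers are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type OutcomeRecord struct { // field names are this example's assumption
	DealID         string            `json:"deal_id"`
	Expiry         string            `json:"expiry"`
	Outcome        string            `json:"outcome"`
	Terms          map[string]string `json:"terms"`
	AuthorityRef   string            `json:"authority_ref"`
	PolicyVersion  string            `json:"policy_version"`
	TranscriptHash string            `json:"transcript_hash"`
}

// Canonical returns the bytes both parties sign; encoding/json sorts map keys, so it is stable.
func Canonical(r OutcomeRecord) []byte {
	b, _ := json.Marshal(r) // cannot fail for this struct of strings
	return b
}

// TranscriptHash chains SHA-256 over the messages: any edit, drop or reorder changes it.
func TranscriptHash(msgs []string) string {
	h := make([]byte, sha256.Size)
	for _, m := range msgs {
		sum := sha256.Sum256(append(h, m...))
		h = sum[:]
	}
	return fmt.Sprintf("%x", h)
}

// Verify checks the transcript binding and both signatures over the canonical bytes.
func Verify(r OutcomeRecord, msgs []string, bPub, sPub ed25519.PublicKey, bSig, sSig []byte) bool {
	return r.TranscriptHash == TranscriptHash(msgs) && ed25519.Verify(bPub, Canonical(r), bSig) && ed25519.Verify(sPub, Canonical(r), sSig)
}

func main() {
	bPub, bKey, _ := ed25519.GenerateKey(nil)
	sPub, sKey, _ := ed25519.GenerateKey(nil)
	msgs := []string{"offer:price=450.00", "counter:refundable=true", "accept"} // constructed transcript
	r := OutcomeRecord{"deal-PLACEHOLDER", "2030-01-01T00:00:00Z", "deal", map[string]string{"price": "450.00", "refundable": "true"}, "intent-mandate-PLACEHOLDER", "policy-PLACEHOLDER", TranscriptHash(msgs)}
	bSig, sSig := ed25519.Sign(bKey, Canonical(r)), ed25519.Sign(sKey, Canonical(r))
	fmt.Println(Verify(r, msgs, bPub, sPub, bSig, sSig))
	r.Terms["price"] = "45.00" // constructed tampering after both parties signed
	fmt.Println(Verify(r, msgs, bPub, sPub, bSig, sSig))
}
```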
Explainability comes from making the “why” legible without leaking strategy. The Outcome Record should carry a small set of structured fields such as: which constraints were binding, which concessions were made, and which preconditions were satisfied (inventory hold, identity assurance level, payment method class). This is also where fairness becomes enforceable. If negotiation is allowed to vary terms, the system needs an auditable indication that guardrails were applied (for example, “policy constraints enforced; prohibited attributes not used”), plus reason codes for adverse decisions. The goal is not perfect transparency; it is defensible accountability.
Binding force comes from the handoff to transaction authorisation. One pragmatic approach is to treat the Outcome Record as a “deal artefact” that downstream steps can reference. In AP2 terms, the deal artefact becomes the evidence that allows a cart to be formed and, where permitted, paid for. AP2 explicitly supports an Intent Mandate authorising an agent to proceed when conditions are met, and the chain from intent to cart to payment is designed to be auditable. The payment context should remain minimal (as AP2 intends with the Payment Mandate) while still enabling networks and issuers to assess agent involvement and allocate risk appropriately.
Implications by sector and a call to action
Agent-mediated negotiation changes where trust is created and where value accrues. As buyers and sellers increasingly delegate work to software representatives, the organisations that win will be the ones that can prove authority, keep negotiations bounded, and turn outcomes into evidence that downstream systems can rely on.
Identity verification providers have an opportunity to extend identity from “who is the human” to “who is the agent, who does it represent, and what is it allowed to do.” That means delegation chains, continuous authorisation, and audit-grade evidence, not just login assurance.
In the travel industry, GDSs, OTAs, airlines, and hospitality operators face a shift from distributing rates to participating in structured negotiation envelopes, where inventory, policies, and terms are exchanged between agents with explicit outcomes and clean handoffs into booking and payment.
Retailers can move from static catalog and promotions to machine-scale deal formation across price and non-price terms, while preserving fairness guardrails and preventing adversarial optimisation that erodes trust.
Credit card networks and issuers will need consistent signals for agent involvement, authority scope, and dispute-ready evidence, so risk models and liability frameworks keep pace with “human-not-present” decisions made by delegated systems.
The practical next step is straightforward: define a shared negotiation lifecycle, standard outcome codes, and a compact, signed outcome record that can be referenced by transaction authorisation. Do that, and agentic commerce becomes governable. Leave it undefined, and negotiation becomes an unbounded attack surface disguised as convenience.
This piece is a preview of what’s next for us. Jamie Smith and I are launching a focused agentic commerce advisory venture to help organisations rethink how they design, govern, and negotiate with agents – moving beyond human-centred workflows to agent-native processes and business models. If you’re wrestling with what agentic AI means for your products, operations, and customers, watch this space.
