The Shift Has Already Begun
Artificial intelligence is no longer confined to labs, strategy papers, or technology discussions. It is becoming part of everyday life; in meeting rooms, educational institutions, cafes and households. What started out as a tool to help with discovery, analysis, and decision-making is now becoming something that can work on its own, talk to other software, organise tasks, and act as an intelligent assistant. This development is commonly referred to as agentic AI.
This evolution is beginning to take shape in Malaysia’s own digital and financial ecosystem. In March 2026, Mastercard’s pilot with CIMB and RHB demonstrated that AI agents can already initiate and complete authenticated transactions within Malaysia’s financial ecosystem. The pilot involved an AI agent arranging a ride from Kuala Lumpur International Airport to KL Sentral. The transaction was facilitated through CardInfoLink’s AI agent platform using Mastercard Agent Pay, with tokenised credentials authenticated via Mastercard Payment Passkeys to ensure security, transparency, strong customer verification, and consumer control. While the pilot was conducted in a controlled environment, with commercial rollout to follow in phases, and the use case may appear simple on the surface, it signals a much larger shift where autonomous systems are capable of executing real transactions within existing digital and financial ecosystems.
The new phase of digital commerce is called agentic commerce. These systems can autonomously research, compare, find the best price, and complete purchases.! Unlike traditional e-commerce, these systems operate across multiple platforms, executing transactions without direct human intervention and fundamentally streamlining the buying journey.
This phase is not taking place in isolation. Instead, it is unfolding within a digital ecosystem that is already operating at scale. Approximately 74% of the world’s population is connected to the internet, forming the foundation of today’s digital commerce ecosystem. At the same time, the global e-commerce market is valued at more than USD6 trillion, reflecting the extent to which digital transactions have become embedded in daily life.
This trend is just as strong in Malaysia. The Department of Statistics Malaysia (DOSM) reported that e-commerce revenue reached RM937.5 billion in the first nine months of 2025, up 1.9% year-on-year. ICT and e-commerce together contributed 23.4% (RM451.3 billion) of the economy in 2024.
It means agentic commerce is not being introduced into a small or controlled environment. It is emerging within systems that are already operating at very high volumes.
When Transactions Are No Longer Initiated by Users
In a conventional digital journey, users search, compare, decide, and transact. Now, we see these activities are being delegated to autonomous agents that can act on behalf of users.
On the surface, the experience feels seamless. At scale, this improves efficiency, reduces friction, and optimises decision-making across sectors. But it also changes something more fundamental. The decision is no longer made at the point of action. It is made earlier and executed later.
Suppose you have a smart refrigerator that automatically tracks your consumption and replenishes essential items on a weekly basis. It is connected to your digital calendar, and it shows an upcoming “open house” for 50 people this Saturday.
You have been watching Khairul Aming’s YouTube videos and going through recipes for rendang, nasi minyak, kuah kurma, acar, and sirap bandung, indicating that a larger-than-usual meal is being planned.
It is Tuesday, your usual replenishment day. Based on these inputs, your smart refrigerator picks up on the need for additional ingredients and proceeds to place an order in advance.
However, the event has since been cancelled, and you did not remove it from your calendar.
The transaction proceeds. No more confirmation is needed.
The event is no longer happening, but the order shows up as expected.
The decision has been correctly executed from a system perspective based on the information available.
In a practical sense, the outcome does not reflect the intended situation.
This is not a tech failure, but it is context mismatch.
This is where the gap becomes more apparent.
The issue is no longer how the system works, but how the surrounding structures can manage how decisions are made, executed and corrected, when systems operate based on prior inputs without real time validation.
The Shift from Capability to Control
The key challenge is no longer whether agentic systems can function. It is whether policy, security, and governance frameworks are evolving fast enough to manage how these systems make decisions, execute actions, and are held accountable.
Most existing digital systems were designed around a simple assumption that users remain present throughout the transaction process to initiate, review, and approve actions. Agentic commerce operates differently. Decisions may increasingly be initiated, evaluated, and executed with limited direct human visibility.
As a result, the focus of security can no longer rely solely on authenticating users through passwords, one-time codes, or biometric verification. It must evolve towards understanding and monitoring system behaviour, decision logic, and transaction accountability.
In many ways, this also reflects a broader evolution in digital trust models. For decades, financial systems focused heavily on “Know Your Customer” (KYC) frameworks designed to verify human identity and legitimacy. As autonomous systems act on behalf of users, institutions also need to develop stronger capabilities to understand, monitor, and govern the behaviour, authority, and decision boundaries of the agents operating within digital ecosystems. In time, this may gradually introduce the need for a “Know Your Agent” mindset alongside existing customer verification approaches.
This shift is important in Malaysia’s context. According to the Royal Malaysia Police (PDRM), cybercrime and online financial scam cases continue to rise annually, involving billions of ringgits in losses. At the same time, global organisations such as the World Economic Forum and IBM have highlighted growing concerns around AI governance, transparency, explainability, and liability.
Ultimately, the defining issue is no longer technology capability alone, but control and trust within an ecosystem where systems are increasingly able to act on behalf of users.
What This Means for Government, Financial Institutions, Businesses and Users
Malaysia is not starting from zero. Current initiatives and regulatory frameworks such as Bank Negara Malaysia’s Risk Management in Technology (RMiT), the Cyber Security Act 2024, AI governance initiatives, and broader digital trust efforts have already enhanced governance, cybersecurity, operational resilience, and technology risk management across the digital and financial ecosystem.
Agentic commerce, however, adds a different level of complexity. As autonomous systems become more common across platforms to make decisions and conduct transactions on behalf of users, the focus will shift from traditional transaction oversight and technology risk management towards broader issues of system behaviour, delegated decision making, accountability, interoperability, and consumer trust across interconnected digital ecosystems.
Against this backdrop, several strategic implications are beginning to emerge for governments, financial institutions, businesses and users. The rapid pace of development in agentic AI also highlights that governance frameworks can no longer remain static documents. In January 2026, Singapore introduced the world’s first Model AI Governance Framework for Agentic AI and described it as a “living document” that will continue to evolve alongside emerging technologies. This reflects a growing recognition that governance approaches for autonomous systems need to evolve continuously alongside the technology itself.
As autonomous systems become more embedded into everyday transactions and decision-making processes, different stakeholders will face various challenges that would require closer attention.
Government
| Strategic Implications for Government | Strategic Response |
| Governments may need to move beyond monitoring transactions alone as autonomous systems make decisions and execute actions across multiple interconnected platforms. | Governments must strengthen their ability to oversee how autonomous systems operate, interact, and influence decisions across the wider digital ecosystem. Greater visibility, accountability, and intervention capabilities will become important as systems begin acting with less direct human involvement. |
| Current policy and legal frameworks may become challenged as questions emerge around consent, accountability, liability, and delegated authority when systems act on behalf of users. | Governments must provide clearer legal certainty, stronger accountability structures, and more effective user protection mechanisms as autonomous systems take on larger decision-making roles. Regulatory and policy frameworks need to remain responsive to complex issues surrounding delegated authority, liability, consent, and dispute resolution. |
| The growing use of autonomous systems may introduce more complex digital, operational, and cybersecurity risks that evolve faster than traditional oversight and response mechanisms. | Governments must strengthen national coordination, cybersecurity readiness, and digital resilience to respond effectively to ever more autonomous and interconnected digital environments. Closer collaboration across regulators, financial institutions, technology providers, and cybersecurity agencies will become critical in managing emerging risks more proactively and cohesively. |
Financial Institutions
| Strategic Implications for Financial Institutions | Strategic Response |
| Financial institutions operating on legacy systems may face increasing pressure as newer generations of users begin expecting faster, more seamless, and AI driven interactions. | Customer expectations shift towards financial institutions that can provide faster, simpler, and more intelligent digital experiences with minimal friction across platforms. Institutions that are unable to keep pace with these expectations risk losing relevance in a digital and automated financial ecosystem. |
| Traditional security approaches centred primarily around user authentication may become insufficient as autonomous systems interact, transact, and make decisions across multiple platforms. | Trust is more dependent on the institution’s ability to monitor, understand and manage the behaviour, interaction and transaction of autonomous systems across digital environments. Security is no longer just about user verification but also about how systems act on behalf of users. |
| Increasing levels of automation and high frequency system driven decision making introduce new operational, governance, and accountability challenges across financial ecosystems. | The ability to intervene quickly, maintain visibility over automated activities, and respond effectively when issues arise becomes important in highly automated financial environments. Institutions will need stronger governance, escalation, and oversight capabilities to maintain confidence and operational stability. |
Businesses
| Strategic Implications for Businesses | Strategic Response |
| Businesses need to adapt to a future where purchasing decisions are influenced or executed by AI driven systems rather than direct human browsing and selection. | Businesses need to understand consumer behaviour, and how autonomous systems search, compare, prioritise, and execute purchasing decisions across digital ecosystems. Competitive advantage may depend on how easily products and services can be identified, interpreted, and prioritised by both users and autonomous systems. This also changes how products may need to be presented digitally. As autonomous systems search based on prompts, intent, and product attributes, businesses may need to ensure product descriptions, specifications, and digital content are structured clearly and consistently for systems to accurately identify, compare, and recommend products. |
| Competition may depend on system interoperability, fulfilment reliability, pricing transparency, and digital responsiveness across interconnected platforms. | Businesses that can respond faster, integrate more seamlessly, and provide more reliable digital experiences become highly competitive in automated environments where speed, responsiveness, and fulfilment reliability directly influence purchasing outcomes. |
| Trust and brand differentiation remain critical as consumers continue expecting transparency, reliability, and clear recourse when automated transactions occur. | Even in highly automated environments, businesses still need to maintain consumer trust by ensuring transactions remain transparent, reliable, and easy to resolve when issues arise. Even in highly automated environments, consumers still expect transparency, reliability, and clear avenues for recourse when issues arise |
Users
| Strategic Implications for Users | Strategic Response |
| Greater reliance on autonomous systems will require better understanding of how personal data, preferences, and permissions are used to make decisions on their behalf. | Users need to become more conscious of the amount of personal information and decision-making authority they are comfortable delegating to autonomous systems. Greater awareness around how systems learn, recommend, and make decisions on behalf of users becomes important in highly automated environments. |
| Users will expect greater visibility and control over automated actions, including the ability to review, intervene, or override decisions when necessary. | Convenience alone is no longer enough, as users value the ability to remain in control when automated systems make decisions affecting their finances, purchases, or daily activities. The ability to intervene, pause, or override automated actions becomes an important part of maintaining user confidence and trust. |
| Trust will ultimately depend on whether users feel protected when outcomes do not align with expectations. | Long term adoption ultimately depends on whether users feel confident that safeguards, accountability, and human support remain available when automated outcomes do not go as expected. Users still expect clear recourse (human intervention), transparency, and reassurance that they remain protected when issues arise. |
Translating Readiness into Implementation
Recognising the shift towards agentic commerce is only one part of the challenge. The greater challenge lies in translating readiness into coordinated implementation across policies, systems, institutions, and users.
For governments, this means ensuring that governance frameworks, regulatory positions, and oversight mechanisms are consistently operationalised across agencies and sectors.
For financial institutions, it requires aligning systems, processes, risk management, and operational capabilities to support autonomous and high-frequency decision-making environments.
For businesses, readiness will depend on how quickly they can adapt their digital capabilities, operational processes, and customer engagement models to AI-driven commerce ecosystems.
For users, trust will depend not only on system capability, but also on how clearly decisions can be understood, monitored, and corrected when necessary.
In this context, implementation capability becomes important. Successfully operationalising agentic commerce will require strong coordination across stakeholders, clear accountability, measurable outcomes, and continuous monitoring as the ecosystem evolves.
This is precisely where delivery discipline becomes the deciding factor. PEMANDU Associates has spent over a decade operationalising exactly this kind of complex, cross-agency transformation, turning ambition into measurable outcomes through clear accountability, rigorous monitoring, and the coordination structures that hold implementation together. As agentic commerce moves from capability to control, that same execution discipline, the ability to align government, institutions, businesses, and users around a common delivery roadmap, will determine whether Malaysia leads this shift or merely absorbs it.
The Next Phase of the Conversation
The foundations for agentic commerce are already in place. Connectivity, digital payment infrastructure, AI capabilities, and interconnected ecosystems are no longer operating at experimental scale but have already become embedded into everyday life and digital transactions.
As such, the question is no longer whether this shift towards more autonomous commerce will happen. The more important question is whether governance, policy, security, and oversight mechanisms are evolving fast enough to support it in a controlled and trusted manner.
This becomes important because as systems begin acting on behalf of users, the issue is no longer only about technological capability. It is also about accountability, visibility, and ultimately, control.
At a policy or system level, these discussions may still appear conceptual. However, their implications are often most visible through everyday situations and consumer behaviour.
Remember the groceries that your refrigerator ordered?
Your groceries arrive before you even realise the order has been executed. Your kitchen is now stocked with ingredients for rendang, nasi minyak, kuah kurma, acar and sirap bandung, enough to feed 50 people who are no longer coming because the event was cancelled earlier in the day.
Perhaps the next evolution is a robotic assistant capable of preparing the meals using what has already been purchased. With advances in robotics becoming accessible, what once felt futuristic no longer seems entirely impossible.
However, this introduces a different set of questions. If systems can decide what to buy, and how to act on those decisions, where does oversight sit as decisions begin compounding across interconnected systems? At what point does convenience begin moving faster than the ability to monitor, intervene, or maintain meaningful human control?
These may be questions for the next phase of the conversation, perhaps over coffee before the systems order it for us.
Several perspectives within this article were informed through engagements with industry practitioners and technology experts.
Author:
Jezamin Razak
Associate Vice President
——-
Let’s transform together. Contact us at: https://pemandu.org/contact-us/
References
- Mastercard conducts first live agentic transaction in Malaysia with CIMB and RHB Pilot, Mastercard, 4 March 2026
- Global number of Internet users increases, but disparities deepen key digital divides, ITU, 17 November 2025
- Malaysia Digital Economy 2025 (e-commerce revenue RM937.5 billion, 9M2025), Department of Statistics Malaysia (DOSM), 26 November 2025
- AI Governance Alliance Briefing Paper, World Economic Forum, 2025
- Research reveals 9 essential plays to govern AI responsibly in a multipolar world, WEF, 23 September 2025
- Cost of a Data Breach Report 2025, IBM Security
- Commercial Crime Investigation Department Annual Statistics, Royal Malaysia Police (PDRM), BERNAMA 2025
- Singapore Launches New Model AI Governance Framework for Agentic AI, 22 January 2026
- Model AI Framework for Agentic AI, INFOCOMM Media Development Authority
- Mastercard Sees Data Moving Payments from KYC to KYA
