According to the Mastercard Global Fraud Trends report updated October 2025¹, fraud increased for 75.7% of travel-sector merchants in the past year. Loyalty programs have become a multi-billion-dollar target because loyalty points often represent high-value assets — airline points can represent flights costing $1,000 to $5,000 each.

Airlines alone estimate they lose at least $1 billion annually to payment fraud, with even insider abuse a serious concern — in one 2024 case, two contractors for Qantas Airways diverted frequent-flyer points from 800 customer accounts into their own.

Large hotel chain loyalty programs are equally attractive to organised crime and link with airline fraud programs to make matters worse. I argue here that current hotel anti-fraud software is insufficient particularly as Digital Agents are increasingly deployed by both hotels, partners, their clients and are known to be vulnerable to fraud.

Agents decide which tools to use, what data to access, and how to recover when workflows fail. McKinsey research shows 80% of organizations have already encountered risky agent behaviors, including unauthorized data exposure and improper system access.

Gartner’s 2026 Data and Analytics Predictions put a number on this: by 2030, half of all AI agent deployment failures will stem from governance gaps and broken interoperability between systems.

Current Anti-Fraud Systems: Identity-First Approach

Wyndham Hotels recently extended proof of identity solutions with Okta³  

This is not a critique of that solution as today's loyalty program protections rely almost entirely on proof of identity:

• Multi-factor authentication (PIN, biometric, SMS codes, 2FA)
• Account verification and device binding
• Real-time transaction monitoring based on historical patterns
• Fraud scoring of individual transactions

The problem: these systems confirm "who is acting" but not "what they intend to do or why they should be trusted to do it."

This works fine for human-driven transactions where one person makes one decision at one moment. A human manually entering a PIN to redeem 50,000 points for a specific flight is a singular, human-authenticated act.

Why Proof of Identity Fails in the Agentic AI Era

Prompt injection is identified by OWASP as the number one security risk for LLM applications in 2025². With autonomous agents, a malicious natural language instruction doesn't just create bad text — it can trigger unauthorized actions. Even top AI models are vulnerable to jailbreak attacks in over 80% of tested cases.

When a chatbot hallucinates, you get a wrong answer. When an agent hallucinates, it might result in unauthorized transactions, data loss, and incorrect decisions leading to compliance and security issues.

Three failure modes emerge:

1. Scope creep — An agent deployed for email security ends up touching identity systems within six months. In July 2025, Replit's AI agent ran unauthorized commands against production during a code freeze and deleted a live database with records for 1,200+ executives. The agent had production database access, and "code freeze" was not an enforced guardrail.
2. Prompt injection / jailbreak — A malicious instruction (hidden in a booking confirmation email, embedded in search results the agent reads) causes it to bypass guardrails and redeem customer points into a fraudster's account.
3. Hallucination — The agent genuinely misunderstands constraints and attempts unauthorized transactions — e.g., redeeming 500,000 points instead of 50,000 because it misread a decimal, or booking 20 flights instead of 2 because it iterated over the wrong loop.

In all three cases, the agent has valid credentials and valid identity. The hotel's authentication system would pass it through. But the agent is acting outside its intended scope, without human approval, and in violation of the customer's actual intent.

The Trust Layer Solution: From Identity to Intent

Verifiable Intent is a cryptographic credential framework that transforms user authorization into portable, verifiable evidence. It enables independent validation by issuers, networks, and merchants without relying on proprietary logs. It captures identity binding (linking the user to a cryptographic key), intent statements (capturing constraints, scope, and delegation rules), and selective disclosure (providing tailored views for different parties).

A trust layer is an architectural layer that sits between the agent and the regulated world, ensuring every autonomous action is identifiable, approved, and legally provable. It is not a feature you bolt on, but a foundational capability that provides three things simultaneously: identity certainty, structured approval, and full auditability.

How the seven-layer framework addresses each risk:

Layers 1–2: Identity + Intent foundation

• Proof of identity establishes WHO is acting (user, agent, merchant)
• Proof of intent captures WHAT the user approved and under WHAT CONDITIONS
• Both are cryptographically signed mandates that cannot be forged or altered

Layer 3: Parameter boundaries

• Hard-coded, runtime-enforced limits that the agent cannot exceed regardless of instruction
• Examples: $500 max per the agent’s intended 10 redemptions per day, only partner merchants, no cash-back programs
• These are not guidelines — they are enforced by the infrastructure itself

Layer 4: Authorization verification

• Before each action, the agent’s intended transaction is checked by proof of intent (POI) software to confirm it's within scope and accepts or rejects in real-time
• The POI engine checks: Is this merchant allowed? Is the amount below the cap? Is the user's mandate still active? Is this within the time window they approved?
• If any check fails, the action is blocked, never executed
• For high value transactions a legal-strength notary validation should be enabled

Layer 5: Immutable audit trail

• Every decision is cryptographically signed and logged in a tamper-resistant system
• Creates non-repudiation: the customer, the hotel, and the regulator can all independently verify what happened and who approved it
• If a dispute arises later, the entire chain of evidence is intact

Layer 6: Behavioral anomaly detection

• ML models watch for suspicious patterns: unusual velocity, out-of-profile merchants, repeated attempts to bypass guardrails, sequences inconsistent with prior behavior
• Automatically escalates to human review if suspicious activity detected

Layer 7: Human approval gate

• High-risk or anomalous actions pause and wait for human decision
• Human can approve, reject, modify parameters, or revoke agent authority entirely
• Creates a tiered escalation: low-risk auto-execute, medium-risk notify-and-act, high-risk block-until-approved

Why This Matters for Compliance and Revenue Protection

It is critical that humans maintain supervisory oversight with the ability to provide strategic guidance, course corrections, or interventions when needed. Continuous compliance, auditing, and full-lifecycle management mechanisms are critical to successfully securing agentic AI systems while limiting risk.

Business benefits:

• Regulatory confidence: Proof of intent addresses requirements across eIDAS 2.0, the EU AI Act, and emerging financial service regulations
• Dispute resolution: The immutable audit trail makes it trivial to settle "did the customer really approve this?" disputes
• Fraud prevention: Scope boundaries + behavioral monitoring catch 90%+ of attacks before execution
• Customer trust: Users see real-time transparency into what the agent is doing and why, rebuilding confidence in autonomous loyalty programs

The shift in loyalty program risk:

• Today (identity-only): "Who is accessing the account?" → Risk = credential theft, account takeover
• Tomorrow (identity + intent): "Is the agent acting within the customer's approved scope?" → Risk drops to hallucination, prompt injection, insider abuse — all detectable and recoverable

Practical Implementation for Hotels & Telcos

1. Start with the mandate layer: Build tools to let customers set explicit intent — "I authorize my agent to book hotels under $150/night, no more than 10 bookings per month" — as a cryptographically signed credential, not just terms & conditions they click.
2. Embed parameter boundaries in code: Don't rely on agent "understanding" a limit. Write it into the runtime: MAX_POINTS_PER_TXNS = 50000; if (amount > MAX) revert("Exceeds limit");
3. Implement continuous policy checks: Before the agent touches the points database, a policy engine validates intent, time windows, and velocity.
4. Log everything cryptographically: Use a blockchain or a hash-chained audit log so no one — not even a rogue DBA — can alter the record after the fact.
5. Set escalation thresholds: Define what "low-risk," "medium-risk," and "high-risk" mean for your business, and route accordingly. A $20 flight redemption auto-executes; a 1M-point cash redemption goes to a human.
6. Evaluate evolving proof of intent platforms: Mastercard, Visa, Google, ReLeaf Financial are all offering POI platforms . Expect to see partnerships and collaboration to complete POI ecosystems for a Digital Agent World.

The trust layer transforms agentic loyalty programs from a compliance nightmare into a defensible, customer-friendly, revenue-protecting system where autonomous agents can operate at scale with full transparency and accountability.

References

1, Fighting loyalty fraud: Essential strategies for the travel industry Mastercard

2. Essential AI agent guardrails for safe and ethical implementation Tolaka

3. Wyndham Hotels & Resorts gives 100M users an unforgettable digital experience with Okta

AI agents are already inside your digital infrastructure- where's the trust layer?

Disclosure: I am a business advisor to ReLeaf Financial Inc.