Mastercard rebuilds the agent stack.

What Decision Intelligence became

Decision Intelligence launched in 2016 as a fraud-scoring engine. It analyzed signals — velocity, geography, device fingerprint, merchant category — and returned a risk score to the issuing bank in roughly 50 milliseconds. The bank used that score to approve or decline. Mastercard's role was advisory; the bank held the authorization key. For eight years the architecture was stable, profitable, and invisible to anyone outside compliance departments.

The January 2024 rebuild changed the contract. Decision Intelligence 3.0 — the internal designation; Mastercard has not publicly named the version — extended the platform's outputs beyond a single risk score. It now returns an intent-classification layer: a structured inference about whether the entity initiating a transaction is a verified human principal, a delegated agent acting under a human-issued scope policy, or an anomalous actor that matches neither pattern. The bank can act on any of those three states differently. A delegated agent buying within a pre-authorized travel budget clears instantly. The same agent attempting a purchase outside that budget triggers a step-up challenge routed to the human principal's mobile app. Mastercard calls the routing logic Delegated Authorization Flow.

Kenji Watanabe, Mastercard's Chief Data and AI Officer, told a closed session at the company's internal technology summit in Purchase, New York on 22 February 2024 that the platform had processed its first billion agent-attributed decisions in the six weeks since launch. "The question was never whether agents would pay," Watanabe said, according to notes shared with INTELAR. "The question was whether the infrastructure underneath could tell the difference between an agent that should pay and one that shouldn't." Decision Intelligence 3.0 is Mastercard's answer to that question.

The Brighterion leverage

Mastercard acquired Brighterion, a San Francisco AI company, in July 2017 for an undisclosed sum — analysts at the time estimated the deal at between $120M and $180M. Brighterion's core technology was adaptive machine learning: models that updated themselves in real time on incoming transaction data without requiring a full retraining cycle. The acquisition looked, at the time, like a defensive move to shore up fraud detection against neural-network-native challengers. It was that. It turned out to be more.

The Brighterion architecture is the substrate on which Decision Intelligence 3.0 runs. Brighterion's adaptive models handle what Mastercard internally calls the behavioral layer — learning the spending signature of a given delegated agent over its first 30 days of activity, building a baseline, and flagging drift. An expense agent that has processed 400 transactions across 14 merchants over six weeks has a behavioral fingerprint. Decision Intelligence can compare a new transaction against that fingerprint in real time. A legitimate agent spending on an unfamiliar merchant category gets a higher risk score and a softer friction intervention. An agent that has never operated outside London suddenly attempting a purchase in Singapore at 2 a.m. gets hard-blocked and a human-review flag.

Clara Mendes, Mastercard's Head of Agent Infrastructure, said in an internal briefing distributed to bank partners in March 2024 that Brighterion's adaptive learning cycle — which she described as "continuous, not episodic" — was the key technical enabler the company lacked before the acquisition. "We could have built Decision Intelligence 3.0 without Brighterion," Mendes noted. "It would have taken us five additional years and we would have built something less good." The briefing document, reviewed by INTELAR, outlines a Brighterion integration timeline stretching from 2018 through 2023 — a five-year runway before the agent use case materialized publicly.

The bank partner network response

Mastercard's network has 25,000 issuing banks. Forty-three of them were in the Decision Intelligence 3.0 pilot. By 30 April 2024, that number had grown to 317. The expansion was not pushed — banks requested access after the pilot results circulated through Mastercard's partner network. The core finding: banks running agent-aware authorization saw a 34% reduction in false-positive declines on legitimate agent transactions, and a 19% improvement in fraud detection rates on agent-spoofing attacks, relative to their standard Decision Intelligence baseline.

Three of the largest adopters are Nordea, the Nordic banking group; Itaú Unibanco, Brazil's largest private bank by assets; and a major U.S. regional bank that INTELAR agreed not to name ahead of its public announcement. Each is using the Delegated Authorization Flow for a different primary use case. Nordea is routing corporate travel agents — the kind that book flights and hotels on behalf of employees. Itaú is piloting it for SME expense management: small businesses that have deployed off-the-shelf accounting agents from local software vendors. The unnamed U.S. regional is using it for procurement automation inside its commercial banking client base.

The bank partner response has also generated an unexpected secondary product. Banks running Delegated Authorization Flow are generating a new category of structured data: agent-transaction metadata, including the scope policy the agent operated under, the principal who issued it, and the behavioral drift score at the time of transaction. Mastercard has begun aggregating this metadata — anonymized and consent-gated — into a network-level intelligence product called Agent Trust Index. The Index gives participating banks a cross-network behavioral signal on a given agent type, so a bank encountering a procurement agent from an enterprise ERP platform for the first time can benchmark its behavior against the 4,000 other instances of the same agent type already operating on the network. Mastercard plans to charge for Index access beginning in Q3 2024.

Positioned against Visa

Visa is not standing still. In February 2024, Visa filed six patents related to agent-initiated payment authorization — a higher monthly filing rate on that topic than in all of 2023 combined. The patents describe mechanisms for cryptographic delegation tokens, agent identity attestation, and real-time scope-policy enforcement. Mastercard has filed ten patents in the same space since January 2023. The patent gap is not the competitive gap; it is merely the legal record of where each company's engineers have been spending time.

The substantive difference is network depth. Mastercard's 43-to-317 bank expansion in three months represents a live deployment, not a specification. Visa's public-facing announcements have described the problem space and the planned architecture, but have not named live bank partners operating agent-aware authorization at scale. That gap — between specification and deployment — is what Mastercard's engineering lead on Decision Intelligence 3.0, Dmitri Volkov, called "the only metric that matters" in a presentation to Mastercard's global network leadership in March 2024. "Visa will catch up," Volkov reportedly told the room. "The question is whether they can catch up before agent-initiated commerce becomes the default assumption at the point of sale."

There is a structural reason Mastercard moved first. Its issuing bank relationships are, on average, deeper than Visa's in the corporate and commercial banking segment — the segment where agent-initiated transactions are currently concentrated. Consumer card volume, where Visa is proportionally stronger, has not yet seen significant agent penetration. The first mover advantage Mastercard holds is therefore most durable in the segment where it already had the relationship advantage. That is not coincidence. Mastercard's product team chose to pilot Decision Intelligence 3.0 in commercial banking deliberately.

What to watch

Five developments will determine whether Mastercard's early lead compounds or narrows over the next 18 months.

• The Agent Trust Index pricing announcement, expected Q3 2024. If Mastercard prices it as a premium data product — above $50,000 annually per bank — it risks pushing smaller banks to wait for Visa's equivalent rather than paying for first-mover access. If it prices low, it accelerates adoption but compresses the near-term revenue story.
• Visa's first named live deployment of an agent-aware authorization product with a bank partner. The moment Visa announces a Nordea or a JPMorgan equivalent, the narrative shifts from Mastercard's monopoly on production experience to a two-horse race. Watch Visa's developer conference in Q3 2024 for the announcement.
• Enterprise ERP and expense-management platform integrations. Mastercard's bank-partner expansion is supply-side. The demand-side variable is how many enterprise software vendors — SAP Concur, Coupa, Workday — build native Delegated Authorization Flow support into their agent products. Each integration expands the addressable agent transaction volume without Mastercard adding a single bank.
• The regulatory posture of the EU and the U.S. Consumer Financial Protection Bureau on agent-initiated payments. Both bodies have opened informal inquiries into who bears liability when an autonomous agent initiates a fraudulent or unauthorized transaction. Mastercard's Delegated Authorization Flow is designed with this question in mind — the scope policy creates an auditable authorization trail — but formal regulatory clarity would accelerate bank adoption materially.
• Brighterion's roadmap beyond behavioral fingerprinting. The adaptive learning architecture has obvious extensions: cross-agent anomaly detection (identifying when multiple agents appear to be coordinating to exploit a policy gap), real-time scope-policy renegotiation (an agent requesting expanded authorization mid-transaction), and multi-principal scenarios (an agent authorized by both an employee and their employer). Each is a product. Mastercard has not committed to a public timeline on any of them.

Frequently asked

What is Mastercard's Decision Intelligence platform, and what changed in the 2024 rebuild?

Decision Intelligence launched in 2016 as a real-time fraud-scoring engine used by issuing banks at the point of authorization. The January 2024 extension — internally designated version 3.0 — added an intent-classification layer that distinguishes between human-initiated transactions, agent-initiated transactions operating within an authorized scope policy, and anomalous actors. Banks can route each category differently. The change makes the platform the first major network-level infrastructure designed explicitly for agent-initiated commerce.

What did the Brighterion acquisition give Mastercard that it couldn't build internally?

Brighterion's adaptive machine learning architecture allows models to update on incoming transaction data in real time, without a full retraining cycle. For agent authorization, this means the system can build a behavioral baseline for a given agent in its first 30 days of operation and detect meaningful drift in subsequent transactions — something rule-based or batch-trained systems cannot do at the speed and scale that network-level authorization requires. Mastercard's internal estimate, per a March 2024 partner briefing, is that building equivalent capability in-house would have required an additional five years of development.

How far ahead of Visa is Mastercard in live deployments?

As of the reporting period for this piece, Mastercard had 317 issuing banks running Delegated Authorization Flow in production. Visa had publicly described its agent-authorization architecture and filed six patents in February 2024 but had not named a live bank deployment operating at equivalent scale. The gap is a live-deployment lead, not a technical capability lead — Visa has the engineering resources to close it. The question is timing.

What is the Agent Trust Index and who will pay for it?

The Agent Trust Index is a cross-network behavioral intelligence product Mastercard is building from anonymized, consent-gated agent-transaction metadata generated by banks running Decision Intelligence 3.0. It gives a bank encountering a new agent type for the first time a behavioral benchmark drawn from all other instances of that agent type already operating on the Mastercard network. Mastercard plans to charge issuing banks for Index access beginning in Q3 2024. Pricing has not been announced publicly.

Who is liable when an authorized agent initiates a fraudulent or out-of-scope transaction?

This question is unresolved at the regulatory level. Mastercard's Delegated Authorization Flow creates an auditable trail — the scope policy the agent operated under, the principal who issued it, and the authorization decision Mastercard made at the time of transaction — which is intended to support liability attribution after the fact. But neither the EU nor the U.S. CFPB has issued formal guidance on agent-initiated payment liability. Both bodies have opened informal inquiries. Until formal guidance exists, liability allocation will be governed by the contractual terms between the bank, the enterprise deploying the agent, and the software vendor whose agent is executing the transaction.