Vol. 1 · No. 1
Monday, 1 June 2026
Saigar'sDesk
Delft, The Netherlands
Brief · edition-2026-w19 · Wednesday, 6 May 2026 · 10 min read

The autonomous-to-supervised spectrum

*Where European commerce platforms place the boundary between human discretion and machine execution is a regulatory and operational design choice that existing EU law was not written to adjudicate end-to-end.*

Key Points

  • SPECTRUM STRUCTURE: The autonomous-to-supervised spectrum runs from full human execution through AI-assisted decision support, human-supervised agent action, and delegated multi-agent pipelines, to fully machine-autonomous transaction completion, with each position carrying a distinct allocation of discretion and accountability.
  • REGULATORY GRADIENT: EU regulatory sensitivity rises sharply at mid-spectrum positions, where PSD2, GDPR, the AI Act, and the DSA each claim partial jurisdiction but none covers the full transaction chain, producing governance gaps that are structural, not incidental.
  • EUROPEAN ARCHITECTURES: Subscription automation platforms, open-banking payment-initiation bots, and AI-driven cart-and-checkout agents represent the dominant mid-spectrum patterns in European agentic commerce, operating across orchestrator-to-sub-agent chains that fragment accountability [24].
  • COMPLIANCE BURDEN: Platforms at mid-spectrum positions carry the highest per-transaction compliance ambiguity: liability for fraudulent or erroneous transactions cannot be cleanly assigned under any single existing instrument, concentrating unresolved exposure on PSPs and merchants [20][24].

Context

Why the Spectrum Matters

The framing of automation as a binary (human or machine) has persisted long past its analytical usefulness. In European commerce and payments, the operative question concerns the specific decision points at which machines are permitted to act without per-action human confirmation, and which regulatory instrument governs the consequences when they act incorrectly.

This matters because EU regulatory architecture was constructed on an implicit model of identifiable, licensed actors initiating discrete, auditable payment events. PSD2 assigns liability to payment service providers. GDPR assigns data-processing obligations to controllers. The AI Act assigns risk classification to deployers. The DSA assigns platform responsibility to intermediaries. None of these instruments was drafted to handle a payment chain in which an orchestrator AI agent delegates cart optimisation to a sub-agent, which triggers a payment-initiation API call through an open-banking provider, completing a transaction the consumer authorised in general terms weeks earlier [20][24].

Placing a commerce architecture on the spectrum is therefore a design decision with direct consequences for which regulatory instrument applies, which actor bears liability, and how supervisory intervention would reach the architecture in practice [5][12].

How the Spectrum Divides Execution

The spectrum can be divided into five structurally distinct positions, differentiated by where discretion resides and what triggers machine action.

At the fully human pole, every decision (product selection, payment authorisation, timing) is made and confirmed by a natural person. Machines supply information but initiate nothing. Regulatory fit is clean: the human is the accountable actor, and every existing instrument maps onto that actor without ambiguity.

At the AI-assisted position, a model generates recommendations (price optimisation outputs, product rankings, fraud-risk scores), and a human confirms or rejects each one before any external action occurs. Discretion remains with the human; the machine narrows the choice set. Regulatory exposure is limited primarily to GDPR obligations on automated processing and AI Act transparency requirements for high-risk recommendation systems [1][2].

At the human-supervised agent position, a machine executes defined classes of action autonomously, including initiating a subscription renewal or completing a pre-approved cart, but a human supervisor retains the structural capacity to halt, audit, or reverse the agent within a defined window. This is the position occupied by most current European agentic commerce deployments. Discretion is split: the agent holds it during execution; the human holds it at the boundary. PSD2 liability allocation rules were not written for this split, and the Strong Customer Authentication exemption framework does not map cleanly onto multi-agent pipelines. The recurring-transaction exemption under PSD2 RTS Article 14 applies where a payer has authorised a series of transactions to the same payee; the merchant-initiated transaction carve-out operates where the payee, not the payer, triggers execution within a pre-agreed mandate. Neither exemption was designed for a configuration in which an orchestrator agent delegates payment initiation to a sub-agent that then calls a third-party open-banking API, because that configuration distributes the roles of payer, payee, and initiating party across actors the exemption logic treats as unitary [20][24].

At the delegated multi-agent position, an orchestrator agent decomposes a commercial task and assigns sub-tasks to specialised sub-agents, which execute concurrently or sequentially. No human touches the execution chain between the initial instruction and the completed transaction. Discretion has been wholly pre-delegated. Accountability nodes are distributed across orchestrator, sub-agents, API providers, and PSPs, a configuration that existing EU instruments address in fragments [17][24].

At the fully autonomous pole, machines select products, negotiate terms, initiate payment, and handle post-transaction exceptions without any human-defined execution boundary. Discretion is fully machine-held. This position has no stable regulatory home under current EU law and is the theoretical endpoint that cost and latency pressures push architectures toward [6][11].

Sources Worth Examining

  1. Ferrari (2022) [24]: the primary source for understanding how EU FinTech policy constructs consumer interest in ways that understate platformisation and automation risks at mid-spectrum positions.

  2. Borgogno and Colangelo (2019) [20]: grounds the open-banking infrastructure layer that enables mid-spectrum agentic architectures and identifies where standardisation gaps create supervisory blind spots.

  3. Garibay et al. (2023) [17]: provides the accountability and transparency framework most relevant to evaluating how discretion is distributed across automated pipelines.

  4. Davenport et al. (2019) [5]: articulates the augmentation-versus-replacement distinction that sits at the structural core of every spectrum-position design decision.

Regulatory and Market Consequences

Movement along the spectrum produces three distinct, traceable consequences: liability allocation, supervisory reach, and consumer recourse.

On liability allocation, the mid-spectrum positions generate the most ambiguous exposure. When a human-supervised agent or delegated pipeline initiates a payment that results in fraud or an erroneous transaction, the question of which actor bears the PSD2 liability (the payment service provider, the merchant deploying the agent, the open-banking API provider, or the orchestrator-agent operator) cannot be resolved by reading any single instrument. The AI Act's risk classification for high-risk AI systems adds a compliance layer but does not assign payment liability. GDPR's data-processing obligations apply to the personal data consumed by the agent but do not govern the commercial outcome. This fragmentation means that unresolved fraud liability at mid-spectrum positions is structurally absorbed by PSPs and merchants as a cost of operating without a clear adjudication mechanism [20][24].

On supervisory reach, national competent authorities retain meaningful intervention capacity at the fully human and AI-assisted positions, where transaction trails are legible and actors are identifiable. At the delegated multi-agent position, the transaction trail passes through multiple API layers, potentially across several EU jurisdictions, before completing. Real-time supervisory visibility requires standardised API reporting that EU frameworks have not consistently mandated [20][25]. The experimentalist governance architecture underlying EU FinTech regulation, which centres on framework goals, peer review, and periodic reporting, was designed for licensed institutions with stable organisational boundaries, not for agent pipelines that may instantiate dynamically per transaction.

On consumer recourse, platforms operating at the human-supervised agent position retain a structural mechanism: the human supervisor can reverse an action within the oversight window. Platforms that migrate toward delegated multi-agent execution remove that mechanism, transferring recourse responsibility to post-transaction dispute processes that were designed for simpler actor configurations [7][23]. Consumer vulnerability to opaque, data-intensive platforms is a documented concern in the EU FinTech policy literature [24], and the recourse deficit widens as the execution boundary moves further from human confirmation.

The binding design question for European agentic commerce platforms concerns precisely where to locate the decision boundary at which human confirmation is required, because that boundary determines which regulatory instrument applies, which actor absorbs unresolved liability, and whether any supervisory authority can reach the transaction chain before the harm is complete.

Counterpoint

The Case for Full Autonomy

The strongest operational argument for pushing toward the fully autonomous end of the spectrum is competitive and structural in character. Non-EU platforms (operating under lighter or less fragmented regulatory regimes) can complete agentic commerce transactions at latencies that human-supervised architectures cannot match. Each human-confirmation checkpoint adds dwell time to a pipeline; in high-frequency contexts such as dynamic pricing, subscription management, and personalised offer delivery, that dwell time is a measurable cost and a conversion-rate disadvantage [6][11].

The cost argument runs in parallel. Human-supervised agent architectures require staffing the oversight function: trained personnel who can interpret agent outputs, intervene in execution windows, and bear accountability for reversals. As transaction volumes scale, that staffing cost does not compress proportionally. Fully automated pipelines, by contrast, reduce marginal transaction cost toward the infrastructure floor.

Proponents of full autonomy also note that the regulatory fragmentation cited as a risk at mid-spectrum positions is not resolved by maintaining human supervision; it is merely deferred. If the EU has not assigned clear liability for multi-agent payment chains, placing a human supervisor above that chain does not create the missing legal assignment. It produces an actor who can be named in a dispute but whose actual legal standing remains as ambiguous as the pipeline beneath them. On this reading, the compliance overhead of mid-spectrum positions purchases process legitimacy without purchasing legal clarity, and full autonomy combined with aggressive post-transaction dispute infrastructure produces the same unresolved liability exposure at lower operational cost.

Unresolved Tensions

  1. The precise location of current European agentic commerce deployments on the spectrum remains unresolved; no empirical mapping of specific architectures to spectrum positions exists in regulatory or industry records.

  2. The interaction between PSD2 Strong Customer Authentication exemptions and multi-agent payment initiation is unresolved, particularly the question of which exemption category applies when no single actor occupies the roles of payer, payee, and payment initiator simultaneously.

  3. GDPR Article 22 applies only where a decision is based exclusively on automated processing and produces legal or similarly significant effects on the data subject. Whether that trigger condition is satisfied across multi-step agentic pipelines, where intermediate agent outputs may not individually constitute qualifying decisions, has not been established by regulatory guidance or case law.

  4. Whether EU experimentalist governance mechanisms extend to private agentic commerce platforms remains unclear; they may be structurally limited to licensed financial institutions, with mid-tier automation architectures falling outside their scope entirely.

  5. The empirical distribution of post-transaction dispute outcomes across spectrum positions in live European deployments is not yet documented, and it is therefore untested whether that distribution supports the hypothesis that mid-spectrum positions accumulate unresolved fraud liability disproportionately.

Sources

[1] Dwivedi, Y. K., Hughes, L., Ismagilova, E., Aarts, G., Coombs, C., & Crick, T. (2019). Artificial Intelligence (AI): Multidisciplinary perspectives on emerging challenges, opportunities, and agenda for research, practice and policy. Elsevier BV.

[2] Floridi, L., Cowls, J., Beltrametti, M., Chatila, R., Chazerand, P., & Dignum, V. (2018). AI4People: An Ethical Framework for a Good AI Society: Opportunities, Risks, Principles, and Recommendations. Springer Science+Business Media.

[5] Davenport, T. H., Guha, A., Grewal, D., & Bressogott, T. (2019). How artificial intelligence will change the future of marketing. Springer Science+Business Media.

[6] Goldfarb, A., & Tucker, C. E. (2019). Digital Economics. American Economic Association.

[7] Wirtz, J., Patterson, P. G., Kunz, W. H., Gruber, T., Lu, V. N., & Paluch, S. (2018). Brave new world: service robots in the frontline. Emerald Publishing Limited.

[11] Huang, M.-H., & Rust, R. T. (2020). A strategic framework for artificial intelligence in marketing. Springer Science+Business Media.

[17] Garibay, O. O., Winslow, B., Andolina, S., Antona, M., Bodenschatz, A., & Coursaris, C. K. (2023). Six Human-Centered Artificial Intelligence Grand Challenges. Taylor & Francis.

[20] Borgogno, O., & Colangelo, G. (2019). Data sharing and interoperability: Fostering innovation and competition through APIs. Computer Law & Security Review.

[23] Omarini, A. (2018). Fintech and the Future of the Payment Landscape: The Mobile Wallet Ecosystem, A Challenge for Retail Banks. Sciedu Press.

[24] Ferrari, V. (2022). The platformisation of digital payments: The fabrication of consumer interest in the EU FinTech agenda. Computer Law & Security Review.

[25] Osório, A., Camarinha-Matos, L., Afsarmanesh, H., & Belloum, A. (2019). Towards a Mobility Payment Service Based on Collaborative Open Systems. Working Conference on Virtual Enterprises.
