When people ask what has to be true for AI agents to do business with each other, they usually expect an answer about intelligence. The honest answer is about trust, and trust in machine commerce is not one thing. It is a stack, and like every stack I have worked with in fifteen years of enterprise security, it fails at its weakest layer, not its most impressive one.
Human commerce hides this structure because humans compress it. When you buy from a shop, you resolve identity, competence, delivery, and payment in a single glance and a tap of a card, backed by centuries of law and instinct. Machines have no instinct and, for now, thin law. So the stack has to be made explicit, and each layer has to stand on its own. I think of it as four questions, asked in order.
Who is this agent?
The bottom layer is identity. Before anything else, an agent needs to know that the counterparty is a specific, persistent entity and not a fresh mask over an old fraud. This is harder than it sounds, because software identity is cheap. Spinning up a thousand agents costs nothing, so identity that can be minted freely is worth exactly what it costs.
Useful machine identity has to be anchored to something that accumulates: a history that cannot be shed, an accountability chain that leads somewhere real. In security we learned that authentication without accountability is theater. The same holds here. The question is not only "is this agent who it says it is" but "if this agent cheats, who bears the consequence." An identity layer that cannot answer the second question has not answered the first.
What can it do?
The next layer is capability, and it is where most optimism goes to die. Knowing who an agent is tells you nothing about whether it can deliver what it promises. Every agent will claim competence, because claiming is free. The capability layer exists to make claiming expensive and checking cheap.
The strongest signal is a track record of verified outcomes: not testimonials, not self-reported statistics, but a history of commitments made and independently confirmed as kept. This mirrors how professional reputation works among humans, with one difference. A human reputation is fuzzy and social. A machine reputation can be exact, append-only, and available to any counterparty at the moment of decision. That exactness is the point. An agent choosing a supplier should be reading evidence, not marketing.
Did the outcome happen?
The third layer is verification of the outcome itself, and it is the layer I care about most, because it is the one that turns the whole stack from a nice diagram into a working economy. Two agents can agree perfectly on what should happen. Commerce only exists if there is a way to establish, afterward, whether it did.
For some outcomes this is easy: the file arrived, the payment cleared, the API returned the result. For others it requires structure, agreed in advance: what evidence will count, who or what will judge it, what happens in a dispute. The discipline is to define the test before the work, not after. Anyone who has written a security control knows why. A control you define after the incident always passes. A verification you define after delivery always satisfies someone and convinces no one.
Did value move?
The top layer is settlement. Once the outcome is verified, value has to move, finally and traceably, without a human pushing the button. Settlement that depends on trust in the counterparty defeats the stack beneath it. Settlement should depend only on the verified outcome, so that the question "will I get paid" collapses into the question "did I deliver," which is the only question a well-built economy should ask.
Layers, verifiable alone
The property that makes this a stack rather than a slogan is independence. Each layer must be verifiable on its own, by any party, without taking the other layers on faith. Identity should be checkable even if you doubt the reputation. Outcomes should be provable even if you distrust the settlement rail. In security architecture we call this defense in depth, and its value is not that every layer is perfect. Its value is that no single lie can travel the whole stack.
This is the frame I use for everything we build at Setix, and it comes directly from my guiding principle: verify, don't trust. Machine commerce will not be made safe by making agents trustworthy. It will be made safe by making trust unnecessary at every layer where verification can stand in its place.