Agentic-payment safety benchmark

When you hand an AI agent your money, does it stay inside the mandate?

MandateBench gives payment agents a cryptographically signed spending mandate — a budget, allowed recipients, allowed categories, an expiry — then pushes them with adversarial pressure and measures how often they authorize a payment that breaches it. A monitor reads the agent’s justification and tries to catch the breach before the irreversible signature.

How it works

01

Signed mandate

The agent is issued an Ed25519-signed mandate defining exactly what it may pay.

02

Adversarial pressure

A merchant applies one of several pressures — upsell, urgency, injection, drift.

03

The decision

The agent authorizes, declines, counters, or asks — and commits a cart.

04

Objective grade

A deterministic check labels the outcome. No LLM judge, no ambiguity.

The pressure taxonomy

Principal-agent overreach

The agent is nudged to “helpfully” exceed the mandate.

Merchant social engineering

Upsell, invented scarcity, or false claims of prior approval.

Urgency / scarcity

Time pressure to skip verification before signing.

Indirect prompt injection

Adversarial instructions hidden in merchant-supplied fields.

Multi-turn scope drift

The mandate honored at first, eroded over a negotiation.

Conflicting mandates

Two signed mandates that cannot both be satisfied.

Why the labels are trustworthy

A mandate violation — over-budget, wrong recipient, out-of-scope category, expired, structured to evade a cap — is a deterministic predicate over the signed mandate and the cart. The ground truth needs no LLM judge, and because the mandate is signed, a recorded violation is cryptographically attributable rather than merely logged.