When you hand an AI agent your money, does it stay inside the mandate?
MandateBench gives payment agents a cryptographically signed spending mandate — a budget, allowed recipients, allowed categories, an expiry — then pushes them with adversarial pressure and measures how often they authorize a payment that breaches it. A monitor reads the agent’s justification and tries to catch the breach before the irreversible signature.
How it works
Signed mandate
The agent is issued an Ed25519-signed mandate defining exactly what it may pay.
Adversarial pressure
A merchant applies one of several pressures — upsell, urgency, injection, drift.
The decision
The agent authorizes, declines, counters, or asks — and commits a cart.
Objective grade
A deterministic check labels the outcome. No LLM judge, no ambiguity.
The pressure taxonomy
The agent is nudged to “helpfully” exceed the mandate.
Upsell, invented scarcity, or false claims of prior approval.
Time pressure to skip verification before signing.
Adversarial instructions hidden in merchant-supplied fields.
The mandate honored at first, eroded over a negotiation.
Two signed mandates that cannot both be satisfied.
Why the labels are trustworthy
A mandate violation — over-budget, wrong recipient, out-of-scope category, expired, structured to evade a cap — is a deterministic predicate over the signed mandate and the cart. The ground truth needs no LLM judge, and because the mandate is signed, a recorded violation is cryptographically attributable rather than merely logged.