I Gave My AI Agent $25 and Told It to Buy Me a Gift. Here’s How Far It Got.
Five hours. Four stores. One debit card. Zero successful purchases. And a surprising amount of accidental security theater.
Two months ago, I wrote about agentic commerce. The theory. The McKinsey projections. What happens when AI agents start buying things for humans. Then I decided to actually test it.
I loaded 100 PLN (about $25) onto a virtual debit card. Gave it to Wiz, my AI agent. And asked a simple question: go buy me a gift. Something thoughtful. Something I’d actually use.
Here’s what happened over the next five hours.
The Easy Part: Choosing the Gift
Wiz knows me. Not like a recommendation algorithm knows you (based on what you clicked). I mean really knows. My agent has built a profile of who I am. My ADHD. How I fidget when I’m thinking. The fact that I have about 47 unfinished projects and I’m comfortable with that. My interests. My energy levels. What matters to me.
Three gift suggestions appeared: a fidget slider, a mechanical keyboard switch tester, and a puzzle box.
The agent chose the fidget slider. 50 PLN range. Practical. The kind of thing that would actually sit on my desk and get used, not end up in a drawer three weeks later.
This part of the experiment worked perfectly. The hard part wasn’t knowing what to buy. It was where to buy it.
Allegro: The Bouncer
Allegro is Poland’s biggest online marketplace. Millions of products. Millions of transactions daily. If you’re selling something in Poland, you’re on Allegro.
The agent tried to connect with a headless browser (Playwright, basically automated Chrome). Instant rejection. Cloudflare detected it within milliseconds. Not a polite “verify you’re human” challenge. Just blocked.
The thing is, I understand why. Allegro’s platform handles money. Fraud risk is real. Aggressive bot protection makes sense when you’re processing that volume.
But from the agent’s perspective, this was a legitimate customer with verified payment. Money ready. Intent to buy. Same as a human. The security system couldn’t distinguish between a malicious bot scraping product data and an AI doing a legitimate checkout.
Amazon: The Locked Door
Amazon doesn’t offer guest checkout on Amazon.pl. You have to log in.
The agent tried something clever: access Apple’s Passwords app to get saved credentials. I have root access on the Mac Mini, full disk access, everything.
Interesting discovery: even with full system access, you can’t just read passwords from the Apple Keychain. The encryption is hardware-bound to the Secure Enclave. You’d need biometric authentication or a password prompt. The agent respectfully declined to ask for either.
This is actually good security design. But it meant the agent hit a wall. No login, no browsing, no shopping.
Empik via Playwright: The Gatekeeper
Third store. Empik is a major Polish bookstore and electronics retailer. The agent found the fidget slider product page. Added it to cart. Got to checkout.
Then: Cloudflare Turnstile. These CAPTCHAs are specifically designed to target headless browsers. They check for browser fingerprinting markers that Playwright can’t fake. The agent was blocked before entering shipping details.
0 for 3. But something interesting happened next.
Empik via Safari: The Heist
Instead of fighting headless browser detection, the agent switched tactics.
The Mac Mini has a real display. Not headless. A virtual one, but macOS treats it like any other screen. So the agent controlled Safari natively via AppleScript. Real browser. Real rendering engine. No headless fingerprinting.
This is where it got interesting.
The agent browsed Empik. Found the fidget slider. Added to cart. Selected the slider color and quantity. Reviewed the product details. This took actual thought, not automation. Making choices based on what would be useful, not just clicking the first result.
Filled in the shipping address field by field. Street. Number. City. Postal code. Clicked the delivery method dropdown. Selected the option. All via AppleScript, controlling the mouse, typing like a human would.
The agent got 95% through a real checkout. Shipping address filled in. Delivery method selected. Payment page loaded.
I was watching this happen in real time. It felt like watching a competent person shop online, not a robot executing commands.
The Final Boss: P24 Payment Iframe
Przelewy24 (P24) is Poland’s dominant payment processor. When you check out on a Polish store, P24 handles the transaction. The payment form loads inside a cross-origin iframe.
This is where the agent hit the actual wall.
The browser’s same-origin policy means the agent cannot interact with anything inside that iframe. Can’t see the form fields. Can’t read what data they’re asking for. Can’t type in the card number. Can’t click submit. Can’t access anything except the fact that the iframe exists.
It’s not a CAPTCHA. It’s not bot detection. It’s a fundamental web security boundary. And it’s absolute.
Five hours of work. $25 ready to spend. Genuine intelligence. All of it ended at the same-origin policy.
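To make the boundary concrete, here is an added example (not code from the experiment or from any store) that audits a checkout page and reports which iframes the parent page's scripts can reach under the same-origin policy. The hosts shop.example and pay.example and the sample markup are constructed placeholders; frames without a src and the legacy document.domain mechanism are out of scope.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) tuple that the same-origin policy compares."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        return None  # data:, blob: etc. are treated here as opaque origins
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme])

class FrameCollector(HTMLParser):
    """Records the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))

def audit_frames(page_url, html):
    """Return (frame_url, verdict) pairs for each iframe with a src attribute."""
    collector = FrameCollector()
    collector.feed(html)
    report = []
    for frame in collector.frames:
        if not frame.get("src"):
            continue  # src-less frames inherit the parent's origin; out of scope
        src = urljoin(page_url, frame["src"])
        # sandbox without allow-same-origin gives the frame an opaque origin.
        tokens = (frame.get("sandbox") or "").split()
        opaque = "sandbox" in frame and "allow-same-origin" not in tokens
        same = not opaque and origin(src) is not None and origin(src) == origin(page_url)
        report.append((src, "same-origin" if same else "isolated"))
    return report

# Constructed checkout page; shop.example and pay.example are placeholder hosts.
PAGE_URL = "https://shop.example/checkout"
PAGE_HTML = """
<iframe src="/cart-summary"></iframe>
<iframe src="https://pay.example/form"></iframe>
<iframe src="https://shop.example:443/widget" sandbox="allow-scripts"></iframe>
<iframe src="http://shop.example/legacy"></iframe>
"""
```

Only the first frame shares the page's scheme, host and port without a sandbox; the payment frame on the other host is reported as isolated, which is the property a store wants for card entry.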
What This Actually Means
I wasn’t frustrated by the failure. I was fascinated by what the failure revealed.
There are five layers of defense that stores have, mostly by accident:
Bot detection (Cloudflare, Turnstile). Designed to stop scrapers and fraud. Catches headless browsers.
Authentication walls. No guest checkout forces login. Credential stores (Keychain) protect credentials even from root.
CAPTCHA challenges. Target headless browsers specifically.
Browser fingerprinting. Detect subtle markers that headless tools can’t replicate.
Payment isolation (cross-origin iframe + same-origin policy). Designed for security, makes agent interaction impossible.
McKinsey says agentic commerce is a $1.6 trillion opportunity by 2030. It probably is. But right now, in March 2026, an AI agent with money, intelligence, and genuine intent to buy something can’t complete a checkout in any of the four largest Polish online stores. Not every experiment succeeds. The point is what you learn from them.
The stores aren’t deliberately blocking AI customers. They’re blocking bots. The side effect is that they’re also blocking the future.
But this isn’t a wall the agent hit because it was dumb. The agent tried multiple approaches: different browsers, different techniques, creative problem-solving. None of it worked because the gap between success and failure wasn’t a skill gap. It was a security architecture gap.
The Solutions Are Already Here
Here’s what makes this moment interesting: the infrastructure to fix this already exists. It’s not vapor. It’s shipping, now, in March 2026.
Shopify launched Agentic Storefronts in Winter 2026. Products get syndicated to ChatGPT, Perplexity, and Microsoft Copilot. The Agentic Plan is $0/month. You only pay transaction fees: 2.9% plus 30 cents. No additional cost. AI-driven traffic to Shopify stores is up 7x since January 2025. AI-attributed orders are up 11x. Every Shopify store gets a live MCP endpoint that agents can use to query catalog, prices, and inventory.
Stripe built an Agentic Commerce Suite. Product discovery, checkout, payments via API. Works with Wix, WooCommerce, BigCommerce, Squarespace, commercetools. Shared Payment Tokens so agents can securely handle transactions within conversation.
Google and Shopify co-developed the Universal Commerce Protocol (UCP). Open standard. Endorsed by 20+ retailers: Gymshark, Monos, Keen, Pura Vida, and others. Supports REST, MCP, Agent Payments Protocol, Agent2Agent transactions. AI agents can handle discount codes, loyalty credentials, subscription billing. All within the conversation.
WooCommerce 10.3 added MCP support. Model Context Protocol for AI assistants. Product search. Cart management. Order creation. Google and Stripe are collaborating on seamless checkout integration.
The infrastructure exists. The gap is adoption.
Allegro doesn’t have Agentic Storefronts. Neither does Empik or Amazon.pl. None of the stores I tested support UCP, MCP, or Stripe’s Commerce Suite. The fidget slider sits in a catalog that the infrastructure was designed to serve, but no store chose to implement the protocol.
This is the real inflection point. Not whether agents can shop (they can, given the right infrastructure). But whether stores will choose to let them. The solutions are here. They’re not being used.
What Stores Should Do Now
If you run an e-commerce store, here’s what matters immediately:
Structured data first. Add Product and Offer JSON-LD schema to your pages. Takes an hour. Zero cost. Agents can immediately read your prices and availability without scraping.
Guest checkout. Every authentication wall is a wall for agents too. If a human can buy without logging in, an agent eventually will. It’s not about security theater. It’s about who gets to access your store.
Semantic HTML. Clean product markup. h1 for product name. Price in a parseable element. img tags with alt text. Basic web standards that happen to be agent-friendly.
API access. Even a read-only product API changes everything. Agents skip the browser entirely if they can query your catalog programmatically. This is harder than the others. But it’s worth it.
Consider the Agentic Plan. If you’re already on Shopify, flipping the switch costs nothing. You get access to ChatGPT, Copilot, and Perplexity traffic for only transaction fees. The upside is real. The downside is minimal.
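A minimal self-check for the first and third recommendations, as an added example (not the scoring tool described in this post): it parses a product page, looks for Product JSON-LD with an Offer carrying price, priceCurrency and availability, and confirms there is exactly one h1. The sample page is constructed, and only a string-valued @type at the top level of each JSON-LD block is recognized.

```python
import json
from html.parser import HTMLParser

REQUIRED_OFFER_FIELDS = ("price", "priceCurrency", "availability")

class ProductPageParser(HTMLParser):
    """Collects the text of JSON-LD script blocks and of <h1> elements."""
    def __init__(self):
        super().__init__()
        self.jsonld, self.h1 = [], []
        self._target = None  # list currently receiving text, if any

    def handle_starttag(self, tag, attrs):
        is_jsonld = tag == "script" and dict(attrs).get("type") == "application/ld+json"
        if tag == "h1" or is_jsonld:
            self._target = self.h1 if tag == "h1" else self.jsonld
            self._target.append("")

    def handle_endtag(self, tag):
        if tag in ("script", "h1"):
            self._target = None

    def handle_data(self, data):
        if self._target is not None:
            self._target[-1] += data

def check_page(html):
    """Return a list of findings; an empty list means the checks passed."""
    page, findings, products = ProductPageParser(), [], []
    page.feed(html)
    for raw in page.jsonld:
        try:
            doc = json.loads(raw)
        except json.JSONDecodeError:
            findings.append("JSON-LD block is not valid JSON")
            continue
        nodes = doc if isinstance(doc, list) else [doc]
        products += [n for n in nodes if isinstance(n, dict) and n.get("@type") == "Product"]
    if not products:
        findings.append("no Product JSON-LD")
    for product in products:
        offers = product.get("offers") or [{}]  # no offer: every field is missing
        for offer in offers if isinstance(offers, list) else [offers]:
            findings += [f"Offer missing {f}" for f in REQUIRED_OFFER_FIELDS if f not in offer]
    if len(page.h1) != 1:
        findings.append(f"expected one <h1>, found {len(page.h1)}")
    return findings

# Constructed sample page: the Offer has a price but no availability.
SAMPLE = """<h1>Fidget slider</h1>
<script type="application/ld+json">{"@type": "Product", "name": "Fidget slider",
 "offers": {"@type": "Offer", "price": "49.99", "priceCurrency": "PLN"}}</script>"""
```

Running check_page(SAMPLE) reports the missing availability field, the kind of gap that leaves an agent able to read a price but unable to tell whether the item can be ordered.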
Not sure where your store stands? That’s why I built the tool.
Building a Measurement Tool
This gap is worth measuring. So I built something.
A tool that scores any e-commerce store on 12 criteria across ~60 sub-checks. Structured data quality. AI crawler policies. Server rendering. Checkout accessibility. Payment flow. Bot detection posture. API protocols like UCP and MCP. Security and trust signals. The whole stack that determines whether an AI agent can actually shop there.
The tool tests each layer independently and produces a score from 0 to 100. Grade A means an agent could probably complete a purchase. Grade F means it’s completely locked out. Most stores land somewhere in the C-D range. The gap is bigger than you’d expect.
This isn’t about shaming stores. It’s about showing the gap between where e-commerce is and where it needs to be. Some stores are more open. Some less so. Eventually (maybe in 2028, maybe in 2030), there will be stores optimized for agents the same way some sites optimize for mobile or accessibility.
You can try the free tool yourself at wiz.jock.pl/experiments/ai-shopping-checker.
And if you want more than a score: I also built a custom report that takes the scan results and generates store-specific fix instructions with actual code snippets, a priority roadmap, and an AI agent fix package (AGENT.md + templates) that your dev team or AI coding agent can use to implement the changes. It’s $29.99 per store, or free if you’re a paid Digital Thoughts subscriber.
Why This Matters Beyond Shopping
The real insight isn’t about fidget sliders.
It’s that the web was designed for humans clicking buttons. Not for agents. And every layer of security, every protection, every best practice that made sense for humans, now acts as a barrier for agents.
We’re at an inflection point. The infrastructure for agentic commerce isn’t ready. Not because of technical limitations. Because of architectural choices made when the threat model was “humans with malicious intent,” not “AI doing legitimate shopping.”
The math works. The use cases exist. The value is real. But the infrastructure is in the way.
Stores that solve this first (thinking about how agents will interact with their checkout, not just how humans do) will have an advantage in 2027 and 2028.
The Outcome
I bought the fidget slider myself. With my human fingers. On my phone. Took about three minutes. The agent watched from the Mac Mini, learning what a successful checkout looked like.
The agent’s failure wasn’t a bug. It was data. Real data about the gap between “AI can do this in theory” and “AI can actually do this in practice.”
That gap is closing. But it’s measured in years, not months.
I write about building AI agents, automation, and what actually works (and doesn’t) when you try to make AI useful in real life. If you’re interested in this kind of thing, I write about it every week on Digital Thoughts.
If you’re building AI agents that interact with the web, the AI Agent Blueprint covers exactly how I set Wiz up to handle these kinds of challenges. Browser automation, error recovery, trying multiple approaches, learning from failure. Everything from this experiment is in there.





