The Automation Curve Is Really a Governance Curve

McKinsey just published the most useful framework I have seen for thinking about AI agents in commerce. It is also incomplete in the most consequential way possible.

“The Automation Curve in Agentic Commerce,” from McKinsey’s QuantumBlack, presents six levels of AI delegation --- from rule-based subscriptions to multi-agent negotiation networks. The framework is clear, well-structured, and genuinely helpful for understanding where the technology is headed. McKinsey projects $3-5 trillion in global agentic commerce by 2030.

The part they leave out is the part that matters most.

The Framework: What Agents Can Do

McKinsey describes a progression of agent capability across six levels. Each level represents a different degree of delegation --- how much decision-making authority the consumer transfers to the AI.

L0 --- Rule-based subscriptions. Subscribe & Save. The agent follows a fixed rule: reorder this product on this schedule. No intelligence, no adaptation. If your needs change, the rule doesn’t.

L1 --- Cognitive assist. The agent researches but does not act. “Find four gifts under $75 for a ten-year-old.” It surfaces options. You decide.

L2 --- Orchestration. The agent assembles a checkout-ready basket. “Put together a warm winter outfit under $150.” It selects items, coordinates across categories, and presents a complete recommendation. You approve.

L3 --- Rule-based delegation. The agent executes end-to-end within predefined constraints. “Order groceries if the total stays under $120, delivered Friday between 6 and 8 PM.” It shops, checks out, and schedules delivery. No human in the loop.

L4 --- Standing goals. The agent pursues ongoing objectives. “Keep household spending under $300 per month.” It monitors prices, switches brands, adjusts quantities, and optimizes continuously. The human sets the goal; the agent figures out how to achieve it.

L5 --- Multi-agent commerce. Your personal agent negotiates with networks of specialized merchant agents. Your agent knows your preferences and constraints. Merchant agents know inventory and pricing. They negotiate in real time. This level is nascent, but the architectural patterns are already emerging.

This is a useful map. I recommend reading the original.

But there is a problem.

The Governance Gap

McKinsey’s framework describes what agents can do at each level. It does not address how organizations choose the right level or enforce those boundaries.

This is not a minor omission. It is the entire problem.

Consider the distance between L2 and L3. At L2, an agent assembles recommendations. At L3, it spends your money. The technical difference between these levels is small --- a few additional API integrations and an authorization flow. The governance difference is enormous. You have moved from “show me options” to “act on my behalf with real financial consequences.”

Who decides when that transition happens? What criteria trigger it? What happens when the agent makes a purchase the consumer did not intend? Who is liable? What audit trail exists?

McKinsey calls this progression a “curve, not a ladder” --- the insight being that higher automation is not always better. The goal is “optimal delegation,” finding the right level for each context. That is exactly right. But optimal delegation is not a technology capability. It is a governance outcome.

Choosing the right level of automation requires understanding risk tolerance, regulatory constraints, liability exposure, and organizational readiness. Enforcing boundaries at that level requires policies, controls, monitoring, and accountability structures. That is governance. And it is the work McKinsey’s framework does not do.

Each Level Has a Governance Profile

The useful move is to treat McKinsey’s levels not as a capability ladder but as a governance spectrum. Each level carries a distinct risk profile and requires specific controls.

L0-L1: Low governance burden. The agent is either following fixed rules or providing information only. The consumer retains full decision authority. The governance requirement is limited to data quality and transparency --- is the agent showing accurate information? Is it disclosing sponsored results?

L2: Moderate governance burden. The agent is making selection decisions --- choosing which products to recommend, which combinations to present. Bias becomes a concern. Is the agent optimizing for the consumer’s stated preferences or for merchant margin? Transparency of recommendation logic becomes a governance requirement.

L3: High governance burden. The agent now executes transactions. This is the critical threshold. Governance requirements include: spending limits and authorization controls, dispute resolution procedures when the agent makes an unintended purchase, clear liability assignment between the consumer, the platform, and the merchant, and audit trails for every autonomous transaction.

L4: Very high governance burden. The agent operates continuously against standing goals. In addition to L3 requirements, you need: drift detection --- is the agent still optimizing for the original goal or has its behavior shifted? Performance monitoring against stated objectives. Regular review cycles where the consumer revalidates the delegation. Circuit breakers that pause autonomous operation when behavior deviates from expected patterns.

L5: Governance requirements are largely undefined. Multi-agent negotiation introduces coordination complexity that existing regulatory frameworks do not address. When your agent negotiates with a merchant agent and they reach an agreement, which agent’s principal bears liability for the terms? How do you audit a negotiation conducted in milliseconds between machines?

This is not abstract. These are the questions that every organization moving beyond L1 will face.

The Infrastructure Is Converging

McKinsey identifies three forces driving agentic commerce. They are right about all three, and the convergence is real.

AI capability reached decision-grade quality. Large language models can now reason about preferences, compare options, and make contextually appropriate choices. The technology gap that kept agents at L0-L1 has closed.

Open protocols created interoperability rails. The Model Context Protocol (MCP) has crossed 97 million monthly SDK downloads. Google launched the Agent-to-Agent (A2A) protocol. The Linux Foundation established the AI Agent Interoperability Framework (AAIF) in December 2025. For the first time, there is a plausible path to agents that work across platforms and vendors.

Payment networks are building the trust layer. Visa’s Trusted Agent Protocol and Mastercard’s Agent Pay are both launching commercially in Q1 2026. This is significant. Payment networks have spent decades building fraud detection, dispute resolution, and consumer protection infrastructure. Their entry into agentic commerce means the transaction trust layer does not need to be built from scratch.

These three forces --- capable AI, open protocols, and payment infrastructure --- are converging in 2026. The technical foundation for L3-L4 delegation is being laid right now. This is the buildout year.

But infrastructure convergence makes the governance gap more urgent, not less. When the technology can execute, the question of whether it should becomes immediate.

The Trust Problem McKinsey Does Not Discuss

McKinsey’s $3-5 trillion projection for 2030 is the most aggressive number in the industry. Morgan Stanley and Bain estimate significantly lower. This does not mean McKinsey is wrong, but it is worth understanding the gap.

The biggest constraint on agentic commerce adoption is not technology. It is trust.

A YouGov survey from December 2025 found that only 14% of consumers trust AI enough to place an order on their behalf. Fourteen percent. McKinsey’s framework elegantly describes L3-L5 capabilities, but 86% of consumers are not ready to use them.

This trust deficit is not irrational. Consumers are implicitly asking governance questions:

• What happens if the agent buys something I did not want?
• Who do I call when things go wrong?
• Is the agent working for me or for the company that built it?
• Can I see what it did and why?
• How do I stop it if it goes off course?

These are reasonable questions. Right now, most of them do not have clear answers.

McKinsey’s framework is also silent on the regulatory dimension. GDPR Article 22 gives EU citizens the right not to be subject to decisions based solely on automated processing --- a provision that directly constrains L3-L5 delegation in the world’s second-largest consumer market. Multiple US states have enacted or are drafting AI-specific legislation. The liability framework for autonomous agent transactions is completely undefined in most jurisdictions.

None of this makes agentic commerce impossible. But it means the path from here to $3-5 trillion runs through governance infrastructure that does not exist yet.

B2B: The Understated Opportunity

McKinsey’s framework centers on consumer commerce. That is understandable --- consumer examples are intuitive and the market size is impressive. But the more consequential near-term application is business-to-business.

B2B procurement already operates with explicit governance structures: approved vendor lists, spending authorities, purchase order workflows, audit requirements. These are governance rails. They translate naturally into agent constraints.

An L3 agent in B2B procurement --- “reorder office supplies when inventory drops below threshold, use approved vendors only, stay within quarterly budget allocation” --- is a significantly easier governance problem than an L3 consumer agent. The rules are already written. The accountability structures exist. The audit requirements are defined.

This is why we expect B2B agentic commerce to reach meaningful scale before consumer applications hit mass adoption. Not because the technology is different, but because the governance foundation is already in place.

For enterprise leaders, the implication is clear: do not wait for consumer agentic commerce to mature before building your agent governance capabilities. Start with B2B use cases where governance patterns are well-understood, and build the organizational muscle for more complex consumer-facing deployments later.

The Data Quality Shift

One insight from the McKinsey report deserves more attention than it received: “data quality is the new storefront.”

When agents shop on behalf of consumers, the competitive axis shifts. A beautiful website does not matter if the agent never renders it. What matters is whether your product data is structured, accurate, machine-readable, and rich enough for an agent to make an informed decision.

This has immediate practical consequences. Product descriptions optimized for human scanning need to be restructured for machine parsing. Inventory data needs to be accurate in real time, not updated on a nightly batch. Pricing data needs to be available via API, not buried in JavaScript-rendered pages. Return policies need to be machine-readable, not hidden in legal PDFs.

This shift from UI-as-storefront to data-as-storefront is a governance problem disguised as a technical one. Who owns data quality? What standards apply? How do you audit the data your agents consume? How do you ensure the data your business exposes to external agents accurately represents your products and policies?

Organizations that treat this as a web team problem will fall behind those that treat it as a data governance initiative.

Optimal Delegation Requires Governed Autonomy

McKinsey’s “curve, not ladder” insight is genuinely important. It pushes back against the assumption that more automation is always the goal. Sometimes L1 is the right answer. Sometimes L4 is appropriate. The optimal level depends on context.

But McKinsey stops at describing the curve. They do not tell you how to navigate it.

Navigating the automation curve requires three governance capabilities that most organizations do not have:

Assessment capability. The ability to evaluate, for a given use case, what level of delegation is appropriate. This requires understanding the risk profile, regulatory constraints, consumer trust thresholds, and organizational readiness for each level. It is not a one-time analysis --- it needs to be revisited as technology, regulation, and consumer expectations evolve.

Implementation capability. The ability to build agent systems that operate at a specific level and stay at that level. An L2 agent that occasionally drifts into L3 behavior --- making purchases without explicit approval --- is not an L2 agent with a bug. It is a governance failure. Implementation requires orchestration infrastructure that enforces boundaries, not just respects them.

Monitoring capability. The ability to verify, continuously, that agents are operating within their delegated authority. This includes behavioral monitoring (is the agent doing what it should?), outcome monitoring (are the results consistent with stated goals?), and drift detection (is the agent’s behavior changing over time in ways the principal did not authorize?).

These three capabilities --- assess, implement, monitor --- are not technology features. They are organizational competencies. Building them is the real work of agentic commerce, and it is work that McKinsey’s framework, useful as it is, does not address.

The automation curve is real. The levels are well-defined. The market opportunity is substantial. But the curve is not really an automation curve. It is a governance curve. And the organizations that understand this distinction --- that invest in governance capability alongside agent capability --- will be the ones that capture the opportunity.

The rest will build impressive demos and never get past L1.

---

Victorino Group helps organizations build governed AI agent systems --- from assessing the right level of delegation through production implementation and ongoing operations. If you are navigating the automation curve and need governance infrastructure, not just agent capability, contact us at contact@victorinollc.com.