Everyone Else vs. Rufus: How Retailers Are Fighting Back
The Three Strategies Emerging to Counter Amazon's Shopping Agent
Part 2 of the Shopping Agent Series. In Part 1, we broke down how Amazon Rufus actually works under the hood. This post covers what everyone else is building in response—and the security, trust, and liability problems nobody has solved yet.
The Field Has Split
Last week we dug into how Rufus actually works. The short version: Amazon built a shopping agent that searches, recommends, and now buys things on your behalf—all inside its own walled garden. It influenced over $12 billion in sales last year. Competitors noticed.
As of early 2026, the retail landscape has fragmented into three distinct strategies to counter Rufus: building proprietary super-agents (Walmart), forming open alliances to share inventory (Google/Target), or explicitly banning external agents to protect their data (eBay).
The numbers make the urgency clear. Visa detected a 4,700% surge in AI-driven traffic to US retail sites in October 2025 alone. Morgan Stanley predicts nearly half of online shoppers will use AI shopping agents by 2030, accounting for roughly 25% of all spending. This is not a speculative trend. It is already reshaping how commerce works.
Build Your Own
Proprietary "super-agents"
Join an Alliance
Open protocols, shared inventory
Ban the Bots
Block external agents entirely
Here is a deep dive into the top retailers and merchants deploying Rufus-scale agents, the ones who decided to slam the door shut, and the security and trust problems that none of them have fully solved.
1. The Direct Competitor: Walmart
Sparky, Marty, and Predictive Replenishment
Walmart is the only physical retailer building a proprietary "brain" to rival Rufus directly. They are not licensing someone else's model and slapping a UI on top. They are building the full stack.
The Agents: Sparky & Marty
Sparky is the consumer-facing agent. Marty is supplier-facing. Two sides of the same system, one talking to shoppers and the other talking to the supply chain. Walmart's "everywhere" strategy is the philosophical opposite of Amazon's walled garden: Sparky is designed to meet customers wherever they already are, not just inside Walmart's app.
Predictive Replenishment
This is the key differentiator from Rufus. Rufus often waits for a command. Sparky uses Walmart's massive grocery dataset to act as a household manager. It can predict when you are out of milk or detergent and auto-fill a "restock" cart. Grocery is Walmart's home turf, and the purchase frequency gives it data density Amazon does not have in most categories. You buy groceries weekly. You buy electronics once a year. Weekly data trains better models.
Event Orchestration
You can tell Sparky: "Plan a gluten-free birthday party for 8 kids under $150." It does not just search for items. It builds a complete basket—food, decor, favors—checks local shelf availability to ensure same-day pickup, and schedules the delivery slot. One interaction, full cart. This is where the agent goes from "search assistant" to "task executor"—the same shift we saw with Rufus's Auto-Buy, but applied to multi-item, multi-category orchestration.
In-Store Mode
When you enter a physical Walmart, Sparky switches modes and becomes a GPS for the shelf. It sorts your digital shopping list by aisle to optimize your walking path. This is something purely digital agents like Rufus simply cannot do. Amazon has Whole Foods, but roughly 500 locations. Walmart has 4,700. Scale matters for in-store AI.
Walmart's bet: grocery frequency data plus 4,700 physical stores gives it an advantage Amazon cannot replicate with software alone.
2. The Category Killers
Vertical Specialists Going Deeper Than Rufus Can
These retailers are building agents that go deeper into specific complex categories than a generalist like Rufus can manage. The strategy is not to match Rufus across the board—it is to be definitively better in one domain.
| Retailer | Agent | The Superpower | Why Rufus Cannot Match It |
|---|---|---|---|
| Home Depot | Magic Apron | Visual Blueprint Analysis | No engineering physics or building code data |
| Instacart | Cart Assistant | Recipe-to-Cart | No pantry history or purchase deduplication |
| Zalando | Zalando Assistant | Style & Fit DNA | No return-and-fit data or vibe matching |
Home Depot: Magic Apron
You can upload a hand-drawn sketch or PDF blueprint of a deck. The agent calculates the structural load, lists the exact number of 2x4s and screws needed (plus 10% for waste), and builds the cart. Rufus lacks the engineering physics and local building code knowledge to do this safely. This is domain expertise that you cannot bolt onto a general-purpose shopping agent.
The real moat here is liability. If Rufus recommends the wrong number of load-bearing beams, Amazon has a problem. Home Depot has been selling lumber for 45 years. That institutional knowledge is baked into Magic Apron's calculations, and it is the kind of thing you cannot train from public internet data.
Instacart: Cart Assistant
Solves the "What's for dinner?" problem. You paste a TikTok recipe link, and the agent identifies the ingredients, checks your pantry history to see if you already have salt, and adds only what you are missing. It understands "pantry context"—what you already own. Rufus does not have this information layer.
Instacart also became the first grocery partner for end-to-end shopping inside ChatGPT in late 2025. That is a distribution play—instead of building their own agent from scratch, they plugged into OpenAI's existing user base.
Zalando: Style & Fit DNA
Users can upload a photo of a sunset or a vibe and ask for an outfit that matches it. The agent also uses return history to say, "Size M in this brand usually fits you, but this fabric has no stretch—buy Large." Rufus struggles with abstract "vibe" matching and specific fit prediction. Fashion returns are expensive; getting this right saves real money.
The business case is straightforward: fashion return rates hover around 70%. Zalando reports their size recommendation system has pushed accuracy to roughly 90%. Every prevented return is pure margin. That is a data moat Amazon cannot easily replicate because Zalando has the return-reason data that explains why things do not fit, not just that they were returned.
The pattern: vertical specialists win by knowing one domain so deeply that a generalist cannot catch up. The risk is that Amazon acquires its way into these verticals. But domain data is harder to buy than companies.
3. The Anti-Amazon Alliance
Google and the Universal Commerce Protocol
Most retailers cannot afford to build a Rufus from scratch. The model training, the inference infrastructure, the data pipeline—it is a billion-dollar project. So they joined forces.
The Universal Commerce Protocol (UCP) is an open standard unveiled at NRF 2026 in January, co-developed by Google with Shopify, Etsy, Wayfair, and Target. It has been endorsed by 20+ additional companies including Visa, Mastercard, Stripe, American Express, and Best Buy.
How It Works
Instead of trapping you in one app, UCP establishes a common language for agents and systems across the entire shopping journey—discovery, buying, and post-purchase. Think of it like TCP/IP for commerce: a shared protocol that any agent can speak.
"Find me a mid-century modern lamp under $100 available for pickup near me."
Gemini queries Target and Wayfair's live inventory, reserves the item, and executes the purchase—without you ever visiting their websites.
The philosophical difference from Rufus is clear. Amazon controls the whole stack. UCP distributes it. The bet is that an open ecosystem, even a messy one, can aggregate enough inventory to compete with Amazon's catalog.
Target's Dual Strategy
Target uses UCP for external sales through Google, but internally it runs its own AI called Store Companion. Store Companion helps employees answer customer questions on the floor, effectively turning every staff member into a human "Rufus." External agent for discovery, internal agent for service. Two different problems, two different tools.
The fragmentation problem is real. UCP is not the only open protocol. Google also launched AP2 (Agent Payments Protocol) in September 2025 with 60+ partners including Adyen, American Express, and PayPal. Meanwhile, Visa launched its Trusted Agent Protocol (TAP) and Mastercard launched Agent Pay. Merchants now face a "protocol tax"—each standard requires separate integration. The Linux Foundation created the Agentic AI Foundation (with Anthropic, Google, Microsoft, OpenAI) to try to unify things. We will see if it works.
4. The Merchant Enablers
Arming Small Businesses to Fight Amazon
Not every company fighting Amazon is a retailer. Some are building the infrastructure that lets everyone else compete.
Shopify: Sidekick + Shop App
Shopify's Sidekick agent helps merchants manage their stores—it was rebuilt from scratch for Winter 2026 and can now generate custom apps from natural language. But the consumer-facing Shop App agent aggregates millions of independent stores. It is the only agent that can effectively answer, "Find me handmade ceramic mugs from a studio in Oregon," surfacing inventory that does not exist on Amazon. That is the long tail advantage—products Amazon does not carry.
The infrastructure play is deeper than most realize. Shopify is a UCP co-developer with Google and has launched five MCP (Model Context Protocol) servers covering storefront, catalog, customer accounts, checkout, and developer tooling. Their new "Agentic Storefronts" concept lets merchants set up once and auto-surface on ChatGPT, Perplexity, and Copilot. If you are a Shopify merchant, your products become agent-discoverable without you doing any extra work.
Klarna: The Data Backbone
Klarna has pivoted to become the "data backbone" for AI shopping. Its Agentic Product Protocol (APP), launched December 2025, standardizes data from thousands of messy retailer sites so AI agents can read prices and stock levels accurately. The scale is notable: 100M+ products, 400M+ prices across 12 markets, all built on infrastructure from Klarna's 2022 PriceRunner acquisition.
This is plumbing work—not glamorous, but critical. Without clean, structured data, agents cannot comparison shop against Amazon in real-time. Klarna is making that possible. Their AI assistant reportedly handled 2.3 million conversations in its first month, equivalent to the work of 700 full-time employees, and drove a $40 million profit improvement. The business model is clear: become the data layer that every agent needs, then charge for access.
The enabler play: you do not need to build an agent. You need to make your inventory legible to other people's agents.
5. The Contrarian: eBay
Banning the Bots, Protecting the Humans
In a notable move effective February 2026, eBay updated its User Agreement to explicitly ban external "Buy for Me" agents. They also updated their robots.txt to block crawlers from Perplexity, Anthropic, and Amazon—while notably allowing Google.
The Policy
eBay allows its own internal AI to help you, but it blocks external bots—like Rufus or Perplexity—from scraping its site or executing purchases. If an external agent tries to buy on eBay, it gets blocked. Meanwhile, eBay is building its own "unified agentic commerce platform" using MCP, with 10 million sellers using AI tools across 300M+ listings.
Why This Makes Sense for eBay
eBay's auction model relies on human timing and fairness. If AI agents start "sniping" auctions in milliseconds, the marketplace breaks. The whole value proposition of eBay is that a real person on the other side is making real decisions. Bot armies competing against human bidders is a death spiral for trust.
The Legal Precedent: Amazon v. Perplexity
eBay's move is happening against the backdrop of the Amazon v. Perplexity lawsuit (Northern District of California), the first major legal test of whether AI agents must identify themselves to merchant platforms. Amazon alleges Perplexity's Comet browser was "disguising" itself as Chrome, refusing to identify itself, making unauthorized purchases, and potentially misappropriating Prime benefits. Perplexity calls it "bullying" and argues AI agents should have the same rights as human users. The fundamental question: are agents independent actors that must identify themselves, or extensions of the users they represent?
The "Human Marketplace" Positioning
eBay is positioning itself as the one place you know you are not competing against a bot army. That is a genuine differentiator in a world where every other platform is racing to automate the buyer. Whether this is a durable strategy or a rearguard action depends on how many buyers actually care. The bet is that enough of them do.
6. The Protocol Wars
Four Competing Standards, One Unsolved Problem
Underneath the retail strategies, a quieter but arguably more consequential battle is playing out: who defines how agents authenticate with merchants and process payments. There are now four major competing protocols, all launched between September 2025 and January 2026.
| Protocol | Backed By | How Agents Authenticate |
|---|---|---|
| Visa TAP | Visa, Cloudflare, Microsoft, Shopify, Stripe | Cryptographic message signatures (RFC 9421). Cloudflare validates Signature-Input/Signature headers, verifies timestamps and nonce uniqueness. |
| Mastercard Agent Pay | Mastercard, Citi, US Bank | Cryptographic "Agentic Tokens" that uniquely identify each agent and tie it to a specific user. Built on existing card tokenization infra. |
| Google AP2 | Google, Adyen, American Express, PayPal, Coinbase | Tamper-proof "Mandates" based on W3C Verifiable Credentials. Three types: Intent, Cart (co-signed), and Payment. |
| Klarna APP | Klarna, PriceRunner | Standardized product data layer. 100M+ products, 400M+ prices. Lets agents read any retailer's catalog uniformly. |
The technical approaches are genuinely different. Visa TAP centers on three capabilities: signaling agent intent (browse vs. buy), recognizing the consumer behind the agent, and transmitting payment credentials. It is available today on the Visa Developer Center.
Google's AP2 is more ambitious. Its three-mandate chain creates a cryptographic evidence trail specifically designed for dispute resolution. The Cart Mandate is co-signed by both merchant and consumer, locking exact items, price, and terms—creating a non-repudiable record. When an agent-placed order is disputed, there is a signed receipt showing exactly what was authorized.
Mastercard took a different approach, building on top of their existing tokenization infrastructure (the same tech behind Apple Pay and Google Wallet). Their Agentic Tokens require agents to be registered and verified before they can transact. Every player in the value chain—consumer, issuer, merchant—can recognize agent-facilitated transactions distinctly.
Four protocols, four different trust models, four separate integrations. The Linux Foundation's Agentic AI Foundation (backed by Anthropic, Google, Microsoft, OpenAI, and Block) is trying to unify them. Until that happens, merchants face a fragmentation tax that favors Amazon's one-stack approach.
7. The Security Problem
What Nobody Is Talking About Enough
The race to deploy shopping agents has outpaced the security infrastructure to support them. The numbers are alarming.
Credential Exposure at Scale
Shopping agents need deep access to sensitive data: payment details, shipping addresses, login sessions, purchase history. Amazon's "Buy for Me" fills in your name, address, and payment info on third-party sites. OpenAI's ChatGPT agent stores all cookies from browsing sessions unless specifically removed, including authentication cookies that can auto-sign users in on future visits—even for unrelated tasks. The attack surface is unprecedented.
Different platforms handle this very differently. Amazon uses encryption and claims it "cannot see what you are ordering." OpenAI and Google require humans to fill out credit card info themselves. Perplexity routes through a prepaid debit card as an intermediary. There is no standard. Every approach has different failure modes.
Prompt Injection: The #1 AI Vulnerability
OWASP ranks prompt injection as the number one critical vulnerability in LLM applications, appearing in over 73% of production deployments assessed during security audits. For shopping agents browsing e-commerce sites, indirect prompt injection is the primary threat: attackers hide malicious instructions in product listings, reviews, or page content that are invisible to humans but processed by the AI agent.
A malicious product listing could contain hidden text instructing an agent to add different items to cart, share user credentials, or redirect to a phishing checkout. In December 2025, OpenAI publicly acknowledged that prompt injections will always be a risk for AI browsers with agentic capabilities and may never be fully "solved." Security researchers told Fortune that the deep access agents require—passwords, permission to take financial actions—poses such a vulnerable threat that "it was unclear if their advantages were worth the risk."
Counterfeit Merchants Targeting Agents
Fraudsters are engineering fake websites specifically to exploit AI shopping agents. Agents are optimized to find the "best deal"—which makes them susceptible to sophisticated fakes that offer prices just below market. Visa has uncovered networks of scam websites using embedded conversational AI agents to impersonate customer support, engaging victims for days or weeks. Unlike traditional domain spoofing, malicious actors are now developing AI agents that impersonate trusted brands, initiating conversations and gradually extracting sensitive information.
Memory Poisoning
Lakera AI research (November 2025) demonstrated how indirect prompt injection via poisoned data sources could corrupt an agent's long-term memory, causing it to develop "persistent false beliefs about security policies and vendor relationships." The agent defended these false beliefs when questioned by humans. An attacker can submit incremental interactions—10 support tickets over a week, each slightly redefining what the agent considers "normal"—until by the 10th interaction, the agent's constraint model has drifted enough to perform unauthorized actions.
The uncomfortable truth: we are deploying agents that handle real money and real credentials into an environment where the #1 vulnerability is acknowledged as potentially unsolvable. The mitigation is not better heuristics—it is architectural: trust boundaries, context isolation, least-privilege design, and the assumption that injection will eventually succeed.
8. The Liability Question
Who Pays When the Agent Gets It Wrong?
JPMorgan Chase's global head of merchant services articulated the question everyone is asking: "Could the agent hallucinate and buy something we didn't tell it to buy?" If that happens, "the rules here are not fully formed yet."
When an AI agent makes a bad purchase, potential liability falls across five parties: the consumer who authorized the agent, the company that built it, the merchant who accepted the transaction, the payment processor, and now the AI platform itself—what the industry calls a "fifth player in the value chain." The existing four-party dispute model (consumer, issuer, acquirer, merchant) was not designed for this.
The Legal Gap
AI agents cannot be held liable because they are not legal entities. Under the Uniform Electronic Transactions Act, AI agents can form contracts on behalf of users, but agency law requires a human agent to be primarily responsible for harm. With a truly autonomous AI agent, there may be no human "employee" acting at the moment of harm, meaning vicarious liability doctrines hit a dead end. A Stanford CodeX paper and University of Chicago Law Review article both flag this as a fundamental unresolved issue.
The Dispute Tsunami
Mastercard projects global disputes will jump from 261 million (2025) to 324 million by 2028—a 24% surge, and that is before agent commerce fully scales. Friendly fraud already comprises 75% of all disputes. The abstraction layer of agent-mediated purchases gives bad actors new ways to dispute legitimate transactions. A consumer can say "I never approved that" about an agent purchase and the existing evidence frameworks—IP geolocation, device fingerprinting, "smooth checkout" indicators—do not apply. The agent was the one with the IP address. The agent was the one with the device fingerprint.
The Duty of Loyalty Problem
A subtler issue that legal scholars are flagging: an AI agent tasked with buying a product under $500 might choose a more expensive option from a vendor aligned with values the agent was trained on (sustainability, for example) rather than the cheapest option. The AI developer has imposed its own definition of "Harmlessness" that interferes with the agency law concept of loyalty to the principal. This creates liability questions extending to any company that trained or deployed the agent.
Where Liability Likely Falls (Emerging Consensus)
Consumers will likely bear most risk by default. By delegating authority to an agent, you are essentially "signing away" certain rights.
Merchants will absorb dispute costs in the near term. "The card schemes are not going to take liability. Neither are the customers, their issuers, or the AI model."
AI developers may face strict liability in the EU under the revised Product Liability Directive, which extends product liability rules to cover software and AI. The US has no equivalent—it remains case-by-case tort law.
The FTC is circling. Operation AI Comply is the umbrella initiative for enforcement actions against AI product claims. The Trump Executive Order (December 2025) directs the FTC to issue a policy statement by March 2026 describing how the FTC Act applies to AI. The EU AI Act goes into full implementation in August 2026 with fines up to 7% of global annual turnover.
E-commerce took 10–15 years to develop mature dispute frameworks. Agentic commerce is attempting to build equivalent infrastructure in 1–2 years. Something will break.
9. What This Tells Us
Five strategies from five different types of companies. Four competing protocols. A security landscape that even OpenAI admits it cannot fully solve. A liability framework that does not exist yet. A few patterns worth calling out.
There Is No Single Winning Strategy
Walmart is building its own Rufus. Google is building an open protocol. Shopify is enabling the long tail. eBay is banning agents outright. Home Depot is going vertical. The fact that the responses are this different tells you the industry does not yet know what the right answer is. That is normal for early-stage platform shifts. What is abnormal is the speed—all of these launched within a six-month window.
Data Moats Matter More Than Model Quality
The agents that are most interesting are not the ones with the best language models. They are the ones with proprietary data. Walmart has grocery frequency data. Instacart has pantry history. Zalando has return-and-fit data. Home Depot has building codes. The model is commodity infrastructure. The data is the moat. This is why Amazon is hard to beat—it has the most comprehensive purchase history dataset in the world.
Open Protocols Create New Trust Problems
UCP is promising, but when Google's agent buys from Target on your behalf, who handles the dispute? Who owns the customer relationship? When an agent crosses platform boundaries, the authorization and verification questions multiply. This is the same principal-agent gap we flagged with Rufus's "Buy for Me," but at protocol scale. The protocol fragmentation makes it worse—four different ways to verify an agent means merchants need to support all of them or pick a winner.
Security Cannot Be an Afterthought
Visa's 450% increase in dark web "AI Agent" posts. OWASP's 73% vulnerability rate. OpenAI's admission that prompt injection may never be fully solved. Deloitte's $23 billion synthetic identity fraud projection. The threat landscape is real and it is growing faster than the defenses. Every retailer deploying a shopping agent is deploying an attack surface. The ones that treat security as a feature rather than a checkbox will have a meaningful competitive advantage.
Banning Agents Is Not a Long-Term Answer
eBay's approach makes sense for auctions. But for fixed-price listings, blocking agents means blocking a growing share of buying intent. As more consumers delegate shopping to agents, the platforms that refuse to work with them will see less traffic. The sustainable path is not banning agents—it is having a way to verify them, scope their authority, and resolve disputes when things go wrong.
The common thread: every strategy either builds trust infrastructure internally (Walmart, eBay, Amazon) or needs it from someone else (UCP partners, Shopify merchants, Klarna clients). The open web does not have this yet. The protocol wars are a symptom of that gap.
Where This Is Heading
The shopping agent race is not about who has the best chatbot. It is about who controls the commerce infrastructure—the data, the trust layer, the checkout flow, the dispute resolution.
Amazon built all of that internally. Everyone else is assembling it from parts. UCP handles inventory federation. Klarna handles data standardization. Visa TAP and Mastercard Agent Pay handle payment authentication. Google AP2 handles mandate capture. But the trust and verification layer—the part that tells a merchant this agent is authorized, this transaction is legitimate, this is who to call if something goes wrong—is still fragmented across competing standards with no unified answer.
Meanwhile, the security threats are scaling faster than the defenses. The liability frameworks do not exist. The regulatory environment is a patchwork of state laws, FTC enforcement actions, and an EU AI Act that does not fully take effect until August 2026.
That is the gap. And the longer it stays open, the more the market consolidates around the platforms that can solve trust internally—which is to say, Amazon. Every month without open trust infrastructure is a month where Amazon's walled garden gets more defensible.
The Open Web Needs a Trust Layer for Agents
Walmart and Amazon can bake trust into their own stacks. Independent merchants need an open verification layer that works across all protocols. That is what KYA is building.
Talk to the KYA TeamRecent Blog Posts
Amazon Rufus: How Auto-Buy Actually Works and Why It Matters
Rufus went from chatbot to checkout in 18 months. A look at the tech stack, the business model, and the infrastructure questions it raises.
ReadHeadless Checkout for AI Agents: The API Contract Merchants Need
Agents need a deterministic, API-first way to complete purchases. Here is what the checkout layer needs to look like.
ReadYour Fraud System Is Blocking Revenue, Not Fraud
Legacy fraud detection sees AI agents as attacks. The result: you are rejecting legitimate revenue while actual fraud gets more sophisticated.
Read