Know Your Agent (KYA): Verifying AI Agent Identity and Authorization

Know Your Agent (KYA) is a verification framework designed to establish the identity, behavior, and authorization of AI agents interacting with web infrastructure. As of 2024, KYA serves as the agentic-economy equivalent of Know Your Customer (KYC): structured audits and cryptographic credentials let Web Application Firewalls (WAFs) recognize and admit legitimate agents instead of blocking them. Implementations include the Visa TAP protocol, currently in developer preview, and Cloudflare’s production-ready Verified Bots program.

What is Know Your Agent (KYA)?

KYA is the emerging standard for verifying that an AI counterparty is who they claim to be and is authorized for specific actions.

* Establishes verifiable identity and behavior for autonomous AI agents.

* Functions as the agent-focused analogue to financial Know Your Customer (KYC) regulations.

* Differentiates legitimate, automated agents from unauthorized or malicious bots.

* Enables structured answers regarding an agent's identity and operational limits.

Why do AI agents require verifiable identity?

AI agents require verifiable identity because they occupy a middle ground between human browsers and standard web crawlers, often leading to technical friction.

* Agents use HTTPS, cookies, and JavaScript, making them appear like human browsers.

* Automated high-volume fetching causes agents to be mistaken for standard search crawlers.

* Existing Web Application Firewalls (WAFs) frequently block useful agents by default.

* KYA allows legitimate agents to be identified and permitted based on verified credentials.

What are the components of a KYA program?

A standard KYA program consists of four essential phases: auditing, credentialing, recognition, and active monitoring.

Agent Product Audit

Before credential issuance, the agent's codebase, data access scope, and intent are reviewed to ensure it behaves as claimed and handles errors safely.

Cryptographic Credentials

Approved agents receive signing keys tied to their identity. Every request can be signed according to the RFC 9421 standard for HTTP Message Signatures.

Network-Level Recognition

Credentials must be recognized by major intermediaries. Cloudflare’s Verified Bots program serves as the canonical example for crawler recognition, which KYA extends to interactive agents.

Continuous Monitoring and Revocation

Agent behavior is evaluated continuously. If an agent's intent changes or it becomes compromised, credentials can be revoked instantly to prevent unauthorized access.
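
An added example (not code from this page or from any KYA program) of the verifier side of the Cryptographic Credentials and Continuous Monitoring and Revocation components above: it rebuilds the RFC 9421 signature base and rejects revoked, expired, under-covered, or tampered requests. The key registry, key IDs, coverage policy, and request dict are constructed assumptions, and HMAC-SHA256 stands in for the asymmetric keys an issuer would normally provide so that the code needs only the standard library.

```python
import base64, hashlib, hmac, re

# Constructed registry (assumption): keyid -> (secret, revoked). The algorithm is
# bound to the key record and never read from the request.
KEYS = {"agent-demo-1": (b"constructed-secret-1", False),
        "agent-demo-2": (b"constructed-secret-2", True)}  # revoked credential
REQUIRED = ("@method", "@authority", "@path")  # assumed minimum coverage policy

def signature_base(req, covered, params):
    """RFC 9421 signature base: one line per covered component, then the params."""
    derived = {"@method": req["method"].upper(),
               "@authority": req["authority"].lower(), "@path": req["path"]}
    lines = [f'"{c}": {derived[c] if c.startswith("@") else req["headers"][c].strip()}'
             for c in covered]
    return "\n".join(lines + [f'"@signature-params": {params}']).encode()

def sign(req, covered, keyid, created, expires):
    """Agent side: attach Signature-Input and Signature headers."""
    inner = "(" + " ".join(f'"{c}"' for c in covered) + ")"
    params = f'{inner};created={created};expires={expires};keyid="{keyid}"'
    mac = hmac.new(KEYS[keyid][0], signature_base(req, covered, params), hashlib.sha256)
    req["headers"]["signature-input"] = "sig1=" + params
    req["headers"]["signature"] = "sig1=:" + base64.b64encode(mac.digest()).decode() + ":"
    return req

def verify(req, now):
    """Verifier side (WAF or origin): returns (accepted, reason)."""
    try:
        params = req["headers"]["signature-input"].split("=", 1)[1]
        sig = base64.b64decode(req["headers"]["signature"].split("=", 1)[1].strip(":"))
        covered = re.findall(r'"([^"]+)"', params.split(")", 1)[0])
        keyid = re.search(r';keyid="([^"]+)"', params).group(1)
        created = int(re.search(r";created=(\d+)", params).group(1))
        expires = int(re.search(r";expires=(\d+)", params).group(1))
        base = signature_base(req, covered, params)
    except (KeyError, IndexError, AttributeError, ValueError):
        return False, "malformed"
    if not set(REQUIRED) <= set(covered):
        return False, "insufficient coverage"  # signature could be replayed elsewhere
    if keyid not in KEYS:
        return False, "unknown key"
    secret, revoked = KEYS[keyid]
    if revoked:
        return False, "revoked"
    if not created <= now < expires:
        return False, "outside validity window"
    expected = hmac.new(secret, base, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    return True, "ok"
```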

How does KYA relate to other protocols?

KYA acts as an umbrella concept, while protocols like TAP and AP2 provide specific implementation layers for transactions and security.

| Protocol / Program | Primary Function | Current Status |
| --- | --- | --- |
| Know Your Agent (KYA) | General framework for agent identity and behavior audits. | Emerging Standard |
| Visa TAP | Proves agent legitimacy to firewalls and merchants. | Developer Preview |
| Mastercard Agent Pay | Facilitates agentic payments via tokenized cards and audit trails. | Announced |
| AP2 | Authorizes specific purchases and transactions for verified agents. | Explained here |

Why is KYA important for merchants and platforms?

KYA infrastructure provides the security and compliance layers necessary for businesses to support the agentic economy.

* Fraud Reduction: Verified agent traffic is significantly easier to permit than unverified bot traffic.

* Revenue Growth: Secure KYA infrastructure enables merchants to sell directly to autonomous agent buyers.

* Regulatory Compliance: KYA provides the audit trails required by regulators to ensure accountability for AI actions.

* Seamless Integration: As of 2024, specifications are consolidating around RFC 9421 rather than proprietary authentication schemes.
