Know Your Agent (KYA): Verifiable Identity for AI Agents
As of 2024, Know Your Agent (KYA) is the emerging standard for verifying the identity, behavior, and authorization of AI agents. Functioning as the agentic-economy equivalent of Know Your Customer (KYC), KYA utilizes cryptographic credentials and RFC 9421 message signatures to distinguish legitimate automated agents from malicious bots. A comprehensive KYA program involves four key pillars: product audits, cryptographic issuance, network recognition, and continuous monitoring to ensure secure, authorized digital transactions.
Why do AI agents need verifiable identity?
AI agents require verifiable identity to prevent being blocked by security infrastructure while maintaining the ability to perform complex, automated tasks.
* Current Web Application Firewalls (WAFs) often block useful agents as "unknown bots."
* Agents use HTTPS and execute JavaScript, making them indistinguishable from browsers via heuristics.
* Unlike standard crawlers, interactive agents must perform actions like completing purchases.
* KYA allows legitimate agents to carry credentials that exclude dangerous or unauthorized bots.
What does a KYA program cover?
A complete KYA program ensures an agent is authenticated and compliant through four distinct components:
1. Agent Product Audit
Before credential issuance, the agent's codebase, data access scope, and intent are reviewed to ensure it handles errors safely and stays within its claimed scope.
2. Cryptographic Credentials
Approved agents receive signing keys tied to their identity. Every request is signed using RFC 9421 HTTP Message Signatures, allowing verifiers to confirm the request source.
3. Network-Level Recognition
Credentials must be recognized by major intermediaries. The Cloudflare Verified Bots program is a primary example of this recognition for crawlers, now extending to interactive agents.
4. Continuous Monitoring and Revocation
Identity is not a one-time event; credentials are re-evaluated if an agent's behavior or data access changes. Compromised credentials can be revoked instantly.
How does KYA relate to TAP and AP2?
KYA serves as the overarching framework, while Visa TAP and AP2 are specific functional implementations.
| Protocol | Primary Function | Relationship to KYA |
|---|---|---|
| Visa TAP | Proves legitimacy to firewalls. | A specific implementation of KYA-style credentials. |
| AP2 | Authorizes specific transactions. | Builds on identity to verify user-authorized purchases. |
| Mastercard Agent Pay | Facilitates agentic payments. | Utilizes tokenized cards and audit trails for identity. |
Why is KYA important for merchants and platforms?
KYA infrastructure is essential for reducing fraud and unlocking new revenue from automated agent buyers.
* Fraud Reduction: Verified agents are easier to allow and manage than unverified traffic.
* New Revenue Surfaces: Merchants can safely sell to "agent buyers" that were previously blocked.
* Compliance: KYA provides the audit trails required by regulators to establish accountability for AI actions.
What is the current status of KYA standards?
The KYA landscape is early but maturing rapidly through major financial and infrastructure partnerships.
* Visa TAP is currently in developer preview.
* Cloudflare Verified Bots is currently in production.
* Mastercard has announced "Agent Pay" for agent-issued tokenized cards.
* Technical specifications are consolidating around RFC 9421 for cryptographic signing.
* AgentFi provides product audits, credential issuance, and integration with network recognition layers.
*
Related Resources:
* Learn more about Trust & Identity