What Is Know Your Agent (KYA)?

TL;DR: Know Your Agent (KYA) is an emerging framework for verifying the identity of AI agents before they transact on behalf of humans. Like KYC for customers and KYB for businesses, KYA answers three questions: Who made this agent? Who does it represent? What is it authorized to do?

---

AI agents are already shopping on your behalf. They’re comparing prices, filling carts, and in some cases, completing purchases—all without you clicking “buy.” Over the past year, AI-driven traffic to U.S. retail sites surged 4,700%, according to Visa. Nearly half of U.S. shoppers now use AI tools for at least one shopping task.

This creates a problem merchants didn’t have before: How do you tell the difference between a legitimate AI assistant acting on behalf of a real customer and a malicious bot trying to scrape your inventory or commit fraud?

The answer emerging across the payments and identity industry is Know Your Agent—or KYA.

Where the term comes from

The phrase “Know Your Agent” entered academic literature in February 2025 when Tomer Jordi Chaffer, a researcher at McGill University, published a paper titled “Know Your Agent: Governing AI Identity on the Agentic Web”. The paper argued that as AI agents become more autonomous and decentralized, we need frameworks to verify their identity, monitor their behavior, and hold them accountable.

Chaffer’s paper proposed using blockchain-based tools—soulbound tokens, zero-knowledge proofs, and decentralized autonomous organizations (DAOs)—to create a global registry for AI agents. The framework he outlined, called ETHOS, would enable dynamic risk classification and automated compliance monitoring.

Within months, the concept jumped from academia to industry. Identity verification companies, payment networks, and enterprise security firms all began using “KYA” to describe their own approaches to the same problem—though their solutions look quite different.

The three questions KYA tries to answer

Regardless of implementation, every KYA framework attempts to answer the same three questions:

1. Who created this agent?
Is the agent from a legitimate, vetted developer? Can we trace it back to a real business entity? This is the “provenance” question—establishing the chain of custody from code to deployment.

2. Who does this agent represent?
Is there a real human behind this agent? Did that human actually authorize the agent to act on their behalf? This is the “user binding” question—confirming that the agent isn’t operating autonomously without consent.

3. What is this agent authorized to do?
What specific permissions has the human granted? Can it browse but not buy? Can it spend up to $100 but not $1,000? This is the “scope” question—ensuring the agent stays within its approved boundaries.

Different players answer these questions in different ways.

The major players building KYA

Trulioo and the Digital Agent Passport

Trulioo, a global identity verification company covering 195 countries, has positioned itself as the leading voice in KYA. In August 2025, Trulioo partnered with Worldpay—which processes $2.5 trillion in payments annually—to introduce the KYA framework powered by their Digital Agent Passport.

The Digital Agent Passport is a tamper-proof credential bundle that travels with an agent. It contains five checkpoints:

1. Provenance — Verification that the developer is a legitimate business entity
2. User binding — Proof that a verified human authorized the agent
3. Permission scope — Documentation of what the agent is allowed to do
4. Real-time behavior telemetry — Continuous monitoring of agent actions
5. Continuous risk scoring — Dynamic assessment of trust level

Trulioo proposes that independent “Digital Passport Authorities”—similar to SSL certificate authorities—would issue, sign, and revoke these passports. In December 2025, Trulioo joined Google’s Agent Payments Protocol (AP2) to bring KYA to that ecosystem.

Visa Trusted Agent Protocol (TAP)

Visa took a different approach. In October 2025, Visa unveiled the Trusted Agent Protocol (TAP), developed in collaboration with Cloudflare. TAP is an open framework built on existing web infrastructure that enables merchants to verify agents at checkout.

Here’s how it works: Agents must first be onboarded through Visa’s Intelligent Commerce program, where they receive a unique cryptographic key. When an agent visits a merchant’s site, it signs its requests with that key, passing three pieces of information:

• Agent intent — Confirmation that this is a Visa-trusted agent with intent to purchase
• Consumer recognition — Data linking the agent to a specific customer account or device
• Payment information — Hashed credentials or tokenized payment data

The protocol is available on GitHub and uses RFC 9421 HTTP message signatures—a standard cryptographic method for signing web requests. By December 2025, Visa announced that hundreds of secure agent-initiated transactions had been completed in pilot programs.

Key partners include Stripe, Adyen, Shopify, Microsoft, Coinbase, and Akamai.

Vouched and MCP-I

While Trulioo and Visa focus on merchants, Vouched took a protocol-first approach. The Seattle-based identity verification company, which raised $17 million in September 2025, built an identity extension for the Model Context Protocol (MCP)—Anthropic’s open standard for AI-to-server communication.

The result is MCP-I (Model Context Protocol – Identity), which adds cryptographic identity verification to any MCP-based agent system. Vouched also launched AgentShield, a free tool that lets websites detect whether sessions are coming from humans, bots, or AI agents.

Their approach centers on four capabilities:

1. Detection — Identifying that an agent is present
2. Authentication — Verifying the agent’s cryptographic identity
3. Authorization — Confirming what the human has permitted
4. Reputation — Tracking the agent’s behavior over time

Vouched’s KnowThat.ai serves as a public directory where MCP servers can report on agent behavior—essentially a credit score for AI agents.

Google Agent Payments Protocol (AP2)

Google launched the Agent Payments Protocol in September 2025 as a payment-agnostic standard for agentic commerce. Unlike Visa’s TAP, which is tied to the Visa network, AP2 is designed to work across payment methods—cards, bank transfers, and potentially stablecoins.

AP2 provides a common language for how AI agents can initiate transactions while capturing user consent cryptographically. Trulioo’s Digital Agent Passport integrates with AP2 to provide the identity verification layer.

What’s different about each approach

Player	Registry Model	Blockchain?	Open Standard?	Who Controls Access
Trulioo	Digital Passport Authorities	No	Whitepaper	Industry consortia
Visa TAP	Visa Intelligent Commerce	No	Yes (GitHub)	Visa
Vouched MCP-I	Decentralized (DIDs)	Optional	Yes	No central authority
Google AP2	Open protocol	No	Yes	No central authority

The philosophical split is clear: centralized approaches (Trulioo, Visa) offer faster deployment and easier compliance but create gatekeepers. Decentralized approaches (Vouched’s MCP-I, blockchain-based proposals) offer more autonomy but require ecosystem coordination.

What current KYA frameworks assume

Every major KYA implementation shares one assumption: the agent acts on behalf of a human.

This makes sense for today’s use cases. When you tell ChatGPT to book a flight, you’re still the principal—the agent is just your tool. KYA verifies that the human behind the agent is real and that they authorized the action.

But what happens when the agent isn’t representing anyone?

Some AI systems are already operating semi-autonomously. Truth Terminal, an AI that gained fame in 2024, holds its own cryptocurrency and makes its own financial decisions. Crypto AI agents on platforms like Virtuals Protocol and ai16z trade tokens without human intervention.

If an AI agent registers itself, accumulates reputation over time, and transacts independently, current KYA frameworks don’t have a clear answer. They’re built for a world where every agent has a human behind it.

This is the gap that newer projects are attempting to fill. RNWY, for example, uses soulbound tokens (non-transferable identity) combined with decentralized identifiers to create identity infrastructure where humans and AI register the same way—no assumption that there’s always a human behind the agent.

The timeline so far

Date	Event
February 2025	Chaffer publishes “Know Your Agent” paper on SSRN
May 2025	Vouched launches KYA suite and MCP-I specification
August 2025	Trulioo and Worldpay announce KYA partnership
September 2025	Vouched raises $17M Series A
September 2025	Google launches Agent Payments Protocol
October 2025	Visa launches Trusted Agent Protocol with Cloudflare
December 2025	Trulioo joins Google AP2
December 2025	Visa announces hundreds of completed agent transactions
December 2025	Visa and Akamai partnership for TAP + bot management

What comes next

KYA is moving fast—faster than most compliance frameworks in history. Within a single year, it went from academic paper to production transactions.

Several questions remain open:

Interoperability. Will a Digital Agent Passport from Trulioo work with Visa TAP? Will MCP-I credentials be recognized by Google AP2? Without standards, we may end up with fragmented identity silos.

Regulation. The EU AI Act, U.S. state privacy laws, and financial regulations don’t yet address AI agent identity. How KYA frameworks align with emerging rules will shape adoption.

Autonomous agents. What happens when agents don’t represent humans at all? Current frameworks assume human accountability. That assumption may not hold.

Cost and accessibility. Enterprise solutions like Trulioo and Visa serve large merchants. Smaller businesses and individual developers need accessible options.

The space is early, fragmented, and moving quickly. If you’re building in agentic commerce, agent infrastructure, or identity verification, KYA is a term you’ll be hearing a lot more.

---

This site tracks the emerging Know Your Agent ecosystem. We’re practitioners building in this space ourselves. Learn more about us.