This report is written by Tiger Research.AI agents are now capable of signing contracts, making payments, and conducting transactions on their own. However, there is an unresolved issue: how do you know who the agent on the other side is? This article organizes the different approaches of four players in the KYA standard dispute and where the regulation currently stands.
Key Points
- AI agents have entered the era of independently executing contracts, making payments, and conducting transactions, but there is no unified standard in the market to verify identities. In A2A (agent to agent) scenarios, KYA is receiving more attention than KYC.
- KYA is not needed everywhere. Within centralized platforms like Google, OpenAI, and Coinbase, existing KYC requirements are sufficient. KYA is truly needed when independently deployed agents connect to DEX, A2A payments, or merchant payments.
- The standard dispute has already begun. ERC-8004, Visa TAP, Trulioo, and Sumsub are coming from different directions: on-chain, payment network, compliance certification, and risk detection respectively, with completely different paths.
- Regulation is already in motion. The EU AI Act, the US NIST guidelines, and Singapore's national framework all list agent identity management as a priority. The FATF travel rules from 2019 determined which crypto exchanges would survive, and KYA is likely to see a similar script unfold.
1. Why Now
KYC Reshaped Finance
Before 1989, there was no unified identity standard in global finance. This gap made it difficult to trace dirty money and illicit funds. It was not until the FATF was established that KYC became a mandatory requirement in finance, effectively keeping illegal funds at bay.
Over the next thirty years, the influence of KYC expanded layer by layer. After 9/11 in 2001, the addition of anti-terrorist financing provisions elevated KYC to a legal obligation in the US through the Patriot Act. In the 2010s, the EU's AMLD, the Basel III Accord, and FATCA were successively implemented, leading to the automatic exchange of cross-border KYC information. The 2019 FATF travel rules extended KYC to virtual asset service providers.
Each extension fills a gap.
Without Agent Identity, the System Regresses
Returning to the present, AI agents do not require human supervision; they can sign contracts, make payments, and conduct transactions independently. But nobody can verify their identity.
In the A2A environment, responsibility is unclear. When issues arise, it's impossible to pinpoint accountability. Users are also at risk of encountering money laundering and various fraud schemes.
When comparing the financial environment before 1989 with the agent market of 2026, the structure is strikingly similar. Back then, there were anonymous accounts transferring across borders, while today, unverified agents are conducting A2A transactions. Verification responsibilities were placed on individual banks each back then and are now on each platform separately. There is no common standard.
This similarity is not a coincidence but a pattern. The technology has raced ahead while the identity layer has fallen behind.
What is KYA
KYA (Know Your Agent) is a layer of trust mechanism that clarifies the source, permissions, and responsibilities of agents in advance.
Skipping this step can spark three types of risks. The first is unauthorized transactions: a user has authorized payment, but the agent moves assets or signs contracts beyond the agreed scope. The second is identity fraud: a malicious agent masquerading as a legitimate one, hijacking payments, forging responses, and stealing credibility. The third is a responsibility vacuum: after an incident, the agent, developer, and client blame each other, making compensation untraceable.
What KYA does is lock in these three issues ahead of time. By pre-registering and verifying the scope of permissions, unauthorized actions are directly blocked. By verifying identity and source, only legitimate agents are allowed in. The source of each agent and their clients are recorded and can be traced in case of incidents.
2. Where Should KYA Operate
Not Everywhere
KYA is not particularly necessary within centralized platforms. Users have completed KYC, and the platforms themselves provide guarantees, creating a closed loop throughout the entire chain.
What requires KYA is the open environment beyond platforms. Agents need to connect to DEX, perform A2A payments, and make payments to merchants. At this point, nobody provides guarantees, nor can anyone vouch for them.
For instance, within a country, an ID card (KYC) suffices. Once crossing the border (leaving the platform), the environment changes, and it becomes necessary to undergo inspection (KYA) upon entry to clarify intentions and credibility.
Four-Step Process
The operation of KYA can be broken down into four steps. The first two steps are "passport issuance": first registering the agent's identity and permissions, then issuing a digital passport after verification. The last two steps are "border inspection": confirming the identity of the counterpart when a transaction occurs, followed by updating records based on transaction results.
Identity validation is not a one-time issuance but is rechecked with every transaction.
3. Four Players Competing for Standards
Currently, there are four players in the standard dispute, each with completely different paths.
ERC-8004: Making Identity an NFT
ERC-8004 follows a purely on-chain route. It adds a layer of identity on top of ERC-721, minting an NFT as a unique ID for each agent.
Accompanying this are three on-chain registries. Identity is responsible for "who this agent is," based on the unique AgentID from ERC-721. Reputation is responsible for "whether transactions can occur with it," leaving scores, tags, and evidence on-chain after transactions. Validation is responsible for "whether it actually performed that activity," cross-verified by third-party validators using zkML, TEE, and other plugins.
This structure is not new in Ethereum's history. ERC-20 standardized token issuance, with USDT, USDC, UNI, and AAVE growing from it. ERC-721 standardized NFT issuance, with CryptoPunks, BAYC, and ENS supporting the entire NFT market. ERC-8004 aims to play a similar role as a third standard.
Visa TAP: Packaging with Payment Networks
Visa's approach is completely different. It issues an identity credential (Agent Intent) to agents, equivalent to a card. Without this key, the agent cannot even initiate a transaction. Visa pre-approves before issuing the key, requiring a signature for each transaction supplied to the merchant.
What the merchant receives is not one signature, but three. The Agent Intent verifies the agent's legitimacy, backed by a key approved by VIC. Consumer Recognition indicates for whom it is working, passing user identifiers to the merchant. Payment Information provides a payment guarantee, using payment tokens or hashed card information to complete verification.
Visa integrates these elements into a larger package called Visa Intelligent Commerce (VIC). Besides TAP, it includes Agent APIs (technologies running when using Visa cards), Tokenization (tokens specifically for AI), and Intelligent Commerce Connect (compatible with competing protocols like AP2, ACP, x402).
The logic is clear. Visa seized the entry point of the payment network years ago, and now aims to package the age of agents into its own orbit. If agent payments continue to use card networks, and this package becomes the default option, Visa's market share will be secured.
Trulioo: Bringing Over the SSL Model
Trulioo is a player in the global KYC and KYB compliance track and is now extending its verification stack to KYA.
It draws from the model of website SSL certificates. SSL allows CA (Certificate Authority) to issue TLS certificates to websites, only verifying the domain name. Trulioo proposes the DPA (Digital Passport Authority) to issue DAP (Digital Agent Passport) to agents, validating developer KYB and user KYC.
DAP is not a static certificate. It is a live token that refreshes, revalidating with each transaction. If a delegation is revoked or anomalies are detected, the DAP becomes invalid immediately.
It includes five checkpoints: Provenance (which developer created it), User Binding (who authorized it), Permission Scope (what tasks it can perform), Behavior Telemetry (what it is currently doing), and Risk Scoring (risk rating).
Banks and fintechs are legally required to verify identities of individuals and companies. Once agents enter the financial sector, Trulioo's KYC and KYB positions become harder to replace.
Sumsub: Monitoring Anomalies Without Issuing Credentials
Sumsub's approach differs from the previous three. It does not issue standards or certificates but revalidates the person behind an agent when an abnormal transaction occurs.
Since 2015, it has been in the compliance business, and its verification system is now used to detect anomalous behaviors of agents. The process is broken into three steps. First, automated detection distinguishes between humans and machines through device and agent characteristics. Second, a risk score is generated, integrating context, amounts, and historical data to produce a risk rating. Finally, Liveness verification is only initiated during high-risk, large-sum, or critical changes to reconfirm the registered real person.
Sumsub's four features sharply contrast with other players. Its starting point is as a compliance operator rather than a standard setter. The timing of verification occurs during risky transactions rather than through prior registration. Its verification method involves real person confirmation rather than data or tokens. Its philosophy binds agents to responsible parties instead of simply shutting down the agents.
While other players focus on one-time identity verification before action, Sumsub performs real-time verification after credential issuance. As agent permissions expand, anomaly detection becomes increasingly critical. With fraud methods evolving alongside technology, Sumsub's real-time stack is worth noting.
4. Before Regulations Take Root
The Script of the FATF Travel Rules
With the release of the FATF travel rules in 2019, the VASP industry immediately split. Those able to withstand KYC and AML infrastructure costs survived, while others closed or moved to areas with looser regulations. CryptoBridge and Deribit were forced to adjust during that wave.
Regulation is not the end but a watershed.
The KYA script may unfold similarly. The EU, Singapore, and the US are already vying for a leading position.
Article 12 of the EU AI Act explicitly requires high-risk AI systems' behavioral logs to include the operator's identity. Singapore has released the world's first national AI governance framework for agents, extending identity management to agents and requiring accountable parties for each agent. The US NIST has prioritized agent identity management as a standard field.
The time window is narrowing.
There Will Be No Single Winner
The real variable in the standards dispute is not technology but combinations. Major players have entered a stage of collaboration and combinations. Moving forward, which players pair with which merchants, payment networks, and KYC customer bases will dictate ownership in each niche market.
There will be no single winner in this market.
In the domain of on-chain autonomous transactions, Ethereum is likely to lead. In payment-bound transaction scenarios, Visa has a clear advantage. Within the regulated financial industry, Trulioo's KYC and KYB accumulation is hard to replace. In transaction scenarios with fraud risks, Sumsub's real-time detection is more suitable.
These four are not direct competitors; they each occupy a different hill. The real competition occurs in the delineation of which scenarios fall under which hill.
KYC has taken thirty years to fill in the identity layer of global finance since 1989.
In this round of KYA, the pace seems a lot faster. Regulation is already underway, standard players have taken their positions, and the timeframe for large-scale deployment may be in the coming years.
When the time comes, survival may not be determined by the strongest technology, but by which entities integrated identity infrastructure the earliest.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
