What is Know Your Agent (KYA)?
Know Your Agent (KYA) is an identity framework that validates which AI agent is acting, under whose authority, and within what scope at the moment of execution.
It extends verified identity principles to autonomous AI agents that operate in enterprise environments, meaning every agent action is tied to a verified, authorized identity before execution.
Unlike traditional identity verification that happens once at registration, Know Your Agent (KYA) validates an agent's identity and authorization every time it attempts to act. This runtime authorization ties every consequential action taken by an AI agent to a verified human authorizer, and includes a full cryptographic audit trail.
Because AI agents can act at machine speed across thousands of systems, the cryptographic audit trail is the only way to reconstruct exactly who authorized what, when, and under what scope.
Why AI agents need different identity controls than humans
AI agents differ from traditional machine identities like service accounts and API keys because agents are autonomous and non-deterministic. An AI agent receives a prompt, reasons about it, and decides what action to take at runtime.
That variance creates both value and risk. Traditional identity controls that validate access once at registration can’t account for autonomous decisions made at execution time.
How KYA extends KYC and KYE principles
Know Your Agent (KYA) follows a logical progression from two established identity frameworks: Know Your Customer (KYC) and Know Your Employee (KYE).
Know Your Customer (KYC) established that digital interactions require verified identity anchored to government-issued documentation and biometric verification, not assumed trustworthiness.
Know Your Employee (KYE) applied verified identity logic internally, replacing knowledge-based verification at help desks with biometric verification that returns a pass or fail determination.
Know Your Agent (KYA) extends this pattern to AI agents. The common thread is that identity must be verified at the point of consequence, not assumed from a prior check. As AI agents gain the ability to take consequential actions autonomously, enterprises are discovering that registration-time identity checks are insufficient.
Why AI agents need their own identity framework
Enterprises are deploying AI agents faster than they can govern them. According to a 2026 field audit by 1Kosmos, a single scan of one Fortune 100 environment found 700 agents in operation across 24 MCP servers, yet fewer than 10 were running production-facing workflows with dedicated governance controls in place. The scope of this problem extends across industries.
The scale of ungoverned agents in enterprise environments
82% of enterprises have unknown agents operating in their environments, according to the Cloud Security Alliance
Only 15% of organizations have near-full agent ownership visibility, according to the same report
The average enterprise environment contains over 800 risky AI agents, with 40% carrying medium-to-critical risk factors, according to Obsidian Security
What makes AI agents different from service accounts and scripts
Traditional non-human identity (NHI) governance assumes machine identities are deterministic. A service account runs a defined script on a defined schedule, and an API key authenticates a connection between known systems.
AI agents operate differently
An agent receives a prompt like "wake up infrastructure," reasons about what that means, and autonomously decides which tools to call and what parameters to use. This non-deterministic behavior creates a governance challenge that traditional NHI tools were not designed to solve.
The real consequences of ungoverned AI agents
The consequences of ungoverned agents are already documented:
65% of enterprises running AI agents experienced at least one agent-related security incident in the past twelve months, and more than a third produced direct financial loss (Cloud Security Alliance)
47% of CISOs have observed AI agents exhibiting unintended or unauthorized behavior, yet only 5% felt confident they could contain a compromised agent (Saviynt)
60% of organizations cannot terminate a misbehaving agent quickly, and 63% cannot enforce purpose limitations (Kiteworks)
Three documented incidents from 2026 illustrate how agent identity failures create real enterprise exposure.
McKinsey Lilli breach: unauthenticated agent access
In March 2026, security researchers and ethical hackers at CodeWall pointed an autonomous offensive agent at McKinsey's internal AI platform, Lilli. The exercise found 22 unauthenticated API endpoints that allowed access to 46.5 million chat messages, 728,000 files, and 57,000 user accounts.
The incident demonstrated a systemic issue: agent platforms built without runtime identity validation expose data at scale.
PocketOS incident: agents acting beyond their scope
According to The New Stack, on April 25, 2026, a Cursor AI agent deleted an entire production database in under ten seconds. The agent autonomously discovered an API token with broader authority than its assigned scope and used it to execute a database deletion command.
The agent was behaving as designed: it searched for available tools, found one with sufficient authority, and acted on it. The failure was structural; the API token had no scope limitations or expiration.
Meta internal agent exposure
In April 2026, an internal AI agent at Meta exposed sensitive data to unauthorized employees for approximately two hours. The incident was classified as Severity 1 and illustrated that even internal agents require identity validation at runtime.
The three components of AI agent identity
Governing AI agents requires understanding three distinct concepts: identity, authentication, and authorization.
Agent identity
AI agent identity is the unique identifier of a specific agent instance, bound to a verified human owner. It establishes accountability by linking every agent to the human responsible for its actions.
Traditional machine credentials like API keys do not carry ownership records, which creates the "ghost agent" problem: when an employee leaves the organization, agents they created may continue operating on persistent credentials with no accountable human attached.
Agent authentication
AI agent authentication proves the agent is who it claims to be, and it has two pillars:
Registration-time authentication: Validates identity once when the agent is created, then issues a credential the agent presents in future interactions. This approach works for deterministic systems but fails for autonomous agents that make runtime decisions.
Runtime authentication: Validates the agent's identity at every consequential action. Rather than trusting a credential issued days earlier, the system checks identity at the moment the agent attempts to act.
Agent authorization
AI agent authorization determines what the agent is allowed to do at this specific moment. Authorization is a dynamic evaluation that considers the agent's identity, the action it is attempting, the data or system it is targeting, and the current context.
Traditional authorization relies on role-based access control (RBAC), where permissions remain valid until explicitly revoked. For autonomous agents that can independently decide what to do, static authorization creates risk.
Runtime authorization validates not just whether the agent has access, but whether the specific action it is attempting is authorized right now, with approval from the responsible human.
This is where Know Your Agent (KYA) operates: at the execution plane.
How does Know Your Agent (KYA) work?
Know Your Agent (KYA) shifts identity and authorization validation from a one-time check at agent creation to continuous validation at the moment of execution.
The shift from registration-time to runtime authorization
Traditional identity governance operates on a registration-time model: an administrator creates a service account, assigns permissions, and issues credentials. Those permissions remain valid until explicitly changed.
For autonomous agents that interpret prompts and decide at runtime what to do, registration-time authorization is structurally insufficient.
How runtime authorization intercepts agent actions
Runtime authorization intercepts every consequential action before it reaches the target system. When an agent attempts to call a tool, the request passes through a policy engine that:
Validates the agent's identity
Checks scope against the requested action
Confirms credential validity
Determines whether human approval is required
Only allows execution to proceed after validation passes
The recent PocketOS incident in April is an example of this risk: the Cursor AI agent autonomously found an API token with broader authority than its assigned task and acted on it. Runtime authorization would have intercepted that action before the database was deleted.
The role of verifiable credentials in KYA
Verifiable credentials (VCs) are W3C-standard cryptographically signed, time-bound, scope-bound tokens that replace static API keys.
A verifiable credential carries five fields:
Issuer identity: The human who authorized the credential
Cryptographic binding: Links the credential to the specific agent
Validity window: Automatic expiration (hours to days, not indefinite)
Permitted scope: Specific actions allowed
Environmental context: Where and under what conditions the credential is valid
Unlike an API key that is valid until revoked, a verifiable credential expires automatically. This automatic expiration limits exposure when agents are compromised or behave unexpectedly.
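The policy-engine steps listed above and the five credential fields can be put together in one small runtime check. The Python below is an added illustration, not 1Kosmos code and not a W3C library: the issuer name, agent ids, signing keys and the HIGH_RISK_ACTIONS set are constructed for the example, and the credential is signed with HMAC-SHA256 as a stand-in for a real verifiable-credential signature suite. It evaluates one intercepted tool call and returns ALLOW, DENY or STEP_UP, covering the expired, mis-bound, tampered and offboarded-issuer cases as well as the per-action approval the text describes for high-risk operations.

```python
"""Added example (not 1Kosmos code): a minimal runtime-authorization check.

A tool call is intercepted before it reaches the target system and evaluated
against a credential carrying the five fields the text lists: issuer identity,
agent binding, validity window, permitted scope, environmental context.
HMAC-SHA256 over canonical JSON stands in for a real VC signature suite.
"""
import hashlib
import hmac
import json
import time

# Constructed data for the example; names and keys are hypothetical.
ISSUER_KEYS = {"alice@example.com": b"alice-signing-key-demo"}
ACTIVE_HUMANS = {"alice@example.com"}   # HR-controlled set of currently employed authorizers
HIGH_RISK_ACTIONS = {"db:delete", "payments:transfer", "infra:provision"}


def _canonical(payload: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(issuer, agent_id, scope, ttl_seconds, context, now=None):
    """The human `issuer` signs a time-bound, scope-bound credential for one agent."""
    now = time.time() if now is None else now
    payload = {
        "issuer": issuer,                       # the human who authorized it
        "agent": agent_id,                      # binding to one specific agent
        "nbf": now, "exp": now + ttl_seconds,   # validity window, never indefinite
        "scope": sorted(scope),                 # permitted actions
        "context": context,                     # environmental context, e.g. {"env": "prod"}
    }
    sig = hmac.new(ISSUER_KEYS[issuer], _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def evaluate(request, credential, active_humans=ACTIVE_HUMANS, now=None):
    """Policy-engine decision for one intercepted tool call.

    request = {"agent": <id>, "action": <tool action>, "env": <environment>}
    Returns (decision, reason) with decision in {"ALLOW", "DENY", "STEP_UP"}.
    """
    now = time.time() if now is None else now
    p = credential["payload"]
    # 1. Validate identity: the signature must verify under the named issuer's key
    #    and the credential must be bound to the agent that is actually calling.
    key = ISSUER_KEYS.get(p["issuer"])
    if key is None:
        return "DENY", "unknown issuer"
    expected = hmac.new(key, _canonical(p), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential["sig"]):
        return "DENY", "bad signature"
    if p["agent"] != request["agent"]:
        return "DENY", "credential not bound to this agent"
    # 2. Confirm credential validity: inside its window, issuer still accountable,
    #    and presented in the environment it was issued for.
    if not (p["nbf"] <= now < p["exp"]):
        return "DENY", "credential outside validity window"
    if p["issuer"] not in active_humans:
        return "DENY", "issuer offboarded (ghost agent)"
    if p["context"].get("env") != request.get("env"):
        return "DENY", "environmental context mismatch"
    # 3. Check scope against the requested action.
    if request["action"] not in p["scope"]:
        return "DENY", f"{request['action']} not in scope"
    # 4. Decide whether human approval is required. A high-risk action needs a
    #    fresh credential whose context records approval of exactly this action
    #    (assumed representation of the post-step-up credential).
    if request["action"] in HIGH_RISK_ACTIONS and p["context"].get("approval") != request["action"]:
        return "STEP_UP", "high-risk action needs per-action human approval"
    # 5. Only now may execution proceed.
    return "ALLOW", "validated"
```

The checks run in the order the text gives them, and every failure is a hard deny with a reason the audit log can record. A broad but valid credential is not enough for a high-risk action: the engine returns STEP_UP, and only a new short-lived credential scoped to that single action, carrying the approval marker in its context, turns the same request into ALLOW. How that marker is encoded is this example's assumption, not a standard field.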
Why verifiable credentials establish accountability
Each credential identifies the human who issued it, the agent it was issued to, and the specific scope of access granted.
If an agent takes an unauthorized action, the audit trail shows exactly which credential was used, who issued it, and whether the action fell within the defined scope.
Because they follow a W3C standard, verifiable credentials work across agent frameworks including LangChain, Relevance AI, and Microsoft Copilot Studio. This interoperability means enterprises can apply consistent identity policies regardless of which tools their teams use to build agents.
Human-in-the-loop authorization for high-risk actions
High-risk agent actions require real-time human approval before execution proceeds. This mechanism uses Client Initiated Backchannel Authentication (CIBA), a protocol that decouples the authorization decision from the execution flow.
Policy thresholds determine when step-up authentication fires. Low-risk actions, such as a read-only query or a purchase below a defined spend limit, execute automatically once the agent's verifiable credential is validated. High-risk actions follow a different path.
How do policy thresholds trigger step-up authentication for AI agents?
When an agent attempts a high-risk action, the policy engine halts execution before the tool is ever reached and sends a push notification to the human owner's mobile wallet via Client Initiated Backchannel Authentication (CIBA). The notification includes the agent's identity, the action it is attempting, and the proposed validity window. The human reviews the request and approves or denies it with biometric verification.
If approved, the agent receives a verifiable credential scoped to that specific action with a short validity window, often minutes to hours, and only then does execution proceed. The system logs the approval with cryptographic proof linking the action to the human who authorized it.
This mechanism solves a critical accountability gap. In traditional models, an agent with valid credentials can take any action those credentials permit, regardless of risk level.
Know Your Agent (KYA) applies graduated controls instead, so routine actions flow without friction while consequential actions such as money movement, infrastructure changes, or access to sensitive data require explicit, real-time human approval before the tool is ever reached.
What happens without KYA: Real incident analysis
Three documented incidents from 2026 illustrate how agent identity and authorization failures produce real enterprise exposure.
The McKinsey Lilli breach (Unauthenticated Endpoints): This breach occurred because agent endpoints lacked authentication checks, executing any request they received. KYA requires cryptographic identity validation before a request reaches the API; uncredentialed requests are intercepted and blocked at the edge.
The PocketOS database deletion (Over-privileged Tokens): An agent found a static API token with global delete authority and used it, despite only needing read access for its task. KYA replaces static tokens with dynamically scoped verifiable credentials, so an agent authorized to read data cannot execute a delete command.
The "Ghost Agent" problem (Orphaned Automation): When developers leave an organization, the agents they built often keep running on persistent credentials with no accountable human attached. KYA cryptographically binds every agent to a verified human identity so that when HR offboards the employee, the agent’s credentials are automatically voided, instantly destroying its ability to act.
KYA vs. traditional identity approaches
This comparison shows why traditional approaches create risk when applied to autonomous agents:
| Approach | When identity is verified | Scope control | Human accountability |
|---|---|---|---|
| API Keys | At issuance | Static, often overbroad | None at action time |
| Service Accounts | At creation | Static | Owner listed in registry |
| Know Your Agent (KYA) | At every action | Dynamic, action-specific | Verified at execution |
Why API keys fail for autonomous agents
API keys authenticate a connection. If the key is valid, the tool executes the request, regardless of who or what is making it. API keys have no inherent expiration, no scope limitations, and no mechanism to link actions back to a verified human at the moment of execution.
Why service accounts are insufficient for agents
Service accounts establish ownership at creation, but ownership is recorded as a static registry entry. The system knows who created the account but has no way to validate whether a specific action the account is taking was authorized by that owner.
How KYA validates identity at execution time
Know Your Agent (KYA) validates identity at every consequential action. The agent must present a valid, time-bound, scope-bound verifiable credential that links back to a verified human authorizer. High-risk actions require real-time human approval via biometric verification.
How KYA handles agent-to-agent delegation
Multi-agent workflows, where one agent hands off a task to another, introduce a specific accountability risk. If each hop in the chain operates on its own static credential, the link back to the original human authorizer breaks and the audit trail becomes unenforceable.
Know Your Agent (KYA) addresses this through scoped delegation tokens. When Agent A needs to invoke Agent B, it passes a delegation token that carries the original human authorizer's identity, the permitted scope for that specific hop, and an expiration window. Agent B cannot act beyond the scope defined in the token it received, and every hop in the chain is cryptographically traceable back to the verified human who initiated the workflow.
The governing principle is that no agent acts without a credential chain traceable to a verified human, regardless of how many agents are involved in the workflow.
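The delegation rules just described can be checked mechanically at each hop. The Python below is an added example, not 1Kosmos code: the human and agent names and their signing keys are constructed, and it assumes each hop's token is signed by the delegating agent while the root token is signed by the human (the text does not specify who signs each hop). The verifier walks the chain and enforces that every token names the same original human authorizer, that scope only narrows and expiry only shortens from hop to hop, that each hop is issued by the agent the previous hop authorized, and that the final token belongs to the agent actually asking to act.

```python
"""Added example (not 1Kosmos code): verifying a multi-hop delegation chain.

A workflow starts with a human-signed root token for Agent A. Each handoff
appends a token signed by the delegating agent. verify_chain() returns the
human authorizer if the requesting agent may perform the action, otherwise
it raises DelegationError naming the first broken link.
HMAC-SHA256 with per-principal keys stands in for a real signature suite.
"""
import hashlib
import hmac
import json
import time

# Constructed keys for the example; every principal (human or agent) has one.
KEYS = {
    "alice@example.com": b"human-key-demo",
    "agent-a": b"agent-a-key-demo",
    "agent-b": b"agent-b-key-demo",
    "agent-c": b"agent-c-key-demo",
}
HUMANS = {"alice@example.com"}   # verified human identities allowed to root a chain


class DelegationError(Exception):
    pass


def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def delegate(issuer, subject, scope, exp, authorizer):
    """`issuer` signs a token letting `subject` act within `scope` until `exp`."""
    payload = {"iss": issuer, "sub": subject, "scope": sorted(scope),
               "exp": exp, "authorizer": authorizer}
    sig = hmac.new(KEYS[issuer], _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_chain(chain, agent, action, now=None):
    """Return the human authorizer if `agent` may perform `action` under `chain`."""
    now = time.time() if now is None else now
    if not chain:
        raise DelegationError("empty chain")
    root = chain[0]["payload"]
    if root["iss"] not in HUMANS:
        raise DelegationError("root not issued by a verified human")
    if root["authorizer"] != root["iss"]:
        raise DelegationError("root authorizer mismatch")
    allowed, exp, prev_sub = None, float("inf"), None
    for i, tok in enumerate(chain):
        p = tok["payload"]
        key = KEYS.get(p["iss"])
        expected = hmac.new(key, _canonical(p), hashlib.sha256).hexdigest() if key else ""
        if not key or not hmac.compare_digest(expected, tok["sig"]):
            raise DelegationError(f"hop {i}: bad signature")
        if i > 0 and p["iss"] != prev_sub:
            raise DelegationError(f"hop {i}: issued by {p['iss']} but previous hop authorized {prev_sub}")
        if p["authorizer"] != root["authorizer"]:
            raise DelegationError(f"hop {i}: authorizer changed")
        scope = set(p["scope"])
        if allowed is not None and not scope <= allowed:   # scope may only narrow
            raise DelegationError(f"hop {i}: scope widened by {sorted(scope - allowed)}")
        if p["exp"] > exp:                                  # expiry may only shorten
            raise DelegationError(f"hop {i}: expiry extended beyond parent")
        if p["exp"] <= now:
            raise DelegationError(f"hop {i}: expired")
        allowed, exp, prev_sub = scope, p["exp"], p["sub"]
    if prev_sub != agent:
        raise DelegationError(f"chain ends at {prev_sub}, not {agent}")
    if action not in allowed:
        raise DelegationError(f"{action} not in final scope")
    return root["authorizer"]


def check(chain, agent, action, now=None):
    """Non-raising wrapper: (True, authorizer) or (False, reason) for logging."""
    try:
        return True, verify_chain(chain, agent, action, now=now)
    except DelegationError as e:
        return False, str(e)
```

Because the verifier recomputes every hop from the root, a hop that was skipped, re-signed by the wrong agent, widened in scope or stretched in lifetime is rejected even if the last token in the chain looks valid on its own. The returned authorizer is the value to write into the audit record for the action.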
Industries and use cases where KYA matters most
Three industries face the highest immediate risk from ungoverned agents.
Financial services: preventing autonomous spending
Financial services organizations are deploying agents with access to payment systems, transaction platforms, and customer account data. The risk of autonomous spending is a top concern for risk and compliance teams.
Top cyber insurance underwriters are beginning to require that organizations document human validation for every agentic workflow that makes a business decision.
Enterprise IT: managing agent sprawl and ghost agents
Our Fortune 100 audit that found 700 agents with fewer than 10 governed illustrates how quickly agents proliferate beyond visibility.
IT teams need mechanisms to discover which agents are running, identify who owns them, and determine what they are authorized to do. The ghost agent problem is particularly acute in IT environments where employees routinely create agents to automate tasks, then leave without documenting or decommissioning them.
Regulated industries: meeting compliance requirements
Organizations subject to regulatory frameworks requiring human review of automated decisions are adopting Know Your Agent (KYA) to meet compliance requirements.
Key frameworks that apply:
GDPR Article 22 requires human review of automated decisions with significant individual effect
SOC 2 requires access to be reviewed and approved by responsible parties
OWASP Agentic Top 10 catalogs the specific failure modes auditors are referencing when evaluating AI agent security
How to start implementing KYA
Implementing Know Your Agent (KYA) begins with visibility.
Step 1: Discover what agents are running
The Cloud Security Alliance warns that 8 out of 10 enterprises have unknown agents operating in their environments. Governance controls cannot be applied to agents that administrators do not know exist.
Discovery tools scan for agent activity by monitoring API calls, tool invocations, and credential usage patterns that indicate autonomous decision-making. The output is an inventory that identifies each agent, maps it to an owner, documents its access credentials, and flags which systems it can reach.
Step 2: Classify agents by risk
Not all agents carry the same risk. An agent that summarizes documents is low-risk, while an agent that can provision infrastructure or move money is high-risk.
According to Obsidian Security, the average enterprise environment contains over 800 risky AI agents, with 40% carrying medium-to-critical risk factors.
Risk classification examines three dimensions:
Data access - What information can the agent access?
Action scope - What can it do with that access?
System reach - Which systems can it affect?
Step 3: Implement runtime authorization for high-risk actions
Once high-risk agents are identified, runtime authorization policies intercept their actions before execution. Many agent frameworks use the Model Context Protocol (MCP) as the standard tool access layer, making it a natural interception point.
A policy engine operating at the MCP layer can intercept every tool call, validate the agent's verifiable credential, check scope, and enforce human-in-the-loop requirements regardless of which framework generated the agent.
Runtime authorization applies three policy dimensions to every agent action: the prompt (what was the agent asked to do?), the data source (what information is it accessing?), and the action (what will it do with that access?).
The future of AI agent identity
Know Your Agent (KYA) is an emerging operating model, not yet an established industry standard. However, the forces driving adoption are accelerating.
Why insurance pressure is driving KYA adoption
Top cyber insurance underwriters are already asking enterprises to document human-in-the-loop controls for agentic workflows. Their claims data shows losses from agents acting without oversight, and they are adjusting coverage terms accordingly.
Insurance mandates are likely to move faster than formal regulatory frameworks because insurers respond to claims data in real time.
What the 2026 incidents reveal about agent risk
The documented incidents from 2026 provide proof points that agent authentication failures produce measurable business impact. Among other cautionary statistics, the Cloud Security Alliance reports that 65% of surveyed enterprises running AI agents experienced at least one agent-related security incident in the past twelve months.
Organizations adopting Know Your Agent (KYA) now are addressing this exposure before it becomes a mandated compliance requirement.
How 1Kosmos fits into AI agent governance
1Kosmos operates at the execution plane, intercepting agent actions at the Model Context Protocol (MCP) layer before tools are reached. The platform applies runtime authorization policies across agent frameworks including LangChain, Relevance AI, and Microsoft Copilot Studio, ensuring consistent governance regardless of which tools teams use to build agents.
Every agent action is bound to a verifiable credential that carries issuer identity, scope limitations, validity window, and environmental context. Human-in-the-loop approval is required for high-risk operations, with biometric verification linking every consequential action to a verified human authorizer.
FAQs
What does KYA stand for?
KYA stands for Know Your Agent. It is an identity framework that validates which AI agent is acting, under whose authority, within what scope, at the moment of execution.
Is Know Your Agent the same as KYC?
No, but Know Your Agent (KYA) follows the same principle as Know Your Customer (KYC). KYC established that customer identity must be verified, not assumed. KYA applies that same logic to AI agents. Both frameworks validate identity at the point of consequence, but KYC focuses on human customers while KYA governs autonomous agents.
How is KYA different from non-human identity management?
Non-human identity (NHI) management governs service accounts, API keys, bots, and automated processes that are deterministic and predictable. Know Your Agent (KYA) governs AI agents that interpret prompts and make autonomous decisions at runtime. AI agents decide what to do based on context, making their behavior non-deterministic.
What is runtime authorization for AI agents?
Runtime authorization validates an agent's identity and scope at the moment it attempts to act, not just when it is created. Every consequential action is intercepted by a policy engine before the tool is reached. High-risk actions require real-time biometric approval from the human owner.
Do all AI agents need KYA?
Whether an AI agent needs Know Your Agent (KYA) governance depends on what it can do. Agents with read-only access that summarize information carry lower risk. Agents that can modify data, move money, provision infrastructure, or access sensitive resources require governance.
How do verifiable credentials work with AI agents?
Verifiable credentials are W3C-standard cryptographically signed tokens that replace static API keys. A verifiable credential carries five fields: issuer identity, cryptographic binding to the specific agent, validity window, permitted scope, and environmental context. The credential is time-bound and expires automatically.
What happens if an employee leaves and their agent keeps running?
This is called the ghost agent problem. When an employee leaves, agents they created may continue operating on persistent credentials. Know Your Agent (KYA) solves this by binding agent credentials to verified human identities. When the human is offboarded, their credentials are cryptographically voided, and any agent operating under their authority is immediately blocked.
Are cyber insurers requiring KYA?
Cyber insurers are not yet mandating Know Your Agent (KYA) as a formal policy requirement, but they are applying emerging pressure. Top 50 cyber insurance underwriters are asking enterprises to document human validation for every agentic workflow that makes a business decision.
About the author

Huzefa Olia
Co-Founder & Chief Operating Officer
Huzefa is the COO and a co-founder of 1Kosmos with 18+ years in identity and access management and cybersecurity, focused on scaling operations, go-to-market strategy, and enterprise partnerships across global markets.