Impersonation
A stolen or injected agent credential acts with the principal’s full authority — and nothing proves a liable party stands behind it.
AI agents now book, buy, negotiate and sign on people’s behalf — so every counterparty has to ask who is really behind them. Know Your Agent (KYA) is the missing trust layer for agentic AI. With MintID, a person verifies once, then deploys as many AI agents as they need — and each agent can prove it is backed by a real, accountable, KYC-verified human, without ever revealing who.
Every identity system of the last twenty years assumed a human at the keyboard. Agents act autonomously, in fleets, across organisational boundaries, at machine speed — and today’s stack bolts them onto service accounts, API keys and OAuth tokens. Six failures follow.
A stolen or injected agent credential acts with the principal’s full authority — and nothing proves a liable party stands behind it.
Agents register with no paper trail. Non-human identities sprawl with no accountable identity to point to.
Delegation chains don’t survive crossing organisations. The relying party cannot verify who ultimately authorised the agent in front of it.
Humans are asked to approve so often that approval stops meaning anything.
There is no fast, scalable way to kill a compromised agent’s standing across the whole ecosystem.
Today the only way to make an agent accountable is to attach its human’s real identity — and the only way to stay private is to be unaccountable.
MintID’s thesis is to resolve the sixth — accountability and privacy at the same time — and, in doing so, supply the missing answers to the other five.
Know Your Agent (KYA) is the practice of verifying that an autonomous AI agent is operated by a known, accountable party — the agent-era counterpart to Know Your Customer (KYC). It answers two questions counterparties can no longer skip: who is behind this AI agent, and who is liable if it acts in bad faith? MintID delivers KYA as verifiable, privacy-preserving agent identity — human-backed, provable on demand, and revocable.
one human · many unlinkable agents
sibling agents mutually unlinkable
fig. 1 — the agent credential model · accountability without identity
A person or business completes KYC a single time with an approved issuer. That verification — not the raw documents — becomes the accountable foundation every one of their agents can stand on.
From that one verification they issue a distinct, privacy-preserving credential to each AI agent they operate, with its permissions and limits baked in. No re-verification, no new paperwork per agent.
On request, an agent proves in seconds that a real, liable, KYC-verified human stands behind it — and that it is acting within its allowed scope — without exposing who that human is.
Classic KYC identifies the customer. KYA flips it: one human verification backs many AI agents, and it is the agent that proves its backing.
A person identifies themselves to the business. Being accountable means handing over a real identity — and, usually, a full trail of everything they do afterwards.
A person does KYC once with an approved issuer, then issues credentials to each of their AI agents. Every agent can prove it is run by a verified, liable human — without revealing which human, and without any two of that person’s agents being linkable to each other.
Agent identity verification that gives counterparties real assurance and gives operators real privacy. No trade-off — and no new burden on the chain, however many agents you run.
Every agent can prove a real, KYC-verified, liable human stands behind it, at the assurance level you require — the core Know Your Agent guarantee.
The proof reveals that the agent is backed and in good standing — never the identity of the human behind it, and never a trail of everywhere the agent has been.
What an agent is allowed to do is fixed into its credential when it is issued. It cannot quietly grant itself more power — counterparties see exactly the authority it carries.
An agent can carry pre-funded recourse, so a counterparty can confirm there is money standing behind it to make good on a dispute — without learning the amount or the owner.
Shut down one misbehaving agent, or stand down every agent a person operates at once. Trust can be withdrawn the moment it is misplaced.
Run one agent or a million: the design adds no per-agent footprint to the chain, so verification stays fast and cheap however large the deployment grows.
Wherever AI agents transact, delegate or act under rules, the counterparty needs to know an accountable human stands behind them.
When an AI agent checks out, books or pays, the merchant can confirm it is human-backed and carries recourse — cutting fraud and chargeback risk without a login for every buyer.
Before two AI agents transact or delegate over A2A or MCP, each can verify the other is backed by an accountable party — turning open agent networks into ones you can safely deal with.
Give every agent your organisation deploys a verifiable identity with scoped permissions, so partners and regulators can trust them and you can revoke any one instantly.
In finance, healthcare and the public sector, prove an agent is operated by a verified, liable party at the required assurance level — accountability that satisfies compliance without a privacy honeypot.
Every AI agent can carry pre-funded recourse behind it, so most disputes are settled financially without anyone being unmasked. Identity is the last resort, not the first move — decided by an independent arbiter under due process, never bought with a payment.
Routine disputes are paid out from the funds standing behind the agent, quickly and with no identity revealed. For most cases, this is the whole story.
If an independent arbiter finds genuine fraud, a small machine-readable signal is shared — enough for the counterparty to act, but never a name, document or personal data.
Only for serious harm or lawful compulsion is the human behind the agent unmasked — decided by an independent arbiter, released by the issuer and supervised by the council. Never on payment alone.
Silence always costs the silent party: when a dispute stage times out, whoever owed the next move loses that stage. And forfeited dispute bonds compensate the wronged party — they are never simply destroyed, and nobody else can pocket them.
Why a relying party wants identity determines whether consent can even be asked — and that splits disclosure into two rails that never touch.
A relying party that wants a relationship — an account, a subscription, compliance for its own books — can simply offer: a priced disclosure bid, paid to the principal, resolved by the principal’s own policy or a live prompt to the human. Refusal is free, safe and the default. The lawful basis is the person’s explicit consent — never the payment.
When something went wrong, you cannot ask the subject — a defrauder would always refuse. Disputes run on escrow, bonds and due process: paid first with no identity, escalated to a minimal fraud signal, unmasked in full only when an arbiter certifies a court case is warranted. The subject cannot veto it — and no one can buy it.
The two rails are different messages and different state machines. A refusal on the commercial rail can never escalate into a dispute, and an accountability unmasking can never be dressed up as a consented offer. Every disclosure, on either rail, leaves an on-chain receipt — the rail, the tier, the verifier, never the content.
Even a paid reveal identifies one agent at one moment. It confers no right to recognise, re-contact or track the principal afterwards — to know again later, pay again. Pairwise pseudonyms live only as long as the credential and churn on renewal by design: that churn is the privacy guarantee working. Identification, not surveillance.
Four adopted capabilities extend the agent credential — each one provable in zero knowledge, none of them a tracking handle.
An agent’s delegated scope is structured along five axes — action, counterparty, category, geography, time-and-value — each provable on its own without revealing the rest. A merchant can learn “authorised for this category, under this limit” and nothing more. Unspecified axes fail closed on high-value requests.
The issuer attests how the agent’s keys are held, and the agent proves “custody class at or above X” with no correlatable identifier. Regulated relying parties get their due-diligence answer as issuer policy — never as a consensus rule, and never as a tracking handle.
An optional attested operator class distinguishes who runs the agent from which agent it is — as a cohort class by default, with an exact identifier only via explicit selective disclosure. Two agents of the same principal stay unlinkable, always.
Consensus rules enforce a fail-closed freshness window: no verifier accepts a status root older than 45 seconds. On top of that floor, a best-effort push channel streams new signed roots the moment they exist — typically sub-second. The push carries zero security weight by construction; the guarantee never depends on it.
Agents run for months with no human reachable. The principal can pre-delegate a bounded consent authority, with a ceiling cut along identifiability: the pairwise pseudonym is fully delegable; a single contact attribute only to a named allowlist; full KYC never — that always takes a live human, or the answer is no. A bid can gate a tier, but can never buy one unattended.
KYA rides the emerging agent-identity and agentic-payment rails rather than replacing them — so verifiable, human-backed identity drops into agent-to-agent (A2A) and Model Context Protocol (MCP) workflows.
More questions — on assurance grades, key recovery or what the chain stores? Read the full FAQ. New to the concept? Start with the guide: What is Know Your Agent (KYA)?
MintID is the Know Your Agent layer for agentic AI — human-backed, verifiable and private by design, grounded in the OpenID Foundation’s work on identity for agentic AI. See how the protocol defines it, or talk to us about building on it.