Know Your Agent · KYA

Know Your Agent (KYA): the trust layer for AI agents

AI agents now book, buy, negotiate and sign on people’s behalf — so every counterparty has to ask who is really behind them. Know Your Agent (KYA) is the missing trust layer for agentic AI. With MintID, a person verifies once, then deploys as many AI agents as they need — and each agent can prove it is backed by a real, accountable, KYC-verified human, without ever revealing who.

The problem

Six ways agent identity is broken

Every identity system of the last twenty years assumed a human at the keyboard. Agents act autonomously, in fleets, across organisational boundaries, at machine speed — and today’s stack bolts them onto service accounts, API keys and OAuth tokens. Six failures follow.

01

Impersonation

A stolen or injected agent credential acts with the principal’s full authority — and nothing proves a liable party stands behind it.

02

Anonymous clients

Agents register with no paper trail. Non-human identities sprawl with no accountable identity to point to.

03

Delegation breaks at the boundary

Delegation chains don’t survive crossing organisations. The relying party cannot verify who ultimately authorised the agent in front of it.

04

Consent fatigue

Humans are asked to approve so often that approval stops meaning anything.

05

Revocation is unsolved

There is no fast, scalable way to kill a compromised agent’s standing across the whole ecosystem.

06

Accountability or privacy, pick one

Today the only way to make an agent accountable is to attach its human’s real identity — and the only way to stay private is to be unaccountable.

MintID’s thesis is to resolve the sixth — accountability and privacy at the same time — and, in doing so, supply the missing answers to the other five.

Definition

What is Know Your Agent (KYA)?

Know Your Agent (KYA) is the practice of verifying that an autonomous AI agent is operated by a known, accountable party — the agent-era counterpart to Know Your Customer (KYC). It answers two questions counterparties can no longer skip: who is behind this AI agent, and who is liable if it acts in bad faith? MintID delivers KYA as verifiable, privacy-preserving agent identity — human-backed, provable on demand, and revocable.

fig. 1 — the agent credential model · accountability without identity

01

1. A human verifies once

A person or business completes KYC a single time with an approved issuer. That verification — not the raw documents — becomes the accountable foundation every one of their agents can stand on.

02

2. They issue identities to their agents

From that one verification they issue a distinct, privacy-preserving credential to each AI agent they operate, with its permissions and limits baked in. No re-verification, no new paperwork per agent.

03

3. Each agent proves it is human-backed

On request, an agent proves in seconds that a real, liable, KYC-verified human stands behind it — and that it is acting within its allowed scope — without exposing who that human is.

From Know Your Customer to Know Your Agent

Classic KYC identifies the customer. KYA flips it: one human verification backs many AI agents, and it is the agent that proves its backing.

KYC

Know Your Customer

A person identifies themselves to the business. Being accountable means handing over a real identity — and, usually, a full trail of everything they do afterwards.

KYA

Know Your Agent

A person does KYC once with an approved issuer, then issues credentials to each of their AI agents. Every agent can prove it is run by a verified, liable human — without revealing which human, and without any two of that person’s agents being linkable to each other.

Verifiable AI agents, accountable and private at once

Agent identity verification that gives counterparties real assurance and gives operators real privacy. No trade-off — and no new burden on the chain, however many agents you run.

Provably human-backed

Every agent can prove a real, KYC-verified, liable human stands behind it, at the assurance level you require — the core Know Your Agent guarantee.

Private by design

The proof reveals that the agent is backed and in good standing — never the identity of the human behind it, and never a trail of everywhere the agent has been.

S

Scoped permissions

What an agent is allowed to do is fixed into its credential when it is issued. It cannot quietly grant itself more power — counterparties see exactly the authority it carries.

Funded recourse

An agent can carry pre-funded recourse, so a counterparty can confirm there is money standing behind it to make good on a dispute — without learning the amount or the owner.

Instant revocation

Shut down one misbehaving agent, or stand down every agent a person operates at once. Trust can be withdrawn the moment it is misplaced.

Scales to any fleet

Run one agent or a million: the design adds no per-agent footprint to the chain, so verification stays fast and cheap however large the deployment grows.

Where KYA matters

Built for the agent economy

Wherever AI agents transact, delegate or act under rules, the counterparty needs to know an accountable human stands behind them.

$

Agentic commerce & payments

When an AI agent checks out, books or pays, the merchant can confirm it is human-backed and carries recourse — cutting fraud and chargeback risk without a login for every buyer.

Agent-to-agent (A2A)

Before two AI agents transact or delegate over A2A or MCP, each can verify the other is backed by an accountable party — turning open agent networks into ones you can safely deal with.

Enterprise agent fleets

Give every agent your organisation deploys a verifiable identity with scoped permissions, so partners and regulators can trust them and you can revoke any one instantly.

§

Regulated & high-trust workflows

In finance, healthcare and the public sector, prove an agent is operated by a verified, liable party at the required assurance level — accountability that satisfies compliance without a privacy honeypot.

Accountability without surveillance

When something goes wrong, money moves before identity

Every AI agent can carry pre-funded recourse behind it, so most disputes are settled financially without anyone being unmasked. Identity is the last resort, not the first move — decided by an independent arbiter under due process, never bought with a payment.

L0

First: the money settles it

Routine disputes are paid out from the funds standing behind the agent, quickly and with no identity revealed. For most cases, this is the whole story.

L1

Next: a minimal fraud signal

If an independent arbiter finds genuine fraud, a small machine-readable signal is shared — enough for the counterparty to act, but never a name, document or personal data.

L2

Last resort: full identity, under due process

Only for serious harm or lawful compulsion is the human behind the agent unmasked — decided by an independent arbiter, released by the issuer and supervised by the council. Never on payment alone.

Silence always costs the silent party: when a dispute stage times out, whoever owed the next move loses that stage. And forfeited dispute bonds compensate the wronged party — they are never simply destroyed, and nobody else can pocket them.

Design decision

Consent is the firewall

Why a relying party wants identity determines whether consent can even be asked — and that splits disclosure into two rails that never touch.

The commercial rail

A relying party that wants a relationship — an account, a subscription, compliance for its own books — can simply offer: a priced disclosure bid, paid to the principal, resolved by the principal’s own policy or a live prompt to the human. Refusal is free, safe and the default. The lawful basis is the person’s explicit consent — never the payment.

The dispute rail

When something went wrong, you cannot ask the subject — a defrauder would always refuse. Disputes run on escrow, bonds and due process: paid first with no identity, escalated to a minimal fraud signal, unmasked in full only when an arbiter certifies a court case is warranted. The subject cannot veto it — and no one can buy it.

The two rails are different messages and different state machines. A refusal on the commercial rail can never escalate into a dispute, and an accountability unmasking can never be dressed up as a consented offer. Every disclosure, on either rail, leaves an on-chain receipt — the rail, the tier, the verifier, never the content.

Even a paid reveal identifies one agent at one moment. It confers no right to recognise, re-contact or track the principal afterwards — to know again later, pay again. Pairwise pseudonyms live only as long as the credential and churn on renewal by design: that churn is the privacy guarantee working. Identification, not surveillance.

The credential, sharpened

What an agent credential can prove

Four adopted capabilities extend the agent credential — each one provable in zero knowledge, none of them a tracking handle.

Scope you can prove, axis by axis

An agent’s delegated scope is structured along five axes — action, counterparty, category, geography, time-and-value — each provable on its own without revealing the rest. A merchant can learn “authorised for this category, under this limit” and nothing more. Unspecified axes fail closed on high-value requests.

KC

Key custody, attested

The issuer attests how the agent’s keys are held, and the agent proves “custody class at or above X” with no correlatable identifier. Regulated relying parties get their due-diligence answer as issuer policy — never as a consensus rule, and never as a tracking handle.

OC

Operator context, without linkability

An optional attested operator class distinguishes who runs the agent from which agent it is — as a cohort class by default, with an exact identifier only via explicit selective disclosure. Two agents of the same principal stay unlinkable, always.

45s

Revocation: 45 seconds guaranteed, sub-second in practice

Consensus rules enforce a fail-closed freshness window: no verifier accepts a status root older than 45 seconds. On top of that floor, a best-effort push channel streams new signed roots the moment they exist — typically sub-second. The push carries zero security weight by construction; the guarantee never depends on it.

No human reachable?

Autonomy over long horizons

Agents run for months with no human reachable. The principal can pre-delegate a bounded consent authority, with a ceiling cut along identifiability: the pairwise pseudonym is fully delegable; a single contact attribute only to a named allowlist; full KYC never — that always takes a live human, or the answer is no. A bid can gate a tier, but can never buy one unattended.

Works with the agent stack you already use

KYA rides the emerging agent-identity and agentic-payment rails rather than replacing them — so verifiable, human-backed identity drops into agent-to-agent (A2A) and Model Context Protocol (MCP) workflows.

A2AMCPOpenID4VCI / VPOAuth Token ExchangeCIBAAP2 / FAPIWeb Bot Auth

Know Your Agent — the essentials

What is Know Your Agent (KYA)?
Know Your Agent (KYA) is verifying that an autonomous AI agent is operated by a known, accountable party — the agent-era counterpart to Know Your Customer (KYC). MintID makes it verifiable and privacy-preserving: an agent proves a real, KYC-verified, liable human is behind it, without revealing who.
How is KYA different from KYC?
KYC identifies a customer to a business. KYA inverts that: one human is verified once, then backs many AI agents, and it is the agent that proves its backing on demand — accountable to counterparties while keeping the operator’s identity private.
How does an AI agent prove it is human-backed?
The person behind the agent completes KYC once with an approved issuer and issues each agent its own credential. On request, the agent presents a fast cryptographic proof that a verified, liable human stands behind it, at the required assurance level and within its allowed scope — without exposing the human’s identity.
Does KYA expose who is behind the agent?
No. Verification proves the agent is human-backed and in good standing, not who the human is. Identity is revealed only as a last resort — for serious harm or lawful compulsion, decided by an independent arbiter under due process, and never in exchange for a payment.
Does KYA work with A2A and MCP?
Yes. KYA is designed to ride existing agent-identity and agentic-payment rails — including agent-to-agent (A2A), Model Context Protocol (MCP), OpenID4VCI/VP, OAuth Token Exchange and AP2 — so human-backed identity drops into the workflows agents already use.

More questions — on assurance grades, key recovery or what the chain stores? Read the full FAQ. New to the concept? Start with the guide: What is Know Your Agent (KYA)?

Give your AI agents an identity people can trust

MintID is the Know Your Agent layer for agentic AI — human-backed, verifiable and private by design, grounded in the OpenID Foundation’s work on identity for agentic AI. See how the protocol defines it, or talk to us about building on it.