Know Your Agent (KYA) is the practice of verifying that an autonomous AI agent is operated by a known, accountable party — the agent-era counterpart to Know Your Customer (KYC). It answers the two questions counterparties can no longer skip when software shows up instead of a person: who is behind this AI agent, and who is liable if it acts in bad faith?
A definition
For twenty years, every identity system on the internet has assumed a human at the keyboard. Log-ins, KYC checks, fraud scores, CAPTCHAs — all of them ultimately identify a person who is present. Agentic AI breaks that assumption: agents now book travel, purchase goods, negotiate terms and sign requests on people’s behalf, with no human in the loop at the moment of the transaction.
KYA is the discipline that restores the missing link. An agent that passes a KYA check can demonstrate, on demand, that a real and accountable party stands behind it — a party who was verified once, who remains liable, and who can be reached through a defined process if something goes wrong. Crucially, KYA is not “KYC for bots”: the subject of verification is the human (or organisation) behind the agent, and the direction of proof inverts — it is the agent that proves its backing, not the human who identifies themselves.
Why agents force the question now
The numbers behind the shift are stark. Machine identities already outnumber human ones by roughly 50 to 1 in enterprise environments (Omdia, 2024), and industry analysts project more than a billion deployed agents by 2029 (IDC, 2025). The OpenID Foundation’s 2025 whitepaper on identity for agentic AI put the principle plainly: with autonomy comes accountability.
Today’s identity stack fails agents on four fronts at once:
- Accountability. There is no verifiable link between an agent and a liable party. An API key says nothing about who answers for the traffic behind it.
- Blast radius. When agents borrow their operator’s credentials, a stolen agent credential is a stolen human credential.
- Sybil resistance. Anonymous client registration lets one operator spin up unlimited agents with no paper trail at all.
- Privacy. The only way to make an agent accountable today is to attach its operator’s real identity to everything it does — turning accountability into surveillance.
The fourth failure is the one that locks in the other three. As long as accountability and privacy are treated as a binary trade-off, operators will choose anonymity, and counterparties will be left guessing. KYA done properly dissolves the trade-off: accountability becomes provable while identity stays private.
How KYA works
verify once · mint per agent · prove per session
fig. 1 — the kya loop · accountability without identity
Three steps, each done exactly once at its own layer:
1. Verify once
A human (or organisation) completes KYC with an approved issuer and receives a principal credential — an anonymous credential carrying a private assurance grade from A1 to A4. This is ordinary reusable KYC: the verification happens once, and the evidence stays with the issuer, off-chain.
2. Mint per agent
For every agent they deploy, the principal mints a fresh agent credential. Each one attests three things: the agent is backed by a valid principal credential of grade ≥ G from an accepted issuer; it operates within a bounded, delegated scope S fixed at mint time (purpose, transaction limits, permissions); and it can be revoked. Scope cannot be self-elevated — you cannot delegate authority you cannot prove.
3. Prove per session
When a counterparty asks, the agent answers with a short-lived zero-knowledge presentation — in MintID’s design, valid for ten seconds and bound to a unique challenge, the exact audience and the current revocation state. The verifier learns “human-backed, at assurance ≥ G, within scope, active” — and nothing else. Not the human’s name, not the principal credential, not which sibling agents exist.
KYA vs KYC
| dimension | know your customer | know your agent |
|---|---|---|
| subject | the customer, present at the transaction | the human principal behind an autonomous agent |
| who proves | the person identifies themselves | the agent proves its backing |
| frequency | repeated per relying party | verified once; reused across every agent |
| verifier learns | full identity, documents, attributes | a claim: human-backed ≥ G, within scope S |
| linkability | one identity, correlated everywhere | presentations and sibling agents unlinkable |
| revocation | account closure, provider by provider | per-agent kill switch, issuer root, principal-wide |
What KYA is not
It is not surveillance. A KYA check confers no tracking right. In MintID’s formulation — identification, not surveillance — a verifier gets a yes/no answer to a policy question, not a dossier. There is no public, on-chain registry of agents to crawl: to the chain, an agent is indistinguishable from any other credential holder.
It is not a guarantee of behaviour. KYA attests calibrated assurance about the source of an agent — never the soundness of the agent’s outputs. An agent backed by a verified human can still be wrong, and presenting assurance as a binary stamp of trust would be its own failure mode.
It is not identity disclosure by default. The proof is the product. Identification of the principal is the exception — priced and consented on the commercial path, or ordered under due process in a dispute — never the routine cost of doing business.
How MintID implements KYA
MintID’s agent KYC layer turns the pattern above into protocol invariants, three of which carry the whole design:
- Backing is provable, identity is not. Every presentation proves a KYC-verified, liable human principal — and structurally cannot reveal which one.
- Siblings are unlinkable. No two agents of the same principal can be correlated, on-chain or across verifiers.
- The only link lives in escrow. The agent-to-human mapping exists exactly once, in the issuer’s private records, released only under a certified due-process finding — never bought with a payment.
Around those invariants sit the mechanics: revocation as three independent levers (per-agent self-revoke, issuer status roots republished every 30 seconds, and principal-wide revocation that can cascade to every derived agent); sybil resistance through per-principal agent caps and economic mint fees, enforced privately by issuers; and a money-before-identity cascade for disputes, so pre-funded recourse settles most incidents without anyone being unmasked. None of it adds per-agent state to the chain — live state scales with issuers and validators, not with the number of agents.
KYA also does not replace the agent stack — it rides it. MintID’s posture is bridge, don’t fight: proofs travel over A2A and MCP transports, issuance and presentation use OpenID4VCI and OpenID4VP, and a valid presentation can mint a scoped, short-lived OAuth token where that is what the relying system expects. The full requirement set lives in the protocol specification.
One honest caveat: MintID is a research-stage protocol. There is no mainnet before independent application, cryptography, infrastructure and economic audits — the mechanism is committed, the deployment is not.