KYA Now
Identity is the basic building block for agentic commerce.
Dateline: Woking, 19th February 2026.
Sean Neville, co-founder of Circle and architect of USDC, was one of the global experts quoted in Andreessen Horowitz’s “17 things we’re excited about for crypto in 2026”. He said that the bottleneck in the agent economy “is shifting from intelligence to identity”, which I think is a very helpful phrase. He further observed that in financial services “non-human identities” (which now outnumber people by two orders of magnitude at the very least) remain “unbanked ghosts”, which I think is another very helpful phrase. As he then went on to say, and I could not agree more, the critical missing primitive here is KYA: Know Your Agent.
Not New, But Fundamental
Now, KYA itself is not a new idea. As Victoria Richardson and I wrote in our 2024 book “Money in the Metaverse”, the new economy demands a digital identity infrastructure in place not only for people and businesses but for things and, crucially, for bots. Given the advances in AI since the book was written, bots are even more central to that discussion now.
(For more background here’s something I wrote about KYA in Forbes a year ago and additionally, here is a more detailed paper about it that I co-authored with Jelena Hoffart in the Journal of Digital Banking.)
What is new, though, is the mainstream recognition that KYA is fundamental to the evolution of commerce and therefore finance. Without digital identity, we can’t have nice things, and that is as true in the agentic world as it is for the virtual and the mundane. This is no longer futuristic (or controversial). In one of their recent reports, McKinsey said that what they label “credentialing and identity” is the first of their key control points in the agentic economy because agents need secure, user-granted permission before they can initiate transactions across multiple institutions. Therefore, as they point out, organisations that already manage high-trust credentials start with a clear advantage. They go on to highlight some success factors: zero-trust architectures that never assume persistent access, dynamic consent via standardised protocols (for example, OAuth2/OpenID Connect, although I suspect new and more lightweight protocols might be required) and continuous audit trails.
Digital identity companies are already active in the field. Persona, the verified identity platform used by a host of fintechs (including Robinhood, Brex and OpenAI), has raised $200 million at a $2 billion valuation. The company says that the rise of AI agents, increasingly sophisticated AI-driven fraud, regulatory fragmentation, and growing privacy expectations have created a far more complex — and constantly evolving — identity landscape. As Rick Song, CEO of Persona, said:
Identity in an AI-driven world isn’t about ticking a box, and the question is no longer ‘is this a bot or not?’ but rather ‘who is the bot acting on behalf of, and what is their intent?’
That is a problem that is simple to frame, but rather more complicated to solve.
Don’t Trust, Verify
At the heart of the problem is the need for agents to provide verifiable credentials in order to transact, and there is an urgent need to get a framework for these credentials into place. As Sean put it, the industry that built out KYC infrastructure over decades now has just months to get KYA infrastructure into place. Fortunately, we know what the building blocks for this are, because verifiable credentials themselves are well-established and well-understood. If you know what they are, you can save time and skip the next paragraph.
A verifiable credential is some attribute of its holder that has been attested to by someone else. That someone else should be someone who is trusted (let’s not get sidetracked into what that means for now) by a service provider who needs to check that attribute in order to proceed with a transaction. So to take the canonical example, if I want to buy a drink in a pub, the pub needs to know that I am over 18, so it will want to check an IS-OVER-18 attribute. Now, an IS-OVER-18 attribute that is digitally signed by me is of no use to the pub at all, since they don’t know who I am and don’t trust me, but an IS-OVER-18 attribute that is digitally-signed by Barclays Bank is great, since they can easily check that the digital signature is actually from Barclays.
So the pub asks me to scan a QR code or tap on something, my phone tells me that the pub wants to see a credential with the IS-OVER-18 attribute and I choose one (there may be several, of course) and then my phone sends it to the pub. But how does the pub know that the IS-OVER-18 credential belongs to me? Well, the credential contains not only the IS-OVER-18 attribute but also a public key. The pub constructs a challenge using that public key and sends it to my phone. That challenge can only be answered by someone who has the corresponding private key. This private key is in the secure element in my phone. No-one else in the world can answer that challenge. So when the pub gets the answer back from my phone, it knows that the credential is mine.
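The pub exchange above, as an added example that is not code from the original post: the issuer signs the attribute together with the holder's public key, and the verifier accepts only if the holder also signs a fresh nonce. Ed25519, the signed-nonce form of the challenge and the names Credential, Issue, Verify and Scenario are assumptions made for illustration; all keys are constructed on the spot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential binds an attested attribute to the holder's public key.
type Credential struct {
	Issuer, Attribute string
	HolderKey         []byte
	Sig               []byte `json:"-"` // issuer signature, excluded from the signed bytes
}

// Issue is the issuer's step: sign the attribute together with the holder key.
func Issue(issuerPriv ed25519.PrivateKey, issuer, attr string, holder []byte) Credential {
	c := Credential{Issuer: issuer, Attribute: attr, HolderKey: holder}
	msg, _ := json.Marshal(c)
	c.Sig = ed25519.Sign(issuerPriv, msg)
	return c
}

// Verify is the verifier's step: attribute, issuer signature, then holder proof over the nonce.
func Verify(issuerPub ed25519.PublicKey, c Credential, want string, nonce, proof []byte) bool {
	if c.Attribute != want || len(c.HolderKey) != ed25519.PublicKeySize {
		return false
	}
	msg, _ := json.Marshal(c)
	return ed25519.Verify(issuerPub, msg, c.Sig) &&
		ed25519.Verify(c.HolderKey, nonce, proof)
}

// Scenario uses constructed keys: genuine holder, self-signed credential, copied credential.
func Scenario() (genuine, selfSigned, copied bool) {
	bankPub, bankPriv, _ := ed25519.GenerateKey(rand.Reader)
	phonePub, phonePriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	nonce := make([]byte, 32)
	rand.Read(nonce) // fresh challenge for this transaction
	cred := Issue(bankPriv, "Barclays", "IS-OVER-18", phonePub)
	self := Issue(otherPriv, "Me", "IS-OVER-18", otherPub)
	return Verify(bankPub, cred, "IS-OVER-18", nonce, ed25519.Sign(phonePriv, nonce)),
		Verify(bankPub, self, "IS-OVER-18", nonce, ed25519.Sign(otherPriv, nonce)),
		Verify(bankPub, cred, "IS-OVER-18", nonce, ed25519.Sign(otherPriv, nonce))
}

func main() { fmt.Println(Scenario()) }
```

Scenario returns true for the genuine holder and false for both the self-signed credential and the credential presented by someone who copied it without the private key.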
Now take the pub example into the world of agents and you can see why the solution is more of a complication: billions of interactions between agents that may only live for milliseconds mean that billions of verifications will be required. As KYA (and digital ID in general) becomes more important, there will need to be a taxonomy of transaction types. What level of identification and consent is required for a $10 transaction? For $10,000? For a mortgage? For medical records?
I am not the only person to have noticed this, of course, and across the technology sector organisations are working on the building blocks for next-generation markets (and, indeed, societies). Towards the end of last year, Google launched Agent Payments Protocol (AP2), a secure, open standard backed by industry leaders such as Mastercard, PayPal, American Express, Adobe, and Alibaba. Mastercard is developing its Agent Pay solution, and industry groups are working to extend World Wide Web Consortium (W3C) verifiable credentials into payments. Visa is positioning its global network as a backbone for agentic commerce in partnership with AI platforms such as Anthropic, Mistral AI, OpenAI and Perplexity as well as IBM, Microsoft, Samsung and Stripe.
Meanwhile the startup world is looking at the same space. Skyfire, for example, recently launched Agent Checkout, powered by a new protocol called KYAPay. This is an open standard that gives agents verified identities and programmable payment capabilities to facilitate verification, control and reputation tracking. Skyfire has onboarded partners like APIFY and Forter to begin using the protocol, which is compatible with existing authentication systems, APIs and MCP servers.
VCs For The Win
OK, I think that is straightforward and it is already clear that agentic commerce will be enabled by standard verifiable credentials (VCs) of one form or another; we do not need to speculate about that. If I want to grant my agent Dave1A permission to go and book flights on British Airways and book hotels with Hilton, then British Airways and Hilton need Dave1A to present a credential that says that the agent is allowed to book on my behalf together with my loyalty identifiers and maybe some other attributes.
I think we can see a rough outline of a stack forming here. As Victoria and I outlined in our book, if we give bots access to some kind of smart wallet to manage money and identity then we need infrastructure to:
Provide agents with identifiers. To paraphrase Bruce Schneier, digital identity comes down to key management and key management is really, really hard. So…
Provide somewhere for agents to store their private keys. I’m old school, so to me that means either local or remote trusted execution environments (TEEs). We could, for example, use secure enclaves in smart phones for local TEEs and cloud-based hardware security modules (HSMs) for remote TEEs and then…
Implement a means for agents to present VCs on demand, which also means creating a trust framework for agents and their counterparties to use to mutually authorise and allow transactions then to proceed. Here, I wonder if existing mechanisms and standards are sufficient: after all, agents may be created and destroyed in milliseconds, not the normal timescales for credentials.
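An added example, not from the original post or from any of the protocols named in it: a delegation credential of the kind Dave1A would present, limited to named merchants and to a lifetime of half a second, as checked by the merchant. The Mandate format, the function names, the 500 ms lifetime and the premise that the merchant already trusts the principal's public key are assumptions; proof that the presenting agent holds its own key is left out here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Mandate is a hypothetical delegation credential: which agent may act where, until when.
type Mandate struct {
	Principal, Agent string
	Merchants        map[string]bool
	NotAfterMs       int64  // expiry on the verifier's clock, in milliseconds
	Sig              []byte `json:"-"` // principal's signature, not part of the signed bytes
}

// Grant is the wallet's step: sign the scope and lifetime for this agent.
func Grant(priv ed25519.PrivateKey, m Mandate) Mandate {
	msg, _ := json.Marshal(m)
	m.Sig = ed25519.Sign(priv, msg)
	return m
}

// Check is the merchant's step; it returns "ok" or the reason for refusal.
func Check(principalPub ed25519.PublicKey, m Mandate, merchant string, nowMs int64) string {
	msg, _ := json.Marshal(m)
	switch {
	case !ed25519.Verify(principalPub, msg, m.Sig):
		return "bad signature"
	case nowMs > m.NotAfterMs:
		return "expired"
	case !m.Merchants[merchant]:
		return "out of scope"
	}
	return "ok"
}

// Scenario checks constructed requests against one 500 ms mandate for agent Dave1A.
func Scenario() []string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	scope := map[string]bool{"British Airways": true, "Hilton": true}
	m := Grant(priv, Mandate{"Dave", "Dave1A", scope, 1500, nil}) // granted at t=1000 ms
	widened := m
	widened.Merchants = map[string]bool{"Other Airline": true} // edited after signing
	return []string{Check(pub, m, "Hilton", 1000), Check(pub, m, "Other Airline", 1000),
		Check(pub, widened, "Other Airline", 1000), Check(pub, m, "Hilton", 2000)}
}

func main() { fmt.Println(Scenario()) }
```

The four decisions are ok, out of scope, bad signature and expired: the agent cannot widen its own scope without breaking the principal's signature, and the same mandate stops working one second later.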
Now, of course, it’s well beyond the scope of this brief note to delve into the details of this infrastructure, but it is interesting to speculate on who will define what such credentials might look like and the framework in which they will work, whichever protocols (e.g., Google’s AP2) are being used for the transactions. Mastercard and Visa are obvious players in that space, but it is early days, and I am curious to hear your view of the runners and riders.

I still remember the example of "bar handshake for Over-18 proof" in the "Identity is the new money" that remains my absolute favourite. Has so many historical rhymes (Banchi dei cambio ran ledgers operating per identity of the merchant vs. tokens they carried). I did my take on the origins and trends w.r. to agentic commerce, where another missing element is loyalty (also deriving from the underlying identity data) https://medium.com/fintech-blog/agentic-commerce-3ba395d32ebd
Dave;
You will know that we set out on this journey fully three decades ago using the world's regulated FIs (not just banks although they were obvious candidates) and indeed other regulated entities in pharma and energy were interested, and each of the founder banks of GTO (Global Trust Organization), which became Identrus which became IdenTrust, chipped in finance and management resource to build a "Constitution", an OpRuleset spanning Policy, Legal, Operational and Technological dimensions, to which they and all other qualifying entities, public and private sector could sign up to, which in effect would manage the Identity and Trust dynamics, the Liabilities and Responsibilities, Obligations and Entitlements of all member organizations each to the other...and by extension those of their Customers.
Essentially a Visa & MasterCard model but not just about Data movement re Payments, instead about all Data.
Its Privacy, its Authenticity, its Integrity and its Non-repudiability,
We need not dissect why over a quarter century later, and in a far more complex and fast moving Web3 environment we are still debating the same topic, but that is an inescapable fact. Let Historians be the judges .........
However the issues are not primarily Tech (which will go on evolving at an exponentially faster pace), they are about Liability... who is on the hook for what and when..... and that is where Common Law, Dispute Resolution and Arbitration processes etc all come into play.
We must move on from Digital Identity which has become a toxic phrase associated with Orwellian "Big Government", and leverage what we have already learnt.... now in Digital Verification, but it must be globally extensible and driven by/underpinned by updated regulatory frameworks themselves supported by the enduring strength and adaptability of Common Law.
Chairman Alan Greenspan of the Fed and his Board colleagues gave their approval to the Identrus proposition in a Board Resolution back on November 10th 1999.... He will be celebrating his 100th Birthday on March 6th 2026... Wouldn't that be a great birthday present for him to see it finally enacted as we move rapidly into this Agentic Era .....as is seen by organizations such as Inveniam which are charting the way forward...... BW John G Bullard