PYMNTS and Trulioo Introduce 'Know Your Agent' Framework for AI Agent Authentication
Akihiro Suzuki
Source: www.pymnts.com
Key Takeaways
- PYMNTS Intelligence and Trulioo publish new AI agent authentication framework "KYA"
- Bot management is a challenge for ~90% of enterprises, with digital ID gaps costing ~$95 billion annually
- E-commerce businesses must urgently prepare for three-layer authentication: KYC → KYA → Know Your Human
AI Agent "Identity Verification" Begins

Know Your Agent Models Are a Must for Enterprises
'Know Your Agent' tools can help authenticate AI agents and defend against malicious bots as automation reshapes digital commerce.
On March 12, 2026, PYMNTS Intelligence published a joint research report with digital identity verification firm Trulioo titled "How Enterprises Can Build a 'Know Your Agent' Defense." Based on a survey of 350 compliance, risk management, and fraud prevention leaders worldwide, the report outlines the complete picture of a new identity verification framework called "Know Your Agent (KYA)" needed for the AI agent era.
As agentic commerce rapidly expands, areas that traditional KYC (Know Your Customer) and KYB (Know Your Business) cannot address are emerging. In an era where AI agents autonomously open accounts and execute transactions, mechanisms to verify "whose agent is this?" and "does it have legitimate authority?" are essential.
Background and Industry Context
With the growth of agentic commerce, bot traffic management has become a top-tier challenge for enterprises. The survey found approximately 90% of companies consider bot management a "major challenge." Furthermore, losses from fraud, false declines, and compliance violations due to inadequate digital ID verification systems total approximately $94.9 billion annually across respondent companies — averaging 3.1% of annual revenue.
Particularly severe is the "false decline" problem, where authentication systems incorrectly block legitimate users. 56.3% of companies face bot or agent-related threats, and 58.6% suffer from bot-caused fraud. Yet 96.3% express "confidence in their ability to detect harmful bots," revealing a stark gap between perception and reality.
Across the industry, major players including Visa, Akamai, and Skyfire are developing proprietary agent authentication protocols. Akamai promotes "Web Bot Authentication," Visa advances the "Trusted Agent Protocol (TAP)," and Skyfire pushes "KYAPay," signaling the start of agent authentication standardization competition.
The Three-Layer Structure of the KYA Framework
The report's most significant concept is viewing identity verification as a "three-layer structure."
Layer 1: KYC (Know Your Customer) handles individual identity verification as before, verifying "does this person exist?" through name, address, and ID document matching.
Layer 2: KYA (Know Your Agent) is the newly added layer. It verifies AI agent developers, code integrity, user consent, and behavioral patterns in real time. According to Trulioo's blog, KYA introduces a "Digital Agent Passport" — a lightweight, tamper-resistant ID layer that links all agent-driven transactions to verified humans and authorized agents.
Layer 3: Know Your Human bridges KYC and KYA. As PYMNTS' explainer notes, "even if an agent has valid login credentials or authenticated payment tokens, it may execute instructions that a human has not explicitly approved." Know Your Human continuously verifies that the delegation chain is maintained throughout the entire transaction.
Trulioo Chief Product Officer Zac Cohen stated: "We want to understand who the agent is and confirm that it accurately conveys the individual's instructions and prompts."
Technical Authentication Protocol Developments
Technical standards supporting KYA implementation are also being rapidly developed. Akamai's report introduces three major protocols.
"Web Bot Authentication" is a lightweight authentication method based on the HTTP Message Signatures standard (RFC 9421), issuing API tokens and signed credentials to bots. Adoption is advancing with major bot operators including Google, OpenAI, and Microsoft.
"KYAPay" is an open protocol developed by Skyfire, specializing in payments between AI agents and services. It issues encrypted JWTs (JSON Web Tokens) after registration and approval, verified server-side with each request.
Visa's "Trusted Agent Protocol (TAP)" is designed for card payments based on the HTTP Message Signature standard. It coordinates with other card issuers to standardize agent-mediated e-commerce transactions.
These protocols are also compatible with Google's Agent2Agent (A2A) Protocol and Model Context Protocol (MCP).
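Web Bot Authentication and TAP both build on HTTP Message Signatures, so the server-side check they share is sketched below as an added example (not code from the report, Akamai, or Visa). It shows only the generic RFC 9421 flow with the ed25519 algorithm; the key registry, the `demo-agent-key` keyid, the `sig1` label, and the request object shape are assumptions made for illustration, not details of either protocol's profile.

```javascript
const crypto = require('crypto');

// Constructed key pair standing in for an agent operator's published key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const KEY_DIRECTORY = new Map([['demo-agent-key', publicKey]]); // hypothetical registry

// Derived components (RFC 9421 section 2.2); any other id is a header name.
function componentValue(req, id) {
  if (id === '@method') return req.method.toUpperCase();
  if (id === '@authority') return req.authority.toLowerCase();
  if (id === '@path') return req.path;
  if (req.headers[id] === undefined) throw new Error('missing component ' + id);
  return req.headers[id].trim();
}

// Signature base (section 2.5): one line per covered component, then the
// "@signature-params" line, joined by "\n" with no trailing newline.
function signatureBase(req, covered, params) {
  const lines = covered.map((id) => `"${id}": ${componentValue(req, id)}`);
  return Buffer.from([...lines, `"@signature-params": ${params}`].join('\n'));
}

// Agent side: sign the covered components and attach both headers.
function sign(req, covered, created, expires, keyid) {
  const params = `(${covered.map((c) => `"${c}"`).join(' ')})` +
    `;created=${created};expires=${expires};keyid="${keyid}"`;
  const sig = crypto.sign(null, signatureBase(req, covered, params), privateKey);
  req.headers['signature-input'] = `sig1=${params}`;
  req.headers['signature'] = `sig1=:${sig.toString('base64')}:`;
  return req;
}

// Server side: returns 'ok' or the reason the request is rejected.
function verify(req, now) {
  const m = /^sig1=(\(([^)]*)\);created=(\d+);expires=(\d+);keyid="([^"]+)")$/
    .exec(req.headers['signature-input'] || '');
  const s = /^sig1=:([A-Za-z0-9+/=]+):$/.exec(req.headers['signature'] || '');
  if (!m || !s) return 'malformed';
  const [, params, list, created, expires, keyid] = m;
  const covered = list.split(' ').filter(Boolean).map((c) => c.replace(/"/g, ''));
  // A signature that does not bind the request target can be replayed elsewhere.
  if (!['@authority', '@method', '@path'].every((c) => covered.includes(c))) return 'weak-coverage';
  if (now < Number(created) || now > Number(expires)) return 'outside-window';
  const key = KEY_DIRECTORY.get(keyid);
  if (!key) return 'unknown-key';
  let base;
  try { base = signatureBase(req, covered, params); } catch { return 'malformed'; }
  return crypto.verify(null, base, key, Buffer.from(s[1], 'base64')) ? 'ok' : 'bad-signature';
}
```

The coverage and time-window checks run before the cryptographic check, so a valid signature over too few components or outside its validity window is rejected as firmly as a forged one.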
Impact and Practical Implications for E-Commerce Businesses
For e-commerce businesses, adapting to the KYA framework is a "now" issue, not a "someday" consideration. Key preparation points include:
First, shifting bot management policy from "block everything" to "selective management." Akamai's analysis shows scraping detected through advanced methods reaches 8x the direct traffic in AI bot categories. Simply blocking all AI bots is insufficient protection.
Second, considering integration of tokenization and agent authentication. Linking tokens issued after KYC with verified attributes, device information, and agent permissions enables both high-speed transactions and traceability. Companies that implemented global unified ID platforms report 65.6% reduction in digital transaction rejection rates and 62.5% reduction in false positives.
Third, building a clear accountability framework. Trulioo's Cohen identifies "the liability question as the biggest bottleneck to mainstream adoption of agentic transactions," making traceability for disputes, chargebacks, and refunds essential.
Summary
The KYA framework is positioned as the "trust infrastructure" for agentic commerce. As Trulioo CTO Hal Lonas notes, "agentic commerce will work, but at first it will be slow, constrained, with humans approving at judgment gates" — gradual adoption is expected.
Key areas to watch include the outcome of standardization competition between Visa TAP, KYAPay, and Web Bot Auth, and which protocols e-commerce platforms adopt. If the three-layer structure of KYC → KYA → Know Your Human becomes industry standard, Trulioo's vision of "bringing to agentic commerce what encryption brought to online payments" will become reality. E-commerce businesses should begin reviewing their authentication infrastructure and preparing for agent readiness now.