This report is written by Tiger Research.
AI agents are already capable of signing contracts, making payments, and executing trades autonomously. But there's one unresolved problem: how do you know who the agent on the other side really is? This article outlines the different strategies of four key players in the KYA standard competition, and how far regulation has already progressed.
Key Takeaways
- AI agents have entered an era of autonomously executing contracts, payments, and trades, but there is no unified standard in the market for verifying their identities. In A2A (agent-to-agent) scenarios, KYA is starting to gain more attention than KYC.
- KYA is not needed everywhere. Within centralized platforms like Google, OpenAI, or Coinbase, the existing KYC is sufficient. The real need for KYA arises when independently deployed agents interact with DEXs, engage in A2A payments, or make payments to merchants.
- The battle over standards has begun. ERC-8004, Visa TAP, Trulioo, and Sumsub are approaching from four distinct directions: on-chain, payment networks, compliance verification, and risk detection, respectively.
- Regulators are already moving. The EU AI Act, the U.S. NIST, and Singapore's national-level framework have all prioritized agent identity management. The 2019 FATF Travel Rule determined which crypto exchanges survived; the KYA narrative is likely to follow a similar script.
1. Why Now?
The Layer KYC Reshaped in Finance
Before 1989, global finance had no unified identity standard. This void made it difficult to trace the origins of drug money and illicit funds. It wasn't until the FATF was established that year that KYC became a mandatory requirement for the financial industry, keeping illegal funds out.
Over the next three decades, KYC's influence expanded layer by layer. Post-9/11 in 2001, anti-terrorism financing clauses were added, and the U.S. Patriot Act elevated KYC to a legal obligation. In the 2010s, the EU AMLD, Basel III, and FATCA were successively implemented, enabling the automatic exchange of cross-border KYC information. In 2019, the FATF Travel Rule extended KYC to Virtual Asset Service Providers (VASPs).
Each expansion was plugging a gap.
Without Agent Identity, the System is Regressing
Now, back to the present. AI agents can sign contracts, make payments, and trade without human supervision. But there's no way to verify who they are.
In an A2A environment, accountability is blurred. When something goes wrong, it's unclear who is responsible. Users are also easily exposed to money laundering and various sophisticated scams.
Placing pre-1989 finance side-by-side with the 2026 agent market reveals a strikingly similar structure. Back then, it was anonymous accounts moving cross-border; today, it's unverified agents conducting A2A transactions. Back then, verification responsibility rested with each individual bank; today, it rests with each individual platform. Neither had a common standard.
This similarity is not a coincidence; it's a pattern. The technology sprinted ahead, but the identity layer didn't catch up.
What is KYA?
KYA (Know Your Agent) is a trust layer that verifies an agent's origin, permissions, and accountability in advance.
Skipping this step invites three simultaneous risks. The first is unauthorized transactions: a user authorizes only a payment, but the agent moves assets or signs contracts beyond its scope. The second is identity forgery: malicious agents impersonate legitimate ones to hijack payments, forge responses, and steal credibility. The third is an accountability vacuum: when something goes wrong, the agent, developer, and delegator blame each other, making compensation impossible to pursue.
KYA's role is to lock these three issues down in advance. By pre-registering and verifying permission scopes, unauthorized actions are directly blocked. By verifying identity and origin, only legitimate agents are allowed in. Each agent's origin and delegator are bound to a record, enabling traceability when issues arise.
2. Where KYA Needs to Operate
It's Not Needed Everywhere
Within centralized platforms, KYA isn't critically needed. Users complete KYC, and the platform provides a safety net; the entire chain is closed-loop.
The need for KYA arises in the open environment after an agent steps outside the platform—when it interacts with DEXs, performs A2A payments, or makes payments to merchants. Here, there is no safety net and no one to vouch for it.
An analogy: moving within a country, an ID card (KYC) is sufficient. Once crossing the border (leaving the platform), the environment changes, and one must undergo inspection at the point of entry (KYA), clarifying intent and credibility.
Four-Step Process
KYA's operation can be broken into four steps. The first two are "passport issuance": register the agent's identity and permissions, and upon verification, issue a digital passport. The latter two are "entry inspection": confirm the counterparty's identity when a transaction occurs, and then update records based on the transaction outcome.
Identity is not permanently valid upon issuance; it is re-verified with each transaction.
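The four steps above, as an added sketch that is not part of the original report and is not any vendor's or standard's API. The function names, the shared HMAC issuer key (a stand-in for the asymmetric signature a real issuer would use), and the five-minute passport lifetime are all assumptions.

```python
import hashlib, hmac, json

ISSUER_KEY = b"constructed-demo-key"  # hypothetical issuer secret (assumption)
registry = {}    # step 1 state: agent_id -> registration record
audit_log = []   # step 4 state: one entry per attempted transaction

def register(agent_id, developer, delegator, scopes, max_amount):
    """Step 1: bind the agent to its origin, delegator and permission scope."""
    registry[agent_id] = {"developer": developer, "delegator": delegator,
                          "scopes": sorted(scopes), "max_amount": max_amount,
                          "revoked": False}

def _sign(claims):
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()

def issue_passport(agent_id, now, ttl=300):
    """Step 2: issue a short-lived signed passport over the registered claims."""
    rec = registry[agent_id]
    claims = {"agent_id": agent_id, "delegator": rec["delegator"],
              "scopes": rec["scopes"], "max_amount": rec["max_amount"],
              "exp": now + ttl}
    return {"claims": claims, "sig": _sign(claims)}

def verify_transaction(passport, action, amount, now):
    """Steps 3 and 4: re-verify on every transaction, then record the outcome."""
    claims = passport["claims"]
    rec = registry.get(claims.get("agent_id"))
    if not hmac.compare_digest(_sign(claims), passport.get("sig", "")):
        result = "reject: bad signature"        # forged or altered passport
    elif rec is None or rec["revoked"]:
        result = "reject: revoked or unknown"   # delegation withdrawn
    elif now >= claims["exp"]:
        result = "reject: expired"              # must be re-issued
    elif action not in claims["scopes"] or amount > claims["max_amount"]:
        result = "reject: out of scope"         # unauthorized transaction
    else:
        result = "accept"
    audit_log.append({"agent_id": claims.get("agent_id"),
                      "delegator": rec["delegator"] if rec else None,
                      "action": action, "amount": amount,
                      "time": now, "result": result})
    return result

if __name__ == "__main__":
    register("agent-1", "dev-co", "alice", {"pay"}, 100)   # constructed sample
    p = issue_passport("agent-1", now=1000)
    print(verify_transaction(p, "pay", 50, now=1010))
    print(verify_transaction(p, "sign_contract", 50, now=1010))
```

Each rejection branch corresponds to one of the risks listed earlier: the signature check to identity forgery, the scope check to unauthorized transactions, and the audit entry carrying the delegator to the accountability vacuum.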
3. Four Players Competing for the Standard
Currently, four players are in the standards competition, each with a completely different approach.
ERC-8004: Making Identity an NFT
ERC-8004 follows a pure on-chain path. It adds an identity layer on top of ERC-721, with each agent minting an NFT as its unique ID.
It is accompanied by three on-chain registries. The Identity registry handles "who this agent is," based on the unique AgentID from ERC-721. The Reputation registry handles "can we transact with it," leaving ratings, tags, and evidence on-chain after transactions. The Validation registry handles "did it actually do that thing," verified by third-party validators using plugins like zkML, TEE, etc.
This structure isn't new in Ethereum's history. ERC-20 standardized token issuance, with USDT, USDC, UNI, and AAVE built on it. ERC-721 standardized NFT issuance, with CryptoPunks, BAYC, and ENS supporting the entire NFT market. ERC-8004 aims to be the third standard in that same foundational position.
Visa TAP: Bundling with the Payment Network
Visa's approach is completely different. It issues an identity credential (Agent Intent) to an agent, akin to a card. Without this key, an agent cannot even initiate a transaction. Visa pre-approves before issuing the key, and each transaction must carry a signature to the merchant.
The merchant doesn't receive just one signature, but three. Agent Intent proves the agent is legitimate, backed by a key approved by VIC. Consumer Recognition indicates who it's working for, passing the user identifier to the merchant. Payment Information provides payment assurance, using a payment token or hashed card information to complete authentication.
Visa has bundled this into a larger package called Visa Intelligent Commerce (VIC). Besides TAP, it includes Agent APIs (Visa's proprietary technology for card usage), Tokenization (tokens specifically issued for AI), and Intelligent Commerce Connect (compatible with competing protocols like AP2, ACP, and x402).
The logic is clear. Visa already captured the payment network gateway, and now wants to pull the agent era into its own orbit. If agent payments continue to flow through card networks and this bundle becomes the default option, Visa's market share is secured.
Trulioo: Adapting the SSL Model
Trulioo is a player in the global KYC and KYB compliance space, now extending its verification stack to KYA.
It draws on the website SSL certificate model. SSL involves a CA (Certificate Authority) issuing a TLS certificate to a website, verifying only the domain. Trulioo's proposed DPA (Digital Passport Authority) issues a DAP (Digital Agent Passport) to an agent, verifying both developer KYB and user KYC.
The DAP is not a static certificate. It's a live token that refreshes, re-verified with each transaction. If delegation is revoked or anomalies are detected, the DAP is immediately invalidated.
It has five checkpoints: Provenance (which developer created it), User Binding (who authorized it), Permission Scope (what tasks it can perform), Behavior Telemetry (what it's doing now), and Risk Scoring (risk rating).
Banks and fintech companies are legally required to verify the identities of individuals and companies. Once agents enter the financial realm, Trulioo's established position in KYC/KYB becomes even more solid.
Sumsub: Monitoring Anomalies, Not Issuing Certificates
Sumsub's entry point differs from the previous three. It doesn't issue standards or certificates; instead, it re-verifies the person behind an agent when anomalous transactions occur.
It has been in the compliance business since 2015, and its verification system is now used to detect anomalous agent behavior. The process has three steps. First, automated detection distinguishes between humans and machines based on device and agent characteristics. Next, risk scoring assigns a risk score based on context, amount, and historical data. Finally, liveness verification is triggered only for high-risk, large-amount, or critical-change scenarios, re-verifying the registered real person.
Sumsub's four characteristics contrast sharply with other players. Its starting point is as a compliance operator, not a standards maker. The timing of verification is during risky transactions, not pre-registration. The verification method is re-confirming a real person, not relying on data or tokens. Its philosophy is to tie the agent to the responsible party, not to directly block the agent.
Other players are focusing on one-time pre-transaction identity verification; Sumsub focuses on real-time verification after credentials are issued. The more agent permissions expand, the more critical anomaly detection becomes. As fraud techniques evolve with technology, Sumsub's real-time stack is worth watching.
4. Before Regulation Lands
The Script of the FATF Travel Rule
When the FATF Travel Rule was introduced in 2019, the VASP industry immediately fragmented. Those that could bear the KYC/AML infrastructure costs survived; those that couldn't shut down or relocated to jurisdictions with lighter regulation. CryptoBridge and Deribit were among those forced to adapt during that wave.
Regulation is not the end; it's a watershed.
The KYA narrative may follow a similar script. The EU, Singapore, and the U.S. are already vying for a leading position.
Article 12 of the EU AI Act explicitly requires that operational logs for high-risk AI systems include the operator's identity. Singapore released the world's first national-level agent AI governance framework, extending identity management to agents, requiring each agent to have an accountable responsible party. The U.S. NIST has listed agent identity management as a priority standards area.
The window of opportunity is narrowing.
There Won't Be a Single Winner
The real variable in the standards competition isn't technology; it's combinations. Major players are already entering a phase of cooperation and bundling. Who pairs with which merchants, payment networks, and KYC customer bases will determine the ownership of each market segment.
There won't be a single winner in this market.
For on-chain autonomous transactions, Ethereum is likely to lead. In payment-bound transaction scenarios, Visa holds a clear advantage. Within regulated financial industries, Trulioo's KYC/KYB accumulation is hard to replace. For transaction scenarios involving fraud risk, Sumsub's real-time detection is more suitable.
These four are not direct competitors; they each occupy their own hill. The real competition lies in determining which scenarios fall into which hill's territory.
It took KYC thirty years, from 1989 to today, to complete the identity layer for global finance.
This KYA round appears to be moving much faster. Regulators are already acting, standard players are already positioning themselves, and the window for scaled deployment might be just the next few years.
When the dust settles, the survivors may not be those with the strongest technology, but those whose identity infrastructure was integrated earliest.













