What is Know Your Agent?

Know Your Agent (KYA) is the principle that organisations must be able to identify, verify and account for every AI agent operating within their environment, in the same way that financial institutions are required to identify their customers. KYA requires that AI agents carry registered, cryptographically verifiable identities linked to accountable human or organisational principals. Without KYA, authority cannot be delegated, policy cannot be enforced and governance cannot be applied. As AI agents move from experimental pilots into production environments, handling transactions, accessing sensitive data and executing workflows autonomously, the question of who is responsible for their actions becomes urgent. KYA answers that question before something goes wrong.

Why KYA Matters Now

In 2026, enterprises are deploying AI agents with direct access to APIs, databases, financial systems and customer records. Most cannot reliably answer four questions that regulators, auditors and boards are beginning to ask: Who is this agent? Where did it come from? Who is accountable for what it does? And how do you prove it? Traditional identity infrastructure was built for humans and long-running services with stable, predictable behaviour. AI agents are different. They act dynamically, across systems, without a persistent session. A single prompt modification or model update can change their behaviour entirely. An API key or token identifies a credential, not an agent. A stolen credential looks identical to a legitimate one. Without KYA, organisations have no reliable way to distinguish a legitimate agent from a compromised one, a sanctioned deployment from an unsanctioned one, or an authorised action from an unauthorised one.

The Problem KYA Solves

When an AI agent takes an action inside an enterprise environment, most organisations face the same set of gaps.

Identity blindness. Current systems treat agents as API consumers with user-like credentials. These credentials are not bound to the agent’s code, configuration or operational context. There is no way to verify that a request is coming from the agent that was deployed, rather than something else claiming to be that agent.

No accountability chain. Without cryptographically verifiable identity linked to a responsible principal, there is no chain of accountability when something goes wrong. Logs record what happened. They do not record who was responsible.

Authority cannot be delegated. Delegating authority to an agent requires knowing who the agent is. Without verified identity, there is no foundation for delegated authority, scoped permissions or enforceable policy constraints.

Governance cannot be applied. Identity is the starting point for every governance control. Without it, policy enforcement, audit trails and compliance evidence are impossible to produce in a way that holds up under scrutiny.

How KYA Works

KYA establishes four capabilities for every AI agent operating in a governed environment.

Cryptographic identity using decentralised identifiers (DIDs)

Each agent receives a unique, unforgeable identifier that is cryptographically bound to its code and configuration. This identifier is decentralised and portable, not dependent on a single issuer or registry. If the agent’s model, prompt or tool bindings change, the identity changes detectably. Identities can be rotated and revoked in real time.

Clear audit trails linking AI actions to responsible parties

Every action taken by an agent is linked back to its verified identity and the accountable principal behind it. Audit records are private, tamper-evident and produced in a form that satisfies regulatory and compliance requirements. Organisations can demonstrate exactly which agent acted, when, and under whose accountability.

Cross-platform agent verification and authentication

KYA works across cloud environments, IAM systems and enterprise infrastructure without replacing existing controls. Agents can be verified consistently whether they are operating on-premise, across public cloud, or within partner ecosystems.

Anti-spoofing protection against malicious agents

Cryptographically verifiable identity makes it significantly harder for malicious agents, prompt injection attacks or compromised deployments to impersonate legitimate agents. An attacker cannot produce a valid identity credential without access to the cryptographic material bound to the legitimate agent.
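The binding, revocation and anti-spoofing properties described above, as an added example that is not Nuggets' code or API. It assumes Ed25519 keys, a SHA-256 digest over a canonical manifest (model, prompt, tool bindings), an in-memory registry, and the reserved `did:example:` placeholder prefix; every function name and sample value is hypothetical.

```javascript
// Added illustration; not Nuggets' implementation. All names are hypothetical.
const nodeCrypto = require('node:crypto');

// Canonical JSON: keys sorted so the same configuration always hashes the same.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map(k => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Identifier derived from the agent's public key and its manifest digest,
// so a change to model, prompt or tools yields a different identifier.
function agentId(publicKey, manifest) {
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  const h = nodeCrypto.createHash('sha256').update(spki).update(canonical(manifest));
  return 'did:example:' + h.digest('hex').slice(0, 32);
}

function signAction(privateKey, id, action) {
  const payload = Buffer.from(canonical({ id, action }));
  return { id, action, sig: nodeCrypto.sign(null, payload, privateKey).toString('base64') };
}

// registry: Map of id -> { publicKey, principal, revoked }
function verifyAction(registry, msg) {
  const entry = registry.get(msg.id);
  if (!entry) return { ok: false, reason: 'unknown-agent' };
  if (entry.revoked) return { ok: false, reason: 'revoked' };
  const payload = Buffer.from(canonical({ id: msg.id, action: msg.action }));
  const ok = nodeCrypto.verify(null, payload, entry.publicKey, Buffer.from(msg.sig, 'base64'));
  return ok ? { ok: true, principal: entry.principal } : { ok: false, reason: 'bad-signature' };
}

function demo() { // constructed sample data throughout
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const manifest = { model: 'model-v1', prompt: 'Summarise invoices.', tools: ['read_invoice'] };
  const id = agentId(publicKey, manifest);
  const registry = new Map([[id, { publicKey, principal: 'Example Org Ltd', revoked: false }]]);
  const genuine = verifyAction(registry, signAction(privateKey, id, 'read_invoice:42'));
  // Prompt changed after registration: the derived identifier is no longer registered.
  const changedId = agentId(publicKey, { ...manifest, prompt: 'Summarise and pay invoices.' });
  const drifted = verifyAction(registry, signAction(privateKey, changedId, 'read_invoice:42'));
  // Impersonation: registered identifier, but signed with a different key.
  const otherKey = nodeCrypto.generateKeyPairSync('ed25519').privateKey;
  const spoofed = verifyAction(registry, signAction(otherKey, id, 'read_invoice:42'));
  registry.get(id).revoked = true; // revocation takes effect on the next check
  const afterRevoke = verifyAction(registry, signAction(privateKey, id, 'read_invoice:42'));
  return { genuine, drifted, spoofed, afterRevoke, idChanged: changedId !== id };
}
```

A verifier that receives only a bearer token cannot make any of the three rejections shown in `demo()`; each depends on the registry holding a key and a manifest-derived identifier for the agent.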

How KYA Identity is Created

Creating a verified agent identity follows the same layered process used to establish trust for any actor in the Nuggets environment.

A developer first completes KYC, verifying their individual identity against their physical credentials using NFC chip verification, biometrics and liveness checks. This creates a reusable, portable identity they carry into every subsequent interaction.

They then complete KYB, cryptographically binding their verified individual identity to the legal entity they represent. The developer is now verifiably acting on behalf of a known, accountable organisation.

Where the developer is an employee or contractor acting on behalf of that organisation, KYE verifies the employment relationship, confirming they are genuinely authorised to act in that capacity. This closes the accountability chain between the individual, their role and the organisation.

From that verified foundation, they can register an AI agent through KYA. The agent receives a cryptographically verifiable identity linked to the developer, their role and the organisation behind them. Every action the agent takes carries that full accountability chain.

The result is not just an agent with credentials. It is an agent with a verified owner, a verified organisation, a verified chain of human accountability, and an identity that holds up under audit and regulatory scrutiny.

KYA as Part of the Trust Stack

KYA does not operate in isolation. It is one of five identity primitives that together establish verifiable trust across every actor in an enterprise environment.

Framework | Verifies | Who it covers
Know Your Customer (KYC) | Individual identity — documents, biometrics, liveness | Humans
Know Your Business (KYB) | Legal entity — individual cryptographically bound to organisation | Organisations
Know Your Employee (KYE) | Employment relationship — individual confirmed as authorised to act for the business | Employees & contractors
Know Your Agent (KYA) | AI agent identity — agent verified as controlled by and accountable to a verified organisation | Autonomous AI agents
Know Your Machine (KYM) | Device integrity — hardware bound to a verified business entity | Devices & hardware

These five primitives compound. A verified individual, acting on behalf of a verified business, through a verified employment relationship, using a verified agent, on a verified device, produces a chain of accountability that covers every layer of an enterprise AI deployment. That chain is the foundation for the execution governance layer: the controls that determine whether a specific action, by a specific agent, under a specific delegation of authority, is permitted to execute at the point it happens. Without KYA, that chain is broken. Authority cannot be delegated, policy cannot be enforced, and governance cannot be demonstrated.

KYA and Regulatory Compliance

Regulatory frameworks across financial services, healthcare and critical infrastructure are beginning to require exactly what KYA provides.

EU AI Act. Requires transparency, human oversight and audit trails for high-risk AI systems. KYA’s cryptographically verifiable identity and tamper-evident action logs satisfy these requirements directly.

DORA. Requires operational resilience and accountability for automated systems in financial services. KYA’s identity and accountability chain provides the evidence DORA demands.

FCA Senior Managers Regime. Makes individuals personally accountable for decisions within their firms. That accountability does not end when a decision is delegated to an AI agent. KYA ensures the delegation chain is verifiable and the responsible principal is identifiable.

SOC2 Type II, ISO 27001 and NIST AI RMF. Each requires the ability to attribute actions to responsible parties, verify access controls and produce evidence for audit. KYA makes all three possible for AI agents.

How Nuggets Implements KYA

Nuggets provides cryptographically verifiable identity for AI agents as part of a broader trust infrastructure that covers humans, businesses, employees, agents and machines. Every agent operating through Nuggets carries a registered identity linked to an accountable principal. That identity travels with every action the agent takes, creating a clear and verifiable accountability chain across systems, cloud environments and organisational boundaries. KYA is the identity layer. Above it sits the execution governance layer: the controls that verify delegated authority, enforce policy constraints and produce audit-grade evidence at the point of execution. Together they give enterprises what they need to deploy autonomous AI in regulated environments with confidence.