
Tiger Research: AI Agents Will Also Need to Verify Their Identity

Tiger Research
Guest Columnist
2026-05-09 06:44
There will be no single winner in this market.
AI Summary
  • Core Insight: As AI agents enter an era of autonomously executing contracts, payments, and transactions, the lack of a unified identity verification standard has become a key risk. This article outlines the different strategies of four major players in the "Know Your Agent" (KYA) standard debate, and points out that regulatory frameworks (such as the EU AI Act, US NIST, etc.) are accelerating progress, suggesting KYA could become a watershed moment for the industry.
  • Key Elements:
    1. KYA Demand Scenarios: KYC within centralized platforms is sufficient, but KYA becomes essential when independent agents access decentralized exchanges (DEXs), engage in A2A payments, or merchant payments, to prevent identity forgery, unauthorized transactions, and accountability gaps.
    2. Four Major Players, Divergent Paths: ERC-8004 takes an on-chain route, registering identities as NFTs; Visa TAP issues identity credentials (Visa Intelligent Commerce, VIC) via its payment network; Trulioo, following the SSL certificate model, issues Digital Agent Passports (DAP) with continuous verification; Sumsub, without issuing certificates, performs real-time human re-verification for anomalous transactions.
    3. Regulation Has Already Paved the Way: The 2019 FATF Travel Rule reshaped the crypto exchange landscape. Currently, the EU AI Act, Singapore's national framework, and US NIST all prioritize agent identity management, signaling that KYA will repeat the regulatory watershed scenario.
    4. Business Model Comparison: ERC-8004 focuses on on-chain autonomous transactions; Visa anchors payment-bound scenarios; Trulioo, leveraging its KYC/KYB expertise in fintech, is favored by the regulated financial industry; Sumsub focuses on real-time detection of fraudulent transactions.
    5. Market Structure Assessment: There will be no single winner in this market. The real competition lies in the combination and pairing of different scenarios (on-chain, payments, regulation, risk control) with corresponding standards/players, and the window of opportunity is narrowing.

This report is written by Tiger Research. AI agents can now sign contracts, make payments, and execute trades autonomously. But there's a fundamental problem: how do you know who that agent on the other side actually is? This article dissects the different strategies of four key players in the KYA standard race and examines how far regulation has already come.

Key Takeaways

  1. AI agents are entering an era of autonomous contract execution, payment, and trading, yet there is no unified standard for identity verification. In A2A (Agent-to-Agent) scenarios, KYA is gaining more attention than KYC.
  2. KYA isn't necessary everywhere. Within centralized platforms like Google, OpenAI, or Coinbase, existing KYC is sufficient. KYA is truly needed when independently deployed agents access DEXs, engage in A2A payments, or make merchant payments.
  3. The battle for standards has already begun. ERC-8004, Visa TAP, Trulioo, and Sumsub are taking entirely different approaches, focusing on on-chain, payment networks, compliance certification, and risk detection, respectively.
  4. Regulators have already moved. The EU AI Act, the US NIST, and Singapore's national framework have all prioritized agent identity management. In 2019, FATF's Travel Rule determined which crypto exchanges survived; KYA is likely to follow a similar playbook.

1. Why Now

KYC Reshaped the Financial Foundation

Before 1989, the global financial system lacked a unified identity standard. This void made it difficult to trace the sources of drug money and illicit funds. It wasn't until that year, with the formation of the FATF, that KYC became a hard requirement for the financial industry, effectively barring illegal capital at the door.

Over the next three decades, KYC's influence expanded layer by layer. After 9/11 in 2001, anti-terrorism financing provisions were added, and the US Patriot Act elevated KYC to a legal obligation. The 2010s saw the implementation of the EU's AMLD, Basel III, and FATCA, leading to the automatic exchange of cross-border KYC information. In 2019, FATF's Travel Rule extended KYC requirements to Virtual Asset Service Providers.

Each extension was designed to fill a specific gap.

Without Agent Identity, the System Regresses

Fast forward to today. AI agents don't need human oversight to sign contracts, make payments, or trade. But no one can verify who they are.

In an A2A environment, accountability is ambiguous. If something goes wrong, it's unclear who is responsible. Users are also highly susceptible to money laundering and various sophisticated scams.

Looking at the financial world before 1989 and the agent marketplace of 2026 side-by-side reveals a striking structural similarity. Back then, anonymous accounts moved across borders; today, unverified agents engage in A2A transactions. Then, verification responsibility rested with each individual bank; now, it rests with each individual platform. In both cases, a common standard was and is absent.

This similarity is no coincidence; it's a pattern. The technology raced ahead, but the identity layer failed to keep pace.

What is KYA?

KYA (Know Your Agent) is a trust mechanism designed to verify an agent's origin, permissions, and accountability in advance.

Skipping this step leads to three simultaneous risks. First is unauthorized transactions: a user authorizes payment, but the agent moves assets or signs contracts beyond its scope. Second is identity spoofing: malicious agents impersonate legitimate ones to hijack payments, forge responses, or steal reputation. Third is an accountability vacuum: when problems arise, the agent, developer, and principal shift blame, leaving no one liable for compensation.

KYA's purpose is to lock down these three issues proactively. By pre-registering and verifying permission scopes, unauthorized actions are blocked. By verifying identity and origin, only legitimate agents are allowed in. By binding each agent's origin and principal to the record, traceability is enabled for post-event analysis.

2. Where Does KYA Operate?

Not Needed Everywhere

Inside centralized platforms, KYA isn't strictly necessary. Users undergo KYC, and the platform provides guarantees, creating a fully enclosed loop.

KYA is needed in the open environment outside these platforms. This is when agents need to interact with DEXs, conduct A2A payments, or pay merchants. In this environment, no one provides guarantees, and no one can vouch for the agent.

Think of it this way. Within a country, an ID card (KYC) is sufficient. But once you cross a border (exit the platform), the environment changes. You must go through immigration inspection (KYA), stating your purpose and proving your trustworthiness.

A Four-Step Process

KYA's operation can be broken down into four steps. The first two steps are "passport issuance": first, register the agent's identity and permissions; second, issue a digital passport after successful verification. The last two steps are "immigration inspection": when a transaction occurs, confirm the counterparty's identity, then update the record based on the transaction outcome.

Identity is not permanently valid after a single issuance; it is re-verified with each transaction.
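
The four steps above as runnable Python, added here as an illustration and not taken from the report or from any of the vendors it covers. All names (`register`, `issue_passport`, `verify`, `transact`) are hypothetical, and an HMAC with a constructed key stands in for the issuer's signature; a deployed scheme would use an asymmetric signature so that verifiers hold no signing secret.

```python
import hashlib, hmac, json, time

ISSUER_KEY = b"constructed-demo-key"      # demo secret, constructed for this example
REGISTRY, REVOKED, AUDIT_LOG = {}, set(), []

def _sign(body):
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()

def register(agent_id, developer, principal, scopes, max_amount):
    """Step 1: register origin, accountable principal and permission scope."""
    REGISTRY[agent_id] = {"agent_id": agent_id, "developer": developer,
                          "principal": principal, "scopes": sorted(scopes),
                          "max_amount": max_amount}

def issue_passport(agent_id, now, ttl=60):
    """Step 2: issue a short-lived passport over the registered claims."""
    body = json.dumps(dict(REGISTRY[agent_id], exp=now + ttl),
                      sort_keys=True).encode()
    return body, _sign(body)

def verify(passport, action, amount, now):
    """Step 3: re-verify the passport for this one transaction.
    Returns (reason, claims); claims is None unless the signature is valid."""
    body, sig = passport
    if not hmac.compare_digest(_sign(body), sig):
        return "bad signature", None               # forged or altered passport
    claims = json.loads(body)
    if claims["agent_id"] in REVOKED:
        return "revoked", claims                   # delegation withdrawn
    if now > claims["exp"]:
        return "expired", claims                   # must be re-issued
    if action not in claims["scopes"] or amount > claims["max_amount"]:
        return "out of scope", claims              # beyond what was authorized
    return "ok", claims

def transact(passport, action, amount, now=None):
    """Step 4: record the outcome, bound to the verified principal only."""
    now = time.time() if now is None else now
    reason, claims = verify(passport, action, amount, now)
    AUDIT_LOG.append({"agent": claims and claims["agent_id"],
                      "principal": claims and claims["principal"],
                      "action": action, "amount": amount, "result": reason})
    return reason
```

The signature is checked before the claims are parsed, so a passport whose limits were edited in transit is rejected and the audit record never attributes the attempt to a principal named in unverified data.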

3. Four Players Competing for the Standard

Currently, four players are vying for the standard, each with a completely different approach.

ERC-8004: Identity as an NFT

ERC-8004 takes a pure on-chain route. It layers an identity system on top of ERC-721, minting an NFT as a unique ID for each agent.

It is supported by three on-chain registries. The Identity Registry handles "who this agent is," based on a unique AgentID derived from ERC-721. The Reputation Registry handles "can I transact with it," recording on-chain scores, tags, and evidence after a transaction is completed. The Validation Registry handles "did the agent actually perform the action," with third-party validators using plugins like zkML or TEE to verify claims.

This structure isn't unprecedented in Ethereum's history. ERC-20 standardized token issuance, giving rise to USDT, USDC, UNI, and AAVE. ERC-721 standardized NFT issuance, with CryptoPunks, BAYC, and ENS supporting the entire NFT market. ERC-8004 aims to be the third standard in a similar position.

Visa TAP: Packaging via the Payment Network

Visa's approach is entirely different. It issues agents a credential called Agent Intent, functioning like a keycard. Without this key, agents cannot even initiate a transaction. Only after Visa's pre-approval is the key issued, and each transaction must carry a signature for the merchant.

What the merchant receives isn't one signature, but three. Agent Intent proves the agent is legitimate, backed by a key approved by VIC. Consumer Recognition identifies who the agent is acting for, passing a user identifier to the merchant. Payment Information provides payment assurance, using payment tokens or hashed card information for authentication.

Visa packages this system into a larger framework called Visa Intelligent Commerce (VIC). Besides TAP, it includes Agent APIs (proprietary technology used with Visa cards), Tokenization (tokens specifically for AI), and Intelligent Commerce Connect (compatible with competing protocols like AP2, ACP, and x402).

The logic is clear. Visa once captured the entry point to the payment network; now it wants to integrate the age of agents into its own ecosystem. If agent payments continue to flow through card networks and this package becomes the default option, Visa's market share will be solidified.

Trulioo: Mimicking the SSL Model

Trulioo is a major player in the global KYC and KYB compliance space, now extending its verification stack to KYA.

It draws inspiration from the SSL certificate model for websites. In SSL, a Certificate Authority (CA) issues a TLS certificate to a website, verifying only its domain. Trulioo's proposed Digital Passport Authority (DPA) issues a Digital Agent Passport (DAP) to agents, verifying the developer's KYB and the user's KYC.

The DAP is not a static certificate. It is a live token that refreshes and is re-verified with each transaction. If the delegation is revoked or anomalous behavior is detected, the DAP is immediately invalidated.

It has five checkpoints: Provenance (which developer created it), User Binding (who authorized it), Permission Scope (what it's allowed to do), Behavior Telemetry (what it's currently doing), and Risk Scoring (its risk rating).

Banks and fintech companies legally must verify people and companies. As agents enter the financial domain, Trulioo's established position in KYC and KYB becomes even more secure.

Sumsub: Monitoring Anomalies, Not Issuing Credentials

Sumsub's approach differs from the previous three. It doesn't issue standards or certificates; instead, it re-verifies the human behind an agent when anomalous transactions occur.

Having been in the compliance business since 2015, its verification system is now adapted to detect anomalous agent behavior. The process has three steps. First, automated detection differentiates humans from machines using device and agent characteristics. Second, risk scoring provides a score based on context, transaction amount, and historical data. Finally, liveness verification is initiated only for high-risk, high-value, or critical changes, re-authenticating the registered real person.

Four characteristics set Sumsub apart from other players. Its starting point is as a compliance operator, not a standard setter. Verification is triggered by risk events, not pre-registration. The method is re-authentication of the real person, not data or tokens. The philosophy is to bind the agent to a responsible party, not to directly block the agent.

While other players focus on one-time upfront identity verification, Sumsub focuses on real-time verification after credential issuance. As agent permissions expand, anomaly detection becomes more critical. As fraudulent methods advance with technology, Sumsub's real-time stack is worth watching.

4. Before Regulation Takes Hold

The FATF Travel Rule Playbook

When the FATF Travel Rule was introduced in 2019, the VASP industry immediately fractured. Entities that could bear the cost of KYC and AML infrastructure survived; those that couldn't closed down or relocated to jurisdictions with laxer regulations. CryptoBridge and Deribit were among those forced to adjust during this period.

Regulation isn't the end; it's a dividing line.

The KYA playbook is likely to be similar. The EU, Singapore, and the US are already jockeying for a leading position.

Article 12 of the EU AI Act explicitly requires that activity logs for high-risk AI systems include the operator's identity. Singapore has released the world's first national AI governance framework for agents, extending identity management to agents and requiring each to have an accountable responsible party. The US NIST has listed agent identity management as a priority standard area.

The window of opportunity is shrinking.

There Will Be No Single Winner

The real variable in the standards race isn't technology, but combinations. Major players have already entered a phase of collaboration and integration. What determines the outcome for each market segment is who pairs with which merchants, payment networks, and KYC customer bases.

This market will not have a single winner.

For autonomous on-chain transactions, Ethereum is likely in the lead. For transaction scenarios tied to payments, Visa holds a clear advantage. In the regulated financial industry, Trulioo's KYC and KYB accumulation is difficult to replace. For transactions involving fraud risk, Sumsub's real-time detection is more suitable.

These four are not direct competitors; they occupy different niches. The true competition lies in which scenarios are categorized under which niche.

It took KYC three decades, from 1989 to the present day, to complete the global financial identity layer.

When the dust settles, the survivors may not be those with the strongest technology, but those who first integrated into the identity infrastructure.
