Contact
Insights
May 27, 2026

From KYC to KYA: Why Agentic Commerce Needs a 'Know Your Agent' Trust Layer

Contents
Agentic Commerce Studio - Validate AI-agent shopping in your browser

Key Takeaways

  1. E-commerce and payments were built on the assumption that a human makes every purchase. AI agents break that assumption, and verifying the customer (KYC) alone can no longer prove a transaction was legitimate
  2. Know Your Agent (KYA) is emerging as the new trust layer, verifying which agent acted, on whose authority it was delegated, and within what mandate
  3. Visa's Trusted Agent Protocol, Mastercard Agent Pay, and Google's AP2 are already implementing KYA, and merchants and payment providers will need to identify agents and prove delegated authority

Rethinking Who Exactly Made the Purchase

From KYC to KYA: The New Trust Layer in AI Commerce

AI agents have inserted an autonomous intermediary between the human and the 'pay now' button, breaking the human-centric assumptions behind KYC and fraud monitoring. A new trust layer, Know Your Agent, is needed to verify which agent acted, on whose authority, and with what mandate.

www.unite.ai

Shopping has become remarkably convenient over the past decade or so. The week's groceries and the outfit for a party now arrive at the door after a few taps on a phone. AI agents push that convenience another notch, scanning hundreds of sites in seconds to find the best deal and surfacing a product from a vague prompt like 'it was something small, round, and green.' At first glance, this looks like the natural evolution of friendly interfaces. Yet as Unite.AI points out, beneath that comfort the entire infrastructure of commerce is being rewritten in ways never seen before.

E-commerce platforms were built for years on a deceptively simple idea: that every purchase is made by a human. Ten or fifteen years ago, who else could it have been? The whole chain of user actions was shaped by KYC systems and fraud monitoring tools, and they were largely effective at preventing abuse. That structure was upended only recently.

The heart of the change is that an autonomous intermediary has slipped in between the human and the 'pay now' button. Like its owner, an agent can search for a product, compare prices, and apply a promo code, but the logic driving its actions is not always easy to trace. At the moment of purchase, the user may not even be in the room. That raises real questions about authorization and accountability. A platform may verify the user, yet it has no way to tell whether the purchase truly reflected that person's intent, or whether the agent acted in a way the user never authorized at all.

This is precisely why KYC is becoming insufficient. What is needed is a new mechanism that can track agent activity itself, a trust layer that can be called Know Your Agent, or KYA. PYMNTS positions this framework as a third verification layer, sitting alongside the established KYC and KYB (know your business) checks.

The Questions KYA Has to Answer

To be effective, KYA must answer several questions at once. How trustworthy is the agent? Who exactly stands behind it? What authority did it receive from the user? And what evidence can be preserved if a dispute arises? That last question matters most of all, because multibillion-dollar losses may hinge on it.

The identity verification firm Trulioo frames KYA as binding every agent action to a verifiable identity (the exact agent and version) and to accountable authority (who it represents and what it is permitted to do). Simply identifying an agent is not enough. Trust only holds once you can bundle together when it acted, under whose consent, and within what constraints.

Sumsub, which supplies verification tooling, makes a similar case: the essence of KYA is to continuously verify the origins, integrity, and permissions of an agent so that each action can be traced back to a verified source. Easy to overlook is that this is not a one-time check. Agents act in chains at machine speed, sometimes escalating their own privileges. The old habit of verifying once at human login simply cannot keep up.

Competing for the Attention of a Black Box

Once online sellers start factoring in these questions, they realize how radically their own business model is changing. The user hands the agent a commercial task, and the machine interprets it on its own, in what is effectively a black box. Sellers and platforms have to adapt to the logic of the machine, not the human, and find ways to draw its attention to their products.

People choose brands that stand out visually or respond to advertising that appeals to experience and emotion. Impressing an agent the same way is far harder. People are often lazy, glancing only at the first couple of pages of search results or clicking the top promoted listing. An agent, by contrast, scans dozens of pages in seconds and will pick a product even from the last page if it judges it the best match. As a result, platforms may no longer earn the same way from advertising and brand promotion, and sellers may find paid placement a weaker lever for visibility.

This shift weighs especially heavily on fintech and payment infrastructure. It is no longer enough to confirm that the client uses a valid card and that the transaction does not look fraudulent. Payment companies have to review each operation to determine whether it was performed by a trusted agent on behalf of a real user. According to Salesforce, nearly 40% of consumers have already used agentic AI for shopping in one way or another, which makes that verification heavier by the day.

Building a Payment Layer That Binds Identity, Intent, and Execution

To meet this challenge, the next generation of payment infrastructure will fold identity, intent, and transaction execution into a single system. Payments will center on context rather than the transaction itself. Traditional signals such as card credentials, merchant category, location, and device are insufficient in a world full of AI agents. A platform has to find a way to understand who exactly triggers a transaction and what their mandate is.

Lowering the risk of an agent performing the wrong transaction becomes the single most important task for payment systems. It is worth remembering that KYA does not replace traditional fraud scoring; it works as another layer wrapped around it.

The major players are already moving this way. Mastercard is building Agent Pay as a secure payment foundation centered on registered agents and traceable transactions. Before an agent can obtain tokens, it is registered and verified through a process Mastercard itself calls Know Your Agent, so that only legitimate parties are onboarded. The tokens issued are short-lived and scope-limited, carrying governance metadata such as agent ID, intent, and consent proof.

Visa has introduced its Trusted Agent Protocol to help merchants distinguish malicious bots from legitimate agents. It carries an agent's intent, verified user identity, and payment details inside cryptographically signed HTTP messages, using timestamps and session identifiers to prevent replay attacks. Google's AP2 (Agent Payments Protocol) represents each purchase as three signed mandates, for intent, cart, and payment, each verifiable as a W3C Verifiable Credential. These are only examples, and a growing number of companies see KYA as the next stage of payment infrastructure.

What Merchants and Payment Providers Should Prepare

Building these systems matters because many businesses are not yet measuring the problem at all. Some merchants do not distinguish agent traffic from bot traffic, while others wave through every AI transaction without a second look. Read the other way, this leaves room to provide real-time analysis, earn the trust of commerce providers, and uncover new sources of revenue.

The starting point for merchants and payment providers is to reach a state where they can identify the agents visiting their site. Because an agent's transaction pattern differs from human browsing in both speed and concurrency, the precision of separating fraudulent bots from legitimate agents comes into question. From there, rather than handing over full card details, shift to token-based delegated authorization scoped to merchant, amount, and purpose, and preserve every authorization event as a tamper-resistant audit trail. Laying that groundwork with an eye on the standards Visa, Mastercard, and Google are advancing is what protects a business when a dispute arises.

Conclusion

The future of commerce is no longer decided by who paid alone. What matters is which agent made the decision, and whether that decision genuinely reflected the customer's intent. The move from KYC to KYA is the flip side of agentic commerce graduating from concept to implementation. For merchants and payment providers, steadily stacking up the unglamorous work of identifying agents, scoping delegated authorization, and automating audit trails is what will keep them competitive on top of this new trust layer.

NextStord Raises $250M Series F at a $3B Valuation: Inside Its Robotics-Powered Physical Intelligence Layer and the Anti-Amazon Bet
Recommended Articles
Mar 27, 2026

The Race to Build Identity Stacks for Agentic AI: Ping Identity, Saviynt, Dock Labs, and More Enter the Arena

May 18, 2026

"Are You Who You Say You Are?" — Redesigning Digital Trust for Agentic Commerce with FIDO and Experian's Identity Stack

Mar 23, 2026

Unit 42 Warns of AI Agent-Powered Retail Fraud: Concrete Attack Scenarios Revealed