This report is written by Tiger Research. AI agents can now sign contracts, make payments, and conduct transactions on their own. But one problem remains unsolved: how do you know who the other agent really is? This article examines the different strategies of four key players in the KYA standards debate and where regulation currently stands.
Key Points
- AI agents are entering an era of autonomous contract execution, payments, and transactions, but there is still no universal standard for identity verification. In A2A (agent-to-agent) scenarios, KYA is beginning to gain more attention than KYC.
- KYA isn't needed everywhere. On centralized platforms like Google, OpenAI, and Coinbase, existing KYC is sufficient. KYA is truly required when independently deployed agents connect to DEXs, A2A payments, or merchant payments.
- The standards war has begun. ERC-8004, Visa TAP, Trulioo, and Sumsub are entering from four distinct directions: on-chain, payment networks, compliance certification, and risk detection, with entirely different approaches.
- Regulation has already moved. The EU AI Act, the U.S. NIST, and Singapore’s national framework have all prioritized agent identity management. In 2019, the FATF Travel Rule determined which crypto exchanges survived—KYA is likely to follow the same script.
1. Why now?
KYC reshaped the identity layer of finance
Before 1989, there was no global standard for financial identity. This gap made it difficult to trace drug money and illicit funds to their source. That year, the FATF was established, making KYC a mandatory requirement in the financial industry and keeping illegal funds at bay.
Over the next three decades, the impact of KYC expanded layer by layer. After 9/11 in 2001, anti-terrorism financing provisions were added, and the U.S. Patriot Act elevated KYC to a legal requirement. In the 2010s, the EU’s AMLD, Basel III, and FATCA were gradually implemented, enabling automatic cross-border exchange of KYC information. In 2019, the FATF Travel Rule extended KYC to virtual asset service providers.

Each extension fills a gap.
Without an agent identity, the system is regressing.
Back to the present. AI agents can sign contracts, make payments, and execute trades without human oversight—but no one can verify their identity.
In an A2A environment, responsibility is unclear—no one can say who to hold accountable when issues arise. Users are also easily exposed to money laundering and various types of scams.
Comparing the financial system before 1989 with the agent market of 2026 reveals striking structural similarities. Back then, anonymous accounts moved across borders; today, unverified agents transact A2A. Then, verification responsibility rested with each individual bank; now, it rests with each individual platform. No common standards exist in either case.

This similarity is not a coincidence—it’s a pattern. Technology has moved ahead, but the identity layer hasn’t caught up.
What is KYA?
KYA (Know Your Agent) is a trust mechanism that verifies the source, permissions, and accountability of agents in advance.
Skipping this step exposes three risks simultaneously. First, unauthorized transactions: users authorize only payments, but the agent moves assets or signs contracts outside the permitted scope. Second, identity spoofing: malicious agents impersonate legitimate ones to hijack payments, forge responses, and steal reputation. Third, accountability vacuum: after an incident occurs, the agent, developer, and principal blame each other, making it impossible to determine liability or seek compensation.

KYA addresses all three in advance. It pre-registers and validates permission scopes and blocks any unauthorized actions outright. It verifies identity and origin so that only legitimate agents are admitted. And it binds each agent's origin and principal to the record, enabling traceability in case of incidents.
2. Where must KYA operate?
Not everywhere needs it.
Centralized platforms don’t really need KYA. Once users complete KYC and the platform itself provides backing, the entire process is closed-loop.
The open environment outside the platform is where KYA is needed. Agents must interact with DEXs, perform A2A payments, and pay merchants. At this point, no one is there to back them up or guarantee their actions.
For example, within a country, an ID card (KYC) is sufficient. But once you cross the border (leave the platform), the environment changes—you must undergo inspection at immigration (KYA) to explain your purpose and establish credibility.
Four-step process
The operation of KYA can be broken down into four steps. The first two steps are "passport issuance": register the agent’s identity and permissions, then issue a digital passport after verification. The last two steps are "border control": confirm the other party’s identity when a transaction occurs, then update the records based on the transaction outcome.

Identity is not issued once and valid forever; it is re-verified for each transaction.
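The four steps and the three risks described earlier, as an added sketch that is not part of the original report and is not any vendor's or standard's implementation. `PassportAuthority`, the claim fields, and the HMAC-signed passport are assumptions made for illustration; a production issuer would use asymmetric signatures so that verifiers hold no secret.

```python
import hashlib
import hmac
import json
import time


class PassportAuthority:
    """Hypothetical KYA issuer/verifier; names and fields are illustrative."""

    def __init__(self, key=b"constructed-demo-key"):  # constructed key, demo only
        self._key = key
        self.revoked = set()
        self.audit_log = []

    def _sign(self, claims):
        body = json.dumps(claims, sort_keys=True, default=str).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()

    def issue(self, agent_id, developer, principal, scopes, ttl=300, now=None):
        # Steps 1-2: register identity and permission scope, then issue the passport.
        now = time.time() if now is None else now
        claims = {"agent": agent_id, "developer": developer,
                  "principal": principal, "scopes": sorted(scopes), "exp": now + ttl}
        return {"claims": claims, "sig": self._sign(claims).decode()}

    def revoke(self, agent_id):
        self.revoked.add(agent_id)

    def check(self, passport, action, now=None):
        # Step 3: re-verify on every transaction, not only at issuance.
        now = time.time() if now is None else now
        claims = passport["claims"]
        if not hmac.compare_digest(self._sign(claims), passport["sig"].encode()):
            decision = "deny:bad_signature"   # spoofed or tampered identity
        elif claims["agent"] in self.revoked:
            decision = "deny:revoked"
        elif now >= claims["exp"]:
            decision = "deny:expired"
        elif action not in claims["scopes"]:
            decision = "deny:out_of_scope"    # unauthorized transaction
        else:
            decision = "allow"
        # Step 4: record the outcome against agent, developer and principal
        # (for a bad signature these are the claimed, unverified values).
        self.audit_log.append({"agent": claims.get("agent"),
                               "developer": claims.get("developer"),
                               "principal": claims.get("principal"),
                               "action": action, "decision": decision})
        return decision
```

Every decision, including denials, lands in `audit_log`, which is what closes the accountability gap: a denied out-of-scope action is still attributable to a named principal and developer.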
3. Four players are competing for the standard
There are currently four players in the standards battle, each with entirely different paths.
ERC-8004: Turning identity into an NFT
ERC-8004 follows a purely on-chain approach. It adds an identity layer on top of ERC-721, minting one NFT per agent as a unique identifier.
It is supported by three on-chain registries: Identity handles "who this agent is," using a unique AgentID based on ERC-721. Reputation handles "whether you can transact with it," recording ratings, tags, and evidence on-chain after each transaction. Validation handles "whether the agent actually performed the action," verified by third-party verifiers using plugins such as zkML and TEE.

This structure is not the first of its kind in Ethereum's history. ERC-20 standardized token issuance, with USDT, USDC, UNI, and AAVE all built on top of it. ERC-721 standardized NFT issuance, with CryptoPunks, BAYC, and ENS forming the backbone of the entire NFT market. ERC-8004 is set to assume the same role as the third standard.
Visa TAP: Bundled with a payment network
Visa’s approach is completely different. It issues agents an identity credential (Agent Intent), equivalent to a card. Without this key, an agent cannot even initiate a transaction. Visa pre-approves before issuing the key, and every transaction must include a signature for the merchant.
The merchant receives not one signature, but three. Agent Intent proves the agent’s legitimacy, endorsed by a key approved by VIC. Consumer Recognition indicates who the agent is acting for by transmitting the user identifier to the merchant. Payment Information provides payment assurance, authenticated using a payment token or hashed card information.
Visa bundled all of this into a larger package called Visa Intelligent Commerce (VIC), which includes TAP, Agent APIs (Visa’s proprietary technology for processing Visa card transactions), Tokenization (tokens specifically designed for AI), and Intelligent Commerce Connect (compatible with competing protocols such as AP2, ACP, and x402).
The logic is clear. Visa seized the entry point of the payment network back then, and now it wants to integrate the agent era into its own system. If agent payments continue to rely on card networks, and this bundle becomes the default option, Visa’s market share will remain secure.
Trulioo: Applying the SSL certificate model
Trulioo is a player in the global KYC and KYB compliance space and has now expanded its verification stack to include KYA.
It draws inspiration from the website SSL certificate model, where a Certificate Authority (CA) issues TLS certificates to websites, verifying only the domain. Trulioo’s proposed Digital Passport Authority (DPA) issues Digital Agent Passports (DAP) to agents, verifying developer KYB and user KYC.
DAP is not a static certificate. It is a dynamic token that refreshes and revalidates with each transaction. If a delegation is revoked or an anomaly is detected, the DAP is immediately invalidated.
It has five checkpoints: Provenance (who developed it), User Binding (who authorized it), Permission Scope (what actions it can perform), Behavior Telemetry (what it is currently doing), and Risk Scoring (risk rating).
Banks and fintech are legally required to verify the identities of individuals and companies. Once agents enter the financial sector, Trulioo’s KYC and KYB solutions become even more secure.
Sumsub: Monitor for anomalies, do not issue certificates
Sumsub’s approach differs from the first three companies. It does not issue standards or certificates; instead, it re-verifies the individual behind an agent when abnormal transactions occur.
It has been operating compliantly since 2015, and its verification system is now used to detect anomalous behavior by agents. The process consists of three steps. First, automated detection identifies humans versus machines using device and agent characteristics. Second, a risk score is assigned by analyzing context, transaction amounts, and historical data. Finally, liveness verification is triggered only for high-risk, high-value, or critical changes, reconfirming the identity of the registered real person.
Sumsub’s four features stand out sharply from those of other players. It starts with compliant operators rather than standard setters. Verification occurs at the time of risky transactions, not during pre-registration. The method involves human re-confirmation, not just data or tokens. Its philosophy ties agents to responsible parties rather than blocking agents outright.
Other players perform one-time identity verification before acting, while Sumsub conducts real-time verification after issuance. As agent permissions expand, anomaly detection becomes increasingly critical. Fraud techniques evolve alongside technology, making Sumsub’s real-time stack worth noting.
4. Before regulations are implemented
FATF Travel Rule script
When the FATF Travel Rule was introduced in 2019, the VASP industry immediately split. Those that could withstand the costs of KYC and AML infrastructure survived; those that couldn’t shut down or moved to jurisdictions with lighter regulation. CryptoBridge and Deribit were both forced to adapt during that period.
Regulation is not the end, but a turning point.
This time, the KYA script might be the same. The EU, Singapore, and the U.S. are already vying for the lead.
Article 12 of the EU AI Act explicitly requires that behavior logs of high-risk AI systems include operator identity. Singapore has released the world’s first national AI agent governance framework, extending identity management to agents by requiring each agent to have an accountable party. The U.S. NIST has identified AI agent identity management as a priority standard area.
The time window is closing.
There will be no single winner
The real variable in the standards battle is not technology, but combinations. Major players have entered the phase of collaboration and pairing. Who partners with which merchants, payment networks, and KYC customer bases will determine the ownership of each segment.
There will be no single winner in this market.
For on-chain self-directed trading, Ethereum is likely to lead. For payment-linked transaction scenarios, Visa has a clear advantage. In the regulated financial industry, Trulioo’s KYC and KYB capabilities are hard to replace. For transactions with fraud risk, Sumsub’s real-time detection is more suitable.
The four are not direct competitors; each occupies its own territory. The real competition lies in which scenarios are assigned to which territory.
KYC took thirty years, starting in 1989, to complete the identity layer of global finance.
This round seems to be moving much faster. Regulators have already acted, major players have positioned themselves, and the window for large-scale deployment may be just the next few years.
By then, the ones that survive won't necessarily be the ones with the strongest technology, but those that integrated identity infrastructure the earliest.
