From KYC to KYA in agentic commerce.
Payment ecosystems are already exporting their KYC and risk playbooks into the agentic world. Agentic commerce frameworks and emerging protocol standards introduce:
Agent registration and payment enablement, so only vetted AI agents can hold tokenised credentials and transact on the network.
Trusted agent onboarding flows, where agents are vetted upfront, assigned cryptographic keys, and required to sign their traffic so merchants and intermediaries can distinguish trusted shopping agents from generic bots at the edge.
Agent bound tokens and verifiable intent artefacts, which bind an AI agent, a payment credential and a signed intent record together so that downstream participants can verify that a transaction is linked to a specific agent and a specific mandate.
In parallel, the Agent Payments Protocol (AP2) has emerged as an open protocol for the agent economy, designed to enable secure, reliable and interoperable agent driven payments across networks and payment methods.
In this verifiable layered credential architecture, shopping agents are explicitly identified inside the user’s verifiable credential so they are cryptographically authorized to act on behalf of the cardholder or to use the cardholder’s payment instrument within predefined bounds. At the “autonomous” layer, the user delegates to a specific agent by embedding the agent’s public key. When the agent later constructs checkout or payment credentials, it signs them with this bound key and proves possession, giving merchants and payment providers a portable, independently verifiable record that this specific authorised agent, and not some arbitrary client, is the one exercising the user’s delegated payment intent
Why KYA matters (and what it actually checks).
KYA is the necessary foundation because payment ecosystem actors cannot just trust “any agent” claiming to represent a cardholder. At a minimum, providers must show that they operate a hardened agent platform aligned to modern LLM security guidance, as catalogued in industry standards like the OWASP.
On the identity side, KYA is about giving each agent a cryptographically verifiable identity rather than treating it as an opaque API consumer. Such cryptographic proof binds an agent ID, model/version metadata and capabilities to a provider’s signature; these credentials can be presented during interaction with other actors and checked by payment networks before an agent ever receives a payment token.
The limits of static KYA.
The problem is that all of this is fundamentally pre runtime trust. Provider audits, architecture diagrams, signed keys and onboarding flows tell you who built the agent and how it was configured, but they do not guarantee what it will do in production.
AI agents are non deterministic: the same input can produce different outputs across runs because they’re driven by probabilistic models and continuously evolving context. Even in tightly controlled settings, large language models exhibit quantifiable “non deterministic drift” across repeated runs, which becomes more pronounced under distribution shift and model updates. In real systems, this drift is amplified by:
Prompt injection and reasoning manipulation. An attacker can embed instructions to add hidden line items, swap merchants or always reach spend caps, while the HTTP signatures and KYA credentials all look valid.
Memory poisoning – long lived agents with persistent memory can be gradually conditioned so that later, perfectly normal prompts trigger malicious actions
Supply chain attacks – compromised MCP tools, plugins or marketplaces can shift agent behaviour without touching its outer identity: the agent is “the same,” but the tool it calls now exfiltrates data or alters cart payloads.
Emergent scope creep – even without an attacker, agents exhibit emergent behaviours as models, prompts or tools change; they start taking actions that violate implicit business policies, like repeatedly choosing higher‑risk merchants or reinterpreting vague user prompts to justify larger spends.
None of these failure modes are visible in the static credentials that KYA validates or in the agentic protocols leveraging on verifiable credentials. The agent’s identifiers and keys remain intact and the poisoned constraints captured within verifiable credentials are not detectable by the user; what drifts is the chain of decisions between “user intent” and “payment request.”
On top of that, a “shopping agent” in production is rarely a single, frozen model. It is usually an orchestration of multiple evolving sub‑agents, tools and workflows, each with its own prompts, models and release cadence. Freezing a single agent version for certification quickly becomes unrealistic as providers ship frequent model updates, swap tools, or re‑wire sub‑agent topologies; the effective behaviour of the system can change without any visible modification to the original KYA credential.
Relying solely on static KYA therefore creates a dangerous illusion of control: the paperwork says “same agent,” but the live, multi‑agent system has evolved, which is exactly why continuous, runtime verification is required.
Discover more in our agentic AI commerce blog series:
Chapter I: Agentic AI and payments: when AI gets a wallet and a will of its own.
Chapter II: Agentic commerce: when your wallet gets a brain.
Chapter III: Agentic commerce: issue on Llamas.
Chapter IV: Rethinking security in the age of agentic AI.
Chapter V: From emotion to algorithms: why Agentic Commerce needs a new trust layer.
Chapter VI: Closing the trust gap in agentic commerce.
Chapter VII: Trust framework: building verifiable trust for autonomous transactions.
Jean Luc Di Manno, Innovation Lead
Jean Luc Di Manno has over a decade of experience in the payments and authentication industry, with a strong focus on consulting and solution architecture. His expertise spans testing‑tool design, secure payment technologies, and digital identity, with an increasingly strategic perspective on how AI agents reshape commerce, risk, and trust in the payment ecosystem.
At Fime, Jean Luc is a Consultant and Solution Architect who leads innovation initiatives through Hyperlab. He works at the intersection of payments, authentication, digital identity, and smart mobility, helping clients explore new technologies and turn ideas into practical solutions. He also actively participates in international standards bodies and industry working groups such as W3C and FIDO, contributing to the evolution of secure and interoperable payment and authentication frameworks that can support emerging agentic AI commerce models.
Prior to his current role, Jean Luc designed and delivered testing‑tool architectures and led technical consulting missions for a range of stakeholders in the payments and authentication ecosystem, supporting the deployment and evolution of secure payment and payment‑related services.
This background informs his current focus on understanding how AI agents interact with payment rails, authentication, and fraud controls, and how to design trustable ecosystems where agentic AI commerce can grow safely and at scale.
