For data teams and security engineers building agentic systems, the central operational challenge is replacing human-centric authentication and authorization with machine-native identity and continuous control. As AI agents gain the ability to transact autonomously, existing identity infrastructure was not designed to verify, authorize, or audit them at scale.
Scale of the shift
According to Johnny Ayers (CEO, Socure), writing in PYMNTS on June 29, 2026, AI-driven traffic to US retail sites had risen 805% year over year by Black Friday 2025, with agents driving over $22 billion in global online sales (citing Adobe data). The global AI agents market, valued at $5.4 billion in 2024, is projected to reach $236 billion by 2034 (Grand View Research, per the article). Ayers also notes via WEF (January 2026) that bots now generate almost 50% of all internet traffic, with bad bots comprising nearly a third (Imperva data), making human-verification-only frameworks structurally inadequate.
The KYA framework
The article frames a Know Your Agent (KYA) framework, modeled on historical Know Your Customer (KYC) practices. Per Ayers, KYA requires four capabilities:
- Establishing who and what the agent is
- Confirming the agent's permitted actions and limits
- Maintaining accountability for every action taken
- Continuously monitoring behavior against approved parameters
Ayers emphasizes that KYA must sit on top of robust KYC: "Agent identity is only as trustworthy as the underlying human or organizational identity it represents."
Engineering implications
Implementing KYA at scale touches identity-proofing, delegated-authorization standards (OAuth 2.0/2.1, DPoP-like patterns, OIDC), machine attestation, cryptographic key management, and high-frequency telemetry for anomaly detection. NIST's National Cybersecurity Center of Excellence published a concept paper in February 2026 identifying MCP, OAuth 2.0/2.1, OIDC, SPIFFE/SPIRE, and SCIM as candidate standards for agent identity. For practitioners, these map to: machine-identity lifecycle, policy-expressed authorization, tamper-evident logging, and real-time policy enforcement.
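As an added illustration (not code from the article or from any standard it names), the sketch below shows three of those practitioner concerns together: a policy-expressed grant, per-request enforcement of permitted actions and limits, and a tamper-evident audit trail. The grant fields, the `AgentGate` class and `verify_log` are hypothetical names, and agent authentication (token or attestation validation) is assumed to have happened upstream.

```python
import hashlib, hmac, json

# Constructed delegation grant; every field name here is an assumption.
GRANT = {
    "agent_id": "agent-7f3a",         # constructed agent identifier
    "principal": "user-1042",         # KYC-verified party the agent acts for
    "actions": ["search", "purchase"],
    "max_cents": 20000,               # per-transaction limit
    "budget_cents": 50000,            # cumulative limit for this grant
}

class AgentGate:
    """Enforces a grant per request and keeps an HMAC-chained audit log."""
    def __init__(self, grant, key):
        self.grant, self.key = grant, key
        self.spent, self.log, self.prev = 0, [], "0" * 64

    def _append(self, record):
        # Each MAC covers the previous MAC, so edits or mid-log deletions break the chain.
        body = self.prev + json.dumps(record, sort_keys=True)
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        self.log.append({"record": record, "mac": mac})
        self.prev = mac

    def authorize(self, agent_id, action, cents=0):
        g, reason = self.grant, None
        if agent_id != g["agent_id"]:
            reason = "unknown_agent"
        elif action not in g["actions"]:
            reason = "action_not_permitted"
        elif not 0 <= cents <= g["max_cents"]:
            reason = "transaction_limit"
        elif self.spent + cents > g["budget_cents"]:
            reason = "budget_exceeded"
        else:
            self.spent += cents
        # Allowed and denied requests are both logged against the principal.
        self._append({"agent": agent_id, "principal": g["principal"],
                      "action": action, "cents": cents, "reason": reason})
        return reason is None

def verify_log(log, key):
    """Recompute the chain; False if an entry was altered, reordered or cut from the middle."""
    prev = "0" * 64
    for entry in log:
        body = prev + json.dumps(entry["record"], sort_keys=True)
        mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, entry["mac"]):
            return False
        prev = mac
    return True
```

Truncating the end of the log is not detected by the chain alone; the latest MAC would need to be anchored somewhere the log writer cannot modify.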
Risk framing
Gartner projects that 1 in 4 enterprise breaches by 2028 could stem from AI-agent exploitation (per Ayers/WEF). Without interoperable identity and authorization primitives, each agentic integration creates bespoke trust gaps that are difficult to audit or remediate at scale.
What to watch
Track whether standards bodies (NIST, IETF), major identity providers (Okta, Ping), or cloud vendors publish interoperable machine-identity and delegation primitives. Okta's "AI Agents at Work 2026" report and IANS Research coverage indicate the gap between enterprise agentic ambitions and actual IAM maturity is widening. Absent standardization, bespoke solutions will increase integration friction and detection blind spots.
Key Points
1. Agent-driven transactions require machine-native identity and continuous authorization, not just human-centric KYC processes.
2. A Know Your Agent framework centers on identity, permitted actions, accountability, and continuous monitoring to reduce impersonation and fraud.
3. Standards and vendor primitives for machine identity and delegated authorization will determine how quickly KYA can be implemented at scale.
Scoring Rationale
The KYA concept is directly relevant to security and identity engineering teams building agentic systems, and the market-scale statistics are corroborated by Adobe and Grand View Research. Impact is capped because the piece is a vendor CEO opinion column (Socure's business aligns with KYA adoption) rather than a standards release, research paper, or major vendor commitment, and no interoperable KYA standard has been published yet.



