TL;DR: AI agent adoption in Greater China is running ahead of understanding, with fewer than half of consumers able to identify an AI agent and 44% already reporting a negative outcome linked to use, according to SumSub. The governance problem is not capability alone, but whether users can verify delegated action and retain accountability.
At a glance
What this is: This survey says AI agent adoption in Greater China is advancing faster than consumer understanding, and trust signals such as verification and review controls are becoming decisive.
Why it matters: It matters because IAM, NHI, and autonomous governance teams need to design for delegation, traceability, and user-visible control before agent use becomes normalised.
By the numbers:
- The Sumsub Greater China AI Agents Consumer Trust Survey was conducted among 1,050 respondents.
- 44% of consumers reported at least one negative outcome associated with AI agent use.
- 82% of consumers in Mainland China say a verified AI agent label would make them more comfortable using one.
Context
AI agent trust is becoming an identity problem, not just a product design problem. When a consumer cannot tell whether software is acting as an assistant or as a delegated agent, the boundaries for authorisation, accountability, and fraud controls start to blur.
Greater China is a useful stress test because users already live inside integrated digital platforms, while regulators are warning that agentic AI can be granted access to files, emails, credentials, external services, and multi-step workflows. The issue is no longer whether AI can act, but whether its identity, permissions, and actions can be verified at the point of use.
Key questions
Q: How should security teams verify AI agents before allowing delegated actions?
A: Use a registration model that binds the agent to a responsible person or organisation, records its purpose, and issues a stable identity signal that can be checked at runtime. Verification should prove legitimacy, but it should not automatically grant broad access. The agent still needs scoped permissions, logging, and revocation controls.
Q: Why do AI agents complicate fraud and identity controls?
A: Because they can act across multiple systems without a human click for each step, which makes it harder to distinguish authorised delegation from abuse. If controls still assume a single user session and a visible human decision for every action, agentic workflows create gaps in traceability, accountability, and fraud detection.
Q: What breaks when consumers cannot tell an AI agent from ordinary automation?
A: Delegation becomes unsafe because users may grant real authority to software they do not understand, and attackers can hide inside that confusion. When identity labels are unclear, consent, accountability, and permitted scope all weaken at once, which raises the risk of unauthorized actions and account abuse.
Q: Who should be accountable when an AI agent causes a harmful action?
A: Accountability should sit with the organisation that enabled the agent, the team that defined its permissions, and the person or business function that authorised its use. In practice, no agent should be allowed to operate without a named owner, a review path, and a revocation mechanism.
Technical breakdown
Verified agent identity and delegated authority
AI agents become a governance issue when they are allowed to act on behalf of a user without a reliable way to establish what they are, who authorised them, and what they can touch. In practice, that means identity is no longer just about login, but about binding a software actor to a responsible person or organisation. In delegated environments, the control plane has to distinguish legitimate agentic action from automation that merely looks similar. KYA, or Know Your Agent, is the emerging pattern for that distinction, because it extends identity verification into the delegated execution layer.
Practical implication: security teams need a verifiable trust signal for agent identity before they permit any delegated action.
Why review-before-execution matters
The survey’s strongest signal is not simply that consumers want control, but that they want review before action. That is a classic sign that autonomy must be bounded by the risk of the task. For payments, account changes, data sharing, or external purchases, the user needs an approval checkpoint because the downside of a mistaken or malicious action is immediate. This is the same governance logic IAM teams use in privileged workflows: high-impact action needs a visible authorisation boundary, not just a capable assistant.
Practical implication: align approval gates to the sensitivity of the action, not to the sophistication of the agent.
Fraud controls must treat agents as actors, not tools
Once agents can complete tasks across apps, messaging systems, and commerce platforms, fraud controls have to treat them as actors in their own right. That means tracing who initiated the action, whether the agent stayed within scope, and whether the resulting behaviour matches the claimed purpose. If the security model still assumes that every action maps cleanly back to a human click or a static account, agentic workflows will create blind spots. The verification layer has to sit alongside telemetry, account linking, and abuse detection, not replace them.
Practical implication: extend fraud and IAM telemetry so agent actions can be traced, challenged, and revoked at runtime.
Threat narrative
Attacker objective: The attacker aims to exploit delegated trust so that legitimate-looking agent activity produces fraudulent or harmful outcomes without immediate user recognition.
- Entry occurs when a user or business platform delegates real-world actions to an AI agent inside a trusted digital environment.
- Escalation follows when the agent is granted access to account credentials, payment functions, files, or multi-step workflows beyond the user’s immediate oversight.
- Impact appears as unintended actions, unauthorized purchases, personal data leaks, fraud, or account compromise when the delegated identity is abused or misunderstood.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
NHI Mgmt Group analysis
AI agent trust is now a delegated identity problem, not a feature problem. The article shows that consumers are willing to hand tasks to software they do not fully recognise, which means the real control question is how delegated authority is established and bounded. That shifts the governance burden from usability alone to identity proof, scoped permissioning, and traceable action. Practitioners should treat agent trust as an access model design issue, not a marketing problem.
Verified AI agent identity: a claim of identity without verification is not trustworthy delegation. This survey makes clear that users want a visible signal that an agent is legitimate before they let it act, especially when money or account access is involved. The field should stop treating agent labels as sufficient and instead require binding between the agent, the initiating user, and the permitted action scope. Practitioners should assume that unlabeled or weakly identified agents will be treated as suspicious automation, even when they are functional.
Consumer review preferences expose a hard boundary for autonomy. The strongest trust signal in the survey is the desire to approve actions before they happen, which shows that autonomy is only acceptable when the consequence of a mistake is low. For higher-risk actions, the governance model must preserve an intervention point where humans can inspect intent before execution. That is not a UX preference alone, it is a boundary condition for accountable delegation. Practitioners should design escalation paths that preserve human review for high-impact tasks.
Know Your Agent will become part of identity governance, but it is not a substitute for control design. Verification can identify a legitimate agent, but it cannot on its own prevent over-scoped delegation, hidden reuse of credentials, or post-verification abuse. The article’s fraud context shows why identity proof must be paired with action monitoring and revocation. Practitioners should treat KYA as one layer in an agent governance stack, not the stack itself.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, which shows the governance debate has already moved past experimentation.
- If you are mapping this risk to control design, review OWASP Agentic AI Top 10 for the identity and delegation failure modes that matter most.
What this signals
Verified agent identity will become a procurement and control requirement, not an optional trust feature. With 70% of organisations already granting AI systems more access than they would give a human employee performing the same job, per the 2026 Infrastructure Identity Survey, the market is already normalising over-delegation before governance catches up. Teams should expect scrutiny around how an agent is bound to an owner, what action scope it receives, and how its activity can be revoked without breaking the surrounding workflow.
KYA-style verification will matter most where agentic actions cross payment, account, and data boundaries. Consumer trust rises when there is a recognisable identity signal, but trust does not replace policy. Security teams should prepare for controls that separate authentication of the agent from authorisation of the action, with audit trails that survive across platforms and channels.
The practical pressure point is not whether AI can automate more work, but whether programmes can preserve accountable delegation as autonomy expands. That means aligning IAM, fraud, and application teams around the same question: who can prove this agent is allowed to act, and who can stop it when the scope changes?
For practitioners
- Implement verified agent registration: Bind each approved AI agent to a responsible user or organisation, record its purpose, and require a stable identity signal before allowing it to act in customer journeys or internal workflows.
- Enforce approval gates for high-risk actions: Require user review before purchases, account changes, data sharing, or external service calls, and keep those checkpoints consistent across web, mobile, and messaging channels.
- Trace delegated actions end to end: Log who initiated the request, which agent executed it, what permissions were used, and whether the action stayed within the approved scope so fraud teams can challenge abuse quickly.
- Separate agent verification from authorisation: Treat identity proof as a prerequisite, not a permission grant, and use distinct policy logic for authentication, delegation scope, and revocation.
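The four controls above can be combined into one runtime decision, sketched here as an added Python example that is not SumSub's or NHIMG's code. All names (AgentRecord, REGISTRY, DELEGATIONS, HIGH_RISK, decide, revoke) and the sample data are constructed assumptions.

```python
# Added illustration: every name and value below is hypothetical sample data.
from dataclasses import dataclass

@dataclass
class AgentRecord:
    owner: str      # responsible person or organisation
    purpose: str    # recorded purpose of the agent
    revoked: bool = False

# Agent registration (identity proof), constructed for the example.
REGISTRY = {"agent-shop-01": AgentRecord("acme-retail", "order assistant")}
# Delegation scope, kept apart from identity: (initiating user, agent) -> actions.
DELEGATIONS = {("alice", "agent-shop-01"): {"read_orders", "purchase"}}
# Action types the page says need user review before execution.
HIGH_RISK = {"purchase", "account_change", "data_share", "external_call"}
AUDIT_LOG = []

def decide(agent_id, user, action, user_approved=False):
    """Return 'allow', 'needs_approval' or 'deny' and log the decision."""
    rec = REGISTRY.get(agent_id)
    scope = DELEGATIONS.get((user, agent_id), set())
    if rec is None:
        decision, reason = "deny", "unregistered agent"
    elif rec.revoked:
        decision, reason = "deny", "agent revoked"
    elif action not in scope:
        # Verified identity alone grants nothing.
        decision, reason = "deny", "outside delegated scope"
    elif action in HIGH_RISK and not user_approved:
        decision, reason = "needs_approval", "high-risk action awaits user review"
    else:
        decision, reason = "allow", "verified and in scope"
    AUDIT_LOG.append({"initiator": user, "agent": agent_id,
                      "owner": rec.owner if rec else None, "action": action,
                      "decision": decision, "reason": reason})
    return decision

def revoke(agent_id):
    """Revocation takes effect on the next decision, whatever the scope."""
    REGISTRY[agent_id].revoked = True
```

User approval only lifts the review gate: an out-of-scope or revoked agent is denied even when `user_approved=True`, and every outcome, including denials, lands in the audit log.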
Key takeaways
- AI agents create an identity governance problem because users may delegate real authority to software they cannot reliably recognise.
- The survey shows a wide gap between adoption and understanding, with 44% of respondents already reporting at least one negative outcome linked to AI agent use.
- Practitioners need verified agent identity, scoped permissions, and review-before-execution controls for high-risk actions.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | NHI-01 | Agent identity and delegated action risk are central to this survey. |
| NIST AI RMF | GOVERN | Accountability and governance for autonomous-like agents align with AI RMF GOVERN. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and controlled delegation are core to the trust issue. |
Assign explicit ownership for agent behaviour and document approval boundaries under AI RMF GOVERN.
Key terms
- Know Your Agent: A verification approach for AI agents that establishes who or what the agent is, who is responsible for it, and what it is allowed to do. In identity governance, KYA extends trust from a human user to the delegated software actor and the action scope it may exercise.
- Delegated Authority: Permission granted to a software actor to act on behalf of a person or organisation. The key governance question is not whether the agent can act, but whether its scope, purpose, and accountability are explicit enough to prevent misuse or overreach.
- Verified AI Agent Label: A user-visible trust signal that indicates an agent has been identified and checked against a known governance policy. A label is useful only when it is tied to a real identity record, permission scope, and revocation path, otherwise it becomes a cosmetic indicator with little security value.
- Approval Boundary: The point at which a user must inspect or authorise an AI agent’s proposed action before it executes. In agentic governance, this boundary is what keeps high-impact tasks from becoming fully opaque automation and helps preserve accountability when consequences are material.
This post draws on content published by SumSub: Building Trust as AI Agents Take Hold, Greater China Survey Results. Read the original.
Published by the NHIMG editorial team on 2026-06-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org