TL;DR: The IMF’s first formal note on agentic AI in payments argues for Know Your Agent, but the verification stack it endorses still leaves a human-authentication gap at high-stakes execution, according to Incode. The real control problem is no longer bot identity alone; it is proving the human behind delegated authority when agent actions exceed the original mandate.
At a glance
What this is: This is an independent analysis of the IMF’s Know Your Agent framing and its main limitation: the standards it endorses verify the agent and mandate, but not the human behind high-stakes delegated action.
Why it matters: IAM, fraud, and identity teams need to understand where agent verification ends and human verification begins, because delegated authority gaps will cut across NHI, autonomous, and human identity programmes.
👉 Read Incode's analysis of the IMF's Know Your Agent framework and its human verification gap
Context
Know Your Agent is an emerging identity and authorization model for agentic payments: it seeks to verify the software agent, the mandate it operates under, and the authority attached to that mandate. The problem is that this still does not answer the hardest identity question in high-stakes workflows, which is whether the person behind the delegation is the right person, at the right time, for the right action.
That gap matters because payment systems are deterministic, while AI agents are probabilistic and can act beyond the narrow assumptions built at mandate creation. For identity programmes, the issue is not only bot authentication or OAuth scope. It is whether delegated authority can be revalidated when the action exceeds what the original human sign-off actually covered.
Key questions
Q: How should security teams handle delegated authority when AI agents initiate payments?
A: Security teams should treat delegated authority as time-bound and context-bound, not as a permanent license to execute. The control goal is to verify the agent, the mandate, and the human behind the delegation when the action crosses a defined risk threshold. That means escalation rules, re-authentication steps, and clear accountability for high-stakes transactions.
Q: Why do AI agents create a different identity problem than ordinary automation?
A: AI agents can decide how to pursue an objective at runtime, which means the identity issue is not just whether they are authenticated. The harder problem is whether the original mandate still matches the action path they choose. That makes runtime assurance and delegated approval more important than a one-time registration event.
Q: What breaks when a mandate is reused for higher-risk actions?
A: What breaks is the assumption that the original authorization still describes the current transaction. Once the action becomes materially different in value, recipient, or purpose, a standing mandate no longer proves the human intended that outcome. Without a fresh verification step, accountability and fraud detection both weaken.
Q: Who is accountable when an agent acts outside its intended scope?
A: Accountability should sit with the party that approved the mandate, the party that built the execution rules, and the organisation that allowed the higher-risk action to proceed without re-verification. In regulated environments, that shared responsibility must be explicit before deployment, because dispute handling depends on it.
Technical breakdown
Why Layer 2 identity controls do not close the human verification gap
The IMF’s three-layer model separates intent and orchestration from authorization and settlement, which is the right architectural idea for payments. Layer 2 is where identity, mandates, and compliance belong, so standards such as OAuth, OpenID Connect, and verifiable credentials can prove that an agent is registered and operating within declared scope. But those primitives only authenticate the actor and the mandate. They do not prove whether the human who granted authority is still the right human, still present, or still aligned to the action being attempted. That distinction becomes critical when an agent initiates a transaction that exceeds the original delegation context.
Practical implication: Treat agent verification and human verification as separate controls, not one control with a broader label.
Structural versus transactional authorization in delegated payments
Structural authorization means a standing mandate exists for a class of actions. Transactional authorization means the specific action is re-evaluated at execution time. AI agents expose the weakness in conflating the two, because they can initiate actions that are valid in structure but risky in context. A low-value recurring payment may remain safely inside the original mandate, while a high-value insurance claim or financial transfer may not. The security issue is not the existence of delegation. It is the point at which the delegated scope no longer captures the real intent behind the action being executed.
Practical implication: Define explicit escalation thresholds for when delegated actions must be re-authorized before completion.
Why probabilistic reasoning changes identity assurance in payment flows
Payment rails depend on deterministic outcomes, but AI agents reason probabilistically and can produce different action paths from the same input. That means the identity programme cannot assume a fixed relationship between request, intent, and execution. When the agent can decide how to pursue a goal, identity assurance must follow the whole decision path, not just the login or the mandate issuance event. This is where conventional fraud logic starts to break down, because it assumes a human-patterned actor behind the transaction rather than a runtime decision system operating within delegated authority.
Practical implication: Review payment controls for assumptions that rely on stable human behaviour rather than runtime decision traces.
Threat narrative
Attacker objective: The objective is to complete a high-value transaction or claim using delegated authority without re-verifying the human behind the action.
- Entry occurs when a registered agent acts under a legitimate mandate and submits a payment or claim within its delegated scope. Escalation occurs when the action exceeds the original authorisation context and the system lacks a fresh human verification step. Impact follows when the transaction is accepted without proving that the human behind the delegation is the right person for that high-stakes action.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Know Your Agent is an incomplete identity model unless it also resolves the human behind delegated action. The IMF gets the architectural separation right, but the standards it cites prove the agent and the mandate, not the living identity behind the authority. For regulated payments, that leaves a control gap at the exact moment a transaction exceeds its original delegation context. Practitioners should treat human re-verification as a distinct governance requirement, not a side effect of agent authentication.
Structural versus transactional authorization is the real fault line in agentic payments. A standing mandate can be sufficient for low-risk, bounded actions, but it becomes a liability when the same agent can escalate into a materially different transaction. That is not a tooling problem, it is a governance boundary problem. The implication is that identity teams must stop treating delegated scope as if it were equivalent to live approval.
Probabilistic agent behaviour breaks the assumption that intent is known at provisioning time. Traditional payment and IAM models assume the actor’s purpose is stable enough to be authorised once and reused safely. That assumption fails when the agent can re-plan, re-route, or choose a higher-risk action path at runtime. The implication is that least privilege for agents cannot be defined only at onboarding or mandate creation.
Know Your Agent will become a compliance issue before it becomes a purely technical one. The paper’s own risk matrix acknowledges that traceability breaks down when agents initiate transactions without transaction-level instructions. Once that happens, attribution, accountability, and dispute handling all become harder, not easier. For identity leaders, this means payment assurance, fraud controls, and delegated access governance now share the same failure surface.
Continuous identity assurance is the missing concept in this debate. The useful boundary is no longer just identity verification at login or registration. It is whether the person behind delegated authority remains provable at the point of high-stakes execution, especially when the action exceeds the original mandate. Practitioners should read Know Your Agent as a prompt to redesign verification depth, not as a finished control model.
From our research:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, according to SailPoint research on AI agent behaviour.
- The relevant forward view is not whether adoption slows, but whether delegated authority models can survive scale without collapsing into exception handling and manual review.
What this signals
Continuous identity assurance is becoming the missing control layer for agentic payments, because a mandate alone no longer proves that the right human intended the right transaction. As AI agents move from bounded automation into delegated execution, IAM and fraud teams will need stronger triggers for re-verification at the point of high-stakes action, not just at enrollment.
The programme implication is broader than payments. Any workflow that allows a software actor to reuse a human-approved mandate, whether in claims, procurement, or financial operations, now needs a defined threshold for when delegation expires and fresh authority is required. That change should be tracked alongside identity governance and fraud controls, not as a separate AI project.
For practitioners
- Separate agent verification from human verification Map which payment and claim flows only prove the bot and mandate, then identify where the human behind delegated authority must be re-checked before completion. This is especially important where the action size, beneficiary, or risk profile changes after mandate creation.
- Set escalation thresholds for mandate overreach Define the transaction conditions that require fresh approval, such as value jumps, new payees, or action types outside the original authorization scope. Treat these as control points in the workflow rather than exception handling after the fact.
- Audit for structural versus transactional authorization gaps Review whether your current controls only prove standing authority or also verify the specific action at runtime. The gap is most visible in recurring payments, delegated claims, and agent-initiated transfers that exceed the original assumptions.
- Document who is accountable when delegation is reused Clarify who owns the decision to allow agent-initiated action without re-verification, and under what conditions that decision expires. Use that ownership map to align IAM, fraud, legal, and compliance review paths.
Key takeaways
- Know Your Agent solves only part of the identity problem if the human behind delegated action is still unverified at execution time.
- The key evidence is the gap between standing mandate logic and the need for transaction-level revalidation when an agent exceeds its original scope.
- Practitioners should redesign delegated workflows so that high-stakes actions trigger fresh assurance, clear accountability, and explicit escalation thresholds.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 address the attack surface, NIST AI RMF, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the technical controls, and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST AI RMF | GOVERN | The article focuses on accountability and governance for agentic payment decisions. |
| OWASP Agentic AI Top 10 | The piece addresses agent identity, mandate scope, and runtime action boundaries. | |
| NIST CSF 2.0 | PR.AC-4 | Access permissions and least privilege are central to mandate-based agent execution. |
| NIST Zero Trust (SP 800-207) | The article’s separation of intent, authorization, and settlement aligns to zero-trust verification. | |
| GDPR | Art.5 | Human identity and delegated authority can involve personal data in regulated workflows. |
Review delegated agent entitlements against PR.AC-4 and tighten scope before high-value execution.
Key terms
- Know Your Agent: A delegated identity model for agentic systems that verifies the software agent, the mandate it operates under, and the authority attached to that mandate. In practice, it is only useful when governance also resolves when the human behind the delegation must be re-verified before a high-stakes action is allowed.
- Structural Authorization: A standing approval model that allows a class of actions under defined conditions. It is useful for bounded, low-risk workflows, but it cannot be treated as proof that every future transaction still matches the original intent or risk level.
- Transactional Authorization: A control that evaluates a specific action at the point of execution rather than relying only on prior permission. In agentic and delegated workflows, it is the difference between a valid mandate and a current decision that still deserves approval.
- Continuous Identity Assurance: An approach to identity verification that treats trust as something to be revalidated when context changes, not just established at enrollment or login. For agentic payments, it means the human behind delegated authority may need fresh proof at the point of high-stakes execution.
What's in the full article
Incode's full article covers the operational detail this post intentionally leaves for the source:
- The IMF table and Layer 2 model discussion that frames where mandate verification fits in agentic payments.
- The specific public-sector recommendation text on verifying both the AI agent's identity and the user's delegated authority.
- The author’s detailed comparison of KYC's maturity curve and what that implies for Know Your Agent adoption.
- The original examples that distinguish low-risk delegated actions from high-stakes execution requiring renewed human assurance.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing identity governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org