By NHI Mgmt Group Editorial Team | Published 2026-05-21 | Domain: Agentic AI & NHIs | Source: 1Kosmos

TL;DR: KYC and KYE verify customers and employees at entry, but autonomous AI agents act at execution time, which leaves a governance gap, according to 1Kosmos. The key problem is not registration, but proving human accountability at the moment an agent takes a consequential action.


At a glance

What this is: This is an analysis of how KYC, KYE and KYA form a progression from entry-time identity checks to execution-time governance for AI agents.

Why it matters: It matters because IAM teams now have to govern customers, employees and autonomous software with different verification models, not one shared control pattern.



Context

The primary issue here is that identity verification at registration does not solve execution-time accountability for autonomous software. KYC and KYE were built to confirm who is entering a system or employment relationship, but AI agents can keep acting after registration and without a human present at the moment of consequence.

That creates a real governance gap for IAM, PAM and lifecycle teams. If an agent can decide, select tools, and act at machine speed, the control point moves from onboarding to runtime authorisation, and the organisation needs a way to tie every consequential action back to a verified human authority.


Key questions

Q: How should security teams govern autonomous agents that can act without human approval?

A: Security teams should govern autonomous agents with runtime authorisation, not just onboarding checks. The key control is to require a verified human decision before consequential actions reach systems, data or tools. That means classifying agent actions by risk, binding each high-risk action to accountability, and treating the agent as a separate identity lifecycle object.

Q: Why do KYC and KYE controls fall short for AI agents?

A: KYC and KYE verify identity at entry, but AI agents create risk at execution time. An agent can hold valid credentials and still act beyond intended scope if no control exists at the moment of consequence. That is why organisations need a distinct model for agent identity, authority and traceability.

Q: What breaks when organisations reuse workforce identity processes for AI agents?

A: Workforce identity processes assume a human employee whose authority can be tied to hiring, employment and access review cycles. Autonomous agents do not fit that pattern because they can keep acting after registration, change task scope mid-session and generate actions faster than review cadences can catch. The result is weak accountability.

Q: Who should be accountable when an AI agent takes a high-risk action?

A: Accountability should rest with the verified human authoriser and the organisation operating the agent, not with the agent itself as a standalone trust object. The control goal is to ensure every consequential action can be traced to a current policy decision and a named approver before execution completes.


Technical breakdown

Why registration-time identity checks fail for autonomous agents

KYC and KYE both assume that identity verification happens before the risky action occurs. In those models, a person is authenticated or vetted, then allowed to operate within a defined scope. Autonomous agents break that assumption because the meaningful decision happens after registration, when the agent interprets a prompt, selects tools, and executes actions without waiting for a human to approve each step. That is why entry controls alone do not govern agent behaviour. The real boundary is not account creation, but the execution plane where actions become consequential.

Practical implication: move governance from onboarding review to runtime authorisation checkpoints.

Runtime authorisation as the control point for agent identity

Runtime authorisation means validating the specific action at the moment it is about to happen, not trusting that a prior identity check remains sufficient. For autonomous systems, this requires policy thresholds that distinguish routine actions from consequential ones and bind the latter to a verified human authoriser. That is materially different from a login or provisioning workflow, because the agent may already hold valid credentials while still needing separate approval for the action itself. This is the control pattern KYC and KYE cannot supply on their own.

Practical implication: define which agent actions must be intercepted before tool execution.

How KYC, KYE and KYA map to identity governance

KYC governs customers, KYE governs employees, and KYA governs agents. The useful insight is not that these are three separate ideas, but that they are three layers of the same accountability principle applied to different actor types. Each framework answers a different question: who is entering, who is working, and what software is acting under whose authority right now. For identity architects, that means agent governance should not be bolted onto workforce identity as an afterthought. It needs its own runtime model tied to authorisation and traceability.

Practical implication: model agent identity as a separate governance domain, not as a variant of employee access.


Threat narrative

Attacker objective: The objective is to use trusted agent credentials and weak execution controls to make autonomous actions look authorised while bypassing human accountability.

  1. Entry occurs when an AI agent is registered with valid credentials or a trusted development workflow and appears legitimate to existing controls.
  2. Escalation occurs when that agent uses persistent access to make decisions, select tools, and reach systems without a human approval gate at execution time.
  3. Impact occurs when the agent takes consequential actions beyond intended scope, such as modifying systems, exposing data, or triggering harmful transactions.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

KYC and KYE were designed for actors whose trust could be established before execution. That assumption fails when the actor is autonomous because the consequential decision is made at runtime, not at registration. The implication is that identity governance must stop treating earlier verification as durable proof of authority. The article correctly shows that autonomous software changes the timing of control, not just the identity subject. That is why runtime accountability becomes the real governance boundary for agentic systems. Practitioners should stop assuming that pre-approved credentials fully answer the authorisation question.

Runtime authorisation is the new identity perimeter for agentic systems. The article's KYA model usefully reframes the problem as action validation rather than account validation. In NIST CSF terms, this is a governance and access control issue, not merely an authentication issue. The practitioner conclusion is that the security boundary now sits at execution, where policy must decide whether a specific agent action is allowed.

Agent identity should be governed as a distinct non-human identity class, not folded into workforce access programmes. The article shows why employee verification models cannot absorb autonomous software without losing precision. OWASP-NHI and Zero Trust thinking align here because the question is no longer whether the agent has a credential, but whether its current action still fits the verified scope. The practitioner implication is that agent identities need their own lifecycle, traceability and escalation model.

KYA is best understood as a control model for preventing accountability collapse. Once an agent can act without a human in the loop, the old linkage between identity and intent weakens. That does not just create risk; it changes what identity governance is supposed to prove. The field should now measure whether consequential actions can still be attributed to a verified human authoriser before execution completes.

From our research:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
  • Only 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, sharing sensitive data and revealing credentials, according to AI Agents: The New Attack Surface report.
  • For a broader control lens, read OWASP NHI Top 10 for the runtime risk patterns that matter when agents can select tools and act independently.

What this signals

Agent governance is moving from policy discussion to control design. The organisations that wait for a mature standards stack will discover that their IAM programme already has an execution-time blind spot. The practical shift is to measure where approval, traceability and revocation still depend on human-paced workflows that autonomous software has already outgrown.

KYA creates a useful boundary for identity programmes that are now spanning workforce, machine and agent identities. Once agent actions can be intercepted before tool execution, the programme can separate entry verification from consequence verification. Teams that want a broader operating model should use Ultimate Guide to NHIs to anchor lifecycle thinking across all non-human identities.

With 48% of companies unable to track and audit the data their AI agents access, the compliance problem is already structural, not hypothetical. That gap should push IAM, PAM and GRC teams to inventory where agent actions remain unauditable before deployment expands further.


For practitioners

  • Map consequential agent actions to runtime approval thresholds: Separate routine actions from actions that can change data, systems or funds, and require real-time human approval before those actions reach the tool layer. Use the threshold to decide where agent autonomy ends and verified human authority begins.
  • Treat agent identity as its own lifecycle object: Assign ownership, scope, review cadence and revocation rules to each agent, including what happens when the developer leaves, the use case changes, or the agent is retired. Do not let agent credentials persist by default under human workforce assumptions.
  • Bind agent actions to verifiable human authority: Ensure every high-risk tool call can be traced back to a named human approver and a current policy decision, not just a valid registration record. This is the accountability link that prevents valid credentials from becoming unreviewed autonomy.
  • Review IAM, PAM and compliance controls for execution-time gaps: Test whether your current controls only prove who was onboarded, or whether they can also prove who authorised the specific action at the moment it occurred. Use that gap to prioritise remediation across agent, workforce and privileged access programmes.
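The runtime authorisation checkpoint described under "Runtime authorisation as the control point for agent identity" and in the first and third practitioner items above, sketched as an added example (not code from 1Kosmos or NHI Mgmt Group). The tool names, approver identity, key and TTL are constructed assumptions, and the HMAC tag stands in for whatever verified-human signature a real deployment would use.

```python
import hashlib, hmac, json, time

# Constructed policy for illustration: tool names, approver and key are hypothetical.
ROUTINE_TOOLS = {"search_docs", "read_ticket"}  # anything not listed is consequential (fail closed)
APPROVER_KEYS = {"alice@example.com": b"constructed-demo-key"}
APPROVAL_TTL = 300  # seconds an approval stays valid

def action_digest(agent_id, tool, args):
    """Canonical hash of the exact action, so an approval cannot be reused for a different call."""
    blob = json.dumps({"agent": agent_id, "tool": tool, "args": args}, sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()

def sign_approval(approver, agent_id, tool, args, issued_at):
    """What the human approver's client would emit after reviewing this specific action."""
    msg = f"{action_digest(agent_id, tool, args)}|{issued_at}".encode()
    tag = hmac.new(APPROVER_KEYS[approver], msg, hashlib.sha256).hexdigest()
    return {"approver": approver, "issued_at": issued_at, "tag": tag}

def authorise(agent_id, tool, args, approval=None, now=None, audit=None):
    """Gate called before every tool execution. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    digest = action_digest(agent_id, tool, args)
    if tool in ROUTINE_TOOLS:
        decision = (True, "routine")
    elif approval is None:
        decision = (False, "approval_required")  # valid agent credentials alone are not enough
    else:
        key = APPROVER_KEYS.get(approval["approver"])
        msg = f"{digest}|{approval['issued_at']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest() if key else ""
        if not key or not hmac.compare_digest(expected, approval["tag"]):
            decision = (False, "approval_invalid")  # unknown approver or different action
        elif not 0 <= now - approval["issued_at"] <= APPROVAL_TTL:
            decision = (False, "approval_expired")  # approval must be current, not historical
        else:
            decision = (True, f"approved_by:{approval['approver']}")
    if audit is not None:  # accountability link: every decision is recorded with the action hash
        audit.append({"agent": agent_id, "tool": tool, "action": digest,
                      "allowed": decision[0], "reason": decision[1], "at": now})
    return decision
```

Because the approval is bound to the hash of the agent, tool and arguments, an approval granted for one transfer does not authorise a later call with a changed amount or target.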

Key takeaways

  • The article shows that identity verification at registration is no longer enough once software can act autonomously at execution time.
  • The governance failure is not only technical scope drift, but also the loss of a clear human accountability link for consequential agent actions.
  • Practitioners should redesign controls around runtime authorisation, traceability and agent-specific lifecycle governance before deployment scales further.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A1 | Agent runtime decisions and tool use are the core issue in this article.
OWASP Non-Human Identity Top 10 | NHI-03 | The article is about non-human identity lifecycle and authority at execution time.
NIST CSF 2.0 | PR.AC-4 | Runtime authorisation and least privilege are central to the KYA model.

Use access control reviews to verify that agent actions still fit current business authority.


Key terms

  • Know Your Agent: Know Your Agent is an identity framework for autonomous software that verifies which agent is acting, under whose authority, and within what scope at the moment of execution. It extends identity governance beyond registration by requiring runtime accountability for consequential actions.
  • Runtime Authorisation: Runtime authorisation is the practice of checking whether a specific action is allowed at the exact moment it is about to happen. For autonomous agents, it matters because a valid credential does not prove the current action still fits the approved scope or the verified human authority behind it.
  • Execution Plane: The execution plane is the operational point where an identity actually performs work, reaches tools, or changes state. In autonomous systems, this is where governance must intervene, because the risk is created by action, not by registration alone.
  • Accountability Link: An accountability link is the traceable connection between a consequential action and a verified human authoriser. In agent governance, that link must survive runtime decision-making so organisations can prove who approved what, when, and under which policy.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme governance, it is worth exploring.

This post draws on content published by 1Kosmos: From customers to employees to agents, the path to KYA. Read the original.
