KYC to KYA: why agent identity needs execution-time governance

TL;DR: KYC and KYE verify customers and employees at entry, but autonomous AI agents act at execution time, which leaves a governance gap, according to 1Kosmos. The key problem is not registration, but proving human accountability at the moment an agent takes a consequential action.

NHIMG editorial — based on content published by 1Kosmos: From customers to employees to agents, the path to KYA

By the numbers:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).

Questions worth separating out

Q: How should security teams govern autonomous agents that can act without human approval?

A: Security teams should govern autonomous agents with runtime authorisation, not just onboarding checks.

Q: Why do KYC and KYE controls fall short for AI agents?

A: KYC and KYE verify identity at entry, but AI agents create risk at execution time.

Q: What breaks when organisations reuse workforce identity processes for AI agents?

A: Workforce identity processes assume a human employee whose authority can be tied to hiring, employment and access review cycles.

Practitioner guidance

• Map consequential agent actions to runtime approval thresholds Separate routine actions from actions that can change data, systems or funds, and require real-time human approval before those actions reach the tool layer.
• Treat agent identity as its own lifecycle object Assign ownership, scope, review cadence and revocation rules to each agent, including what happens when the developer leaves, the use case changes, or the agent is retired.
• Bind agent actions to verifiable human authority Ensure every high-risk tool call can be traced back to a named human approver and a current policy decision, not just a valid registration record.

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

• The full KYC, KYE and KYA framework comparison with the identity verification questions each one answers.
• The runtime authorisation model for distinguishing routine agent actions from consequential ones.
• The practical examples of how policy thresholds change when agents act at machine speed.
• The article's view of where human approval should sit in the execution chain.

👉 Read 1Kosmos's analysis of KYC, KYE and KYA for AI agent governance →

KYC to KYA: why agent identity needs execution-time governance?

Explore further

View Full Forum →  |  NHI Foundation Course →