
Know Your Customer (KYC)

By NHI Mgmt Group Updated July 4, 2026 Domain: Governance, Ownership & Risk

KYC is the process of verifying a customer’s identity and assessing whether the relationship is acceptable to the business. In AML/CFT programmes, it includes identity evidence, risk checks, and ongoing review, not just a one-time signup step.

Expanded Definition

KYC is more than identity capture at onboarding. In regulated environments, it is the ongoing process of establishing who a customer is, understanding the expected relationship, and confirming that activity remains consistent with risk appetite, sanctions obligations, and AML/CFT controls. In practice, KYC often combines documentary evidence, beneficial ownership checks, screening, transaction monitoring, and periodic refresh. The term is used most precisely in financial services, but the underlying governance pattern also matters anywhere an organisation must decide whether an identity, account, or relationship should be trusted over time.

Definitions vary across vendors and jurisdictions, especially where KYC overlaps with customer due diligence, enhanced due diligence, and identity proofing. For a standards-oriented view of how identity assurance and ongoing authentication support trust decisions, NIST Cybersecurity Framework 2.0 is a useful reference point, particularly when mapping identity risk into governance and protection outcomes. In NHI security, the same logic applies to service accounts and API clients: the question is not only whether an entity was verified once, but whether its privileges, purpose, and behaviour still match expectations. The most common misapplication is treating KYC as a one-time signup check, which occurs when organisations stop after initial document review and fail to maintain ongoing risk-based monitoring.

Examples and Use Cases

Implementing KYC rigorously often introduces friction at onboarding and during periodic review, requiring organisations to weigh faster customer activation against stronger risk controls.

  • A bank verifies a new business customer, identifies beneficial owners, screens against sanctions lists, and sets a risk tier that determines review frequency.
  • A fintech monitors transactional behaviour after onboarding, then escalates for enhanced due diligence when activity deviates from the declared business model.
  • An exchange freezes account changes until identity evidence, jurisdiction checks, and source-of-funds review are completed.
  • An organisation applies the same discipline to machine identities by validating the purpose of API clients and reviewing whether access remains justified, a pattern discussed in the Ultimate Guide to NHIs.
  • Teams reference NIST Cybersecurity Framework 2.0 to connect identity assurance, monitoring, and response into one governance cycle.

As NHI Management Group notes in the Ultimate Guide to NHIs, only 5.7% of organisations have full visibility into their service accounts, which shows why post-onboarding review matters beyond human customers. The same control mindset appears in KYC programmes when new evidence, new ownership, or new geography changes the risk profile.

Why It Matters in NHI Security

KYC matters in NHI security because trust decisions fail when identity evidence, approval context, and ongoing monitoring are disconnected. In NHI environments, the equivalent failure mode is a service account, token, or API key that was once approved but later accumulates excessive access, outlives its business purpose, or is reused outside the original control boundary. That is why identity governance must cover creation, use, review, and revocation, not just authentication at first contact. The broader NHI risk picture is severe: NHI Management Group reports that 97% of NHIs carry excessive privileges, which broadens the attack surface and makes stale approval processes especially dangerous.

KYC logic also supports Zero Trust by forcing continuous verification rather than relying on a one-time trust event. When mapped into NHI operations, it helps teams decide when to step up scrutiny, when to revalidate ownership, and when to remove access that no longer fits the relationship. Practitioners should view KYC as a lifecycle control, not a paperwork exercise. Organisations typically encounter the consequences of a weak programme only after a suspicious transfer, fraud alert, or regulatory inquiry, at which point the KYC gaps become operationally unavoidable to address.
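The lifecycle mapping described above, written out as an added example (not code from NHI Management Group): each machine identity is checked for the same questions a KYC refresh asks of a customer, with the risk tier setting the review cadence. The tier intervals, dormancy threshold, review date and sample accounts are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set
# Review cadence per risk tier and dormancy threshold: constructed policy values, not from the page.
REVIEW_INTERVAL_DAYS = {"low": 365, "medium": 180, "high": 90}
DORMANT_AFTER_DAYS = 90
REVIEW_DATE = date(2026, 7, 4)  # constructed "today" for the sample run

@dataclass
class NonHumanIdentity:
    name: str
    owner: Optional[str]        # accountable team, None if ownership is unknown
    risk_tier: str              # "low" | "medium" | "high", assigned at approval
    approved_on: date           # last time purpose and ownership were validated
    last_used: Optional[date]
    granted_scopes: Set[str]
    used_scopes: Set[str]       # scopes actually exercised since approval
    environment: str            # where the credential is used today
    approved_environment: str   # control boundary it was approved for
def review_findings(nhi: NonHumanIdentity, today: date) -> List[str]:
    # KYC questions for a machine identity: owner known, evidence fresh, activity still fits purpose?
    findings = []
    if nhi.owner is None:
        findings.append("no accountable owner")
    if today - nhi.approved_on > timedelta(days=REVIEW_INTERVAL_DAYS[nhi.risk_tier]):
        findings.append("periodic review overdue")
    if nhi.last_used is None or today - nhi.last_used > timedelta(days=DORMANT_AFTER_DAYS):
        findings.append("dormant")
    unused = nhi.granted_scopes - nhi.used_scopes
    if unused:
        findings.append("excessive privilege: " + ", ".join(sorted(unused)))
    if nhi.environment != nhi.approved_environment:
        findings.append("used outside approved boundary")
    return findings

def disposition(findings: List[str]) -> str:
    # Lifecycle outcomes: step up scrutiny, revoke, refresh the evidence, or continue.
    if "no accountable owner" in findings or "used outside approved boundary" in findings:
        return "escalate"
    if "dormant" in findings:
        return "revoke"
    return "review" if findings else "continue"

SAMPLE_INVENTORY = [  # constructed sample accounts, not real ones
    NonHumanIdentity("billing-sync", "payments", "high", date(2026, 5, 1), date(2026, 7, 3),
                     {"invoices:read", "invoices:write"}, {"invoices:read", "invoices:write"}, "prod", "prod"),
    NonHumanIdentity("legacy-report-bot", None, "medium", date(2025, 11, 1), date(2026, 2, 10),
                     {"reports:read", "users:admin"}, {"reports:read"}, "staging", "prod"),
]
```

Running `review_findings` and `disposition` over `SAMPLE_INVENTORY` with `REVIEW_DATE` continues the first account and escalates the second, which has no owner, a stale approval, unused admin scope and use outside its approved boundary.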

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
--- | --- | ---
NIST SP 800-63 | | Digital identity assurance concepts underpin identity verification and ongoing confidence decisions.
NIST CSF 2.0 | GV.OV | KYC aligns with governance oversight and continuous risk review of identity relationships.
NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous verification, matching KYC's ongoing assurance model.

Use assurance levels and reauthentication rules to keep identity evidence proportionate to risk.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 4, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org