Tiger Research: AI Agents Now Need ID Checks Too
This report is written by Tiger Research. AI agents can now sign contracts, make payments, and conduct transactions on their own. But there is one unresolved issue: how do you know who the agent on the other side is? This article outlines the different approaches of four players in the KYA standard dispute and the current state of regulation.
Key Points
- AI agents have entered an era of autonomous contract execution, payments, and transactions, but there is no unified standard in the market to verify identities. In A2A (agent-to-agent) scenarios, KYA has begun to receive more attention than KYC.
- KYA is not needed everywhere. Within centralized platforms like Google, OpenAI, and Coinbase, existing KYC is sufficient. KYA is truly needed when independently deployed agents connect to DEX, A2A payments, or merchant payments.
- The standard dispute has already begun. ERC-8004, Visa TAP, Trulioo, and Sumsub are approaching the issue from four different directions: on-chain, payment networks, compliance certification, and risk detection, respectively.
- Regulation has already started. The EU AI Act, the US NIST, and Singapore's national framework have all prioritized agent identity management. The 2019 FATF travel rule determined which crypto exchanges would survive, and KYA is likely to see a similar script replay.
1. Why Now
KYC Reshaped Finance
Before 1989, there was no unified identity standard in global finance. This gap made it difficult to trace illicit funds and money laundering back to their sources. It wasn't until the FATF was established that KYC became a hard requirement in the financial industry, keeping illegal funds at bay.
Over the next thirty years, the impact of KYC expanded layer by layer. After the 9/11 attacks in 2001, along with anti-terror financing provisions, the US Patriot Act elevated KYC to a legal obligation. In the 2010s, the EU's AMLD, Basel III, and FATCA were implemented, leading to automatic exchanges of cross-border KYC information. The 2019 FATF travel rule extended KYC to virtual asset service providers.

Each extension fills a gap.
Without Agent Identity, the System Regresses
Back to the present. AI agents can sign contracts, make payments, and conduct transactions without human oversight. But no one can verify who they are.
In an A2A environment, the attribution of responsibility is murky. If something goes wrong, no one can clearly identify who to blame. Users can easily fall victim to money laundering and various types of fraud.
When comparing the financial landscape before 1989 with the agent market in 2026, the structure is remarkably similar. Back then, anonymous accounts were flowing across borders; today, unverified agents are transacting in A2A. The responsibility for verification was in the hands of each bank, and now it lies with each platform. There are no common standards.

This similarity is not a coincidence; it is a pattern. Technology has advanced, but the identity layer has not kept pace.
What is KYA
KYA (Know Your Agent) is a trust layer that verifies the source, authority, and responsibility of agents in advance.
Skipping this step can lead to three simultaneous risks. The first is unauthorized transactions: users only authorized payments, but the agent moves assets or signs contracts outside the scope. The second is identity fraud: malicious agents impersonate legitimate ones, hijacking payments, forging responses, and misusing reputations. The third is a responsibility vacuum: after an incident, agents, developers, and clients blame each other, making compensation impossible to pursue.

KYA addresses all three issues in advance. It registers and verifies the scope of authority beforehand, directly blocking unauthorized actions. It verifies identity and source, allowing only legitimate agents to enter. The source and client of each agent are bound in the records, making incidents traceable.
2. Where KYA Should Operate
Not Needed Everywhere
KYA is not particularly needed within centralized platforms. Users have completed KYC, and the platform itself provides a safety net, creating a closed loop for the entire process.
KYA is needed in open environments after leaving the platform. Agents need to connect to DEX, conduct A2A payments, and make payments to merchants. At this point, there is no safety net, and no one can vouch for them.
As an analogy, within a country an ID card (KYC) is sufficient. Once a traveler crosses the border (leaves the platform), the environment changes, and they must undergo inspection at the point of entry (KYA), clarifying their intentions and credibility.
Four-Step Process
The operation of KYA can be broken down into four steps. The first two steps are "passport issuance": first, register the agent's identity and authority, and issue a digital passport after verification. The last two steps are "entry inspection": confirm the identity of the other party when a transaction occurs, and update records based on the transaction results.

Identity is not permanently valid after a single issuance; it must be re-verified with each transaction.
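The four steps above, sketched as an added example; it is not code from Tiger Research or from any of the vendors discussed below. The function names, the passport layout, and the shared HMAC issuer key are all assumptions made for illustration.

```python
import hashlib, hmac, json

# Assumption: one issuer key shared with verifiers (HMAC keeps the sketch
# stdlib-only; a real scheme would use asymmetric signatures).
ISSUER_KEY = b"constructed-demo-key"
REGISTRY = {}    # step 1: agent_id -> owner, permitted scopes, revocation flag
AUDIT_LOG = []   # step 4: one record per checked transaction

def register_agent(agent_id, owner, scopes):
    """Step 1: register the agent's identity, responsible party and authority."""
    REGISTRY[agent_id] = {"owner": owner, "scopes": set(scopes), "revoked": False}

def revoke(agent_id):
    """Withdraw the delegation; passports already issued stop verifying."""
    REGISTRY[agent_id]["revoked"] = True

def issue_passport(agent_id, now, ttl=60):
    """Step 2: issue a short-lived signed passport for a registered agent."""
    rec = REGISTRY[agent_id]
    claims = {"agent": agent_id, "owner": rec["owner"],
              "scopes": sorted(rec["scopes"]), "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    return body, hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()

def check_transaction(passport, action, now):
    """Step 3: re-verify on every transaction, then record the outcome."""
    body, tag = passport
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return _record(None, action, "reject: bad signature")
    claims = json.loads(body)
    rec = REGISTRY.get(claims["agent"])
    if rec is None or rec["revoked"]:
        verdict = "reject: revoked or unknown agent"
    elif now >= claims["exp"]:
        verdict = "reject: passport expired"
    elif action not in claims["scopes"]:
        verdict = "reject: action outside scope"
    else:
        verdict = "accept"
    return _record(claims, action, verdict)

def _record(claims, action, verdict):
    """Step 4: bind agent and responsible party to the result for traceability."""
    AUDIT_LOG.append({"agent": claims and claims["agent"],
                      "owner": claims and claims["owner"],
                      "action": action, "verdict": verdict})
    return verdict
```

Because the verifier consults the registry and the expiry on every call, a passport that was valid a minute ago is rejected once the delegation is revoked or the lifetime lapses.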
3. Four Players Competing for Standards
Currently, there are four players in the standard dispute, each taking a completely different approach.
ERC-8004: Making Identity an NFT
ERC-8004 follows a purely on-chain route. It adds a layer of identity on top of ERC-721, minting an NFT as a unique ID for each agent.
It comes with three on-chain registries. Identity is responsible for "who this agent is," based on the unique AgentID from ERC-721. Reputation is responsible for "whether it can be transacted with," leaving ratings, tags, and evidence on-chain after transactions. Validation is responsible for "whether it actually did that thing," verified by third-party validators using plugins like zkML and TEE.

This structure is not the first of its kind in Ethereum's history. ERC-20 standardized token issuance, with USDT, USDC, UNI, and AAVE built on it. ERC-721 standardized NFT issuance, with CryptoPunks, BAYC, and ENS supporting the entire NFT market. ERC-8004 aims to play the role of the third standard in the same position.
Visa TAP: Bundling with Payment Networks
Visa's approach is completely different. It issues an identity credential (Agent Intent) to agents, equivalent to a card. Without this key, agents cannot even initiate transactions. Visa approves the issuance of the key in advance, and each transaction must carry a signature to the merchant.
What merchants receive is not a single signature, but three. Agent Intent proves the agent's legitimacy, backed by a key approved by VIC. Consumer Recognition indicates who the agent is working for, passing the user identifier to the merchant. Payment Information provides payment guarantees, completing authentication with payment tokens or hashed card information.
Visa has packaged this into a larger offering called Visa Intelligent Commerce (VIC). In addition to TAP, it includes Agent APIs (proprietary technology running when using Visa cards), Tokenization (tokens specifically for AI), and Intelligent Commerce Connect (compatible with competing protocols like AP2, ACP, x402).
The logic is clear. Visa captured the entry point of payment networks, and now wants to integrate the agent era into its own framework. If agent payments continue to use card networks, and this package becomes the default option, Visa's market share will be secured.
Trulioo: Bringing Over the SSL Model
Trulioo is a player in the global KYC and KYB compliance space, now extending its verification stack to KYA.
It draws on the model of website SSL certificates. SSL involves a CA (Certificate Authority) issuing TLS certificates to websites, verifying only the domain name. Trulioo's proposed DPA (Digital Passport Authority) issues DAP (Digital Agent Passport) to agents, verifying the developer's KYB and the user's KYC.
DAP is not a static certificate. It is a dynamic token that refreshes with each transaction. If the delegation is revoked or anomalies are detected, the DAP is immediately invalidated.
It has five checkpoints: Provenance (which developer created it), User Binding (who authorized it), Permission Scope (what tasks it can perform), Behavior Telemetry (what it is currently doing), and Risk Scoring (risk rating).
Banks and fintechs are legally required to verify the identities of individuals and companies. Once agents enter the financial sector, Trulioo's KYC and KYB positions become even more solid.
Sumsub: Monitoring Anomalies, Not Issuing Certificates
Sumsub's entry point is different from the previous three. It does not issue standards or certificates; instead, it re-verifies the person behind an agent when anomalous transactions occur.
It has been in the compliance business since 2015, and its verification system is now used to detect anomalous behavior in agents. The process is divided into three steps. First, automated detection distinguishes between humans and machines based on device and agent characteristics. Next, risk scoring combines context, amount, and historical data to produce a risk score. Finally, liveness verification is initiated only for high-risk transactions, large amounts, or critical changes, re-confirming the registered real person.
Sumsub's four characteristics sharply contrast with other players. Its starting point is as a compliance operator rather than a standard setter. The timing of verification occurs when risky transactions happen rather than during prior registration. The verification method involves real person re-confirmation rather than data or tokens. The philosophy is to bind agents with responsible parties rather than directly blocking agents.
Other players focus on one-time identity verification before actions, while Sumsub conducts real-time verification after certificates are issued. As agent permissions expand, anomaly detection becomes increasingly critical. Fraud methods evolve with technology, making Sumsub's real-time stack noteworthy.
4. Before Regulation Takes Effect
The Script of the FATF Travel Rule
Once the FATF travel rule was released in 2019, the VASP industry immediately split. Those able to bear the costs of KYC and AML infrastructure survived, while those who could not either shut down or moved to regions with looser regulations. CryptoBridge and Deribit were forced to adjust during that wave.
Regulation is not the end; it is a watershed.
The script for KYA may be similar this time. The EU, Singapore, and the US are already competing for a leading position.
Article 12 of the EU AI Act explicitly requires that the behavior logs of high-risk AI systems must include the identity of the operator. Singapore has released the world's first national-level governance framework for AI agents, extending identity management to agents and requiring each agent to have an accountable responsible party. The US NIST has prioritized agent identity management as a standard area.
The time window is narrowing.
There Will Not Be a Single Winner
The real variable in the standard dispute is not technology, but combinations. Major players have entered a phase of cooperation and combination. Who pairs with which merchants, payment networks, and KYC customer groups will determine the ownership of each niche market.
This market will not have a single winner.
In the area of on-chain autonomous transactions, Ethereum is likely to lead. In transaction scenarios tied to payments, Visa has a clear advantage. In the regulated financial industry, Trulioo's KYC and KYB accumulation is hard to replace. In transaction scenarios with fraud risks, Sumsub's real-time detection is more suitable.
The four are not direct competitors; they each occupy a different hill. The real competition occurs in which scenarios are assigned to which hill.
KYC took thirty years to complete the identity layer of global finance from 1989 to today.
This round of KYA appears to be moving much faster. Regulation has already begun, standard players are already positioned, and the time window for large-scale deployment may be in the coming years.
When that time comes, survival may not depend on the strongest technology, but on the earliest integration of identity infrastructure.