persona-logo
Published April 21, 2026
Last updated May 11, 2026

Building Know Your Agent: The missing identity layer for agentic commerce

AstraSync and Persona create Know Your Agent (KYA) infrastructure that verifies the people behind each agent and the agent itself.
Tim Williams
Tim Williams
5 min

We’ve been collaborating with others to explore how agentic commerce and enterprise agents will work. Tim Williams is the CEO and co-founder of AstraSync AI, a platform for AI agent identity management that provides AI governance and compliance through transparent oversight and accountability. Below, he shares his thoughts on deploying Know Your Agent (KYA) in the real world and what AstraSync is building.

AI agents are being deployed in the real world at pace.

In the enterprise realm, they’re accessing APIs, shipping code, and running decisioning workflows on behalf of the organizations and individuals who deploy them. Entirely new businesses have sprung up, leveraging AI agents to streamline customer support and sales processes.

In the consumer realm, the commercial infrastructure for agentic payments is already being built. Stripe launched its Agentic Commerce Protocol (ACP) in September 2025, co-developed with OpenAI, followed by the Agentic Commerce Suite in December with major retailers, including URBN, Coach, and Etsy. Mastercard Agent Pay and Visa Intelligent Commerce are both live through Stripe's stack. Google launched its Universal Commerce Protocol at NRF in January 2026, with Walmart, Target, Visa, and Mastercard among its early endorsers. Coinbase has x402. In the space of roughly six months, every major payments network has shipped an agentic commerce story. 

However, the ecosystem still has some tough challenges to iron out. Stripe’s Shared Payment Tokens announcement in October 2025 acknowledged a core problem: agent trust cannot be inferred. It has to be explicitly granted, scoped, and enforced. And in March, OpenAI scaled back Instant Checkout, the flagship use case for ACP, citing the lack of fraud safeguards for automated transactions as one of the structural blockers. 

The implication? There's an attribution problem sitting in the middle of it all.

Three open identity questions need to be answered

To determine whether to trust an agent, merchants and enterprises need answers to three critical questions:

  1. Who are the people behind the agent?

  2. What is the agent? What is it authorized to do?

  3. Is its behavior consistent with its normal cadence within its delegated authority?

The identity industry has already addressed these types of questions. KYC addresses these questions for individual identity, and KYB extends that to legal entities, tying verification back to their beneficial ownership chains. Know Your Agent, or KYA, is the next evolution of these questions. 

Extending KYB and KYC to build KYA

To build actual KYA systems, we need to solve a number of unique challenges.

For one, agents break the existing structure of KYB and KYC frameworks, which center around three things: a legal person or entity, documents that attest to their identity, and ongoing monitoring of their behavior. 

Agents aren’t legal entities. They don't have documents. The beneficial ownership question is genuinely complicated because an agent may have been built by one party, deployed by another, and instructed by a third, with all three potentially sitting in different jurisdictions. The agent itself may have spawned additional child agents at runtime. The question your Customer Due Diligence (CDD) process is supposed to answer is who is accountable. Existing frameworks don’t answer that question for agents.

Agents also surface an entirely new set of interaction requirements. When merchants and enterprises want to know whether an agent can be trusted, the identity and compliance checkpoints that were designed for human applicants fall apart. Passport? Not applicable. Liveness check? Not applicable. PEP screening? The databases don’t have an entry type for software. 

The workarounds are, to put it charitably, improvised. Some teams pass through the credentials of the human who built or owns the agent. Some use service account tokens. Some bypass verification entirely and accept the risk exposure quietly. None of these approaches would survive a regulatory audit, and most would fall apart the moment an agent is transferred to a new owner, spawns a sub-agent, or does something it wasn't supposed to.

The KYA infrastructure AstraSync built

At AstraSync, we’re building KYA infrastructure to deliver identity and trust for AI agents. We verify the people behind each agent, identify the agent itself, and monitor its behavior to ensure consistency with its original scope.

Our infrastructure starts with an expanded trust framework that’s built around five parties: 

  1. The developer who created the agent

  2. The organization that owns it

  3. The agent itself

  4. The person or system instructing it at runtime

  5. Whoever it's transacting with on the other side

That chain mirrors the accountability structure that financial services compliance already uses: a creator, an owner, a beneficial controller, and a counterparty.

Persona handles the KYC layer for developers: before a developer can register agents on AstraSync, they go through identity verification using Persona's government ID verification and liveness check capabilities, along with business entity validation where applicable. 

The developer then receives a certification that follows them across every agent they subsequently register. This creates a consistent identity layer for KYA, spanning human customers, business counterparties, and the agents acting on their behalf. 

The three entity types that matter most in an agentic economy are all verified through the same underlying infrastructure.

undefined

Each agent registered on our platform receives a unique cryptographic identifier that traces back to a verified human or legal entity, not just an API key. Registered agents also receive a dynamic trust score updated continuously from behavioral data, and an immutable audit trail anchored to the blockchain. The audit trail sits on-chain specifically because conventional audit logs can be modified by compromised agents or administrators.

undefined

The AstraSync dashboard allows developers to view and influence their trust score, which contributes to an agent’s trustworthiness.

undefined

AstraSync downloadable cards display developers’ key trust attributes and link to their public profile (if opted in).

The industry didn’t wait for KYA, but KYA will streamline agents

The commercial infrastructure for agentic payments is arriving quickly. While early adopters are happy to test and explore, parts of the infrastructure still need to mature before we see widespread use. 

Within enterprises, workforces are adopting agents en masse in search of productivity gains. Yet to enable meaningful agentic adoption, the compliance, fraud, and risk teams need a way to distinguish authorized activity. 

That’s why we’re building the identity and accountability layer that makes agent behavior trustworthy, and that gives merchants, platforms, and counterparties a basis for deciding which agents to transact with.

If you're building agent-aware products, integrating with any of the protocols above, or running compliance for an organization starting to deploy agents, we'd like to talk. Reach us at astrasync.ai or drop me a line at [email protected]. And reach out to Persona to explore how their digital identity platform can provide valuable trust signals to enable your agentic AI use case.

The information provided is not intended to constitute legal advice; all information provided is for general informational purposes only and may not constitute the most up-to-date information. Any links to other third-party websites are only for the convenience of the reader.
Tim Williams
Tim Williams
Tim Williams is CEO and co-founder of AstraSync AI, building identity, trust and governance infrastructure for the agentic economy. He brings twenty years of experience commercialising AI and technology across financial services, including a decade working directly with KYC, AML and identity verification frameworks across multiple jurisdictions. That experience, with a recurring front-row seat to what happens when accountability infrastructure gets built after the fact rather than before it, is what led to AstraSync. He writes regularly on agentic AI governance at medium.com/@astrasyncai and can be reached at [email protected].
Continue reading