KYC defined the last thirty years of compliance. Every regulated institution on the planet built infrastructure around the principle that you must know who your customer is before they walk through the door. KYB defined the decade that followed — extending that obligation from individuals to the corporate entities behind them. Both frameworks became law, then practice, then table stakes. The next framework is already forming. KYA — Know Your Agent — will define the next era of financial crime compliance. Not because it is fashionable, but because the alternative is ungovernable.
The compliance triangle is becoming a square
For a generation, the operational model looked like a triangle: KYC at the customer level, KYB at the entity level, and KYT — Know Your Transaction — as the continuous monitoring layer that watched money move across the network. Each corner of that triangle had tooling, regulation, and a defined ownership structure inside compliance teams. The model worked when the actors in a financial workflow were humans — or at least systems that humans directly controlled and could be held accountable for.
AI agents have broken that assumption. Today, vendor-supplied agents schedule payments, flag cases, draft SAR narratives, and make risk-scoring decisions inside production compliance workflows — often with no individual human reviewing each output before it acts. An agent is not a customer and not a counterparty, but it is a consequential actor. KYC, KYB, and KYT were never designed to assess it. KYA closes the square: it provides the assessment loop that governance requires for any autonomous agent operating in a regulated environment. Without it, the triangle has a gaping fourth side.
Why now
Three forces converged in 2025 and made KYA urgent rather than theoretical. First, model release velocity: frontier AI labs shipped more capability in eighteen months than the prior five years combined, and compliance vendors rushed to embed those capabilities into production tools. Second, the regulatory environment caught up faster than most expected. The EU AI Act introduced mandatory conformity assessments for high-risk AI systems — and financial crime detection is explicitly high-risk. MAS FEAT in Singapore set fairness and accountability standards for algorithmic decision-making in financial services. IMDA's AI governance frameworks made explainability an operational requirement, not a design preference. Every major regulator with jurisdiction over financial services now has, or is finalising, a framework that requires institutions to account for how their automated systems make decisions.
Third, and most practically: internal AI deployments are outpacing governance at almost every institution. Compliance teams that spent 2023 evaluating AI pilots are now running three or four vendor agents in production. The teams responsible for AML and fraud governance often do not have an accurate inventory of which agents are operating, what data they access, or what decisions they are authorised to make autonomously. That gap is not a future problem. Regulators examining AI-assisted SAR filings are already asking where the human decision point was — and institutions are struggling to answer.
"We had four AI vendors live in our compliance stack before anyone thought to ask whether our governance framework covered autonomous agents at all. KYA is not a nice-to-have. It is the missing piece that makes the rest of our AI investment defensible."
— Chief Compliance Officer, Tier-1 Digital Bank, Southeast Asia
The 24-month horizon
KYA tooling will become a procurement requirement before the end of 2027. Institutions that are selecting AML or fraud vendors today are already beginning to ask whether those vendors can produce agent-level documentation — capability statements, training data lineage, decision audit trails, and drift-monitoring commitments. That question will move from optional due-diligence item to mandatory RFP criterion within two procurement cycles. At the same time, regulators will demand agent inventories as a standard component of supervisory examinations. The expectation that an institution can produce, on demand, a full register of every AI agent operating in its compliance stack — with version history and a record of human oversight checkpoints — will arrive faster than most compliance teams are currently planning for.
The org-chart implications are equally significant. AI Compliance Officer roles will appear as a standard title in regulated financial institutions by late 2026 — distinct from the CISO and from the traditional CCO, with ownership over AI governance frameworks, agent assessments, and model risk policy as it applies to compliance systems. Simultaneously, the audit and certification market will move: SOC2-equivalent certifications for compliance agents will emerge as a commercial reality, giving institutions a standardised way to assess and re-assess the agents they deploy. The institutions that build KYA practice now will have an eighteen-month head start on those who wait for the standard to be mandated.
What forward-looking compliance teams are doing today
- Building an agent inventory. The first step is knowing what is running. Leading compliance teams are conducting structured audits of every AI or automated decision system operating in their KYC, AML, and fraud workflows — documenting vendor, version, data access scope, decision authority, and the human override mechanism for each agent.
- Adopting vendor KYA standards. Forward-looking institutions are requiring AI compliance vendors to provide structured agent documentation before go-live — capability cards, bias and drift commitments, and clear statements of what each agent can and cannot decide autonomously. WIDTH's KYA framework provides this as a standard component of every deployment.
- Integrating replayability and audit trails into every AI-assisted decision. Every alert disposition, every case escalation, every SAR draft that an AI agent influences must carry an immutable audit trail — capturing model version, input features, and confidence scores at the time of the decision. Replayability is not just a regulatory comfort; it is the mechanism by which compliance teams can demonstrate, under examination, that their AI-assisted decisions were sound.
WIDTH is building the infrastructure layer that makes KYA operational. Our AI Compliance Officer capability — embedded in the WIDTH platform — provides agent-level assessment, continuous behavioural monitoring, and the audit architecture that regulators are beginning to demand. The institutions that treat KYA as a strategic priority today will not be scrambling to retrofit governance when the standard arrives. They will already be running it.