
For over two decades, Know Your Customer (KYC) and Know Your Business (KYB) have formed the bedrock of financial crime compliance. They worked well in a world where every transaction had a human behind it. That world is changing fast.
By early 2026, over 70% of banking firms report deploying or piloting agentic AI — autonomous systems that execute compliance workflows and make preliminary risk assessments without direct human intervention. Yet only 6% of organisations have an advanced AI security strategy in place. This gap between adoption and governance is where the concept of Know Your Agent (KYA) enters the conversation.
KYC asks: Who is this customer? KYB asks: What is this business? KYA extends the same logic to AI: What is this agent, what can it do, and who is accountable for its actions? Just as KYC requires identity verification and ongoing monitoring for human customers, KYA demands that institutions verify an agent’s identity, declare its capabilities, maintain audit trails, and bind its actions to a responsible human operator.
This shift is already being formalised. Earlier this year, NIST launched the AI Agent Standards Initiative focusing on agent identity and authentication. The EU AI Act, effective August 2026, mandates human oversight and transparency for high-risk AI systems. FINOS has released its AI Governance Framework v2.0, cataloguing 46 risks specific to agentic AI in financial services. KYA is moving from concept to compliance requirement.
Over-authorisation remains a common pitfall — agents receive system access far beyond what their task requires, enabling them to modify records or trigger downstream workflows from unexpected outputs. Prompt injection attacks represent a new threat vector: Palo Alto Networks’ Unit 42 found that 56% of injection tests against LLMs succeeded, meaning compliance agents could be manipulated into misclassifying transactions. Auditability gaps pose perhaps the most immediate regulatory risk — the EU AI Act requires deployers to maintain AI system logs for at least six months, a standard many agentic deployments cannot yet meet.
Effective KYA governance deploys agents with the same rigour applied to any compliance participant. Four principles are emerging as best practice:
Agent registration and identity binding catalogues every AI agent’s capabilities, permissions, and responsible operator — mirroring KYC’s customer identification, applied to machines. Human oversight of critical decisions keeps analysts in the loop for high-stakes actions like SAR filing or enhanced due diligence. Explainable recommendations ensure every agent output traces back to its inputs and logic. And model risk and change management applies governance to model updates — a sanctions screening agent may classify differently after a refresh, with direct SAR filing implications.
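The four principles above can be made concrete in code. The registry below is an added illustration written for this article, not part of any vendor product or standard it mentions: it binds each agent to a named human operator, confines it to the capabilities it declared at registration, holds high-stakes actions (SAR filing, enhanced due diligence) until a human approver is named, refuses to act for an agent whose model version changed since registration, and writes every outcome, with the agent's inputs and rationale, to an audit trail. All agent ids, action names, operator handles and inputs are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed action names; "file_sar" and "edd" are the high-stakes actions
# that always require a named human approver before they execute.
HIGH_STAKES = {"file_sar", "edd"}

@dataclass(frozen=True)
class AgentRecord:
    agent_id: str
    model_version: str        # governed under model risk / change management
    capabilities: frozenset   # least-privilege set declared at registration
    operator: str             # accountable human the agent is bound to

@dataclass
class KYARegistry:
    agents: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def register(self, rec: AgentRecord) -> None:
        if not rec.operator:
            raise ValueError("agent must be bound to a responsible human operator")
        self.agents[rec.agent_id] = rec
        self._log(agent=rec.agent_id, action="register", outcome="registered",
                  model_version=rec.model_version, operator=rec.operator)

    def _log(self, **entry) -> dict:
        entry["ts"] = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(entry)
        return entry

    def request_action(self, agent_id, model_version, action, inputs, rationale,
                       approver=None) -> str:
        """Authorise one agent action; every path is written to the audit trail."""
        rec = self.agents.get(agent_id)
        base = dict(agent=agent_id, action=action, inputs=inputs, rationale=rationale,
                    operator=rec.operator if rec else None, approver=approver)
        if rec is None:
            return self._log(**base, outcome="denied", reason="unregistered agent")["outcome"]
        if model_version != rec.model_version:
            return self._log(**base, outcome="denied",
                             reason="model changed since registration; re-register")["outcome"]
        if action not in rec.capabilities:
            return self._log(**base, outcome="denied",
                             reason="action outside declared capabilities")["outcome"]
        if action in HIGH_STAKES and approver is None:
            return self._log(**base, outcome="pending_human_review")["outcome"]
        return self._log(**base, outcome="executed")["outcome"]
```

The denied and pending paths are logged as deliberately as the executed one, which is what an at-least-six-month log retention requirement is meant to capture.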
The KYA moment highlights the value of partnerships bridging compliance expertise with emerging technology. The strategic partnership between Audit Alliance and Elven — combining two decades of traditional audit rigour with crypto-native accounting automation — reflects a broader pattern: established institutions recognising that digital asset compliance requires the same standards as traditional finance, delivered through technology-native solutions. The same principles — verification, audit trails, accountability — are exactly what KYA demands of every AI agent in financial services.
Three steps follow from this. First, audit where AI agents already operate in your workflows and whether their permissions, audit trails, and accountability meet regulatory standards. Second, engage with emerging standards — NIST’s initiative is seeking input and the FINOS framework offers a practical benchmark. Third, ensure your technology stack embeds human oversight, explainability, and model risk management as core capabilities, not afterthoughts.
Institutions that move early on KYA will deploy agentic AI with greater confidence and scale. Those that wait risk a compliance gap that is significantly more difficult — and expensive — to close after the fact.
About WIDTH
WIDTH is an AI-native unified compliance platform dedicated to helping global regulated industries complete compliance work in a more efficient, auditable, and scalable way. By integrating intelligent workflows, risk automation, and audit-grade execution capabilities, WIDTH enables institutions to achieve both greater efficiency and greater trust in an evolving regulatory environment.