For the agent payment system to work, it's necessary to know who the agent is.

In the second article of the series on agent commerce, Edson Santos explores the concept of Know Your Agent (KYA) — the central piece for the safe scaling of this new transactional model in the digital economy.

Edson Santos 17/05/26 14:55

For the agent payment system to work, it's necessary to know who the agent is.

Without reliably identifying the agent, the mandate lacks a foundation.

This is the second article in a series of three that I'm publishing on NeoFeed about agentic trading . The first described how an agentic transaction happens from start to finish, paying attention to the technical details that underpin everything. That text ended with an open hook. It said there that, without identifying the agent with confidence, the mandate lacks an anchor. This article deals precisely with that.

Know Your Agent , or KYA, is the name that's gaining traction for the new category of practices that answers a seemingly simple question: "Is this software initiating a transaction on my behalf really who it claims to be and is it authorized to do so?"

As in the previous text, I describe here the situation as I understood it after studying the available material. KYA is in accelerated formation, with recent academic publications and still embryonic institutional initiatives. Some pieces will move.

Knowing the agent is not the same as knowing the client.

Anyone who works with payments is very familiar with KYC ( Know Your Customer ). It's the regular practice of identifying and verifying people who interact with financial institutions: checking documents, validating biometrics, cross-referencing with sanctions lists, and monitoring behavior over time.

It has existed for five decades, is consolidated in laws and regulations, is an established industry with specialized suppliers, and costs billions of dollars a year to the global financial system. In Brazil, it is part of the operation of any institution authorized by the Central Bank of Brazil (Bacen).

KYA is an analogous problem, but the subject is different. It's not a person, it's software. It's not a generic AI platform ( ChatGPT , Gemini , Claude , Copilot , Perplexity ); it's a specific instance with its own identity, running on a specific infrastructure, under the operation of a specific company. The questions that need answering are similar to those of KYC, but the nature of the answers changes.

Who operates the agent — which company develops and maintains it? What infrastructure supports its operation? What AI model is behind it? How has this agent's behavior been tested and how is it monitored in production? What changes does it undergo over time, and who approves these changes? When the agent makes a decision that is outside its mandate, is there an auditable record of why it made it? Is there a mechanism for immediate revocation if the behavior deviates from what is expected?

Perhaps the most important difference is temporal. KYC, in its origin, was a one-time event reinforced by transaction monitoring. You opened an account, provided documents, were verified, and from then on the monitoring focused on what you did, not on who you were.

KYA doesn't support this design because software can be altered through updates, model changes, or operator changes without anything visible to the user changing. KYA needs to be continuous in the nature of the agent itself, not just in its behavior.

The concept has a more solid lineage than it seems.

One problem with the term KYA is that, at first glance, it seems like just another acronym invented by supplier marketing. It isn't. It has a consistent, albeit recent, academic and institutional track record.

The first consistent formulation of the concept appears in 2024, in the book Money in the Metaverse , in which David Birch and Victoria Richardson discuss the need for a digital identity infrastructure that also covers bots.

The acronym KYA wasn't yet fully established there, but the problem had been posed. In February 2025, Tomer Jordi Chaffer, a researcher at McGill Law School, published the paper Know Your Agent: Governing AI Identity on the Agentic Web in SSRN, with his own framework focused on agent identity in a decentralized web—the first formal academic record of the term.

In September of the same year, Birch returned to the topic in co-authorship with Jelena Hoffart of Mastercard , in the paper Know Your Agent: Enabling Autonomous Financial Services , published in the Journal of Digital Banking . It is this last paper that has established itself as the industry benchmark for KYA applied to payments and financial services.

Institutionalization began in February 2026, when NIST, the American standards and technology institute, launched a specific initiative on the reliability of AI agents through NCCoE. CAISI, the Center for AI Standards and Innovation, also began addressing the topic.

In April 2026, the Cloud Security Alliance published a survey on security incidents involving AI agents in corporate environments — funded by Token Security, it's worth noting, but with methodology from CSA itself.

This is not a folkloric topic. It is an emerging category that is being built in parallel by academia, standardization bodies, and the market. Brazil is not yet part of this debate, and this is one of the important observations of this article.

The agency economy cannot scale without this piece.

It's worth pausing and considering why this category matters now, in practical terms.

Imagine a scenario where 5% of online payments in Brazil are initiated by agents within two years. In volume, that's several billion reais per month. Without reliable identification of the operating agents, three problems quickly escalate.

First, the fraud. An imposter posing as a legitimate platform, or an agent compromised by an attack, can initiate transactions within legitimate mandates, and the system has no way of distinguishing between them.

Secondly, there's the disputed attribution. If a botched purchase occurs, to whom is responsibility attributed? To the agent, to the client who set up the mandate, to the operating platform? Without traceable identity, the chain of responsibility breaks down.

If a bad purchase occurs, who is held responsible?

Third, an auditable trail for regulatory and chargeback purposes. The Central Bank , merchants, issuers—everyone needs verifiable evidence of who did what.

KYA is not, in other words, an accessory layer. It is an operational precondition for the agentic model to operate at scale with some reasonable level of legal and technical security. Bandeiras has already understood this.

As I mentioned in the previous article, Visa and Mastercard are creating their own mechanisms for registering and verifying agents on the network. But what these companies do is only a part of KYA, focused on who is authorized to operate on their networks.

The broader concept — which involves continuous verification, behavior monitoring, and operator governance — goes beyond what an individual flag can do on its own.

Brazil has suppliers in a privileged position.

Here we find one of the most relevant observations in this text, especially for those working in the digital identity sector.

Over the past fifteen years, Brazil has built a robust ecosystem of KYC and identity verification providers. These are companies that process, in volume, the identities of hundreds of millions of Brazilian individuals and legal entities, with integration to the Federal Revenue Service, notary offices and traffic authorities, behavioral databases, risk scores, biometrics and infrastructure to operate at high volume.

Some specialize in onboarding, others in continuous monitoring, others in document verification or risk scoring. The set is dense, and this density is not trivial in international terms.

Extending KYA capabilities is a natural move for these companies. The core skills—identity verification, continuous monitoring, API integration—remain the same. What changes is the object: it becomes software as well, not just a person. Some of these companies have already started looking into this, although they don't yet have a consolidated product.

The competitive window is interesting for a specific reason. Brazil has a more advanced KYC ecosystem than many developed markets, in terms of coverage, integration, and cost.

If KYA emerges as an international category, and if the initial standards are still being developed, there is room for Brazilian suppliers not only to serve the local market but also to export their expertise. This is not a guaranteed move. It depends on the technical capacity to embrace the category, coordination with card brands and issuers, and alignment with any regulations that may arise.

Brazilian regulation has not yet named the problem.

The Central Bank of Brazil (Bacen) has a legal basis to comment on the matter. Law 12.865/2013, which regulates payment arrangements, and the general competence regarding the identification of transaction initiators provide a basis for it to comment on how AI agents can operate as initiators. Until now, there has been no specific public statement on KYA. The institution's focus is on Pix, Open Finance, and Drex. Agent commerce, and in particular the identity of agents, has not entered the declared regulatory agenda.

The CVM's involvement is more peripheral. If agents start operating in financial markets, making decisions to buy and sell assets, it gets involved. It's not an immediate scenario, but it will happen.

CADE (Brazil's antitrust authority) could intervene through the competition door. If KYA focuses on a few global operators—which is plausible, given that card networks are already creating their own mechanisms—there is a competitive risk. The agency has a history of intervening in market structures in payments.

The Consumer Protection Code already provides a basis for issues of liability for purchases made by agents with questionable scope. The application of this basis in specific cases does not yet have consolidated jurisprudence, but it will emerge.

The window of opportunity is as follows. Brazil can choose to anticipate the issue, with proactive regulation that recognizes the specificities of KYA before imported standards become established. Or it can wait and adopt whatever comes from abroad.

The first option is more difficult, but it has precedent: this is how Pix became an international differentiator, with the Central Bank of Brazil taking an early position and shaping what came after. The second is more convenient, but it tends to leave the Brazilian market adopting a foreign standard. The choice is strategic and has not yet been made.

Identifying the agent is a technical prerequisite. But agentic commerce, within a five-year horizon, will redistribute value across the layers of the ecosystem. AI platforms, card brands, issuers, and retailers are in a silent battle for strategic positioning that, ultimately, defines who owns the customer in the new model. In the next and final article in this series, I will address this dispute.

* Edson Santos is a payment methods specialist with over 25 years of experience. He is a partner at Colink Business Consulting, and a strategic advisor to companies in the financial and technology sectors. He is the author of "From Barter to Financial Inclusion" and co-author of "Payments 4.0 — The forces that are transforming the Brazilian market".