Agents Might be Helpful But How Do we Trust Them
Introducing Know-Your-Agent - a framework for agents to trust each other
Over the next couple of years, society is preparing to hand real responsibilities to software agents—answering email, booking travel, negotiating with vendors, dealing with customer service, etc. That’s exciting and a little terrifying. This is going to allow amazing productivity for B2B and individual use cases. Imagine real-time supplier negotiations to find the best places to source from, real-time communication between warehouses and logistics providers, and automated customer support. But before we can allow agents to do anything, we need a way to tell whether the agent should be doing what it’s trying to do.
I’m calling the idea KYA—Know Your Agent. It’s the agentic analog to KYC (Know Your Customer), and it should become part of the next wave of AI products. If KYA exists, agents can safely transact. If it doesn’t, then it’s hard to see how the agent economy takes off.
Basically, we’re going to need to solve two new problems:
Make sure that the agent actually represents the person or company it’s supposed to represent
Make sure that person or company has actually authorized the agent to do the thing it’s trying to do
Let’s start by taking a step back and looking at what KYC consists of.
What KYC Is (and Why It Exists)
KYC—Know Your Customer—is the boring-but-essential compliance layer in finance. Banks and brokers verify that you are who you say you are (identity), that you’re allowed to do certain things (eligibility), and that your behavior isn’t obviously criminal (risk). KYC slows onboarding, but it also reduces fraud and keeps out bad actors.
If you’ve recently applied for something from a bank, you’ve probably noticed that you must upload a photo of your ID and then take a selfie to compare to it. That’s an example of KYC. Definitely annoying, but it’s a way to make sure someone didn’t just steal your license.
The Core Problem
Agents will act in all sorts of contexts where identity and authorization matter:
Your “travel agent” emails a corporate travel desk to rebook a flight using company credits
Your “ops agent” pings a supplier to change a shipping address and pays an invoice
Your “personal ticket scout agent” finds tickets to the concert you want to attend and negotiates a price with the seller
In each case, the system the agent interfaces with needs to figure out whether the agent represents you and whether the agent is allowed to do what it is asking. At the same time, your system may need to verify the counterparty agents to make sure they are authorized. Without those proofs, none of these applications are possible.
How do we actually do this?
This is a complicated problem. Here are a few ideas:
1) Digital permission slips
Essentially, the human holds a private key and uses it to sign a credential that authorizes an agent to take certain actions for a certain amount of time. The agent presents this signed, time-bound credential whenever it acts. This is sort of like a high-tech signed permission slip where your signature can’t be forged. High-risk actions might require explicit human permission – sort of like multi-factor authentication. E.g., the travel agent might text and say, “Your agent is trying to book a flight to Germany. Did you authorize that?” or require the human to use a passkey like FaceID.
2) Agentic passports
At the same time, the agent would have a signed “agent passport” that says what program it comes from and what it’s allowed to do. Platforms like Microsoft Azure, Amazon Web Services, Apple, and others could help verify these virtual documents. Counterparties can then accept a valid passport, especially for low-stakes transactions.
3) Always take a receipt
KYA should ensure that there’s a “paper trail” of tamper-proof receipts that show what the agent is doing, what authority it used, the counterparties involved, etc. That way, if there’s a dispute, there’s clear evidence of who did what, so things can be unpacked.
4) Kill switch
Not just for KYA but in general, there should be a very easy way to stop agent activity immediately. Every delegation must be easily revocable. So, if you get the text that your agent is trying to book a trip to Germany and you only asked it to research flights, then you should be able to reply with a secret passphrase, and the agent will immediately stop running. Probably, software companies will have to implement lots of different kill switches depending on the application, so this is something we’ll hopefully see more of soon.
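To make ideas 1 and 4 concrete, here is an added example in Go (my own sketch, not code from the post or from any existing product) of a signed, time-bound, scoped permission slip that a counterparty verifies before acting, with a revocation list standing in for the kill switch. The credential format, the field names and the demo key are assumptions; a real deployment would keep the principal’s key in a passkey or hardware enclave and publish revocations through some shared channel.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Delegation is the "permission slip": the holder of the signing key lets one named
// agent take the listed actions until an expiry (Unix seconds). Constructed format.
type Delegation struct {
	ID      string          `json:"id"` // what the kill switch revokes
	AgentID string          `json:"agent_id"`
	Scopes  map[string]bool `json:"scopes"`
	Expires int64           `json:"expires"`
}
// SignedDelegation is what the agent carries: the JSON bytes plus the
// principal's Ed25519 signature over exactly those bytes.
type SignedDelegation struct{ Payload, Signature []byte }
// Constructed demo key; a real principal's key would live in a passkey or enclave.
var principalKey = ed25519.NewKeyFromSeed([]byte("kya-demo-seed-do-not-use-in-prod"))
var PrincipalPub = principalKey.Public().(ed25519.PublicKey)
// Issue signs the delegation; only the holder of the private key can do this.
func Issue(priv ed25519.PrivateKey, d Delegation) SignedDelegation {
	payload, _ := json.Marshal(d) // marshalling this struct cannot fail
	return SignedDelegation{payload, ed25519.Sign(priv, payload)}
}
// Verify is what a counterparty runs before honouring an agent's request: signature
// first (never act on unverified bytes), then revocation, expiry, agent binding, scope.
func Verify(pub ed25519.PublicKey, sd SignedDelegation, agentID, action string, now int64, revoked map[string]bool) error {
	if !ed25519.Verify(pub, sd.Payload, sd.Signature) {
		return errors.New("signature invalid: credential forged or tampered")
	}
	var d Delegation
	if err := json.Unmarshal(sd.Payload, &d); err != nil {
		return err
	}
	switch {
	case revoked[d.ID]:
		return errors.New("delegation revoked by principal (kill switch)")
	case now >= d.Expires:
		return errors.New("delegation expired")
	case d.AgentID != agentID:
		return errors.New("credential was issued to a different agent")
	case !d.Scopes[action]:
		return errors.New("action outside delegated scope")
	}
	return nil // every check passed: the counterparty may act on the request
}
```

The check order matters: the signature is verified before the payload is parsed, so a counterparty never makes decisions on bytes the principal did not sign, and the revocation lookup comes before anything else so that a kill switch takes effect even on an otherwise valid slip.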
Closing Thought
We already verify who our customers, suppliers, and employees are. Soon we’ll need to verify who their agents are, and whether those agents are operating with consent inside clearly defined lines. That’s KYA. It won’t eliminate every failure mode, but it will make the default interaction between humans, agents, and services safe enough to scale.
Someone is going to get this right – might be a startup or an existing privacy company – and that someone is going to make a lot of money. And at the same time, they will make it possible for businesses and individuals to take the first steps towards trusting and working with agents.