Know Your Agent – Not a new idea. We have been doing it in mobile money for years. Every cash-in, every cash-out, every float top-up at a small shop, sits on top of one quiet discipline. Know Your Agent.
We onboarded the human agent against a verified identity. We gave them a float, a limit, a scope. We watched every transaction they touched. And the day one of them turned, we suspended them before the damage spread.
That is KYA. Boring, operational, unglamorous. It is also the reason hundreds of millions of people hand their money to a stranger at a kiosk and trust that it will arrive. The trust was never in the stranger. It was in the system standing behind the stranger.
Now the agent has stopped being human.
In the agentic era, the thing that starts the action is software. It authenticates. It calls a tool. It signs. It moves money on your behalf, while you sleep. From the outside the mechanics look the same. One thing underneath has changed completely, and it changes everything. The human agent could be held accountable. The AI agent cannot.
So the question inverts. Know Your Customer asks who the customer is. Know Your Agent, in this new era, asks something harder. Which verified human or entity is accountable for what this agent just did, and can you prove it. The human agent had skin in the game: a licence, a float you could claw back, a person you could call, fine, or hold in a room. The AI agent has none of that. There is nothing to seize, no licence to pull, no one to answer for it. So the verified human root behind the agent stops being good practice and becomes the entire control. Everything hangs from that root, or it hangs from nothing. The agent is temporary. The accountability is forever. Build for the second one.
01 – THE INVERSION
The agent stopped being human
In the agentic era, the thing that starts the action is software. It authenticates. It calls a tool. It signs. It moves money on your behalf, while you sleep. From the outside the mechanics look the same. One thing underneath has changed completely.
Diagram 1. When the agent cannot be held, the verified human root becomes the whole control. Everything hangs from that root, or it hangs from nothing.
- The Inversion of Accountability: While traditional human agents have immediate, tangible skin in the game (licenses, physical floats, and legal presence), AI agents lack assets to seize or bodies to hold accountable. The control mechanism must completely shift from monitoring the temporary agent to validating the permanent human or entity root behind it.
- The Foundation of Systemic Trust: The success of massive mobile money ecosystems has never relied on trusting the individual stranger at a kiosk; it relies entirely on a strict, unglamorous backend discipline of identity verification, precise scoping, and proactive transaction auditing.
- New Clothes, Old Discipline: Agentic AI alters the execution layer by allowing software to autonomously authenticate, trigger tools, sign transactions, and move capital. However, this shift does not require a brand-new operational philosophy—it requires applying the rigorous, time-tested principles of “Know Your Agent” to autonomous systems.
So the question inverts. Know Your Customer asks who the customer is. Know Your Agent now asks something harder. Which verified human or entity is accountable for what this agent just did, and can you prove it. The human agent had skin in the game: a licence, a float you could claw back, a person you could call. The AI agent has none of that. There is nothing to seize, no licence to pull, no one to answer for it. So the verified human root behind the agent stops being good practice and becomes the entire control. The agent is temporary. The accountability is forever.
The money sentence. An agent that cannot be held is not a risk you manage. It is a risk you inherit, in full, the moment it acts.
02 – THE CIRCUIT
The breaker is the float limit
I think about it as current flowing through a circuit. Current flows only through a verified, in-scope path. The moment it is not, a breaker trips and nothing moves. If you have ever set a float limit on an agent, you already understand this in your bones. The breaker is the float limit. We are simply moving it into software, and running it before the action, not after.
Diagram 2. Current flows only through a verified, in-scope path. Otherwise the breaker trips. The float limit, moved into software and run before the action.
- The Root is the Entire Control: Because an AI agent has no license to pull or float to claw back, every security vector hangs entirely from a verified human or corporate root entity.
- The Accountability is Forever: The software agent executing the automated workflow is completely temporary, but the ultimate liability for its actions remains permanent.
In mobile money we did not trust an agent because we hoped they were honest. We trusted them because the system would not let them move more than their float, and flagged them the moment their pattern looked wrong. The control was structural, not personal.
The money sentence. Do not trust the agent. Trust the structure around it. That is the only trust that survives an audit.
03 – THE PATH
The eight steps of an accountable agent action
Here is the path, step by step. Each one costs you something if you skip it. Root: everything starts from a verified human or entity, the power source. Agent identity: the agent gets its own provable identity, not a shared key. Delegation: authority that is scoped, limited, time-boxed and revocable, the float limit reborn for machines. Intent: the agent proposes the action, and this layer is allowed to be probabilistic.
Diagram 3. Eight steps. Probabilistic on the left where the model proposes, deterministic on the right where the system verifies, settles and records.
- The Determinism Boundary: While an agent’s intent-generation phase can remain probabilistic on the left side of the lifecycle, the system must enforce a strict, deterministic gate on the right before any irreversible action is executed.
- The Reborn Float Limit: Machine delegation requires explicitly scoped, time-boxed, and revocable authority—directly mimicking the classic mobile money discipline of limiting a human agent’s physical float.
The Determinism Boundary: before anything irreversible, a deterministic gate checks identity, scope, limit and root. Screening: sanctions, policy, velocity, and anomaly detection on the agent itself. Settlement: only a verified, in-scope, screened action moves money. Audit: every step, settled or blocked, is written to a chain you can replay.
The money sentence. Skip a step and you do not save time. You move the cost to the day a regulator asks you to prove what happened.
04 – THE SPINE
The Determinism Boundary
Step five is the spine of the whole thing. Above the line the system is allowed to be probabilistic, clever, even creative. Below it, authorisation and settlement are deterministic and accountable, and they do not negotiate.
Diagram 4. Above the line, probabilistic and clever. Below it, deterministic and accountable. The model never guards its own gate.
| Architectural Layer | System Behavior | System Responsibility |
| Above the Line (The Brain) | Probabilistic & Creative Driven by specialized models allowed to reason, propose actions, and iterate dynamically. | Intent Generation Formulates the proposed payload, handles linguistic nuances, and maps out the non-binding strategy. |
| The Boundary (The Spine) | Inflexible & Segregated A strict architectural firewall ensuring the model never guards its own gate. | Gatekeeping Prevents automated false negatives by isolating reasoning from final authorization. |
| Below the Line (The Gate) | Deterministic & Accountable Hard-coded, zero-trust validation mechanisms that do not negotiate or interpret. | Verification & Settlement Checks absolute limits, cryptographically verifies roots, and commits irreversible transactions. |
This is also where most teams will get it wrong. They will let the model guard its own gate, the same probabilistic system that reasons also deciding whether the action is allowed. Do not do this. A model is a probabilistic engine. It can be confidently wrong. And confidence is exactly what fraud has always wanted from the inside.
The money sentence. Let the model guard its own gate and you have not deployed AI. You have automated your own false negatives.
05 – TWO ACTIONS
Two actions, one rail
Picture two actions on the same rail. The first is good. It flows from the root, through identity, delegation and intent, reaches the boundary, passes every check, screens clean, and settles. It is logged. The second is over its limit, or its delegation has already expired. It travels the same path, full of the same confidence. It reaches the boundary, and the breaker trips.
Diagram 5. Let the good current flow. Stop the bad current at the gate. Record both, every single time, so you can prove later that you did.
Nothing moves. And it is still written to the audit chain, marked blocked, with the reason. That single loop is the entire point of Know Your Agent.
The money sentence. A blocked action you cannot prove you blocked is worth nothing. The record is the product.
06 – THE VALIDATION
A sovereign just wrote it down
This is no longer only my view from the field. A few days ago Estonia became the first country to back official identity codes for AI agents. The framing is almost word for word the discipline above: an agent must have a distinct identity, limited and auditable authorisations, the ability to act only within a fixed monetary limit, and it must always be clear who is acting, on whose behalf, and who is responsible. A distinct agent identity is step two.
Diagram 6. Estonia’s policy maps straight onto the eight steps. The mobile money instinct is becoming sovereign policy for machines.
The money sentence. When a sovereign writes your architecture into policy, the question stops being whether to build it, and becomes how late you are.
| Sovereign Directive | Architectural Blueprint | System Enforcement |
| Distinct Agent Identity | Step Two Implementation | Issues explicit, unique identity codes for autonomous entities rather than using shared API keys. |
| Fixed Monetary Limits | Step Three Execution | Hard-codes maximum financial thresholds directly into the delegation layer, reviving the classic mobile money float constraint. |
| Accountable Root Allocation | The Root Layer | Mandates a permanently mapped, legally verifiable human or corporate entity responsible for every autonomous action. |
A money limit is step three. A named, accountable human or company is the root. A full audit trail is the chain. That is not a prediction of Know Your Agent. That is a government writing it down.
Conclusion – None of this is futuristic. It is the oldest discipline in mobile money, wearing new clothes. We already know how to onboard an agent, scope it, watch it, and pull it the moment it turns. We did it for human agents at the last mile, at scale, under real regulators, for years, in markets where the cost of getting it wrong was somebody’s rent money.
The agentic era does not ask us to invent Know Your Agent. It asks us to remember it. And it asks us to be honest about the one inversion that changes the design: the AI agent cannot be held accountable at all, so the verified human root behind it becomes the entire control. Build for the accountability, not for the agent. The agent is temporary. The accountability is forever.
Feedback & Further Questions
I write about putting AI safely into regulated financial systems, mobile money, payments, AML, identity, and the physics-minded thinking behind it. Have a question, or a war story from your own deployments? Leave a comment or send me a note through the contact page. I will do my best to answer.
Points to Note
The hardest part is step five, the Determinism Boundary. Drawing it well is judgement earned in production, not a setting you toggle. If you take one thing from this piece, take that: decide, deliberately, what the model is allowed to propose and what stays deterministic, screened, and recorded.
Books Referred & Other material referred
- Open Internet research, news portals and white papers reading
- Lab and hands-on experience of @AILabPage (Self-taught learners group) members.
- Self-Learning through Live Webinars, Conferences, Lectures, and Seminars, and AI Talkshows
============================ About the Author =======================
Read about Author at : About Me
Thank you all, for spending your time reading this post. Please share your opinion / comments / critics / agreements or disagreement. Remark for more details about posts, subjects and relevance please read the disclaimer.
FacebookPage ContactMe Twitter ====================================================================
