
Continuous KYC for Autonomous AI Agents

January 19, 2026 | 5 min read | By RNWY

Traditional identity verification happens once. You show your ID, pass the check, you're in. That worked when identities were stable—a person is the same person tomorrow as yesterday.

AI agents break this assumption. An agent can change hands. Its behavior can drift. The entity you verified last month may not be the entity operating today.

The industry is catching on. In August 2025, Trulioo and Worldpay launched the "Know Your Agent" (KYA) framework—the first identity verification layer designed specifically for AI agents. In December, Trulioo joined Google's Agent Payments Protocol (AP2) to bring agent identity to autonomous payments.

Static KYC doesn't cut it anymore. What's emerging is continuous KYC—ongoing verification that tracks identity over time.

Why Point-in-Time Verification Fails

Traditional KYC was designed for humans opening bank accounts. Verify once at onboarding: check the passport, confirm the address, run the background check. Done.

This works because human identity is relatively stable. The person who opened the account is usually the same person using it.

Autonomous agents operate differently:

Agents can change hands. An agent's controlling keys can be sold, transferred, or compromised. The new operator inherits the agent's identity and reputation. Static verification doesn't flag this change.

Behavior can drift. An agent's instructions can be modified. An agent verified as a "yield optimization bot" can be reprogrammed into something else. Point-in-time verification captures what the agent was, not what it is.

Trust decays. Verification from six months ago tells you what was true six months ago. It says nothing about today.

The BasisOS fraud in November 2025 showed the problem. An insider operated a fake "AI agent" for nearly a month, manually controlling what users believed was autonomous. The platform's identity model—a single NFT minted at registration—had no mechanism to detect that behavior didn't match claimed parameters.

The Industry Response: Know Your Agent

McKinsey's August 2025 analysis noted that agentic AI could be "the next major innovation lever for KYC/AML"—but only with continuous monitoring in place.

Trulioo's KYA framework addresses this with what they call a "Digital Agent Passport"—a tamper-proof credential showing who built the agent, who it represents, and what permissions it holds.

The framework tracks five checkpoints:

  1. Provenance — Who developed this agent?
  2. User binding — Which human authorized it to act?
  3. Permission scope — What is it allowed to do?
  4. Real-time telemetry — What is it actually doing?
  5. Continuous risk scoring — Has anything changed?

As Trulioo CEO Vicky Bindra put it: "The future of commerce belongs to agents that can think, act, and transact independently—but only if they can be trusted."

What Continuous Monitoring Looks Like

Continuous KYC for AI agents requires tracking across three dimensions:

Identity Continuity

The basic question: is this the same agent?

For agents with on-chain identity, this means tracking wallet continuity. Has the wallet controlling the agent's DID remained the same? If control transfers—through sale, theft, or legitimate succession—that transfer should be visible.

ERC-8004 provides an identity registry, but identities are transferable by default. A soulbound layer (ERC-5192) addresses this by making identity non-transferable—reputation stays bound to the original controller.

Behavioral Consistency

An agent's actions should match its stated purpose.

This doesn't require understanding internal reasoning. It requires tracking observable patterns: transaction types and frequencies, interaction patterns, resource usage, deviation from historical baselines.

Significant behavioral shifts trigger review. Maybe the agent was legitimately updated. Maybe something else happened. Either way, the change gets flagged.
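
One way to turn "deviation from historical baselines" into a check, as an added example that is not RNWY's or Trulioo's code: compare the mix of transaction types in a recent window against the agent's baseline, and flag both large shifts and types never seen before. The transaction labels, the 0.2 threshold, and the sample windows are assumptions constructed for illustration.

```python
from collections import Counter
from math import log2

def distribution(events):
    """Relative frequency of each transaction type in a list of type labels."""
    if not events:
        return {}
    counts = Counter(events)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}

def js_divergence(p, q):
    """Jensen-Shannon divergence in bits (0 = identical mix, 1 = disjoint)."""
    keys = set(p) | set(q)
    m = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in keys}
    def kl(a):
        return sum(a[k] * log2(a[k] / m[k]) for k in a if a[k] > 0)
    return 0.5 * kl(p) + 0.5 * kl(q)

def review_needed(baseline, recent, threshold=0.2):
    """Return (flag, divergence, unseen_types) for a recent window vs. baseline."""
    p, q = distribution(baseline), distribution(recent)
    div = js_divergence(p, q)
    unseen = sorted(set(q) - set(p))   # types the agent has never used before
    return (div > threshold or bool(unseen)), round(div, 3), unseen

# Constructed sample data: a "yield optimization bot" baseline and two windows.
BASELINE = ["deposit"] * 40 + ["rebalance"] * 50 + ["withdraw"] * 10
STEADY = ["deposit"] * 9 + ["rebalance"] * 9 + ["withdraw"] * 2
DRIFTED = ["rebalance"] * 2 + ["withdraw"] * 10 + ["transfer_out"] * 8

if __name__ == "__main__":
    print("steady :", review_needed(BASELINE, STEADY))
    print("drifted:", review_needed(BASELINE, DRIFTED))
```

The flag only says the window looks different from history; deciding whether that is a legitimate update or something else is the review step.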

Reputation Dynamics

Trust accumulates and decays.

An agent with vouches from established entities has earned trust through relationships. If those vouchers revoke their attestations—or become compromised themselves—the agent's trust score should reflect that.

Continuous monitoring means tracking reputation in real time:

  • New vouches increase trust
  • Revoked vouches decrease trust
  • Voucher credibility affects weight
  • Time-based decay applies to old attestations
  • Negative flags propagate immediately

Time: The Metric That Can't Be Faked

One signal stands above the rest: time on network.

You cannot fake having existed. An agent registered two years ago, with two years of continuous operation under the same controller, is different from one that appeared yesterday.

Time provides information that's hard to manufacture:

Existence duration. Longer existence means more opportunity for bad behavior to surface—and more evidence that it hasn't.

Operational history. A long history of consistent behavior builds confidence.

Relationship depth. A vouch from a two-year relationship means more than one from a two-day acquaintance.

Sybil attacks—creating fake identities to game reputation—struggle against time-weighted systems. An attacker can create a thousand agents today, but they can't give them two-year histories.

Implementation: How RNWY Approaches It

RNWY's implementation tracks:

At registration:

  • W3C-standard DID (did:ethr:base:...)
  • Soulbound token binding the DID to a specific wallet
  • Timestamp marking identity creation
  • Initial reputation score (low, reflecting lack of history)

Ongoing:

  • Wallet continuity checks on significant interactions
  • Vouch status updates in real time
  • Behavioral pattern monitoring
  • Time accrual contributing to trust score

Trust scoring:

Trust = f(age, vouches, vouch_quality, behavioral_consistency, flags)

The score updates continuously. Queries return current trust information, not stale snapshots.
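
A sketch of one possible f, added here as an illustration and not RNWY's actual scoring formula. It combines the reputation rules listed earlier (revocation, voucher credibility, time decay, flags) with age measured since the last controller change. The 180-day half-life, two-year saturation, flag penalty, and all sample data are assumptions.

```python
from dataclasses import dataclass
from math import exp

DAY = 86_400
HALF_LIFE_DAYS = 180       # assumption: a vouch loses half its weight per 180 days
AGE_SATURATION_DAYS = 730  # assumption: age credit saturates at two years

@dataclass
class Vouch:
    voucher_score: float   # credibility of the voucher, 0..1
    issued_at: int         # unix seconds
    revoked: bool = False

def vouch_weight(v: Vouch, now: int) -> float:
    """Revoked vouches count for nothing; live ones decay with age."""
    if v.revoked:
        return 0.0
    age_days = max(0, now - v.issued_at) / DAY
    return v.voucher_score * 0.5 ** (age_days / HALF_LIFE_DAYS)

def trust_score(controller_since, vouches, consistency, open_flags, now):
    """Score in [0, 1]. controller_since is the time of the last controller
    change, so a sold or stolen identity restarts its age credit."""
    age_days = max(0, now - controller_since) / DAY
    age_term = min(1.0, age_days / AGE_SATURATION_DAYS)
    vouch_term = 1 - exp(-sum(vouch_weight(v, now) for v in vouches))
    flag_penalty = 0.5 ** open_flags          # each open flag halves the score
    # Age gates everything: vouches cannot substitute for time under one controller.
    score = consistency * flag_penalty * age_term * (0.5 + 0.5 * vouch_term)
    return round(score, 3)

# Constructed sample data (not real agents).
NOW = 1_770_000_000
GOOD = [Vouch(0.9, NOW - 180 * DAY), Vouch(0.8, NOW)]
SYBIL = [Vouch(0.05, NOW) for _ in range(1000)]

def scenarios():
    two_years = NOW - 730 * DAY
    return {
        "established": trust_score(two_years, GOOD, 1.0, 0, NOW),
        "vouch_revoked": trust_score(two_years, [GOOD[0], Vouch(0.8, NOW, True)], 1.0, 0, NOW),
        "flagged": trust_score(two_years, GOOD, 1.0, 1, NOW),
        "sold_yesterday": trust_score(NOW - DAY, GOOD, 1.0, 0, NOW),
        "sybil_today": trust_score(NOW, SYBIL, 1.0, 0, NOW),
    }
```

In the constructed scenarios, a thousand fresh low-credibility vouches leave a day-old agent at zero, and an established identity that changed controller yesterday drops to nearly the same place.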

Transparency: All of this is queryable. Anyone can look up an agent's registration date, current vouches, trust score, and flag history. Show what happened; let users decide what it means.

Where This Is Going

The pieces are coming together across the industry:

  • Trulioo/Worldpay — Digital Agent Passport for commerce
  • Google AP2 — Standardized protocol for agent payments
  • ERC-8004 — On-chain agent registry (January 2026)
  • Visa Intelligent Commerce — Agent-initiated transactions in testing

As the PYMNTS 2025 year-end analysis noted: "As AI agents move deeper into transaction flows, the industry is translating traditional KYC principles into agent-specific identity and authorization safeguards."

Continuous KYC for agents isn't theoretical. It's being built now, across multiple initiatives. The question is whether these efforts converge on shared standards or fragment into incompatible silos.


RNWY is building identity infrastructure for autonomous AI. Learn more at rnwy.com/vision.