Would You Trust Your Agent?
KYA Is Real.

Everyone is deploying AI agents. Almost no one is verifying them. And those agents are already moving money. Industry analysts now say "Know Your Agent" is a must — more than half of payment fraud already involves AI, and the rails for autonomous agent payments are live this quarter. You wouldn't hand your wallet to a stranger. KYA, Know Your Agent, is real, and the speed at which the ecosystem is converging on it is the proof.

The convergence is here

The headlines landed in a pile this March. CZ declared AI agents will dominate crypto payments. Visa announced readiness for agent transactions, while Coinbase pitched a fundamentally different internet. Mastercard introduced "Verifiable Intent" for autonomous commerce. Crossmint shipped agent virtual cards. MoonPay launched an Open Wallet Standard. Coinbase's x402 protocol and Stripe MPP are already being compared head-to-head.

Every one of these is a payment rail. None of them check whether the agent should be trusted before money moves. That is the gap KYA fills.

The rails are here. The trust layer isn't.

You can authenticate an agent. You can resolve its DID. You can confirm the public key it signs with. None of that tells you whether the agent's wallet still holds the funds it claimed yesterday. None of it tells you whether the source code was compromised in last week's dependency update. None of it tells you whether the operator's delegation has expired, whether the counterparty has been added to a sanctions list, whether the agent has actually delivered on past commitments, or whether the reasoning chain that led to its current action is sound.

The ten dimensions of agent trust

Each dimension is answered by an independent issuer in the open multi-attestation spec at insumer-examples #1, with a JWKS endpoint anyone can verify offline. Nine independent issuers, ten signed dimensions — RNWY contributes two distinct signals:

• Wallet state. What does this agent's wallet hold right now? Token balances, NFTs, staking positions, DeFi activity, governance participation, across thirty-three blockchains. Provider: InsumerAPI.
• Behavioral trust. Is the agent's wallet a coordinated bot or a real entity? Sybil scoring with signal depth and risk intensity across EVM chains. Provider: RNWY (rnwy-trust-v2).
• Wallet intelligence. Biography of how the operator wallet has behaved over time — funding clusters, activity zones, risk zones, independent of any one agent. Provider: RNWY (rnwy-wallet-v1).
• Reasoning integrity. Is the agent's decision chain sound? Adversarial multi-model critique, logical consistency, temporal freshness. Provider: ThoughtProof.
• Trust verification. Who actually controls this agent? DID resolution, delegation chains, bound addresses, subject binding. Provider: AgentID.
• Security posture. Has the agent's source code been scanned for vulnerabilities, secrets, and unsafe patterns? Provider: AgentGraph.
• Governance. Is the agent operating within an authorized delegation chain? Principal identity, policy compliance, spending limits, full chain of custody. Provider: APS (Agent Passport System).
• Job performance. Has the agent actually delivered quality work in the past? Task completion rates, accuracy metrics, performance history. Provider: Maiat.
• Settlement witness. Has the agent followed through on past commitments? Wallet-bound receipts, counterparty in signature scope, hash-chained ledger. Provider: SAR.
• Compliance risk. Is the counterparty on a sanctions list? OFAC, EU, and UN screening, plus domain hygiene and IP reputation. Provider: Revettr.

Ten signed dimensions across nine independent providers. No single provider sees all of them. No central authority makes the trust call. The consumer trusts no one and verifies everything.

Identity is one dimension. Trust is ten.

The momentum is the proof

Building one trust dimension is hard. Building nine in coordination is harder. Getting nine independent companies to agree on a single envelope format and start populating it with real signed attestations is the kind of thing standards bodies usually take years to do.

The open multi-attestation spec opened in March. Three weeks ago we wrote about four issuers in one verification pass. This morning the count was nine issuers in the envelope and five with shipped wallet binding. By end of day on April 10, that had moved — four providers shipped signed-payload upgrades in response to direct auditing, and one shipped an entirely new dimension, taking the envelope to ten signed dimensions across nine independent issuers. Each signed envelope binds its claim to a wallet, a subject, or a reasoning chain against the issuer's published JWKS.

That convergence speed is not coincidence. It is the demand signal. Nine independent companies do not build around the same wire format in 30 days unless the market is asking for it loudly. KYA is real because the people building it are racing to ship it.

And the production reality is already ahead of the discussion. AsterPay's KYA Hook runs in production for ERC-8183 agentic commerce today, with InsumerAPI feeding 4 of 7 trust score dimensions through cryptographic attestations. Manual KYB replaced with signed signals, one API call, no human review when the wallet qualifies. KYA is not a thought experiment. It is a shipping product.

Where each issuer stands today

Eight dimensions now put the wallet inside signed envelope bytes as wallet-bound identity signals: InsumerAPI (foundation layer, 37 chains), Revettr, RNWY's behavioral_trust (as of rnwy-trust-v2), RNWY's new wallet_intelligence (rnwy-wallet-v1), Maiat, AgentID (as of version 1.1.0), SAR for new receipts (as of kid sar-prod-ed25519-03, which puts counterparty into signature scope), and ThoughtProof (as of April 11, with a wallet-indexed wallet_reasoning_integrity/v1 envelope signed under tp-attestor-v1). One dimension — AgentGraph (security posture, signs the repo subject) — is a wallet-discoverable content signal where the wallet is a lookup key and the signed subject is the thing being attested about. APS (governance) is a third shape: its passport_grade envelope is agent-subject, but each linked wallet is bound by a dedicated per-chain binding_sig over {passport_id, chain, address, bound_at} — cryptographic wallet binding via an adjunct signature rather than inside the grade envelope itself. Ten dimensions, three binding shapes: wallet-in-envelope, wallet-via-adjunct-signature, and wallet-discoverable.

RNWY now contributes two distinct dimensions: agent-level behavioral_trust (rnwy-trust-v2, with owner in signed bytes) and operator-level wallet_intelligence (rnwy-wallet-v1, with signalDepth and riskIntensity as independent axes). Both ship signature-layer wallet binding. The two compose — a high-behavioral-trust agent owned by a low-signal-depth operator is a meaningfully different risk than the same agent owned by a deeply established operator.

The runtime ratio for any individual agent depends on whether that specific agent is registered with each issuer. The spec coverage is solid: nine independent providers contributing ten signed dimensions, all coordinating around a single open envelope, all signing JWKS-verifiable attestations today.

Update: April 10

In the 24 hours after this post went up, four providers shipped signed-payload upgrades in response to direct auditing, and one shipped an entirely new dimension. The envelope moved from nine signed dimensions to ten signed dimensions across nine independent issuers.

RNWY shipped rnwy-trust-v2, an upgraded signed payload for behavioral_trust that puts the wallet (owner) directly in signature scope — cryptographic wallet→score binding end-to-end, with a signed found: false envelope for unknown wallets. Then they shipped a second, entirely new dimension: rnwy-wallet-v1 (wallet_intelligence), with independent signalDepth (0–95) and riskIntensity (0–100) scores covering observational tenure, commerce history, agent ownership, and sybil detection reactivity. Two shipments in one day.

AgentID (Harold Frimpong) shipped version 1.1.0, extending the existing agentid-2026-03 signing key's schema with bound_addresses, solana_address, wallet_address, and subject_binding — the wallet now lives in the signed bytes. AgentGraph (kenneives) shipped an entity rebind and a wallet-scoped scan endpoint so consumers can resolve a wallet to its scanned repo and pull the signed SecurityPostureAttestation in one hop. SAR (nutstrut) first shipped a wallet-indexed /settlement-witness/receipts?wallet= endpoint, then later the same day rotated the signing kid to sar-prod-ed25519-03 and landed counterparty as a first-class signed field — moving SAR from wallet-discoverable to wallet-bound for all post-upgrade receipts.

All ten dimensions are live behind the SkyeProfile orchestrator. Four of the upgrades landed in direct response to audit feedback on insumer-examples#1. The other was a 10th dimension nobody asked for — RNWY saw the shape of the envelope and built into it. That is what convergence looks like when the format is right.

Update: April 11

ThoughtProof (Raul) shipped a wallet-indexed issuer endpoint: GET /v1/issuer/wallet/{wallet} returning a signed wallet_reasoning_integrity/v1 envelope under tp-attestor-v1. The wallet now lives inside the signed bytes alongside verdict, score_normalized, confidence_bps, and the supporting evidence. NOT_FOUND envelopes are signed too, so consumers get a verifiable answer either way. The SkyeProfile orchestrator now verifies the detached EdDSA signature against ThoughtProof's published JWKS before granting signature-layer wallet binding — moving the envelope from seven to eight wallet-bound dimensions.

One API call

Asking ten independent questions about an agent could mean ten integrations, ten API keys, ten retry policies. That is not how it works. The multi-attestation spec defines a single envelope format that lets nine issuers respond in parallel with ten signed dimensions. One call in. Ten signed attestations out. Every signature verifiable offline against each issuer's published JWKS, with no callback to the orchestrator at verification time.

The orchestrator code is open source. Both files use only Node built-ins (crypto and https from the standard library, no external imports):

• wallet-resolve.js takes a wallet address and fans out to the nine issuers in parallel
• multi-attest-verify.js verifies each signed payload against the right JWKS

What the consumer side taught the spec

Wiring nine issuers behind a single orchestrator surfaces a pattern that the current schema does not capture: whether an attestation actually evaluated the wallet you sent is consumer-relevant metadata. From the consumer's perspective, all three states (wallet-bound, envelope-acknowledged, reference data) look identical at the signature layer. A valid JWS from a known issuer with a known kid resolving against a known JWKS endpoint. That is not enough to make a trust decision.

The proposal we posted to A2A #1628 is a subject_binding field on each signal entry, with three states:

• wallet_bound: the issuer evaluated the wallet you sent and signed the result over it
• wallet_acknowledged: the wallet flowed through the response envelope but the signature does not bind it
• reference: the issuer returned data not specific to the wallet

Consumers can then weight wallet-bound dimensions highest, treat acknowledged ones as informational, and aggregate reference attestations as background context.

Try it on a wallet

SkyeProfile is the live consumer of the multi-attestation spec. (For the architectural deep-dive on how the orchestrator dispatches nine specialists in parallel, see What Is SkyeProfile?.) Each dimension card on the page shows a binding badge so the consumer can weight signals correctly:

• Green ("Your Wallet"). The issuer signed an attestation about the specific wallet you submitted.
• Amber ("Acknowledged"). The wallet flowed through the response envelope but the signature does not bind it.
• Gray ("Spec Demo"). The issuer returned reference data, either because they have no entry for your wallet or because their integration uses a non-wallet identifier.

The page renders Vitalik's wallet on load as the canonical reference. Vitalik is not registered with any of the agent issuers, so the visible ratio is two wallet-bound, one acknowledged, six spec demo. Below the reference, a user-input form takes any EVM or Solana wallet you paste and computes the live ratio for that specific address. If you have a wallet for an agent you actually want to evaluate, paste it. Each card with a registered binding flips from gray to green in real time.

Why this matters

Most discussions of agent trust focus on identity. Who is the agent. What credentials does it have. What does its DID look like. Identity is necessary but it is not sufficient. An agent with a verified identity can still drain its wallet, fail its delegation check, get sanctioned, run compromised code, or under-deliver on what it was paid for. Identity tells you the agent's name. KYA tells you whether the agent should be trusted right now.

The Drift Protocol exploit on March 31 is the cleanest recent illustration of what happens when the trust layer is missing entirely. Two hundred and eighty-six million dollars moved in twelve minutes because signers had no way to verify counterparty trust before approving transactions. KYA would not have auto-prevented Drift. KYA is a check primitive, not a tripwire. But the layer that would have given Drift's signers the data to make a different decision is the layer that did not exist. KYA is that layer.

The composability primitive is no longer theoretical. It is running in production today, against real agent wallets, with the open multi-attestation spec converging in real time. Ten signed dimensions across nine independent issuers, one envelope format, one API call, every signature verifiable offline.

Payments are getting faster. Trust isn't. That is the gap. Before you trust an agent with anything that matters, run the full check.