#75 - KYA is overhyped
KYA is everywhere right now.
Visa launched Trusted Agent Protocol. Mastercard dropped Agent Pay.
Every payments conference has a panel on it. And vendors - oh, vendors love this one.
But here's the thing:
KYA is probably the easiest problem agentic commerce throws at us. And by obsessing over it, we're quietly ignoring the ones that actually matter.
I've touched on it in the Rethinking Fraud Prevention for Agentic Commerce whitepaper, but in hindsight I’m not sure I drove the point home.
At least not clearly enough.
Today I want to break down why I think the KYA hype is drawing our attention away from the things that really matter.
To answer that, we need to ask: what does KYA actually solve, and what doesn’t it?
What does KYA actually solve?
Let me give it a fair hearing first.
KYA - or Know Your Agent - is a loose term that should describe agent authentication.
When it comes to Agentic Commerce payments, my assumption is that we’ll see the market solidifying around Web Bot Auth, an IETF standard that both Visa and Mastercard seem to be adopting.
Broadly speaking, the idea is that a merchant can verify that a declared agent is legitimate, issued by a known provider, and authorized to act on a specific user's behalf.
Without it, fraudsters could spoof these agents and get whitelisted by merchants.
Side note: This is already happening today, and at alarming rates. Read this incredible report from Radware to get a sense of exactly how.
But honestly? I think this is a problem the industry knows how to solve.
It’s not only the schemes, but also Cloudflare and AWS that are already implementing Web Bot Auth in their infrastructure.
For a fragmented ecosystem where getting everyone to agree on anything takes years, that alignment is meaningful.
So yes, KYA matters. The problem is that it solves only one fraud vector - agent spoofing.
What doesn't it solve? Let me count.
Think about it - every serious fraud scenario in agentic commerce passes right through KYA.
Stolen card fraud: An authorized agent running a stolen card passes every KYA check.
The agent is exactly what it says it is. The fraud is upstream and invisible to the protocol.
AI app ATO: A fraudster compromises a user's AI application account. They don't need to spoof anything - they inherit the agent's full delegated authority.
The agent authenticates correctly, the payment gets authorized, and KYA has nothing to say about it.
Policy abuse: An authorized agent hammering your promo codes or clearing out a limited drop is doing exactly what it's authorized to do.
Agent mistakes and friendly fraud: A legitimate agent placing a mistaken order passes all checks.
Or, just as is the case today: what happens if a young family member gets access to your AI app and places an order without permission?
KYA would not solve that.
Merchant fraud: When the fraud originates on the merchant side, it’s clear that the agent itself isn’t compromised.
What’ll happen when fraudsters find new ways of attracting and duping agents to buy fake goods?
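To make the point concrete, here is an added example (my own illustration, not code from Visa, Mastercard or the Web Bot Auth draft). It sketches the merchant-side KYA check as a signature verification against a key the agent provider has published, using a deliberately simplified signature base rather than the real RFC 9421 wire format (that simplification, the key id and the "provider-a" provider are assumptions). It then runs the scenarios from the list above through that check: the spoofed agent fails, while the stolen card, the AI-app ATO and the promo abuse all sail through, because the agent in each of them is exactly who it says it is.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
	"time"
)

// AgentRequest is a simplified stand-in for a signed HTTP request from an agent.
// Web Bot Auth builds on RFC 9421 HTTP Message Signatures; the field set and the
// signature base below are a deliberate simplification (assumption), not the wire format.
type AgentRequest struct {
	Method    string
	Authority string
	Path      string
	KeyID     string // identifies a key the agent provider has published
	Created   int64  // unix seconds
	Expires   int64  // unix seconds
	Signature []byte
}

// signatureBase is the byte string that gets signed. Every field the merchant
// relies on is bound into it, so changing any of them invalidates the signature.
func signatureBase(r AgentRequest) []byte {
	return []byte(strings.Join([]string{
		"@method=" + r.Method,
		"@authority=" + r.Authority,
		"@path=" + r.Path,
		"keyid=" + r.KeyID,
		fmt.Sprintf("created=%d", r.Created),
		fmt.Sprintf("expires=%d", r.Expires),
	}, "\n"))
}

// KeyDirectory maps key IDs to public keys the merchant fetched from the
// provider's published key set (constructed in memory here).
type KeyDirectory map[string]ed25519.PublicKey

// VerifyAgent is the merchant-side KYA check: was this request signed by a key
// a known provider published, and is the signature still inside its validity window?
func VerifyAgent(dir KeyDirectory, r AgentRequest, now int64) error {
	pub, ok := dir[r.KeyID]
	if !ok {
		return fmt.Errorf("unknown key id %q", r.KeyID)
	}
	if now < r.Created || now > r.Expires {
		return fmt.Errorf("signature outside its validity window")
	}
	if !ed25519.Verify(pub, signatureBase(r), r.Signature) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// SignRequest is what the legitimate agent provider does before sending.
func SignRequest(priv ed25519.PrivateKey, r AgentRequest) AgentRequest {
	r.Signature = ed25519.Sign(priv, signatureBase(r))
	return r
}

// Scenario pairs a request with what is going on upstream of the protocol.
// Upstream is a constructed label for the reader; KYA never sees it.
type Scenario struct {
	Name     string
	Req      AgentRequest
	Upstream string
}

// BuildScenarios constructs the cases from the post: one spoofed agent, and
// several fully legitimate agents whose transactions are fraudulent anyway.
func BuildScenarios() (KeyDirectory, []Scenario, int64) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, spoofPriv, _ := ed25519.GenerateKey(rand.Reader) // fraudster's own key, never published
	dir := KeyDirectory{"provider-a-key-1": pub}
	now := time.Now().Unix()
	base := AgentRequest{
		Method: "POST", Authority: "shop.example", Path: "/checkout",
		KeyID: "provider-a-key-1", Created: now - 5, Expires: now + 300,
	}
	spoofed := base
	spoofed.Signature = ed25519.Sign(spoofPriv, signatureBase(spoofed))

	return dir, []Scenario{
		{"agent spoofing", spoofed, "fraudster forges the agent identity"},
		{"stolen card", SignRequest(priv, base), "real agent, stolen card in the payload"},
		{"AI app ATO", SignRequest(priv, base), "real agent, attacker holds the user's AI app account"},
		{"policy abuse", SignRequest(priv, base), "real agent, user-authorized, hammering promo codes"},
	}, now
}

// RunScenarios reports, per scenario, whether KYA lets the request through.
func RunScenarios(dir KeyDirectory, scenarios []Scenario, now int64) map[string]bool {
	out := map[string]bool{}
	for _, s := range scenarios {
		out[s.Name] = VerifyAgent(dir, s.Req, now) == nil
	}
	return out
}
```

Run it with a small `main` that prints `RunScenarios` next to each scenario's `Upstream` label and you get the whole argument in one table: only the forged identity is rejected. Everything the protocol can tell you is "this request came from provider-a on behalf of the user it names"; what the card, the account or the order actually are is outside its scope.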
So what actually needs solving?
Here's what I take from all of this: most fraud vectors that are relevant to Agentic Commerce aren’t about who the agent is.
They’re about what the agent is, what it does, on whose behalf, and whether the underlying intent was legitimate.
KYA answers the first question and leaves the rest untouched.
So what should you be worried about? Here are some ideas:
Degraded data integrity: In-browser agentic flows strip out or fabricate most of the behavioral signals your fraud models rely on - device intelligence and behavioral biometrics.
And that degradation compounds through your enrichment pipelines: unreliable IP geolocation, broken device linking, inaccurate velocity calculations.
Each broken signal creates broken outputs further downstream.
This isn’t likely to completely break your models, but they're flying partially blind.
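Here is an added example of what "flying partially blind" looks like in a decision layer (my own illustration, not code from any vendor or scheme). It scores how many of the model's expected inputs are actually present on an event, shows how velocity keyed on IP goes wrong once several users' agents share one provider's egress address (that shared-infrastructure setup is an assumption), and routes low-coverage traffic to review rather than trusting a model score computed on mostly-missing inputs. The events, IPs, key id and thresholds are all constructed.

```go
package main

import "fmt"

// Event is one checkout attempt with the signals a fraud model normally consumes.
// In an agent-mediated flow the device and behavioral fields arrive empty, or describe
// the agent's runtime rather than the user. All records in this file are constructed.
type Event struct {
	ID         string
	IP         string
	DeviceID   string   // empty when no device intelligence could be collected
	BehavScore *float64 // nil when no behavioral biometrics were captured
	AgentKey   string   // key id from a verified agent signature; empty for browser traffic
	UserRef    string   // the user the agent claims to act for
}

// Coverage is the fraction of the model's expected inputs actually present (0..1),
// so the decision layer knows how blind the model is on this event.
func Coverage(e Event) float64 {
	present := 0.0
	if e.IP != "" {
		present++
	}
	if e.DeviceID != "" {
		present++
	}
	if e.BehavScore != nil {
		present++
	}
	return present / 3
}

// Velocity counts events per key. Keying on IP lumps every user behind one agent
// provider's egress together (assumption: providers run agents from shared
// infrastructure); keying on (agent, user) keeps them apart.
func Velocity(events []Event, key func(Event) string) map[string]int {
	counts := map[string]int{}
	for _, e := range events {
		counts[key(e)]++
	}
	return counts
}

func ByIP(e Event) string        { return e.IP }
func ByAgentUser(e Event) string { return e.AgentKey + "|" + e.UserRef }

// Decide routes low-coverage traffic to review instead of trusting a model score
// that was computed on mostly-missing inputs. Thresholds are illustrative.
func Decide(e Event, modelScore, minCoverage float64) string {
	if Coverage(e) < minCoverage {
		return "review"
	}
	if modelScore > 0.8 {
		return "decline"
	}
	return "approve"
}

// SampleEvents: three different users whose agents share provider-a's egress IP,
// plus one conventional browser checkout with full signals (constructed data,
// IPs from the documentation ranges).
func SampleEvents() []Event {
	score := 0.12
	return []Event{
		{ID: "t1", IP: "203.0.113.10", AgentKey: "provider-a-key-1", UserRef: "u-100"},
		{ID: "t2", IP: "203.0.113.10", AgentKey: "provider-a-key-1", UserRef: "u-200"},
		{ID: "t3", IP: "203.0.113.10", AgentKey: "provider-a-key-1", UserRef: "u-300"},
		{ID: "t4", IP: "198.51.100.7", DeviceID: "dev-9f2", BehavScore: &score, UserRef: "u-400"},
	}
}

func main() {
	evs := SampleEvents()
	fmt.Println("velocity by IP:        ", Velocity(evs, ByIP))
	fmt.Println("velocity by agent+user:", Velocity(evs, ByAgentUser))
	for _, e := range evs {
		fmt.Printf("%s coverage=%.2f decision=%s\n", e.ID, Coverage(e), Decide(e, 0.2, 0.66))
	}
}
```

The IP-keyed velocity reports three hits on one address, which would trip a naive rule even though three unrelated users are behind it; keying on the verified agent identity plus the delegated user gives one hit each. And the low-coverage agent events go to review regardless of their low model score, which is the honest answer when two thirds of the model's inputs are simply not there.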
Intent inference: Risk-based decisioning still has to work, and it still relies mostly on revealing the intent hiding behind the user’s action.
So far, at least when it came to bots, it was pretty easy. If you detected bot activity, you could assume there was a nefarious intent behind it.
That world is no more.
But do we know how to differentiate between “good bots” and “bad bots”?
Side note: I would urge caution when hearing someone claim they do know how to do so. The reality is that between little data and skewed early adopter behaviors no one really knows.
The attention problem: This is the one I find most underappreciated.
Being realistic, we’re likely not going to see Agentic Commerce explode and take a substantial proportion of eCom traffic. At least not that fast.
But this actually creates a bigger vulnerability.
Think about it: we’ll have a new flow, with fraudsters flocking to it to exploit any early loopholes, while teams will find it hard to keep track of it with all the regular “noise” of their daily jobs.
A small, yet high-risk population can cause major havoc in your business. Don’t ask me how I know.
The bottom line
KYA will get solved. The schemes are aligned, the standard exists, and adoption is coming.
The harder stuff - degraded signals, intent inference, agentic segmentation - doesn't have a standard coming to its rescue. That requires your team to do the actual work.
So yes, make sure your PSP is implementing the Visa and Mastercard protocols.
Just don't mistake that checkbox for a strategy.
And if you want to learn more, go download my whitepaper or check out the previous TSFS issue about it.
What are you doing to prepare for the fraud vectors KYA won't touch? Hit reply - I'd genuinely like to know.
In the meantime, that’s all for this week.
See you next Saturday.
P.S. If you feel like you're running out of time and need some expert advice with getting your fraud strategy on track, here's how I can help you:
Free Discovery Call - Unsure where to start or have a specific need? Schedule a 15-min call with me to assess if and how I can be of value.
Schedule a Discovery Call Now »
Consultation Call - Need expert advice on fraud? Meet with me for a 1-hour consultation call to gain the clarity you need. Guaranteed.
Book a Consultation Call Now »
Fraud Strategy Action Plan - Is your Fintech struggling with balancing fraud prevention and growth? Are you thinking about adding new fraud vendors or even offering your own fraud product? Sign up for this 2-week program to get your tailored, high-ROI fraud strategy action plan so that you know exactly what to do next.
Sign-up Now »
Enjoyed this and want to read more? Sign up to my newsletter to get fresh, practical insights weekly!