Banks verify humans through KYC. Oris verifies agents through KYA. Both serve the same purpose: ensuring that the entity spending money has a verified identity. The difference lies in what constitutes proof. Humans present documents. Agents present behavior, cryptographic signatures, and operator attestations.
Why Agent Identity Requires a New Standard
KYC works because governments issue identity documents, banks verify those documents, and courts enforce accountability when fraud occurs. This system took decades to build. It assumes a stable identity that persists over time: a person with a name, an address, and a face.
AI agents have none of these attributes. An agent can be cloned in seconds. Its behavior changes with every model update. It can operate from any jurisdiction simultaneously. It has no face, no address, and no government-issued credential. Applying KYC to agents produces a meaningless result. The operator passes KYC as a human, and the agent inherits that identity by proxy. When the agent misbehaves, the audit trail points to the operator, but the operator may have had no knowledge of the specific transaction.
KYA solves this problem by treating the agent as an independent financial entity with its own identity, its own trust score, and its own behavioral profile. The operator remains accountable, but the agent carries its own verifiable record.
The Four Trust Levels
| Level | Name | Per-Tx Limit | Daily Limit | Requirements |
|---|---|---|---|---|
| L0 | Registered | $10 | $50 | Agent profile created. Operator email verified. API key issued. |
| L1 | Verified | $500 | $2,000 | Operator KYB complete. Agent purpose declared. Wallet linked. |
| L2 | Trusted | $5,000 | $25,000 | 30-day clean transaction history. Behavioral baseline established. No compliance flags. |
| L3 | Institutional | $50,000 | $500,000 | 90-day clean history. Operator SOC2/ISO27001 attested. Manual review passed. Dedicated compliance contact. |
Trust levels increase only through demonstrated behavior. An operator cannot purchase L3 status or skip levels. The system requires real transaction history, clean compliance records, and time. This design mirrors how traditional banking relationships work: a new customer starts with low limits and earns higher limits through a track record of responsible use.
How Trust Builds Over Time
When a developer registers an agent with Oris, the agent starts at L0. At this level, the agent can execute only small transactions, suitable for testing and sandbox experimentation. The operator then completes Know Your Business (KYB) verification, providing company registration documents, a business address, and a designated compliance contact. Upon successful KYB, the agent advances to L1.
L1 unlocks production-grade transaction limits. The agent can process real payments up to $500 per transaction and $2,000 per day. During this period, the KYA system records a behavioral baseline: typical transaction sizes, frequency patterns, common destinations, and time-of-day distributions.
After 30 days of clean operation with no compliance flags, policy violations, or anomalous behavior, the agent becomes eligible for L2. The system performs an automated review of the agent's full transaction history and behavioral profile. If all criteria pass, the trust level advances automatically. L2 agents can process transactions up to $5,000 each, with $25,000 daily limits.
L3 requires 90 days of clean history plus additional attestations from the operator. The operator must provide evidence of SOC2 or ISO 27001 compliance, designate a compliance officer, and pass a manual review conducted by the Oris compliance team. L3 is designed for institutional agents that handle high-value transactions on behalf of regulated entities.
Behavioral Drift Detection
KYA does not stop at registration. Every transaction the agent executes updates its behavioral profile. The system tracks five key dimensions.
Average daily count vs. current count. A 10x spike triggers review.
Median and P95 transaction size. Sudden shifts indicate model changes or compromise.
Ratio of unique destinations to total transactions. A sudden concentration suggests exfiltration.
Hour-of-day and day-of-week distribution. Deviations from baseline indicate anomalous control.
Percentage of policy or compliance rejections. A rising rate suggests the agent is testing boundaries.
When an agent's behavior deviates significantly from its established baseline, the system takes graduated action. Minor deviations (within 2 standard deviations) generate an alert to the operator. Major deviations (beyond 3 standard deviations) trigger an automatic suspension. The agent's wallet enters a frozen state, blocking all outgoing transactions until the operator reviews the alert and explicitly reactivates the agent.
Suspension is immediate and automatic. Reactivation requires human intervention. This asymmetry is intentional. Compromised or malfunctioning agents must stop spending money within milliseconds. Resuming operations should require a deliberate decision from a responsible human.
KYA vs. KYC
| Attribute | KYC (Humans) | KYA (Agents) |
|---|---|---|
| Identity Proof | Government ID + liveness check | Operator attestation + cryptographic key pair |
| Verification Frequency | Once at onboarding, periodic refresh | Continuous (every transaction updates profile) |
| Behavioral Monitoring | Transaction monitoring (batch, delayed) | Real-time drift detection (sub-second) |
| Trust Model | Binary (verified or unverified) | Graduated (L0 through L3, earned over time) |
| Suspension Trigger | Manual review by compliance team | Automatic on behavioral deviation |
| Reactivation | Submit updated documents | Operator review + explicit reactivation |
| Entity Persistence | Lifetime (person does not change) | Model-versioned (new model = new baseline) |
The most important distinction lies in verification frequency. KYC verifies a human once and trusts that identity for years. KYA verifies an agent continuously because agents change with every deployment. A model update can alter an agent's decision-making patterns entirely. KYA treats each significant behavioral shift as a new identity event that requires re-establishing the trust baseline.
The Trust Graph
As more agents register with Oris and build transaction histories, the KYA system accumulates a trust graph across the entire agent economy. This graph maps relationships between agents, operators, destinations, and transaction patterns. Over time, the graph reveals clusters of trustworthy behavior and isolates anomalous actors more effectively than any single-agent analysis could achieve.
KYA creates a trust infrastructure that grows with the agent economy. Every verified agent, every clean transaction, and every behavioral baseline strengthens the network for all participants.
The agent economy needs a native identity standard. KYC was built for a world where humans held every account and signed every transaction. That world is ending. KYA provides the identity framework for what comes next.
Learn how KYA works in detail at useoris.xyz/how-it-works/kya.html
Get started with Oris
Two minutes to set up. Full spending controls from day one.