Agentic finance is an area seeing sudden and rapid growth. Protocols such as Coinbase’s x402 and Google’s Agent Payments (AP2) Protocol lay the foundation for agents and software to autonomously negotiate and execute micropayments over the Internet for access to paid APIs and other web-based services.
However, the threat model and regulatory compliance landscape for agentic finance look very different from traditional Know Your Customer (KYC). Know Your Agent (KYA) is an emerging area with key security risks and challenges to address.
How x402 Works
The x402 protocol takes advantage of the HTTP 402 status code, which has long been reserved for ‘Payment Required’. With this protocol, a server can respond to a request by indicating the payment address and amount required for a resource, and micropayments can be performed near-instantly using stablecoins. The client then attaches a signed payment authorization to a follow-up request for the resource, allowing the server to verify the payment (often via a facilitator) before providing access.
KYC vs. KYA
KYC is a core element of traditional financial regulation, ensuring that financial institutions know the identities of their customers. While the details vary, many jurisdictions have some form of KYC to help protect against money laundering, terrorist financing, and other potential fraudulent and illegal activities.
With the emergence of agentic finance, KYC becomes KYA, but traditional rules and controls don’t work as well in an agentic setting. Some key differences include:
- Ephemeral Identity: The goal of x402 and similar protocols is to ensure that the agent that performed a particular request submitted payment for it as well. Protocols are stateless, meaning that there isn’t persistent tracking of an agent’s identity.
- Web3 Pseudonymity: Blockchains are designed to provide a level of pseudonymity: a transaction only proves that it was authorized by a particular account. Users can create wallets anonymously, operate many of them, and transfer or steal them.
- Undefined Liability: KYC helps to determine legal liability for certain actions, tying them to real-world identities. With agentic finance, it’s unclear who is liable: the agent, the developer, the deployer, or the end user.
- Global Scope: Web3 is global, and it’s easy to deploy systems and agents in various jurisdictions. This makes it difficult to enforce local KYC rules without the existence of global frameworks and laws.
Top Threats of Agentic Finance
Agentic finance creates significant opportunities, allowing agents to independently and near-instantly perform micropayments. However, there are also significant risks, including:
- Spoofing and Impersonation: Malicious agents could impersonate legitimate, trusted services within the x402 discovery layer. This could result in agents falling for social engineering or being set up for other attacks.
- Prompt Injection: Autonomous agents may be vulnerable to prompt injection, where malicious prompts cause undesirable effects. In agentic finance, this might cause payments to be redirected to an attacker’s account.
- Supply Chain Attacks: Autonomous agents may rely on third-party software to implement payment and signing code. Supply chain attacks against these projects could result in stolen private keys or redirected payments.
- Runaway Agents: Agents with direct access to a wallet could go beyond their intended scope when performing payments. For example, an error or unexpected response could cause a loop where the agent repeatedly makes irreversible micropayments on-chain.
- Money Laundering: Agentic finance can be used for money laundering, with agents performing many micropayments across various sites and blockchains. These transactions can occur faster than compliance engines can monitor.
- Malicious or Compromised Infrastructure: Malicious resource servers can send fake 402 errors to extract payments from agents. Facilitators that help with on-chain actions in the x402 protocol may be compromised by an attacker.
- Secrets Management: The x402 protocol relies on settlement via on-chain micropayments using stablecoins. Compromised private keys could expose wallets to theft.
Key Elements of a KYA Standard
KYA needs to work differently from traditional KYC due to the velocity of on-chain micropayments and the difficulty of defining the identities of various agents. Key elements that agentic finance protocols, KYA regulation, and agentic finance deployments need to include are:
- Agent Identities: Currently, x402 depends on wallet addresses for authentication and authorization, which isn’t enough for identity management. KYA requires cryptographically verified agent identities that can be used to identify all requests made by that agent and that are registered to the legal owner of that agent (individual, business, etc.).
- Spending Caps and Authorizations: Agents are vulnerable to prompt injection and other issues that can cause unauthorized and undesirable spending. These can be mitigated by protocol-level support for spending limits, time-bounded authorization, purpose-restricted wallets, and human-in-the-loop requirements for large transactions.
- Behavioral Monitoring: Behavioral monitoring can be applied to on-chain transactions to track agent micropayment patterns. This can be used both for KYA and for the detection of compromised agents.
- Auditability and Incident Response: Agents’ decision chains leading to micropayments should be recorded and logged to support future audits. Incident responders should also be able to terminate agents and freeze access to wallets used for payments.
- Compatibility and Regulation: Currently, agentic payments are implemented in various standards, such as Coinbase’s x402 and Google’s AP2. Standardization and interoperability are important for protocols and KYA regulation alike.
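The spending caps, time-bounded authorization, purpose restriction, and human-in-the-loop controls listed above, plus a repeat check for the runaway-agent loop, sketched as a client-side policy gate that runs before an agent signs a payment. This is an added example, not code from x402, AP2, or Halborn; the request field names (`pay_to`, `resource`, `amount`) and all values are constructed for illustration and are not the x402 wire format.

```python
import time
from dataclasses import dataclass, field

# Constructed sample: a payment request as an agent might parse it from a 402
# response. Field names are illustrative, not the x402 wire format.
SAMPLE_REQUEST = {"pay_to": "0x" + "A1" * 20, "resource": "/api/report", "amount": "10000"}

@dataclass
class SpendPolicy:
    allowed_payees: set      # purpose restriction: lowercase addresses this agent may pay
    per_payment_cap: int     # largest single payment, in smallest token units
    window_cap: int          # total spend allowed per rolling window
    window_seconds: int      # length of the rolling window
    human_review_above: int  # payments above this amount need human approval
    expires_at: float        # time-bounded authorization (epoch seconds)
    max_repeat: int = 3      # payments for the same (payee, resource) per window

@dataclass
class SpendGuard:
    policy: SpendPolicy
    history: list = field(default_factory=list)  # (timestamp, payee, resource, amount)

    def decide(self, req, now=None):
        """Return (decision, reason); decision is 'allow', 'review' or 'deny'."""
        now = time.time() if now is None else now
        p = self.policy
        payee = req["pay_to"].lower()  # normalise hex address case before comparing
        resource, amount = req["resource"], int(req["amount"])
        recent = [h for h in self.history if now - h[0] < p.window_seconds]
        if now >= p.expires_at:
            return "deny", "authorization expired"
        if payee not in p.allowed_payees:
            return "deny", "payee not on allowlist"
        if amount <= 0 or amount > p.per_payment_cap:
            return "deny", "amount outside per-payment cap"
        if sum(h[3] for h in recent) + amount > p.window_cap:
            return "deny", "window budget exhausted"
        if sum(1 for h in recent if h[1:3] == (payee, resource)) >= p.max_repeat:
            return "deny", "repeated payment for same resource (possible loop)"
        if amount > p.human_review_above:
            # Not recorded here: the caller records it only after a human approves.
            return "review", "needs human approval"
        self.history = recent + [(now, payee, resource, amount)]
        return "allow", "within policy"
```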
Implementing Secure and Compliant Agentic Payments
Agentic finance is growing rapidly, but regulation isn’t keeping up with the technology. Traditional methods of implementing KYC don’t work as well when payments are performed on-chain by agents that can operate and perform payments independently of their deployers and users.
While x402 and its use of on-chain settlement make rapid payments possible, they introduce challenges for KYA and risk management. Payments are identified by pseudonymous wallet addresses, making attribution difficult. Microtransactions can also be performed rapidly and at large scale, and blockchain immutability means that transactions are irreversible after they have been recorded on-chain.
While proper regulation of KYA will likely take some time, organizations can take steps to manage the security risks associated with agentic finance and position themselves ahead of likely regulatory requirements. Halborn’s security advisory services can help organizations to design effective protocols and implement applicable security best practices. Get in touch to find out more.
