What the IMF Missed in Its Know Your Agent Framework

The IMF just published its first formal note on agentic AI in payments. The headline shift: regulators should move from Know Your Customer to Know Your Agent, with "mandated verifiable identities for financial bots linked to legal entities."

The framework is sound. But the standards the IMF endorses will not deliver Know Your Agent in any meaningful sense. They verify the agent. They verify the mandate. They leave the actual human behind the action untouched.

‍

The Three-Layer Model Is the Most Useful Idea in the Paper

Davidovic and Tourpe argue that payment systems and AI agents work in opposite ways. Payment rails are built on rules, finality, and auditability. Every transaction is tied to a clear lineage and an irrevocable outcome. AI is probabilistic by design, so the same prompt can produce different outputs from one run to the next.

The fix is architectural separation:

1. Intent and orchestration. Agents reason, plan, and negotiate.
2. Authorization and control. Rules check whether the proposed action is allowed.
3. Settlement. Money moves on existing rails.

Probabilistic reasoning stays upstream. Authorization and settlement stay deterministic. KYA lives in Layer 2, alongside identity, mandates, and compliance. The framing is clean enough that the industry will pick it up, and it deserves to.

‍

‍

‍

The Layer 2 Stack Has a Hole Where the Human Should Be

Look at what the paper endorses for Layer 2: AP2 mandates, ERC-8004 agent registries, OAuth, OpenID Connect, and verifiable credentials. Together, these primitives add up to cryptographic signatures, registry lookups, and permissions scoped to a specific job. Every one of them answers a different question than the one the biggest fraud cases will actually pose.

When an agent submits a $50,000 insurance claim on behalf of a policyholder, three things need verifying:

1. The agent. Is this a registered bot operating within its declared scope?
2. The mandate. Did a user sign authorization for this kind of action, at this size, at some point in the past?
3. The human. Is the person whose mandate is being invoked actually the person they claim to be? Are they alive, uncoerced, and the same person who signed?

The standards in the paper handle the first two cleanly. The third one is the hole.

The gap does not open on every transaction. A $4 vending machine purchase under a daily allowance mandate does not need re-verification of the human. Recurring SaaS billing under an existing authorization does not either. The gap opens at the seam between mandate creation and high-stakes execution, when an agent attempts an action the user would not have specifically authorized at setup.

Not every agent action needs to escalate to the human, and most should not. A scheduling agent moving a meeting, a procurement agent reordering printer toner inside a $200 monthly cap, a trading agent rebalancing within preset bounds—these are exactly what mandates are for, and the standards above handle them cleanly. The gap opens the moment an action exceeds the assumptions baked into the original mandate. That is the row Table 3 names, and the point where the human question actually matters.

‍

The Paper Concedes the Gap, Then Walks Past It

The IMF's own risk matrix flags this directly. The first row of Table 3 names "structural versus transactional authorization" as a market failure. Account holders delegate broad mandates. Agents execute payments without instructions at the transaction level. Authorization traceability breaks down.

The paper concedes the point in a single sentence buried in the public sector recommendations:

"Traditional fraud models rely on human behavioral patterns, which become ineffective when transactions are initiated by autonomous agents. Hence, developing authentication frameworks that verify both the AI agent's identity and the user's delegated authority remains key."

User identity verification and delegated authority verification are both flagged as essential. Then the paper moves on.

‍

KYC Took 40 Years. KYA Is Starting Where KYC Started

KYC began as paperwork checks in the 1970s. It became document scanning in the 1990s. It evolved into liveness detection in the 2010s. It is only now becoming continuous and dynamic. Each generation discovered that the previous primitive was necessary but not sufficient.

KYA is starting today where KYC started fifty years ago, at registries and signatures. Foundational on their own. Nowhere near enough.

The cycle will compress, but the maturity curve still applies. The work that matters over the next 24 months sits at the seam between mandate creation and execution that exceeds the user's original authorization. That is where reverification, escalation, and authority renewal need to live.

‍

What to Do With This If You Run Fraud or Trust at a Regulated Company

The IMF paper is a good place to start. Read the three-layer model. Use it. Then ask the question the paper underspecifies: when an agent acting on a mandate triggers an action that exceeds its declared scope, what verifies the human?

That is where your fraud losses will come from in 2027.

Ready to close the human verification gap before it becomes a fraud line item? Explore how Incode secures agent-initiated transactions with continuous identity assurance.

‍