VERIK / V063 / 06 JUN 2026
Agent IdentityAcademic

Know Your Principal, Not Just Know Your Agent

A framework-agnostic trust layer treats humans, agents, and service accounts as one schema. What it does not settle is who gets to write the schema.

On May 25, 2026, an independent researcher posted an arXiv preprint describing KYA, an open-source trust and governance layer for autonomous systems that ships native adapters for more than fifteen agent frameworks. The paper's central move is named directly in its own abbreviation stack: alongside Know Your Agent sits KYP, or Know Your Principal, described as "a schema-level unification of trust scoring across human users, AI agents, and service accounts." The paper reports that on a 4 by 9 cross-backend compatibility matrix, all 36 cells pass, that the scorer runs sub-millisecond at the 99th percentile, and that the system sustains roughly 1,800 operations per second across 20 concurrent workers with HMAC chain integrity preserved end to end. Released under Apache 2.0 as the veldt-kya package on PyPI, the tool is available for anyone to install today, not a research prototype awaiting productization.

The paper's stated detection result is specific: 89 percent of 1,200 adversarial probes drawn from PyRIT and Garak, two established red-teaming toolkits, including what the abstract calls "the recently-published topology-guided multi-agent attack." That figure invites scrutiny on its own terms. An 89 percent detection rate against a fixed, known probe set says something about performance against known attack classes. It says nothing directly about performance against attack classes not yet published, which is the population that matters most for a trust layer deployed in production.

What KYP unifies, and why unification is the hard part

The paper's own framing draws a distinction that has organized most of the governance conversation around agentic systems for the past year: "where observability answers how long, how much, and what path, KYA answers was it authorized, did it conform, and can it be verified." Observability tooling has matured quickly across the agentic stack, largely because it does not require anyone to agree on what a valid principal is. A trace records what happened. A trust score requires a decision about who or what is entitled to have happened.

KYP's proposition is that a single schema can score trust across three categories that current identity infrastructure treats as separate problems: human users, whose trust is typically anchored in identity providers and multi-factor credentials; AI agents, whose trust has no comparable settled infrastructure; and service accounts, whose trust has historically been static, provisioned once and rarely revisited. Folding all three into one schema is an architectural claim, not merely an engineering convenience. It implies that the properties which make a human trustworthy for a given action and the properties which make an autonomous agent trustworthy for the same action can be represented on a common scale, adjusted by the same composition rules.

The paper's mechanism for adjusting that scale is what it calls an "only-tighten composition algebra over a three-channel multi-tenant hierarchy," paired with a four-gate inbound apply pipeline. The only-tighten property is doing real work here: it asserts that as policies compose across a multi-tenant hierarchy, the resulting permission set can only narrow, never widen, regardless of the order in which policies are applied or which tenant layer introduced them. That is a strong invariant if it holds under adversarial composition, and a description of an aspiration if it does not. The paper reports formal and empirical validation across the 36-cell backend matrix; it does not claim to have proven the property holds under every possible policy ordering an enterprise deployment might generate.

Delegation gets priced, not just permitted

The paper's fifth primitive addresses a problem that has been mostly absent from public agentic-governance discussion: what happens to trust scoring when an agent delegates work to another agent, which delegates again. KYA's answer is described as "two-axis delegation attribution: a static premium for risky delegates and a runtime debit for actual delegate misbehavior in multi-agent fan-out." The static premium is assessed before any delegate has done anything, based on prior risk characteristics. The runtime debit is assessed after the fact, when a delegate's behavior deviates from expectation.

This is a pricing model applied to authority, not a binary access decision. It treats delegation the way a credit system treats a cosigned loan: the act of vouching for a delegate carries a cost regardless of outcome, and a bad outcome imposes an additional, separate cost. Whether that pricing model produces the right incentives at scale, across chains of delegation several agents deep, is an empirical question the paper's 20-worker, single-organization benchmark does not directly answer. A four-level delegation chain inside one test harness is not the same claim as a four-level delegation chain spanning multiple organizations with competing incentives to under-report their own delegates' misbehavior.

Composability with observability, not replacement of it

The paper is explicit that KYA "composes with observability rather than replacing it." That framing matters because it forecloses a reading in which a sufficiently good trust score substitutes for a verifiable trace of what an agent actually did. The two are meant to sit side by side: a trace shows the path taken; a trust score, in this framework, shows whether the actor taking that path was authorized to be there.

That division of labor is coherent on paper. It becomes an open question the moment a trust score and an observability trace disagree, a high-trust principal producing an action a trace shows was out of policy, or a low-trust principal producing an action that passes every check. The paper does not specify which artifact an auditor would treat as authoritative in that case, because that is a governance decision sitting one layer above the schema, not a property the schema itself can settle.

What an Apache license does and does not resolve

Releasing KYA under Apache 2.0 as a PyPI package removes one kind of adoption friction: any organization can install it, inspect the source, and modify it without a licensing negotiation. It does not resolve a separate and harder question, which is who is accountable when a schema this consequential, spanning human, agent, and service-account trust across an enterprise, is authored by a single independent contributor and adopted without independent validation of the 89 percent detection claim against attack classes the benchmark did not include. Open source lowers the barrier to inspection. It does not substitute for the inspection itself.

Open Questions

The governance artifact is retained. The governance function is not.