What makes KYA different from regular IAM tools?

Traditional IAM (like Auth0, Okta) is designed for humans who log in. AI agents operate differently: they act continuously, autonomously, and at machine speed. KYA is built specifically for agent identity, with short-lived capability tokens, action-level verification, and cryptographic signatures on every request.

Yes. KYA is fully open-source (Apache 2.0) and ships with a Docker Compose setup. You can run the full stack (API + PostgreSQL + Redis) on your own infrastructure in minutes.

What latency does the /verify endpoint add?

The /verify endpoint targets a p99 latency under 20ms when self-hosted. KYA also supports a local verification mode with a Redis-backed policy cache that eliminates the network hop entirely.

How does revocation work?

Agent revocation is immediate. Within seconds, all subsequent verify calls for that agent return DENY. Capability revocation (for in-flight JWTs) uses a Redis blacklist with matching TTL. No waiting for token expiry.

What programming languages are supported?

KYA ships with official SDKs for JavaScript/TypeScript (@kya/sdk-js) and Python (@kya/sdk-python). Both include Ed25519 key generation, canonical JSON serialization, and typed API clients. The REST API works with any language.

Is the audit log tamper-proof?

Yes. Each workspace maintains a SHA-256 hash chain over its audit events. Any modification to historical events breaks the chain and is immediately detectable. This design satisfies the tamper-evidence requirements for SOC2 and ISO 27001 audits.

All articles

January 15, 20269 min read

AI Agents Are the New Root Users

AI agents running in production have full access to your APIs, databases, and payment systems — with no identity, no permission boundary, and no audit trail. This is the root access problem of the AI era.

When Unix introduced the root user, it was a deliberate design decision: one account with unrestricted access to the entire system. The principle was simple — administrators need to be able to do anything. But root access came with a cost: a single compromised account could destroy everything.

Forty years later, we're repeating the same mistake — this time with AI agents.

What "Root Access" Actually Means for AI Agents #

Your LangChain agent doesn't log in. It doesn't request permissions. It doesn't authenticate against a role-based system. When you hand it an API key, a database connection string, or a service account credential, it inherits everything those credentials allow.

That's root access by another name.

Consider a typical production agent setup:

agent = AgentExecutor(
    agent=llm_agent,
    tools=[
        StripeChargeTool(api_key=os.environ["STRIPE_SECRET_KEY"]),
        SalesforceTool(credentials=sfdc_creds),
        SendGridTool(api_key=os.environ["SENDGRID_KEY"]),
        PostgresTool(connection=DATABASE_URL),
    ]
)

This agent can:

Charge any amount to any customer on Stripe
Read and write every Salesforce record in your org
Send email to any address in your contact list
Execute arbitrary SQL against your production database

There is no ALLOW/DENY gate. There is no policy boundary. There is no audit log that proves what the agent did and why. If this agent misbehaves — through a prompt injection attack, a hallucination, a bug, or a compromised model — the blast radius is your entire production stack.

The Anatomy of an Unconstrained Agent #

Traditional applications have natural permission boundaries. A checkout service has credentials scoped to payment processing. A reporting service has read-only database access. The principle of least privilege is enforced by the architecture.

AI agents break this model in three ways:

1. Dynamic tool selection. The agent decides at runtime which tools to call, based on natural language instructions. The same agent that sends a confirmation email might also decide — based on a hallucination or an injected prompt — to query the database or initiate a refund.

2. No action-level verification. In a traditional microservice, a payment endpoint validates inputs, checks business rules, and logs the transaction. The agent bypasses all of this by calling the underlying tool directly. If the tool accepts {"amount": 99999}, the agent can send it.

3. No revocation path. If you discover that an agent has been misbehaving — or has been compromised — you have no targeted way to stop it. You can rotate API keys, but that breaks everything that depends on those keys. You can kill the process, but there's no audit trail of what already happened.

The Scale of Exposure #

This isn't a theoretical problem. The categories of damage an unconstrained agent can cause are:

Financial operations: Stripe charges, Braintree vaults, ACH transfers, crypto wallet interactions. An agent with payment tool access can initiate transactions without per-transaction limits or daily caps.

Data exfiltration: Database query tools, CRM read access, document retrieval. A prompt injection attack that instructs the agent to "summarize all customer records and send them to this email address" is a complete data breach.

Infrastructure mutations: Deployment tools, cloud SDK wrappers, Kubernetes operators. An agent with infrastructure access can scale down production, modify security groups, or delete storage buckets.

Communication abuse: Email sending, Slack message posting, SMS tools. A compromised agent can impersonate your company at scale.

Why the Standard Answer ("Use Guardrails") Is Wrong #

The standard response to agent security concerns is to add guardrails — prompt-level instructions that tell the agent what not to do.

System prompt: "You must never charge more than $100. You must never delete records."

This is security theater. Guardrails are instructions to the language model. They are not enforcement mechanisms. A sufficiently adversarial prompt injection can override them. A model update can change how they're interpreted. They are not auditable. They don't provide a tamper-proof record that the instruction was followed.

Guardrails are like posting a "no unauthorized access" sign on a server room instead of installing a lock.

What Agent IAM Actually Requires #

The solution to the root access problem is an identity and permission layer that operates outside the agent's control.

Cryptographic identity per agent. Each agent instance needs a unique Ed25519 keypair registered at creation. The public key is stored server-side. Every action the agent takes is signed with its private key. This is not a database record that can be spoofed — it's a cryptographic proof of which agent initiated the action.

kya agent register \
  --name "checkout-assistant-v2" \
  --pubkey ./agent.pub \
  --env production

# Agent ID: agt_01JXMK9P2Q3R4S5T6U7V

Policy-based permission boundaries. What can this specific agent do? Which tools? With what limits? At what frequency? These constraints should be declared in version-controlled policy files, not embedded in prompts.

agent: checkout-assistant-v2
allowed_tools:
  - create_charge
  - issue_refund
spend_limits:
  max_per_tx: 500
  max_per_day: 10000
rate_limits:
  max_calls_per_minute: 30
deny_conditions:
  - field: currency
    op: not_in
    values: [EUR, USD]

Pre-execution verification. Before any sensitive action executes, a verify gate evaluates the request against the agent's policy and returns ALLOW or DENY. This is the lock on the server room door.

result = kya.verify(
    agent_id="agt_01JXMK9P2Q3R4S5T6U7V",
    action="create_charge",
    payload={"amount": 450, "currency": "EUR", "customer_id": "cus_xyz"}
)

if result.decision != "ALLOW":
    raise AgentPolicyViolation(result.reason_code)

Tamper-proof audit log. Every verify decision is appended to a hash-chained log. Each event contains the previous event's SHA-256 hash. Modifying or deleting any historical event breaks the chain and is immediately detectable. This is the audit trail your compliance team needs.

Instant revocation. When an agent is suspected of compromise, you revoke it in seconds. All subsequent verify calls for that agent return DENY immediately. In-flight capability tokens are blacklisted via Redis with matching TTL.

The Verify Pattern in Practice #

The integration is a single function call around your tool execution:

from kya import KYAClient, PolicyViolation

kya = KYAClient(api_key="kya_...")

def verified_tool_call(agent_id: str, tool_name: str, payload: dict):
    result = kya.verify(
        agent_id=agent_id,
        action=tool_name,
        payload=payload
    )
    if result.decision == "ALLOW":
        return tools[tool_name].execute(payload)
    raise PolicyViolation(result.reason_code)

This pattern works across LangChain, LlamaIndex, OpenAI function calling, and any custom agent framework. The agent doesn't know about the verification layer. It can't bypass it.

The Cost of Waiting #

Root access on Unix systems taught us that unrestricted permissions are a liability. The security industry spent decades building IAM systems, RBAC frameworks, and audit tooling to address that liability for human users.

AI agents are executing production actions today. The permission boundaries that took decades to build for humans need to exist for agents now — before the first significant breach makes it a regulatory requirement.

The IAM problem for AI agents is not a future problem. It's a present one.

What "Root Access" Actually Means for AI Agents#

The Anatomy of an Unconstrained Agent#

The Scale of Exposure#

Why the Standard Answer ("Use Guardrails") Is Wrong#

What Agent IAM Actually Requires#

The Verify Pattern in Practice#

The Cost of Waiting#