What makes KYA different from regular IAM tools?

Traditional IAM (like Auth0, Okta) is designed for humans who log in. AI agents operate differently: they act continuously, autonomously, and at machine speed. KYA is built specifically for agent identity, with short-lived capability tokens, action-level verification, and cryptographic signatures on every request.

Yes. KYA is fully open-source (Apache 2.0) and ships with a Docker Compose setup. You can run the full stack (API + PostgreSQL + Redis) on your own infrastructure in minutes.

What latency does the /verify endpoint add?

The /verify endpoint targets a p99 latency under 20ms when self-hosted. KYA also supports a local verification mode with a Redis-backed policy cache that eliminates the network hop entirely.

How does revocation work?

Agent revocation is immediate. Within seconds, all subsequent verify calls for that agent return DENY. Capability revocation (for in-flight JWTs) uses a Redis blacklist with matching TTL. No waiting for token expiry.

What programming languages are supported?

KYA ships with official SDKs for JavaScript/TypeScript (@kya/sdk-js) and Python (@kya/sdk-python). Both include Ed25519 key generation, canonical JSON serialization, and typed API clients. The REST API works with any language.

Is the audit log tamper-proof?

Yes. Each workspace maintains a SHA-256 hash chain over its audit events. Any modification to historical events breaks the chain and is immediately detectable. This design satisfies the tamper-evidence requirements for SOC2 and ISO 27001 audits.

All articles

January 20, 20258 min read

AI Agents Are the New Root Users

Your LLM agents have access to your production APIs, databases, and payment systems — with no identity, no permission boundary, and no audit trail. Here's why that's a crisis waiting to happen.

In the early days of Unix, the root user was a necessary evil. Full access to everything. No restrictions. It made sense when you had one machine, one administrator, and a small surface area.

Then we learned — the hard way — that running everything as root is catastrophic. A single compromised process, a single bad script, a single mistake: the entire system is gone.

We spent 40 years building IAM systems, RBAC, principle of least privilege, service accounts, and zero-trust architectures specifically to move away from root access.

We're repeating the same mistake with AI agents.

What Your Agent Actually Has Access To #

Consider a typical agentic workflow today:

agent = Agent(
    model="gpt-4o",
    tools=[stripe_charge, send_email, update_crm, deploy_to_production]
)
agent.run("Process the refund requests from last night")

What just happened? You gave an LLM:

Access to your payment processor (Stripe)
Access to your email system
Write access to your CRM
Deploy access to production

With no identity — the agent has no verifiable ID. You can't distinguish it from any other process.

With no permission boundary — there's no policy saying "you can charge up to €50 but not €5000".

With no audit trail — if something goes wrong at 3am, you'll spend days trying to reconstruct what happened.

With no revocation mechanism — if the agent is compromised or misbehaves, you can't stop it short of killing the entire process.

That's a root user. You just handed a root user to your LLM.

The Scale of the Problem #

This isn't theoretical. As agentic workflows mature, the blast radius expands:

Financial operations: Agents authorizing purchases, transfers, refunds
Infrastructure: Agents triggering deployments, scaling operations, configuration changes
Customer data: Agents reading, writing, and classifying sensitive PII
External APIs: Agents acting on behalf of your company with third-party services

Every one of these is a high-stakes action. None of them should be executed by an entity with no identity, no policy constraint, and no accountability.

Why Traditional IAM Doesn't Solve This #

You might think: "We already have IAM. Just create a service account for each agent."

The problem is that traditional IAM — Auth0, Okta, AWS IAM — is designed for humans who log in. The mental model is:

User authenticates once
User gets a session/token
Token is valid for hours or days
User logs out

Agents don't work this way. They:

Act continuously, without human interaction
Operate at machine speed — hundreds of actions per minute
Have dynamic scope — what they're allowed to do changes per task
Need granular action-level control — not just "can access Stripe" but "can charge up to €50 per transaction"

A service account with a long-lived API key is still a root user in disguise.

What Agent IAM Actually Needs #

After thinking deeply about this problem at KYA, here's what we believe agent identity infrastructure requires:

1. Cryptographic Identity

Every agent needs a verifiable identity. Not a username/password. A cryptographic keypair — specifically Ed25519, which is fast, secure, and standard.

# Register an agent with its public key
kya agent register \
  --name "payment-processor" \
  --pubkey ./agent.pub

# → agt_01JX8K9M... (unique, immutable identity)

Every action the agent takes can be cryptographically signed. You know — with mathematical certainty — who acted.

2. Policy-Based Permission Boundaries

The agent's identity alone isn't enough. You need to define exactly what it can do:

{
  "allowed_tools": ["charge_payment", "get_balance"],
  "spend_limits": {
    "max_per_tx": 50,
    "max_per_day": 500
  },
  "rate_limits": {
    "actions_per_minute": 10
  }
}

This is different from RBAC. You're not saying "the agent has the 'payment' role". You're saying "this specific agent, for this specific task, can charge up to €50 per transaction, 10 times per minute, with a daily cap of €500."

3. Pre-Execution Verification

Before any sensitive action executes, there's a verification gate:

Agent → KYA: "I want to charge_payment for €45"
KYA → Agent: ALLOW (reason: within policy, valid capability)

Agent → KYA: "I want to charge_payment for €750"
KYA → Agent: DENY (reason: exceeds max_per_tx)

This is the critical difference from post-hoc logging. You're not recording what happened — you're preventing bad actions before they execute.

4. Short-Lived Capability Tokens

Inspired by the capability-based security model, agents should operate with short-lived, scoped tokens:

{
  "jti": "cap_01J...",
  "agent_id": "agt_01JX8K9M...",
  "action": "charge_payment",
  "expires_at": "2025-01-20T10:05:00Z",  // 5 minutes
  "spend_limit": 50
}

Not a long-lived API key. A token valid for 5 minutes, scoped to one specific action type. Principle of least privilege, enforced at the token level.

5. Tamper-Proof Audit Log

Every action — allowed or denied — gets logged with hash-chain integrity:

[evt_001] agent_registered    sha256: abc123...
[evt_002] policy_bound        sha256: def456... (prev: abc123)
[evt_003] capability_issued   sha256: ghi789... (prev: def456)
[evt_004] verify ALLOW        sha256: jkl012... (prev: ghi789)
[evt_005] verify DENY         sha256: mno345... (prev: jkl012)

Each event's hash depends on the previous event. You can't modify historical records without breaking the chain. This is SOC2-ready audit evidence.

6. Instant Revocation

If an agent misbehaves — or if you just want to stop it — revocation should be instantaneous:

kya agent revoke agt_01JX8K9M...
# → All subsequent verify calls return DENY
# → Effective within seconds

No waiting for token expiry. No need to restart services. The agent is stopped.

The Verify Pattern #

The simplest way to think about KYA is as a single function call you add to every sensitive action:

# Before KYA
def process_payment(amount, agent_id):
    stripe.charge(amount)  # No verification

# After KYA
def process_payment(amount, agent_id, capability_token, signature):
    decision = kya.verify(
        agent_id=agent_id,
        action="charge_payment",
        payload={"amount": amount},
        capability_token=capability_token,
        signature=signature
    )

    if decision.result != "ALLOW":
        raise PermissionError(f"Denied: {decision.reason_code}")

    stripe.charge(amount)
    # Now we have: identity, policy enforcement, audit trail

One function call. The difference between a root user and an accountable agent.

The Cost of Not Acting #

The agentic era is here. LangGraph workflows are running in production. AutoGPT derivatives are processing customer requests. OpenAI Agents are being integrated into business processes.

Every week that passes without agent identity infrastructure is a week where your agents are operating as root users on your production systems.

The question isn't whether an agent will misbehave, make an unauthorized decision, or get manipulated by a prompt injection attack.

The question is whether you'll know about it when it happens. And whether you'll have a log that tells you exactly what happened, why it was allowed, and what you can do to prevent it next time.

KYA is an open-source identity & permission layer for AI agents. See the quickstart →