Knock, knock. Who’s there? A new trust layer. Onboarding and AI agents

Two things have made me stop and think over the past few months. On the surface they have nothing to do with each other. Look a little closer, and they’re the same story.
The first is about cinema. A full-length movie can now be produced entirely with AI — actors who don’t exist, faces, voices, micro-expressions that are indistinguishable from reality. Technically, we no longer need flesh-and-blood actors to make a film. And yet, when this is done at scale, the real actors – the ones whose features and voices the AI is borrowing – will have to authorize that use. AI can do it all by itself. But not without permission.

The second is about robots. A few years ago we were watching them stumble over simple steps. Today they walk, move, perform complex tasks — sometimes beyond what a human body can do. Can one help me fold the laundry at home? Probably yes, and nobody is going to ask it for an ID. But can I send a robot to pick up a parcel at the post office? To pay with my credit card? To open a bank account on my behalf? The answer, today, is no. Not because the technology can’t do it, but because the most important piece is missing: a layer that says “this agent is authorized to act on behalf of that human being.”

Two very different scenarios, the same underlying problem: AI is becoming more and more autonomous, but autonomy without authorization isn’t trust. It’s risk.

And in the digital processes we design every day, onboarding a customer, activating a service, signing a contract — this problem has already arrived.

Will Smith and Sonny in I, Robot (2004): “Can a robot write a symphony? Can a robot turn a canvas into a beautiful masterpiece?” – “Can you?”

The scene inverts the classic Turing test: it isn’t the human judging the machine, but the machine exposing the limits of the one passing judgment. Demanding that artistic creativity be the decisive proof of humanity is a criterion that would exclude most humans themselves — the definition reveals itself as arbitrary the moment it’s used to exclude someone.

It’s the Frankenstein motif reread in a contemporary key: the creature laying bare the hypocrisy of its creator, showing a moral conscience clearer than that of the one who built it. And the echo of Blade Runner is unmistakable: there too, it was the machines that forced their interrogators to ask themselves whether the difference between human and artificial was ontological — or just a convenient convention.

The real reversal is that the question “what makes you human?” stops being rhetorical. It becomes uncomfortable, because there is no answer that holds.

Who’s really on the other side of your onboarding?

When we designed our onboarding flows, a few years ago, we had one figure in mind: a real person on the other side of the screen, entering their data. At worst, a dishonest person impersonating someone else. Everything that followed – KYC, video-identification, document checks – was built around that mental model.

Today, behind an onboarding request, there can be at least four very different actors:

• A legitimate human being, the classic case KYC was born for.
• A fraudulent human being, using stolen documents, impersonation, social engineering.
• A legitimate AI agent, operating on behalf of a real person — increasingly common, and about to explode.
• A fraudulent AI agent, chaining autonomous attacks (deepfakes, synthetic identities, device spoofing) at a speed and a cost no human can match.

The problem is that traditional KYC, designed for the first two, can’t tell the third and the fourth apart. And it can’t for a simple reason: it was never asked to recognize an artificial intelligence, let alone to decide whether that intelligence is authorized to act.

“KYC was designed for a world where a human was always on the other side. That world no longer exists.”

From KYC to KYA: what changes (and why the bar moves up)

Know Your Customer is no longer enough. The question shifts: who is acting, on whose behalf, with what legitimacy. It’s a paradigm shift we could call KYA – Know Your Agent, and it carries some very practical consequences:

• What you verify changes: not just the identity of a person, but the legitimacy of the “human → agent” delegation chain.
• The threat model widens: on top of classic threats (forged documents, presentation attacks, deepfakes), we now face agentic attacks — autonomous bots that orchestrate fraud end-to-end.
• The trust anchor moves: from the ID document to the entire context surrounding the interaction.

This last point is, in my view, the most important — and the most underestimated. So let me spend a moment on it.

The trust used to live in the document. Now it lives in the chain.

For two decades, onboarding has been built around a deceptively simple idea: trust the document. Verify that the ID is real, match the face on the document with the face in front of the camera, cross-check against a fraud database. It’s a model deeply oriented to the human on the other side – every control assumes a person standing in front of the camera, holding their own credentials. The biometric and the eID layers – wallet included – were natural extensions of the same logic: the more we can prove who the holder is, the more we can trust the transaction.

That logic worked because there was always a human on the other side, and that human was holding a physical or qualified credential. Take that assumption away, and the entire trust anchor collapses onto something far too narrow.

In a KYA world, the trust anchor has to widen — dramatically. The ID document can still be a piece of the puzzle, but it’s no longer the puzzle. Trust now has to be assembled from a much broader set of signals:

• Device signals
• Behavioral cues
• Digital footprint
• Document and AML intelligence

Behind each of these labels lies a constellation of data points: hardware fingerprint and network parameters of the device the user is on; the rhythm with which fields are filled in, the way the cursor moves, copy-paste patterns; the digital traces a person leaves across the internet (email age and reputation, phone validation, social presence); and, of course, the document and screening checks we’ve always relied on. None of these signals is decisive on its own. Together, they paint a portrait of the interaction that no single document ever could – a hundred signals collected silently, scored by AI in real time, fed into an adaptive rule engine that decides, for this user in this context, whether to allow, challenge or block.

And when an agent enters the picture, a fifth pillar joins the others:

• Delegation chain: who authorized the agent to act, with what scope, and how that authorization can be verified end-to-end.

The mental model has to flip. Trust is no longer a property of the document I’m holding. It’s a property of the chain of evidence I can assemble around the interaction. The document is one link. The device is another. The behavior is another. The delegation, when there’s an agent involved, is yet another. None of them, alone, is sufficient. Together, they are far more resilient than the document ever was on its own.

This isn’t about replacing KYC. It’s about extending it, by accepting that the founding assumption – “there’s a human on the other side, holding a credential we can verify” – no longer always holds.

A challenge that’s already here, not in the future

When I bring up KYA in conversations, I sometimes catch a reaction along the lines of “interesting, but it sounds like science fiction.” The data tells a different story.

• $442 billion: estimated global financial fraud losses in 2025, according to Interpol’s latest Global Financial Fraud Threat Assessment.
• 4.5x more profitable: AI-driven fraud now yields roughly four-and-a-half times the return of traditional fraud, for the same effort.
• 35% of organizations were hit by deepfake incidents in the past year.
• 61% of enterprises have AI agents in production, and Gartner reports 59% of them are running outside the perimeter of formal security oversight.

What’s most uncomfortable about this picture isn’t the numbers themselves — it’s how cheap the attack has become. A year ago, generating a credible deepfake video required time, computing power, and money. Today anyone with a laptop and a recorded video call can produce one in minutes, for free. And the next step is already here: synthetic identities, faces that look entirely real, but belong to no one. No leak, no theft, no source person to verify. A fraud vector that scales with a single API call.
Translated: the attack surface has grown, it’s automated, and economically it’s far more attractive than before. This is not a hypothetical scenario — it’s now.
While security teams chase that wave, business teams are still – rightly – focused on the question they’ve always cared about: how do I avoid losing conversions?

Three forces, one balance you can’t break

Every onboarding platform lives in a constant tension between three forces:

1. Reduce fraud, close the door on increasingly sophisticated and fast-moving attackers.
2. Increase conversion, don’t lose legitimate users along the way.
3. Hit the right compliance level, neither too loose, nor over-engineered for the use case.

Every decision on one lever inevitably affects the others. Adding a check reduces fraud but slows the flow. Simplifying the flow boosts conversion but can leave a control exposed. “Minimum” compliance can under-protect high-risk use cases.

The arrival of AI agents amplifies all three tensions. Brand-new conversion killers, specific to agent-driven flows, are appearing:

• APIs that aren’t agent-friendly: onboarding requires UI interaction, and the agent doesn’t know what to click.
• No trust chain: there’s no standard way, today, to verify who authorized an agent to do what.
• No delegation model: we lack a framework for the human → agent handoff (and the reverse, when explicit human approval is needed).
• No feedback loop: when something fails, the agent can’t interpret the error and retry intelligently.

When an AI agent fails an onboarding flow, it doesn’t complain on your forum. It doesn’t call support. It just leaves. And with it, the transaction.

MCP: the lingua franca between AI agents and trust layers

MCP – the Model Context Protocol is an open standard that lets AI models and agents discover, understand and invoke the capabilities of an external system in a declarative way — without developers having to hand-code REST orchestrations line by line.

It’s the shift I describe as moving from imperative integration to declarative orchestration:

• Imperative: I tell the system exactly what to do, step by step. Weeks of glue code, fragile if-else logic, a release cycle for every change.
• Declarative: I tell the agent what to achieve. The agent discovers available capabilities at runtime, decides how to combine them, handles errors and retries on its own. What used to be weeks of integration becomes configuration.

On paper, MCP is a massive enabler for agents. But – and this is the point I want to drive home – MCP alone is not enough. An open standard is a door. If the room behind that door has no trust layer deciding who comes in, what they can do, and how their actions are tracked, all we’ve done is make it easier for attackers.

| Not just MCP. MCP with a trust layer.

That’s the principle we built into the Namirial OnBoarding MCP Server: the open standard is the form, but the substance is the guarantee of compliance, verified identity and audit trail at the level of a European Qualified Trust Service Provider.

Concretely, when an AI agent connects to our MCP server to orchestrate an onboarding flow:

1. It authenticates via My Namirial SSO: every action is traceable to a real corporate identity — not a shared API key, but the same identity the user holds in the portal.
2. It inherits its operator’s entitlements: the agent can do nothing its human operator cannot already do in the platform. No privilege escalation through prompt injection.
3. It receives the jurisdictional configuration automatically: Italian KYC rules are different from German or Spanish ones. The server applies the right rules based on country and customer type.
4. It writes an AI Act–grade audit trail: every tool call is logged with conversation context, agent identity, timestamps and tamper-evident hashing — regulator-ready.

The practical result for whoever is integrating: a single natural-language prompt like “Create a KYC onboarding request for an Italian individual customer and generate a verification link with a QR code” gets translated into a chain of certified, governed, traceable API calls. What looks from the outside like identity verification is, underneath, an adaptive, smart, step-by-step journey — the platform decides which checks to apply, in which order, and when to escalate, based on the context of each interaction. The developer focuses on the business workflow; eIDAS, AMLR and AI Act controls are enforced server-side, not re-implemented for every new agent.

There’s another nuance worth calling out. The trust layer doesn’t shut the integrator out of the flow, it works with them. Throughout the onboarding journey, the platform emits events the system integrator can react to: triggering additional checks, surfacing a custom message to the user, or asking them to redo a step. The integrator co-operates in delivering a successful transaction; what they cannot do is weaken the compliance the platform guarantees end-to-end.

“The more capable AI becomes, the more critical the ability to trust it.”

In other words: the agent accelerates, but trust is never delegated.

What this means for whoever designs onboarding today

When I talk to CIOs, CISOs and Heads of Digital, one sentence keeps coming back: “our onboarding has worked for year, why should we change it?”

My answer is simple. We don’t need to change onboarding. We need to change the way we think about onboarding. For years the prevailing assumption, across the industry, has been that there was one type of counterparty on the other side: a human, holding a credential we could verify. That assumption is no longer always true. The audience on the other side is now plural – humans, agents, hybrids – and our flows have to welcome all of them, with the right assurance level for each.

Three guiding principles, from my time in the field:

• It’s not the customer who has to adapt to the platform. It’s the platform that has to adapt to the context. Modularity, configurability, certification: the same infrastructure has to deliver a low-friction service activation and a maximum-assurance Qualified Electronic Signature, by configuration alone.
• Trust is a chain, not a checkpoint. It can’t sit inside a single step (the document check, the liveness, the OTP). It has to be assembled from the entire interaction – document, device, behavior, footprint, delegation – and reasoned about in real time. Only a chain holds up to AI agents; a single checkpoint never will.
• Audit is a design requirement, not an afterthought. With the AI Act in force and regulators starting to ask for evidence of AI-driven decisions, logging who did what, and why is part of the product — not a nice-to-have.

The point, in one line

We can keep calling it “onboarding”, but what we’re really building is something larger: a trust system capable of telling, in real time, who is truly on the other side – a human, an agent, a legitimate chain of delegations, or an automated attack – and of granting each one the right level of confidence.

AI can do a lot of things on our behalf. But not without permission.

It’s up to us, as an industry, to build the infrastructure that can issue, verify and – above all – guarantee that permission.

Want to see what this looks like in practice?

At Namirial we’ve built a modular onboarding platform openly composable by AI agents through the Namirial OnBoarding MCP Server. If you’re designing your next onboarding flow, let’s talk: explore Namirial Onboarding.

And if you found this useful, share the post or leave a comment on LinkedIn. KYA is a conversation we’re starting now — and I’d like to hear many voices in it.