On April 30, 2026, Experian launched Agent Trust, a framework that verifies the link between consumers and AI agents transacting on their behalf. Built with Visa, Cloudflare, and Skyfire, the launch introduces "Know Your Agent" (KYA) as the agentic counterpart to KYC. For businesses building toward agentic commerce, the identity layer just became real.
Why This Matters for Your Business
Agentic commerce already has the payments rails, the protocols, and the model capability. What it has been missing is a way to answer a single question at transaction time: is this agent authorized to act for this person?
That is the gap Agent Trust is built to close. According to Juniper Research's April 2026 study, trust is the number-one barrier to agentic commerce deployment, ahead of every technical concern. Without an identity layer, merchants face a choice between blocking legitimate agent traffic or accepting fraud they cannot trace. Neither is acceptable at scale, and neither matches how your finance and risk teams want to operate.
The identity gap is also a security gap. Visa's Payments Ecosystem Risk and Control team found dark-web mentions of AI agents climbing more than 450% over six months, and the World Economic Forum has estimated that one in four data breaches by 2028 could result from AI agent exploitation. The threat is not theoretical, and it is not slowing down.
What Experian Actually Launched
Agent Trust is not a single product. It is three connected pieces that together create an end-to-end identity story for agentic transactions.
Human-to-Agent Binding. This is the upstream verification step. Experian links a verified consumer identity to a specific AI agent and the device or session that agent runs in. The output is a real-time Agent Trust Token that travels with the agent's actions.
Agent Trust Token. A token that encodes identity verification status and transaction fraud risk. Merchants and payment networks can read it at decision time rather than waiting for downstream chargeback or dispute signals.
Agent Registry. A directory of known agents with dynamic trust scoring based on behavior and risk signals. Think of it as a credit score for AI agents, updated as their activity changes.
The launch ecosystem is the most important detail and the easiest to miss in the headline. Visa, Cloudflare, and Skyfire are listed as collaborating contributors, with Visa's Trusted Agent Protocol explicitly cited as a compatible enforcement layer. That means Agent Trust is positioned to plug into the same merchant integrations Visa is already shipping through Intelligent Commerce Connect, which we covered when agentic commerce first reached production.
How KYA Maps to KYC, and Where It Differs
The naming is not accidental. Know Your Customer is a 1970s-era regulatory and fraud-prevention discipline that established who a customer is, where their money comes from, and whether their behavior is consistent with their identity. Know Your Agent transplants those goals into a world where a software agent is the proximate actor.
The mapping is direct in three places and breaks down in one.
Identity verification. KYC verifies a human; KYA verifies the agent and the human it represents. Both depend on a trusted authority issuing the verification.
Behavior monitoring. KYC programs track transaction patterns to flag suspicious activity. KYA's Agent Registry does the same, except the entity being scored is a piece of software that may run thousands of transactions per minute.
Sanctions and risk signals. KYC programs check customers against watchlists. KYA programs will need to check agents against registries of compromised, deprecated, or unauthorized agents. The categories are different, the discipline is the same.
Where the analogy breaks. A human customer typically has one identity and a stable risk profile over years. An AI agent can be reset, retrained, hijacked, or impersonated within a session. KYA needs to operate at a tempo KYC was never designed for, which is why real-time tokens and dynamic trust scores matter.
What This Means for Your Vendor and Risk Stack
Three implications follow for any business that already accepts payments or expects to in 2026 or 2027.
Your fraud stack needs an agent-aware layer. Existing fraud controls were tuned for humans: device fingerprints, mouse movement, abandoned-cart patterns, time-on-page. Agents do not produce those signals. Without an agent identity layer, you will either block legitimate agent traffic or accept a higher rate of disputes you cannot defend. The same point applies to bot management; legitimate AI agents and adversarial scrapers can look identical to a generic bot filter.
Payment processor and identity vendor conversations are now linked. A year ago, your acquirer relationship and your identity verification provider were separate procurement tracks. With Agent Trust, AP2, Trusted Agent Protocol, and Mastercard Verifiable Intent all converging, those tracks now intersect. Vendors that cannot speak to agent identity are about to look like vendors that could not handle 3D Secure ten years ago.
Compliance and chargeback policies need a refresh. When an agent makes an unintended purchase, who is responsible? American Express has issued partial guidance, networks are debating standards, and regulators have not weighted in. Until they do, your terms of service, dispute handling, and chargeback rules need to anticipate agent-initiated transactions explicitly. Pretending the question is theoretical is the riskiest position.
For organizations whose internal teams are not staffed to track this terrain in detail, the practical move is to fold agent identity into the same review cycle as the rest of the AI stack. We covered the broader discipline in our practical AI governance framework, and the same inventory-then-control logic applies cleanly here.
How to Prepare Without Overcommitting
It is a beta launch, not a finished standard. The right posture is to prepare without locking in vendors prematurely.
-
Inventory agent touchpoints. Walk your customer journey and tag every place an agent could plausibly act in the next 18 months: search and product discovery, shopping cart, checkout, customer service, post-purchase returns, subscription management. The map is the prerequisite for everything else.
-
Pick one identity standard to track in depth. You do not need to implement Agent Trust, AP2, and Trusted Agent Protocol on day one. Pick the one your payment processor or commerce platform is most likely to support and follow it through implementation details, not just press releases.
-
Update fraud rules and chargeback policy. Add explicit handling for agent-initiated transactions. Decide your authorization thresholds: when does an agent need a fresh human signature, and when can it act on a stored mandate?
-
Pilot in a low-risk surface. Internal procurement, recurring B2B reorders, and known-customer subscription renewals are good first surfaces. Consumer-facing high-value purchases are the wrong place to learn.
-
Build the audit log. Whatever you implement, log the agent identity, the binding, the authorization, and the outcome. The regulators that have not yet weighed in will eventually, and you will need the trail.
Common Mistakes to Avoid
Treating identity as a feature, not a layer. Agent identity is not a checkbox in your e-commerce platform. It is a horizontal capability that touches fraud, compliance, customer service, and product. Owning it requires a cross-functional decision, not a vendor selection.
Waiting for a single winner. Agent Trust, AP2, Trusted Agent Protocol, and other standards will probably coexist for years, the same way Visa, Mastercard, and ACH do today. Designing for multi-protocol support now is cheaper than retrofitting later.
Underestimating the bot problem. Legitimate AI agents share traits with malicious bots. Your bot management vendor needs to be in the room when you decide your agent identity strategy, not informed afterward.
Treating it as only a payments issue. Customer service, returns, account management, and B2B procurement are all places agents will act. The identity story has to cover them, not just the checkout button.
Our Take: The Trust Gap Is the Gating Item for 2027
The pattern from the last year is clear. The frontier labs shipped capable agents. The payment networks shipped agent-aware rails. The merchants that moved early built machine-readable product data and updated checkouts. What none of that solves on its own is the question of who, exactly, is on the other end of an agent's request.
KYA is the answer the industry has been working toward, and Agent Trust is the most prominent commercial implementation to date. It will not be the last, and it may not be the dominant one in two years. But the underlying need is structural. Until merchants can reliably answer "is this agent authorized to act for this person right now," agentic commerce will stay in pilots and constrained beta surfaces.
For business leaders, the move is to treat the identity layer the way you would have treated SSL in 1998 or 3D Secure in 2010. Not the most exciting line item in the roadmap, but the one that determines whether everything else can ship.
Key Takeaways
- Experian launched Agent Trust on April 30, 2026 with Visa, Cloudflare, and Skyfire as collaborators, introducing a "Know Your Agent" (KYA) framework for agentic commerce.
- Agent Trust binds a verified consumer to a specific AI agent and issues a real-time Agent Trust Token validating identity and transaction risk.
- Visa research found dark-web AI agent mentions rose more than 450% in six months, and Juniper Research found trust is the number-one barrier to agentic commerce deployment.
- KYA extends KYC discipline to AI agents but operates in real time and on software identities that can be reset or hijacked within a session.
- Practical actions: inventory agent touchpoints, track one identity standard in depth, update fraud and chargeback rules, pilot in low-risk surfaces, and log everything for audit.
The businesses that move early on agent identity will have a meaningful advantage as agentic commerce scales. If you want to be one of them, let's start with a conversation.