The KYE™ Thesis · from KYX to runtime authority

From KYX to KYE™ — the protocol thesis.

Categories verify. Protocols govern.

KYC, KYB and KYA verify categories of actors. Once every component of a digital system can act through delegated authority, governance has to be a protocol, not a stitched-together report.

KYC · Customer · verify identity
KYB · Business · verify entity
KYA · Agent · verify model / tool
KYX · Any X · generalise the pattern
KYE™ · Entity · govern delegated action
1 · The limit of KYX

KYX hit a ceiling.

KYX was always going to be a generalisation. KYE™ is a different problem class.

KYC verifies the customer. KYB verifies the business. KYA verifies the agent. The natural next step is to generalise: KYX — know your X, where X is whichever new category of actor the market needs to onboard.

Agentic systems exposed the limit of that framing. The problem is no longer that we need one more category of identity verification. The problem is that almost any component of a modern digital system — a human, an organisation, an AI agent, a model, a tool, a workflow, an API, a dataset, a credential, a connector, a wallet, a device — can become an acting entity. It can delegate authority, call other entities, touch data, trigger workflows, and create real-world consequence.

Once that happens, the governance question shifts from who is this to what is this entity, what can it do, under whose authority, inside what scope, in what state, and with what evidence. Categories don’t answer that. A protocol does.

KYE™ is not another identity category. It is a runtime authority and evidence protocol for entities capable of consequential action.
2 · Why IAM, OAuth and GRC are necessary but insufficient

Stitching is not governance.

IAM identifies you. OAuth scopes you. SIEM logs you. GRC documents you. Nothing connects them at runtime — not for your auditor, not for your regulator, not for your board.

Existing tools are necessary. None of them was designed to cover the full governance lifecycle of delegated AI action. IAM can identify a user. OAuth can grant a scope. API gateways can rate-limit and enforce auth. SIEMs can collect events. GRC platforms can map controls. Each one answers a fragment.

That fragmentation is tolerable when software is passive and humans are the obvious actors. It becomes brittle the moment AI agents, tools and workflows act through delegated authority chains at machine speed. Identity lives in one system, access tokens in another, runtime calls in a third, audit logs in a fourth, control evidence in a fifth, regulator-facing artefacts in a sixth. By the time a regulator, an auditor or a board asks who acted, under what authority, with what proof, the answer has to be reconstructed by hand from disconnected systems.

Frameworks like SOC 2, ISO 27001, ISO 42001, the EU AI Act and DORA ask exactly that question. The honest answer in most organisations today is that nobody can produce a signed, replayable trace on demand. We have a name for that pattern: post-facto stitching. It is not governance. It is paperwork that happens after the consequence — and it is what your auditor accepts only because the alternative does not yet exist.

Governance built from post-facto stitching survives audits. It does not survive agentic systems.
3 · What KYE™ adds

Runtime, not retrospective.

A canonical URN. A signed delegation chain. A Decision Map™. An Evidence Pack™. A Replay Proof™. Maps to SOC 2, ISO 27001, ISO 42001, OSCAL, EU AI Act, DORA.

KYE™ treats the entity as the primary unit of governance. Every entity carries a stable identifier — the KYEID™ in URN form kye:<class>:<trust-domain>:<subclass>:<local>. Every action is bound to a signed delegation chain with attenuable scope. Every decision is projected as a signed Decision Map™, sealed under an Execution Context Seal™, exported as an Evidence Pack™, and re-verifiable offline as a Replay Proof™.

The lifecycle is no longer linear and retrospective. Authority is checked at the moment of action. Evidence is emitted as the decision is made. Replay re-derives the same verdict from the same context, with public keys alone. Revocation cascades through the delegation chain. The result is a complete chain of authority over which Authority Finality™ holds — replayable proof for accountability, compliance, dispute resolution, and legally defensible audit trails.
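
One way to picture the delegation-chain checks described above, as an added example that is not KYE™ code or part of the original page: it parses the KYEID™ URN shape quoted above, then enforces scope attenuation and cascading revocation. The Link record, the class values (human, agent, tool), the scope strings and the revocation set are assumptions made for illustration, and signature verification is left out because the page does not name a signature scheme.

```python
from dataclasses import dataclass

def parse_kyeid(urn: str) -> dict:
    """Split kye:<class>:<trust-domain>:<subclass>:<local> into named fields."""
    parts = urn.split(":")
    if len(parts) != 5 or parts[0] != "kye" or not all(parts[1:]):
        raise ValueError(f"malformed KYEID: {urn!r}")
    return dict(zip(("class", "trust_domain", "subclass", "local"), parts[1:]))

@dataclass(frozen=True)
class Link:               # hypothetical record; the page defines no wire format
    link_id: str
    delegator: str        # KYEID granting authority
    delegatee: str        # KYEID receiving it
    scope: frozenset      # permissions granted by this link

def check_chain(chain, action, actor, revoked=frozenset()):
    """Return (allowed, reason) for `actor` performing `action` via `chain`."""
    if not chain:
        return False, "empty chain"
    for i, link in enumerate(chain):
        try:
            parse_kyeid(link.delegator)
            parse_kyeid(link.delegatee)
        except ValueError as exc:
            return False, str(exc)
        if link.link_id in revoked:
            # Cascade: one revoked link voids every link after it.
            return False, f"revoked at {link.link_id}"
        if i > 0:
            parent = chain[i - 1]
            if link.delegator != parent.delegatee:
                return False, f"broken chain at {link.link_id}"
            if not link.scope <= parent.scope:
                return False, f"scope widened at {link.link_id}"
    if chain[-1].delegatee != actor:
        return False, "actor is not the final delegatee"
    if action not in chain[-1].scope:
        return False, "action outside delegated scope"
    return True, "ok"

# Constructed sample: human -> agent -> tool, scope narrowing at each hop.
HUMAN = "kye:human:example.org:employee:alice"
AGENT = "kye:agent:example.org:assistant:a1"
TOOL = "kye:tool:example.org:connector:crm"
CHAIN = [
    Link("d1", HUMAN, AGENT, frozenset({"crm:read", "crm:write"})),
    Link("d2", AGENT, TOOL, frozenset({"crm:read"})),
]
```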

This is what existing tools cannot compose: a single runtime contract that binds identity · authority · purpose · scope · state · decision · evidence · replay across every entity capable of action. KYE™ does not replace IAM, OAuth, GRC, or audit logs. It connects them at runtime under one open contract.

Governance is no longer a paperwork problem. It is a runtime contract.

See it in your stack.

Start in shadow mode. Your first signed Evidence Pack™ in 4–8 weeks.