AI agents are now taking real actions on your behalf.
Today, you cannot prove who authorised what.
KYE Protocol™ is the open standard that turns every AI-agent and automation action into signed, replayable evidence a regulator, court, auditor, or dispute panel can verify with public keys alone.
Software that acts has outrun the systems that govern it.
Until recently, governance assumed a person at the keyboard. AI agents now book payments, sign documents, move money, triage health records, and trade autonomously — on someone else’s behalf, often outside the audit log. Regulators (EU AI Act, DORA, NIS2, PSD3, NIST AI RMF, ISO 42001) have caught up to the gap and now ask a question your existing identity, authorisation, and audit stack can’t answer cleanly: who or what acted, on whose authority, within which limits, in what state, with what evidence?
KYE Protocol™ closes that gap with one open contract every gateway, vendor, and regulator can verify the same way. It doesn’t replace your legal agreements, your AI-policy committee, or your existing systems — it gives them something stable, signed, and replayable to point to.
Executive summary
In 60 seconds.
What: KYE Protocol™ is an open standard (Apache 2.0) that turns every action a human, business, or AI agent takes into signed, replayable evidence a regulator, court, auditor, or dispute panel can verify with public keys alone.
Why now: AI agents now move money, sign documents, triage health records, and trade autonomously. Regulators (EU AI Act, DORA, NIS2, PSD3, NIST AI RMF, ISO 42001) demand a chain of authority — not an OAuth token.
How it ships: 41 normative profiles, 55 JSON Schemas with 58 validated examples, 173+ control mappings across 13 frameworks, three reference SDKs (TypeScript / Python / Go), 37 black-box conformance fixtures, vendor-neutral.
Where it fits: on top of your existing identity / authorisation / audit stack — not instead of it. Keep Okta, SPIFFE, Cerbos, OPA, your SIEM. KYE™ wires them into one open contract that produces a single decision and a single audit chain.
What it gives the board: defensible accountability for every AI-agent action. Authority Finality™: replayable proof of who or what acted, on whose authority, within what limits, in what state, and with what audit trail.
What it gives auditors: a Decision Map™ per decision, an Evidence Graph™ linking decisions to authority grants and capability manifests, a Blast Radius Map™ for compromise impact, a Compliance Map™ to framework controls.
Return on adoption
What changes the day after you adopt KYE™.
Audit prep: weeks → minutes. Auditors fetch a signed evidence pack from a URL. Verify with public keys. No interviews, no log archaeology, no spreadsheet reconciliation. KYE Compliance Mapping Rail™ binds every runtime event to the control it satisfies.
Incident response: hours → milliseconds. Compromised credential? One stop signal cascades through every delegation, payment authority, capability grant, and active session. Before you revoke, see the Blast Radius Map™ — what breaks, what stays safe, what needs migration.
Vendor diligence: months → an afternoon. Every conformant gateway exports the same evidence-pack format. Run the 37-fixture conformance pack against any vendor stack — pass / fail in minutes, byte-for-byte the same as the reference Gateway.
Regulator engagement: defensive → proactive. Hand the regulator a signed evidence pack mapped to their control framework (SOC 2, ISO 27001, PCI DSS 4.0, PSD3, DORA, NIS2, EU AI Act, ISO 42001, NIST AI RMF, GDPR, FedRAMP, NIST CSF, HIPAA, NIST 800-207). 13 frameworks, one evidence layer.
Cross-vendor disputes: reconstructed → replayable. When two vendors disagree about who authorised what, you don’t reconcile two log formats. You replay the same signed audit chain.
Board reporting: narrative → numbers. Every decision has a reason code from a fixed vocabulary. Roll up the numbers; report the deltas; explain the spikes.
Adoption timeline
A 90-day path to live evidence.
Days 1–14
Inventory
Register your existing AI agents, capabilities, and credentials as KYE™ entities. Each gets a URN, a metadata binding, and a sector / jurisdiction / risk classification. Your existing IDs continue to work alongside.
Days 15–30
Wire the gateway
Stand up the reference Gateway in shadow mode. Every API call your stack makes is mirrored to the Gateway, which produces a Decision Map™. Nothing is enforced yet — you read the maps and tune.
Days 31–60
Enforce tier-2 actions
Payment-prepare, capability invocation, and external send go through the Gateway as the source of truth. Tier-1 actions stay on your existing path while the Gateway records the evidence.
Days 61–90
Ship the audit story
Hand auditors the evidence-pack URL. Run the 37-fixture conformance pack. Publish the report. Map the controls. Close the audit cycle in days.
Day 91+
Cascade-on-compromise
The compromise drill stops being a fire drill. One stop signal; cascade revoke; signed proof of recovery. Authority Finality™ is operational.
Who it’s for
Plain-English answers, by role.
Board members
AI accountability is a board-level liability under the EU AI Act, DORA, and post-incident litigation.
KYE™ turns every AI-agent action into signed, replayable evidence a court or regulator can verify. You sleep through the next agent incident.
CIOs
Five identity vendors, three policy engines, fourteen audit logs — and your AI agents sit outside all of them.
KYE™ is vendor-neutral and additive. Keep Okta, SPIFFE, Cerbos, OPA, your SIEM. KYE™ wires them into one open contract that produces a single decision and a single audit chain.
Risk officers
When a credential is compromised you don’t know what it touched, what it can still do, or what to revoke first.
KYE™ produces a Blast Radius Map™ — a graph of every capability, agent, payment, and decision affected. Revoke once; the protocol cascades the stop signal everywhere it’s needed.
Compliance officers
Audit prep takes weeks. Evidence is reconstructed by humans from logs that were never designed for forensics.
KYE™ exports signed evidence packs mapped to SOC 2, ISO 27001, PCI DSS, PSD2/PSD3, DORA, NIS2, EU AI Act, HIPAA, and NIST 800-207 controls. Auditors fetch a URL; they don’t schedule interviews.
Lawyers & in-house counsel
A client asks: “Was the agent allowed to do that, and can we prove it in court?”
KYE™ binds every action to a delegation chain back to a named human or business, a scope the action stayed inside, and a policy decision with a reason code. The chain is signed, replayable, and admissible.
Banks & payments platforms
Agents move money. PSD3, FFIEC, MAS, and RBI all want a payment authority chain — not an OAuth token.
KYE™’s Payments profile gives you scope-bound caps, currency / rail / threshold gating, and a signed proof bundle per authorisation. PSD3 / DORA / NIS2 controls evidenced from one chain.
Utilities & critical infrastructure
Operators, vendors, contractors, autonomous control software and AI all touch safety-critical equipment. NIS2 and IEC 62443 want a chain of authority.
KYE™’s Critical Infrastructure and Energy profiles give you operator / vendor / maintenance / emergency authority on every capability, with cascade revocation and signed audit evidence.
Regulators & auditors
Six different vendors’ agent stacks, six different audit formats, six different ways “authorised” is defined.
Every conformant KYE™ gateway exports the same evidence pack format. Verify signatures with public keys; replay the audit chain; re-derive the decision. One contract, every vendor.
Outcomes
What changes the day you adopt KYE™.
Evidence on demand
Auditors and regulators fetch a signed evidence pack from a URL. Verify with public keys alone. No interviews, no log archaeology.
Revoke once, everywhere
Compromised credential or rogue agent? One stop signal cascades through every delegation, payment authority, and capability grant in milliseconds.
Decision Map™
For every authority decision — allow, deny, escalate, quarantine — a replayable graph shows exactly why. Tangible explainability, not a black box.
Vendor-neutral
Open standard, Apache 2.0. No lock-in. Three reference SDKs. Thirty-four normative profiles.
Compliance Mapping Rail™
173 controls mapped across SOC 2, ISO 27001, PCI DSS 4.0, PSD2/PSD3, DORA, NIS2, EU AI Act, NIST 800-207, HIPAA. Evidence binds to controls automatically.
Blast-radius before revoke
Before you pull the trigger, see exactly what breaks. The Blast Radius Map™ turns “crisis revocation” into a controlled procedure.
Compliance
From AI governance to sector-grade authority control.
KYE™ is the operational evidence and control layer beneath the governance frameworks your organisation is already accountable to. The KYE Compliance Mapping Rail™ binds each runtime control and signed evidence pack to the specific obligations every framework imposes.
EU AI Act (Regulation (EU) 2024/1689) — ten controls (KYE-EUAIACT-001 through KYE-EUAIACT-010) covering entity accountability, AI system registry, risk classification, human-oversight gates, runtime authority decision logs, technical documentation evidence pack, corrective action trail, provider/deployer/operator role mapping, high-risk workflow profile, and post-market monitoring hooks.
ISO/IEC 42001 — AI management system inventory, responsibility, risk/impact, lifecycle controls, oversight logs.
NIST AI RMF — Govern / Map / Measure / Manage evidence around actors, risks, controls, decisions, lifecycle.
SOC 2 · ISO 27001:2022 · PCI DSS 4.0 · PSD2/PSD3 · DORA · NIS2 · HIPAA · NIST 800-207 — evidence packs map to specific control ids on demand.
KYE™ does not replace these frameworks. It exports the signed evidence they consume.
Sectors
Twelve regulated sectors. One protocol.
Each sector composes from the same base profiles plus a sector-specific overlay. Adopt only what you need; the core never shifts under you.
KYE Protocol™ is an open standard, Apache 2.0. There is a reference Gateway, three reference SDKs, and a conformance pack — but the contract is what matters. Vendors implement it; regulators verify against it; you adopt it without committing to a single supplier.
Does KYE™ replace my identity provider, my policy engine, or my SIEM?
No. KYE™ wires them into one open contract. Keep Okta, SPIFFE, Cerbos, OPA, AWS Cedar, Splunk, Datadog, your SIEM. KYE™ adds the layer above — authority, scope, decision, evidence — that none of them owns today.
Is this only for AI agents?
No. KYE™ governs any entity acting on someone else’s behalf — humans, businesses, AI agents, services, models, tools, workflows. AI agents are the urgent case because they are the most autonomous, but the contract is the same for an automation script or a contractor logging in.
Will adopting KYE™ require a rewrite?
No. KYE™ ships as a Gateway you put in front of your AI-agent and automation surface, plus three SDKs for the agents themselves. Existing systems don’t need to change. The Gateway becomes the source of truth for “was this allowed, and is the proof signed?”
Is the evidence legally admissible?
The evidence is cryptographically signed, replayable, and verifiable with public keys alone. Whether a specific court or regulator accepts it as admissible depends on jurisdiction and chain-of-custody — KYE™ provides the technical and evidentiary foundation; legal admissibility is a question for your counsel.
What does adoption cost?
The protocol is free (Apache 2.0). Reference implementations are free. Hosted offerings (KYE Cloud™ Registry, Validator API, Recovery Console, Evidence Packs, Compliance Profiles, Regulated-Sector Packs, Enterprise Deployment) are commercial — talk to us for sector pricing.
Next steps
Ready to dig deeper?
If you want the contract, schemas, conformance pack, and reference implementation — head to the technical landing. If you want a one-hour conversation with the team, drop a note in Discussions.