Decentralized Identity
Know Your AI
Identity and Trust for AI Agents
Part 1 & 3
Mark Medum Bundgaard
Chief Product Officer, Partisia
Part 2
Søren Eller Thomsen
Senior Cryptographic Engineer, Partisia
Scroll
Know Your AI
Partisia
Partisia
Privacy-preserving computation and decentralized identity
Founded on 30+ years of cryptographic research
Pioneers of Multiparty Computation (MPC)
MPC infrastructure powers our zero-knowledge proving systems
Operating in regulated enterprise environments
The Challenge
AI agents are acting on behalf of humans
But there is no standard way to verify who they are, who authorized them, or what they are allowed to do.
Every service, every API, every transaction faces the same unanswered questions.
Today's Talk
01
The Problem
Why current identity models break down when AI agents act on behalf of humans.
Mark Medum Bundgaard
02
The Solution
Verifiable credentials, decentralized identifiers, and cryptographic delegation chains.
Søren Eller Thomsen
03
The Vision
Multi-agent systems, zero-knowledge authorization, and the future of trusted AI.
Mark Medum Bundgaard
The world is changing
Before
Now
Part 1 - Mark Medum Bundgaard
What is an AI Agent?
Autonomous Action
Takes real actions in external systems
Multi-Step Reasoning
Chains decisions without human input at each step
Natural Language
Interprets goals, not just predetermined rules
Adaptive Planning
Dynamically adjusts to new requirements
Model Context Protocol
The universal adapter connecting agents to the world
AI Agent
Memory · LLMs · Tools
MCP
Databases
PostgreSQL · SQLite
Dev Tools
Git · Sentry
Productivity
Slack · Google Drive
Web Services
APIs · Live data
When an agent calls a service, who is making the request?
A Concrete Example
Autonomous Trading
Trader
Wants to trade stocks
but not sit at a screen
delegates
AI Agent
Executes trades
autonomously 24/7
trades at
Stock Exchange
Must verify who is
placing the order
How does the exchange know who authorized this agent and what it is allowed to trade?
Three questions every service must ask
Authentication and Authorization are familiar. Delegation is the new question that AI agents introduce.
01
Authentication
“Who is this agent?”
Which agent is connecting - and is it legitimate?
02
Delegation
“Who authorized it?”
Which human instructed this agent to act - and with what scope?
03
Authorization
“What can it do?”
Is this specific action permitted, right now, in this context?
Existing solutions fall short
API Keys
Issued to apps, not agents. No user context. Cannot express delegation scope.
OAuth Tokens
Even OAuth 2.1 and GNAP are scoped to app-level grants. They cannot express verifiable delegation chains or carry portable agent identity across organizational boundaries.
Session Cookies
User-bound but cannot travel across agent handoffs or organizational boundaries.
We lack a standard way to say: “Here is cryptographic proof that this agent is authorized.”
Part 2
The Technical
Solution
Søren Eller Thomsen
Senior Cryptographic Engineer, Partisia
The Context
From Federated to Self-Sovereign Identities
Federated
Provider holds your identity.
You log in through a third party.
Self-Sovereign
You control your own identity.
Cryptographic credentials you carry
with you.
Mandatory 2026 Click to reveal
The Building Blocks
Core Technologies
Identity controlled by the individual, no central authority required
VC
Verifiable Credentials
- Cryptographically signed statements about a subject
- Tamper-evident and holder-controlled
VP
Verifiable Presentations
- Packages of credentials assembled by the holder
- Enables selective disclosure to specific verifiers
DID
Decentralized Identifiers
- Globally unique, self-created identifier
- Resolvable to a public key
- No registration authority needed
The Foundation
Basic Usage
Issuer
Signs credentials
Holder
Controls credentials
Relying Party
Verifies presentations
Registry
Stores DID documents
Resolves DID
Resolves DID
No callback to the Issuer. The Relying Party verifies the credential using the Issuer's public key from the Registry.
Click to reveal
Verifiable Credentials
Verifiable Credential
Issuer signs
The government (did:ex:gov) signs Jane's credential with its private key, binding it as the authority.
Holder stores
Jane stores the credential in her wallet and controls when and where to share it.
Verifier checks
Any relying party can verify the issuer's signature against did:ex:gov, no central lookup needed.
Verifiable Presentations
Verifiable Presentation
Holder selects
Jane chooses which credentials and which fields to disclose, sharing only Name and DOB, nothing more.
Holder signs nonce
The verifier challenges Jane with a random nonce. Jane signs it with her private key, proving she controls did:ex:jane right now.
Verifier checks
The employer verifies both Jane's holder signature and the government's issuer signature in one step.
Decentralized Identifiers
DID Document
did:ex:employer{
"@context": "https://www.w3.org/ns/did/v1",
"id": "did:ex:employer",
"authentication": [{
"type": "Ed25519VerificationKey2020",
"publicKeyMultibase": "z6Mkq8..."
}],
"assertionMethod": [{
"type": "Ed25519VerificationKey2020",
"publicKeyMultibase": "z6Mkr3..."
}],
"service": [{
"type": "VerificationService",
"serviceEndpoint":
"https://employer.example.com/verify"
}]
}Self-created
The employer generates a key pair and registers did:ex:employer, no central authority needed.
Globally resolvable
When Jane presents her VP, the employer's public key is looked up via did:ex:employer to verify the nonce signature.
Cryptographically bound
The DID document binds the employer's identity to its public key, anyone can verify who they are dealing with.
The Authentication Flow
KYA Framework
Know Your Agent
01
Authentication
Who is the agent?
Both users and agents have DIDs
Agent signs each request
Service verifies signature
02
Delegation
Who authorized it?
User issues VC to agent
Defines permitted actions
Agent presents VC to service
03
Authorization
What can it do?
Service evaluates VC claims
Checks action scope
Allows or denies request
KYA in Practice
Trading Agent Example
Trader
Issues credential
Trading Agent
Holds credential
Stock Exchange
Verifies authorization
Registry
Stores DID documents
Resolves DID
Resolves DID
Phase 1: Issuance
Phase 2: Trade
Click to reveal
Part 3
The Vision
Mark Medum Bundgaard
Chief Product Officer, Partisia
The Future
Multi-Agent Systems
Research Agent
sub-agent
Scheduling Agent
sub-agent
Finance Agent
sub-agent
Each handoff requires a verifiable delegation chain.
KYA makes every step auditable.
Specialised Sub-Agents
Multi-Agent Delegation
Trader
Issues master VC
Parent Agent
Holds master VC
Equities Agent
Stocks only
Forex Agent
FX pairs only
Crypto Agent
Crypto only
NYSE
Equities exchange
FX Exchange
Currency pairs
Coinbase
Crypto exchange
Master VC
Sub-VC: Equities
Sub-VC: Forex
Sub-VC: Crypto
VP
VP
VP
Phase 1: Issuance
Phase 2: Sub-delegation
Phase 3: Trade
Click to reveal
The Problem
Trading Policy is Secret
Budget Limit
The 10k EUR trading limit reveals the trader's risk appetite and capital allocation strategy.
Allowed Instruments
Knowing the agent can only trade equities exposes the trader's investment strategy to competitors.
Trading Hours
Permitted trading windows reveal when the trader expects volatility - a signal competitors can exploit.
A trader’s policy is commercially sensitive. The exchange should only know: is this order authorized?
The Building Block
Zero-Knowledge Proofs
A prover convinces a verifier that a statement is true, without revealing why it is true.
Prover
holds secret X
”I know X for which P(X) holds”
zero-knowledge proof
Verifier
accepts: P(X) holds
01
Completeness
If the statement is true, an honest prover can always convince an honest verifier.
02
Soundness
If the statement is false, no cheating prover can convince an honest verifier (except with negligible probability).
03
Zero-Knowledge
The verifier learns nothing beyond the fact that the statement is true.
Privacy-Preserving Authorization
Zero-Knowledge Proofs - prove without revealing
Without ZK Proofs
The exchange sees the full credential:
trader identity, exact 10k EUR limit,
allowed instruments, all delegation details
Trading strategy and budget exposed to the exchange
With ZK Proofs
The trader commits to the policy.
The agent produces a ZK proof that
the order satisfies the committed policy.
Exchange verifies authorization without seeing the policy
The exchange only learns: “This order is authorized and within the permitted scope.”
How It Works
Policy-Hiding KYA
Commit
The trader encodes the policy as a vector V and commits to it: c = commit(V).
V = {max_amount: 10k, instruments: equities, hours: 09-17}Sign
The trader signs the commitment c together with the agent's public key and an expiration date.
Sign(c, pk_agent, expiry)Prove
The agent produces a ZK proof that the requested trade satisfies V (without revealing V).
Prove: trade.amount <= V.max_amountVerify
The exchange verifies both the signature and the proof, without ever learning V.
Verify(signature, proof) -> allow | denyTrust without centralization
Central Registry
Single point of failure
Concentration of power
Interoperability barriers
Gatekeeping
DID-Based Model
Cryptographically verifiable identity
No phone-home required
Cross-provider interoperability
Anyone can verify anyone
Governance & Accountability
KYA as foundational infrastructure for AI governance
Regulatory Compliance
EU AI Act Article 50 requires AI transparency. MiCA demands agent accountability in finance. KYA provides the verifiable evidence.
Liability Assignment
Delegation chains aligned with eIDAS 2.0 electronic attestations make "who authorized what" forensically answerable.
Consent Infrastructure
Issuing a delegation VC is machine-readable, specific, revocable consent.
Cross-Border Interop
Built on W3C DID Core and eIDAS 2.0 VC infrastructure. A credential issued anywhere is verifiable everywhere.
Where We're Going
The Agentic Future
Protocols like MCP and A2A connect agents to tools and to each other. KYA adds the missing layer: verifiable identity, delegation, and privacy-preserving authorization.
Global Agent Identity
Agents carry portable, cryptographic identities across platforms, providers, and jurisdictions. No walled gardens.
Agent-to-Agent Commerce
Agents transact directly with each other, verifying delegation chains in milliseconds without human intervention.
Privacy by Default
Zero-knowledge proofs ensure compliance verification never requires exposing strategy, intent, or sensitive data.
Accountable Autonomy
Every autonomous action traces back through a verifiable delegation chain to a responsible human or organization.
Partisia
Build the trustworthy
agentic web with us
Enterprises
Deploying agentic AI and need verifiable authorization trails
Regulators
Building accountability frameworks for autonomous AI systems
Developers
Building MCP-connected services that need to verify agent identity
Researchers
Working on ZK credential schemes, delegation verification, and privacy-preserving policy
Decentralized IdentityQ&A
Know Your AI: Identity and Trust for AI Agents
Mark Medum Bundgaard
Chief Product Officer, Partisia
Søren Eller Thomsen
Senior Cryptographic Engineer, Partisia
partisia.com