§ 02 · LANDSCAPE · MARKET SHIFT

The identity market is moving from onboarding to authorization.

AI agents are changing where action begins, how quickly it moves, and how much depends on getting approval right. That shifts the market from verifying access to governing authority.

§ 02.5 · Why Know Your Agent matters · The trust problem

The shift

AI agents create a new trust problem.

Software no longer only suggests — it acts. That flips authorization from a login moment into a per-action question that has to hold up across the business.

Agents can take action

They are no longer only generating answers. They are initiating real steps in business workflows, often without a visible user session.

Businesses need user authority

It must be clear what the user allowed the agent to do and when that permission applies — before and after the fact.

Users need control

People should be able to use AI help without handing away unlimited access to their identity — or handing it away forever.

§ 03 · What's Changing · Three forces

Forces

Three forces reshaping where trust lives.

Agentic workflows move the decision point

Authorization no longer happens only inside obvious user sessions. It can be triggered by software acting with delegated authority.

Fraud pressure follows the workflow

Delegated abuse, account misuse, and synthetic behavior become harder to reason about when automation enters the loop.

Trust has to be legible across the business

Product, operations, risk, compliance, and partners all need to understand why a sensitive action was allowed.

Legacy pattern

Identity ends at access. Approval remains fragmented.

Traditional digital journeys assume the user is always directly steering the experience and that a generic approval event is enough.

Next pattern

Identity extends into authorization and delegated action.

Sensitive actions require a clearer relationship between the request, the user's authority, and the confidence an organization can place in the result.

§ 04 · Where It Lands First · Four sectors

First adopters

The need appears first wherever automation meets consequence.

Financial services

Payments, account changes, and regulated onboarding require stronger control over agent-initiated action.

Slots into your KYC/KYB stack; does not replace it.

Marketplaces

Automated purchasing, verification, and seller trust flows require clearer human authority.

Mobility and travel

High-value bookings and account changes need confidence that the right person genuinely approved them.

Enterprise platforms

Delegated workflows demand a governance model that holds up under operational and legal review.

Regulated enterprise

MLRO, CISO, and fraud teams can defend each decision — the delegation credential, the attestation token, and the hash-chained receipt are artefacts their existing frameworks can already assess.

§ · Interop with existing identity stacks · Wallets · mDL · Partners

Interop

Paphwey is not a replacement for the wallets enterprises already rely on.

The gateway issues and verifies credentials in the shapes these stacks already consume, so an organization can adopt Know Your Agent without throwing away its existing wallet strategy.

EUDI Wallet

SD-JWT VC presentations via OpenID4VP line up with the European Digital Identity wallet flows defined by the Architecture and Reference Framework (ARF).

Apple Wallet identity · Google Wallet ID Pass

Both platforms are converging on the W3C Digital Credentials API plus OpenID4VP — the same shape Paphwey already speaks.

UK / US mobile driving licence

State-issued mDLs follow ISO/IEC 18013-5 mdoc. The issuer_method taxonomy reserves mdoc_iso18013_5 so presentations carry the right provenance.

Government-issued Digital Identity Wallets

Paphwey plans to integrate with every government-issued Digital Identity Wallet as each programme reaches general availability, so customers can onboard citizens through the wallet their jurisdiction has mandated.

§ · Two industry patterns · Consumer · Enterprise

Two topologies

The same gateway supports two very different deployments.

Whose device holds the wallet, and whose keypair the agent uses, can shift a lot between industries. Paphwey's topology absorbs both — the cryptographic chain from user to agent to relying party stays identical; only the actors wearing each role change.

Consumer pattern

User → phone wallet → consumer agent → merchant

  • The user carries the wallet on their own phone.
  • They bind a consumer agent — ChatGPT, Claude, Perplexity — with its own ES256 key.
  • Spend caps and per-merchant scopes are set at the wallet.
  • The merchant verifies the delegation VC and the agent PoP against the gateway's JWKS.
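
The merchant-side check from the consumer pattern, as an added example (not Paphwey's code or API). It assumes the delegation is an ES256 JWS signed by a key in the gateway's JWKS and that the agent's public key is bound into it through a `cnf.jwk` claim, so the proof of possession is checked against that bound key. The claim names (`scopes`, `spend_cap`), the `kid` and all sample values are constructed for illustration.

```javascript
// Added example: merchant-side checks on an agent request. Claim names
// (scopes, spend_cap, cnf), the kid and all sample values are constructed.
const crypto = require('node:crypto');
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const unb64 = (s) => JSON.parse(Buffer.from(s, 'base64url'));
const p1363 = (key) => ({ key, dsaEncoding: 'ieee-p1363' }); // JWS ES256 uses raw r||s

// Minimal ES256 compact-JWS signer, used only to build the samples below.
function signJws(claims, privateKey, kid) {
  const input = `${b64({ alg: 'ES256', kid })}.${b64(claims)}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), p1363(privateKey)).toString('base64url')}`;
}

// Verify a compact JWS against one public JWK; return its claims or throw.
function verifyJws(token, jwk) {
  const [h, p, s] = token.split('.');
  // Pin the algorithm instead of trusting whatever the header asks for.
  if (unb64(h).alg !== 'ES256') throw new Error('unexpected alg');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const sig = Buffer.from(s, 'base64url');
  if (!crypto.verify('sha256', Buffer.from(`${h}.${p}`), p1363(key), sig)) throw new Error('bad signature');
  return unb64(p);
}

// Delegation must chain to the gateway JWKS; the proof must chain to the agent key it binds.
function authorize({ delegation, pop, jwks, merchant, now }) {
  try {
    const gwKey = jwks.keys.find((k) => k.kid === unb64(delegation.split('.')[0]).kid);
    if (!gwKey) return 'deny: unknown gateway key';
    const d = verifyJws(delegation, gwKey);
    const proof = verifyJws(pop, d.cnf.jwk);
    if (now >= d.exp) return 'deny: delegation expired';
    if (proof.aud !== merchant || Math.abs(now - proof.iat) > 60) return 'deny: proof not for this request';
    if (!d.scopes.includes(`purchase:${merchant}`)) return 'deny: merchant out of scope';
    if (proof.amount > d.spend_cap) return 'deny: over spend cap';
    return 'allow';
  } catch (e) { return `deny: ${e.message}`; }
}

// Constructed sample: gateway and agent keys, one delegation, requests on demand.
const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const gw = newKey(), agent = newKey(), now = 1700000000;
const jwks = { keys: [{ ...gw.publicKey.export({ format: 'jwk' }), kid: 'gw-1' }] };
const delegation = signJws({ exp: now + 3600, scopes: ['purchase:shop.example'], spend_cap: 100,
  cnf: { jwk: agent.publicKey.export({ format: 'jwk' }) } }, gw.privateKey, 'gw-1');
const request = (amount, merchant, signer = agent, at = now) => authorize({ delegation, jwks, merchant, now: at,
  pop: signJws({ aud: merchant, iat: now, amount }, signer.privateKey) });
```

`request(40, 'shop.example')` returns `allow`; an amount above the cap, a merchant outside the scope list, or a proof signed by any key other than the bound one each returns a `deny:` reason.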

Enterprise pattern

Employee → corp-managed wallet → internal agent → vendor

  • The wallet lives on a corporate-managed mobile device or secure element.
  • The agent is a specific internal workflow bot with an Ed25519 key rotated by IT.
  • Scopes map to per-API allowlists; spend caps are softer, approval thresholds harder.
  • Audit anchors feed the enterprise's existing SIEM / receipt pipeline.
