iPRODECISIONS RESEARCH · ORIGINAL FRAMEWORK · ISSUE 04 · Q3 2026
The KALIB Architecture System Map
Know Your Agent (KYA) · Six-Layer Implementation Framework · Agent Identity & Accountability Governance for Regulated Finance
KYA = K · A · L₁ · I · B · L₂
K = Knowledge — Registry & DID
A = Authentication — Zero Standing Privileges
L₁ = Lifecycle — State Machine Governance
I = Intent — HITL Gates · SR 11-7 Aligned
B = Behavior — Probabilistic Baseline
L₂ = Lineage — Cryptographic Chain · FATF Ext.
K · Knowledge Layer · Agent Registry & DID Issuance · KYA Pillar 1
Every agent receives a W3C DID linked to a named human sponsor, legal entity, and declared capability set. Pre-deployment registry entry is mandatory — no registry entry, no deployment. The registry entry is a cryptographically signed record, not a service account.
W3C DID Core v1.0 · Human Sponsor Linkage · Capability Manifest · Enterprise Registry Gate · 60-Day Implementation
A · Authentication Layer · Zero Standing Privileges · KYA Pillar 2
No agent retains access between task executions. OAuth 2.0 extensions issue short-lived, context-scoped credentials per task, and SPIFFE/SPIRE workload attestation verifies the runtime environment. The 81% adversarial attack success rate observed against agents (NIST 2025) drops sharply when standing permissions are removed.
OAuth 2.0 Task Tokens · SPIFFE/SPIRE Attestation · Per-Task Auth Events · Credential TTL Enforcement · NIST SP 800-207
L₁ · Lifecycle Layer · State Machine Governance · KYA Pillars 1 + 2
Registered → Deployed → Suspended → Decommissioned. Credentials expire automatically at every state transition. The Decommissioned state seals the registry record immutably, so agents cannot persist beyond their authorized operational context. Aligned with the MetaComp KYA Framework.
4-State Machine · Automatic Credential Expiry · Registry Reconciliation · Decommission Audit Seal
I · Intent Layer (Critical) · HITL Gates & Scope Validation · KYA Pillars 2 + 4
Hardcoded human-in-the-loop gates for consequential actions — payments above threshold, SAR filing, sub-agent spawn with elevated permissions, out-of-scope tool invocations. The gates cannot be bypassed, configured away, or disabled. The SR 11-7 / SR 21-8 supervisory expectation is fulfilled architecturally.
Hardcoded HITL · Risk-Threshold Gates · Sub-Agent Spawn Control · SR 11-7 / SR 21-8 · Non-Configurable
B · Behavior Layer · Probabilistic Baseline Monitor · KYA Pillar 3
Continuous monitoring for nondeterministic actors: the layer models the expected output probability distribution per agent per context and flags actions that fall outside that distribution at a defined confidence threshold. It covers tool invocation audit, permission escalation detection, and cross-agent interaction logging. A standard SIEM cannot provide this.
Probabilistic Baseline · Tool Invocation Audit · Escalation Detection · Cross-Agent Logging · Continuous · Real-Time
L₂ · Lineage Layer · Cryptographic Delegation Chain · KYA Pillar 4
Immutable, cryptographically chained record of every authorization, delegation, tool invocation, and HITL decision. Examiners are guaranteed a full reconstruction within 24 hours, traceable to the named human sponsor. A lineage segment travels with every cross-institution agent transaction, satisfying the FATF Travel Rule extension at every hop.
Cryptographic Chain · Immutable Entries · 24hr Reconstruction · Sponsor Traceability · FATF Travel Rule Ext. · MRA/MRIA-Ready
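The chained record the Lineage layer describes, as an added example that is not the KALIB authors' or iPRODECISIONS' code: a SHA-256 hash-chained ledger in Python whose entry kinds, field names, agent names and sponsor address are constructed for illustration. verify() reports the first tampered entry and trace_sponsor() walks sub-agent delegations back to the named human sponsor.

```python
import hashlib
import json
# Added example, not the KALIB authors' code: a minimal hash-chained lineage
# ledger. Each entry commits to the previous entry's hash, so editing any earlier
# record breaks every later hash. Entry kinds/fields are this example's assumptions.
GENESIS = "0" * 64

def _digest(prev_hash, record):
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

class LineageLedger:
    def __init__(self):
        self.entries = []

    def append(self, kind, actor, **fields):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "kind": kind, "actor": actor, **fields}
        self.entries.append({"record": record, "prev": prev, "hash": _digest(prev, record)})

    def verify(self):
        """(True, None) if the chain is intact, else (False, seq of the first bad entry)."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _digest(prev, e["record"]) != e["hash"]:
                return False, e["record"]["seq"]
            prev = e["hash"]
        return True, None

    def trace_sponsor(self, agent):
        """Follow delegations back to the registry entry naming the human sponsor."""
        for _ in range(len(self.entries) + 1):  # bounded: a delegation cycle ends in None
            for e in reversed(self.entries):
                r = e["record"]
                if r["kind"] == "registry" and r["actor"] == agent:
                    return r["sponsor"]
                if r["kind"] == "delegation" and r["delegate"] == agent:
                    agent = r["actor"]  # hop to the delegating parent agent
                    break
            else:
                return None  # agent was never registered or delegated to

def build_sample_ledger():
    # Constructed sample: a sponsored payments agent spawns a sub-agent whose
    # large payment is held at the Intent-layer HITL gate and then approved.
    led = LineageLedger()
    led.append("registry", "agent-pay-01", sponsor="j.doe@example-bank", did="did:example:pay01")
    led.append("authorization", "agent-pay-01", scope="payments:initiate", ttl_s=300)
    led.append("delegation", "agent-pay-01", delegate="agent-pay-01-sub")
    led.append("tool_invocation", "agent-pay-01-sub", tool="payment_api", amount=250000)
    led.append("hitl_decision", "reviewer:m.smith", subject="agent-pay-01-sub", decision="approved")
    return led
```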
92% lack full AI agent identity visibility · CISO AI Risk 2026
81% novel attack success rate against agents · NIST CAISI 2025
0 enforceable agent identity standards published globally · Q3 2026
44% of agents using static API keys — critical gap · CSA / Strata 2026
The Identity Layer Between Compliance Agent (Issue 03) and Stablecoin Rails (Issue 05) · KYA is the prerequisite the series has been building toward