Finnosummit 2026 documented the conversation that fiduciaries, insurers, and mid-market banks in Latin America will need to resolve in the next 24 months: agentic commerce is not an interface problem. It is a governance problem. An agent that can negotiate, execute, and report with delegated authority is not regulated the same way as a customer service chatbot.
The concept emerging from that discussion is KYA: Know Your Agent. The regulatory complement to the traditional KYC framework financial institutions already know.
Why KYC is not enough for agents
The KYC framework exists to verify that the counterpart in a financial transaction is who they claim to be, holds the credentials they declare, and acts within the limits regulation allows. It works when the counterpart is human.
AI agents introduce a new complexity: the counterpart can be an autonomous system acting under delegation from a human principal, but making real-time decisions the human does not review before execution. The agent has real authority, not simulated. It can transfer funds, commit contracts, issue payment orders. And it may have been compromised, misconfigured, or acting outside the scope of the original delegation without the principal's knowledge.
Asobancaria and the Superfinanciera do not yet have a formal KYA framework. But regulatory pressure is already felt in the risk committees of institutions exploring real agentic deployments.
What this means for the mid-market financial sector
For fiduciaries, insurers, and mid-sized banks in Colombia and LATAM, the question is not whether to implement agents. It is under what governance architecture to deploy agents that can execute with delegated authority.
That architecture has three elements that mid-market technology teams rarely have defined today: an audited record of every decision the agent made, with the input that produced it and the output it delivered; a mechanism for authority limits the agent cannot cross without explicit human escalation; and an invalidation protocol that allows withdrawing delegation without interrupting the processes that depend on it.
KYA is not regulatory speculation. It is the logical consequence of giving real authority to an AI system in a regulated industry.
The preparation window is now
Institutions that deploy agents with that governance architecture from their first deployment will have a structural advantage when the formal framework arrives: they will not have to rebuild their systems on a retroactive governance foundation. Those that deploy without that foundation will face the same technical debt cost they already know from the IFRS 17 cycle: late compliance, high cost, extended risk window.
Fiducoldex, the trust company of the Ministry of Commerce, operates today with AI agents on Google Cloud under a data governance architecture that LIFE·IN·CO implemented. The foundation of that governance architecture is DocIntel: the platform that processed Fiducoldex's documentary corpus, trust contracts, beneficiary files, KYC records, Superfinanciera reporting documents, converting them into structured, auditable data before any AI agent could operate on top. That sequence is the governance model: document intelligence first, agentic deployment second.