KYE/Protocol
Open protocol · Version 0.1 · Apache-2.0

Know Your Entity. Know its state.

KYE Protocol™ is the open identity, authority, relationship and state protocol for AI vendors, data processors, software suppliers and the agents that act on their behalf.

Static "vendor approved" rows are dead. Subscribe to a vendor's live state. Enforce authority at runtime.

Apache-2.0 · Maintained by the KYE Protocol Working Group · v0.1 (2026)

Four pillars. State first-class.

Most identity protocols stop at "who is this entity". KYE answers "can this entity act, right now, under what authority, in what state" — because authority is meaningless without state.

Pillar 1

Identity

Verifiable identifier (DID, DNS, GLEIF, organisation number) + cryptographic public key. The thing every other pillar hangs off.

Pillar 2

Relationship

Edges to other entities — controller→processor, provider→deployer, parent→sub-processor, principal→agent — with role-typed semantics.

Pillar 3

Authority

What this entity is permitted to do, on whose behalf, in what scope, until when. Authority is data, not magic.

Pillar 4

State

Current operational status — active / suspended / verified / expired / restricted / revoked / under_review. Authority is meaningless without state.

Seven steps. One protocol.

Step 1 of 7 · Identify

Establish the entity's verifiable identifier (DID + DNS + GLEIF + organisation registry).

Six entity kinds. Six state vocabularies.

KYE Entity Lifecycle™ defines a controlled state vocabulary per entity kind.

Organisation · valid states

🏢 Organisation

registered / verified / active / suspended / dissolved / under_review / high_risk / blocked

Each state transition emits a KYE State Transition Event™ — signed, replayable, audit-trail-ready.

Event-sourced. Signed. Replayable.

Current state is derived from events, not stored as a mutable row. Every change carries who asserted it, when, on what basis, with what evidence — so an auditor can replay the history byte-for-byte.

Vendor lifecycle — example
  1. submitted → under_review: DDQ accepted
  2. under_review → approved: Evidence verified by auditor
  3. approved → conditionally_approved: Sub-processor change pending review
  4. conditionally_approved → active: Sub-processor re-attested
  5. active → expired: ISO 27001 cert lapsed (auto)
  6. expired → suspended: 30-day grace exceeded
  7. suspended → offboarded: Customer terminated contract

State drives runtime authority.

Policies don't just check "is this entity registered". They check the live state graph: entity_state = active AND authority_state = valid AND evidence_state = current.

Actor | Action | Decision | Why
Vendor X | process EU personal data | Deny | vendor_state = expired · DPA missing
Agent Z | submit AI Act docs | Allow | agent_state = active · authority valid · evidence current
AI System Y | serve high-risk inference | Deny | ai_system_state = restricted · post-incident review pending
Sub-processor S | store payment data | Deny | PCI AOC expired · trust_score < threshold
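
An added example, not part of the KYE specification or any reference implementation: it replays the vendor lifecycle events listed earlier to derive the current state, then applies the three-condition policy above and denies by default. The function names, the transition set (taken only from the lifecycle example) and the integer audit_event_id values are assumptions; signature verification of each event is left out.

```python
# Added example; names are illustrative, not the KYE reference API.
REQUIRED = {"entity_state": "active", "authority_state": "valid", "evidence_state": "current"}

# Assumption: the controlled transition model permits only the edges shown
# in the vendor lifecycle example on this page.
ALLOWED = {
    ("submitted", "under_review"), ("under_review", "approved"),
    ("approved", "conditionally_approved"), ("conditionally_approved", "active"),
    ("active", "expired"), ("expired", "suspended"), ("suspended", "offboarded"),
}

# Constructed events mirroring the first five steps of the lifecycle example.
EVENTS = [
    {"audit_event_id": 1, "from_state": "submitted", "to_state": "under_review", "reason": "DDQ accepted"},
    {"audit_event_id": 2, "from_state": "under_review", "to_state": "approved", "reason": "Evidence verified by auditor"},
    {"audit_event_id": 3, "from_state": "approved", "to_state": "conditionally_approved", "reason": "Sub-processor change pending review"},
    {"audit_event_id": 4, "from_state": "conditionally_approved", "to_state": "active", "reason": "Sub-processor re-attested"},
    {"audit_event_id": 5, "from_state": "active", "to_state": "expired", "reason": "ISO 27001 cert lapsed (auto)"},
]


def replay(events, initial="submitted"):
    """Derive the current state from events; reject gaps and illegal edges."""
    state = initial
    for ev in events:
        edge = (ev["from_state"], ev["to_state"])
        if ev["from_state"] != state:
            raise ValueError(f"event {ev['audit_event_id']}: expected from_state={state}")
        if edge not in ALLOWED:
            raise ValueError(f"event {ev['audit_event_id']}: transition {edge} not allowed")
        state = ev["to_state"]
    return state


def check(states):
    """Fail closed: allow only if every required state is present and matches."""
    reasons = [f"{key} = {states.get(key, 'unknown')}"
               for key, want in REQUIRED.items() if states.get(key) != want]
    return ("deny", reasons) if reasons else ("allow", [])


def vendor_decision(events, authority_state, evidence_state):
    """Combine the replayed entity state with authority and evidence state."""
    return check({"entity_state": replay(events),
                  "authority_state": authority_state,
                  "evidence_state": evidence_state})


if __name__ == "__main__":
    print(vendor_decision(EVENTS[:4], "valid", "current"))  # vendor still active
    print(vendor_decision(EVENTS, "valid", "current"))      # after the cert lapsed
```

An event that tries to move the vendor from expired straight back to active is rejected during replay, so it never reaches the policy check.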

What's in v0.1.

Open spec — Apache-2.0. The protocol semantics are public + free to implement. Reference implementations welcome from any vendor.

Identifier scheme

DID + DNS + GLEIF + organisation-number resolution. Backwards-compatible with did:web, did:plc, ENS.

Attestation envelope

W3C Verifiable Credentials JSON-LD with EIP-1271 / Ed25519 signatures. Replayable + revocable.

KYE State Graph™

Per-kind state vocabularies (Organisation, Vendor, AI System, Agent, Compliance Posture, Payment Authority) + controlled transition model.

KYE State Transition Event™

Event-sourced state changes — from_state, to_state, reason, asserted_by, evidence, timestamp, audit_event_id.

KYE Authority State™

Authority is a state, not a static fact. Includes scope, validity window, delegation chain, revocation status.

Trust score

Open scoring formula combining completeness, freshness, attestation strength, incident decay, and live state.

Subscription protocol

WebSub-compatible feed of state transitions + attestation changes. Subscribe to a vendor; auto-receive updates.

Runtime authority check

/v1/kye/check { actor, action } → allow/deny + reasons, all derived from the live state graph.

Adopt it. Issue it. Verify against it.

Apache-2.0. Open repository. Implementations welcome.

KYE Protocol™, v0.1 (2026).
KYE Protocol Working Group · https://kyeprotocol.com