Quick Answer

Akamai KYA vs Vercel Passport vs Cloudflare AI Identity (Jun 2026)

Akamai KYA vs Vercel Passport vs Cloudflare AI Identity: Three Layers of Agent Identity

Within one week in June 2026, three major infrastructure vendors shipped AI agent identity products — Akamai (June 15), Vercel (June 17), Cloudflare (ongoing). They’re often discussed as if they’re competitors. They’re not. They operate at different layers of the agent identity stack. Here’s how they fit together.

Last verified: June 22, 2026.

TL;DR

| Product | Layer | Use case | Partners |
| --- | --- | --- | --- |
| Akamai KYA | Transaction / cross-enterprise | Agent commerce: payments, bookings | Visa, Experian, Skyfire |
| Vercel Passport | Enterprise SSO / intra-enterprise | Internal apps + agents behind corporate IdP | Okta, Microsoft Entra |
| Cloudflare AI Identity | Runtime / workload | Agent identity at the edge runtime | Cloudflare Workers / Access |

These are not three answers to the same question. They are three layers of the same stack.

The three layers

Picture an AI agent doing real work — say, a SaaS-deployed agent that books vendor demos for a sales team.

Layer 1: Runtime identity (Cloudflare territory). When the agent code executes, what identity does it run under? Service account? Worker binding? Short-lived token? Cloudflare’s Workers AI bindings, Access for AI, and broader Zero Trust integrations cover this. It’s the “who is this process” question.

Layer 2: Enterprise governance (Vercel Passport territory). When the agent is deployed inside a company, is it visible to IT? Is access gated by the corporate identity provider? Can employees be deprovisioned and have their agents cease to function? Vercel Passport (and Okta/Entra direct integrations) cover this. It’s the “is this agent part of our company” question.

Layer 3: External assertions (Akamai KYA territory). When the agent transacts with an external system — paying with a card, booking a flight, accessing a partner API — how does the other side know this agent is legitimate and acting under verifiable human authorization? Akamai KYA (and likely future standards) covers this. It’s the “show me your ID at the door” question.

Each layer addresses a problem the others don’t.

Akamai Know Your Agent (KYA)

Launched: June 15, 2026.

What it does: Provides a cryptographic protocol for AI agents to declare their identity, origin, principal (the authorizing human), and intent when transacting with external systems. Akamai’s CDN enforces these assertions at the edge.

Best analogy: Know Your Customer (KYC) for AI agents.

Partners: Visa (payments), Experian (identity verification), Skyfire (agent payment infrastructure), Auth0, Ping Identity.

Use it when: You’re a merchant, payment processor, financial institution, or regulated commerce platform expecting significant AI-agent inbound traffic. You need to distinguish legitimate authorized agents from fraudulent ones at transaction time.

Limit: Only works if both sides speak KYA. Akamai shipped it; the rest of the ecosystem needs to add support on their inbound traffic. Expect 18-36 months for meaningful adoption.

Vercel Passport

Launched: June 17, 2026 (with Vercel Ship London).

What it does: Puts internal apps and AI agents behind your corporate identity provider (Okta, Microsoft Entra) by default. Configure the IdP connection once; Passport applies it across every deployment. App and agent deployments are private from the moment they exist; access is authenticated against employee identity.

Best analogy: Okta/SSO for internal AI agents — by default, automatically.

Companion: Vercel Connect (public beta) — replaces static API keys in agents with short-lived OIDC-issued tokens scoped to specific systems (Slack, GitHub, Snowflake, Salesforce).

Use it when: You’re an enterprise platform team and engineers are deploying internal AI agents that touch corporate data. You need to bring those agents under the same SSO governance as everything else, retroactively and prospectively.

Limit: Works best for Vercel-hosted apps/agents. Other platforms have Okta/Entra integrations but require more configuration per deployment. The “shadow AI” problem Passport fixes is real — the question is whether your team is on Vercel.

Cloudflare AI Identity (Workers + Access + Zero Trust)

Status: Rolling out throughout 2025-2026 as Cloudflare extends Workers AI bindings, Cloudflare Access, and Zero Trust to cover agent workloads explicitly.

What it does: Provides runtime workload identity for agents running on Cloudflare’s edge — short-lived credentials, service mesh-style identity, edge enforcement of access policies, integration with Cloudflare Access for human-in-the-loop authorization.

Best analogy: AWS IAM roles or GCP workload identity, but at the edge and AI-native.

Use it when: Your agents run on Cloudflare Workers and you need fine-grained identity for the agent’s runtime process — what APIs it can call, what data it can read, what other services it can talk to.

Limit: Tied to Cloudflare’s runtime. If you run agents elsewhere (Vercel Functions, AWS Lambda, your own Kubernetes), you need that platform’s equivalent.

How they fit together

A realistic production agent in late 2026 / early 2027:

1. RUNTIME (Cloudflare Workers AI binding)
   ↓ Process runs with short-lived workload identity

2. ENTERPRISE GOVERNANCE (Vercel Passport or Okta direct)
   ↓ Agent is registered under company SSO
   ↓ Employee authorization scope is tracked

3. EXTERNAL TRANSACTIONS (Akamai KYA)
   ↓ When agent presents card to Visa, KYA assertion travels with the request
   ↓ Merchant verifies assertion + employee authorization + intent metadata
   ↓ Transaction approved

A single agent might pass through all three identity layers in a single transaction. None of them duplicates work the others do.
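
The merchant-side check in step 3 above, sketched as an added example (not code from the original page and not Akamai's KYA wire format, which the page does not specify). The claim names, token layout and demo key are assumptions, and HMAC-SHA256 stands in for the issuer's asymmetric signature so it runs on the Python standard library.

```python
import base64, hashlib, hmac, json

# Constructed demo key. HMAC-SHA256 stands in for the issuer's asymmetric
# signature so the example runs on the standard library alone.
ISSUER_KEY = b"constructed-demo-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _tag(body: str, key: bytes) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def sign_assertion(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Issuer side: serialize the claims and append a MAC over them."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_tag(body, key)}"

def verify_transaction(token: str, request: dict, now: int,
                       key: bytes = ISSUER_KEY):
    """Merchant side: check signature, validity window, then intent."""
    try:
        body, tag = token.split(".")
        # Authenticate the bytes before parsing anything inside them.
        if not hmac.compare_digest(tag, _tag(body, key)):
            return False, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if not (claims["not_before"] <= now < claims["expires"]):
            return False, "assertion outside validity window"
        intent = claims["intent"]
        # The assertion is only good for the transaction it describes.
        if (intent["merchant"], intent["action"]) != (request["merchant"], request["action"]):
            return False, "intent does not match request"
        if request["amount_cents"] > intent["max_amount_cents"]:
            return False, "amount exceeds authorized limit"
        return True, f"approved for principal {claims['principal']}"
    except (ValueError, TypeError, KeyError):
        return False, "malformed assertion or request"

# Constructed sample data: agent, principal and merchant names are made up.
CLAIMS = {
    "agent": "demo-booking-agent",
    "origin": "agents.example.com",
    "principal": "alice@example.com",
    "intent": {"merchant": "vendor.example", "action": "purchase",
               "max_amount_cents": 5000},
    "not_before": 1000,
    "expires": 1300,
}
TOKEN = sign_assertion(CLAIMS)
```

Binding the intent to the request is what keeps a valid assertion from being reused for a different merchant or a larger amount than the principal authorized.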

Comparison table

| Dimension | Akamai KYA | Vercel Passport | Cloudflare AI Identity |
| --- | --- | --- | --- |
| Launched | Jun 15, 2026 | Jun 17, 2026 | Rolling (2025-2026) |
| Layer | Transaction | Enterprise SSO | Runtime |
| Primary buyer | Merchants, banks, payments | Enterprise IT, platform teams | Developers, DevOps |
| Protocol | KYA (Akamai-led) | OpenID Connect | Workload identity / mTLS / Access |
| Lock-in | Akamai CDN traffic | Vercel platform | Cloudflare runtime |
| Standardization path | Emerging, vendor-led | OIDC (mature) | Vendor + open standards |
| Time to adoption | 18-36 months | Immediate within Vercel users | Immediate within Cloudflare users |
| Adversarial robustness | Strong (cryptographic) | Strong (SSO mature) | Strong (workload identity mature) |

Which to deploy first

If you’re an enterprise platform team (Vercel Passport first):

  • You probably have agents being deployed by engineers without IT visibility.
  • Passport (or your existing Okta/Entra integration) brings them under governance.
  • KYA matters later, when your agents start transacting externally.

If you’re a merchant, fintech, payments company (KYA first):

  • Hostile AI agents will probe your transaction surface first.
  • KYA gives you a real-time signal at the moment of transaction.
  • Enterprise governance matters less for inbound traffic.

If you’re a developer deploying agents at the edge (Cloudflare first):

  • Workload identity is your immediate need — what does this agent’s code execute as?
  • Add Passport-style enterprise governance once your agents touch corporate data.
  • KYA matters when your agents make external transactions.

What about Microsoft, AWS, Google?

Hyperscalers will fill the same layers from their own platforms:

  • Microsoft: Entra ID for AI agents, Microsoft Defender for Cloud Apps for shadow AI detection, Azure AD workload identity. Strong in enterprise, weaker at edge.
  • AWS: IAM roles for agents, AWS Bedrock guardrails, AWS Verified Permissions. Strong at runtime, less developer-friendly.
  • Google: Workload Identity Federation, Apigee for agent gateways, Vertex AI security. Strong at GCP, weaker outside.

None of these have shipped a publicly-positioned “agent identity protocol” announcement on the scale of KYA. Expect competing proposals within 6-12 months.

Bottom line

Akamai, Vercel, and Cloudflare didn’t ship competing products in one week — they shipped three layers of the same emerging stack. The companies that built the internet’s identity layer over the last decade (Okta, Auth0, Ping, Cloudflare, Akamai, Vercel) are now rebuilding it for AI agents in parallel.

For most enterprises, start with Vercel Passport-style enterprise governance (because the shadow-agent problem is immediate), watch KYA adoption for when you need cross-enterprise commerce identity, and integrate workload identity at whatever runtime your agents run on.

Sources: Akamai press release (Jun 15, 2026), Vercel blog (Jun 17, 2026), The Register, SiliconANGLE, IDTechWire, Cloudflare documentation. Last verified: June 22, 2026.