Sumsub ships the first KYC platform that lets AI agents configure compliance via MCP
Sumsub became the first KYC platform to expose its configuration layer to AI agents via MCP, letting Claude, ChatGPT, and other models translate AML policy documents into production workflows under human review.
Sumsub, the global verification platform, today launched a Model Context Protocol integration that lets AI agents built on Claude, ChatGPT, and other models configure its full KYC and AML stack. The company also published open-source agent skills on GitHub and became the first verification vendor listed on the ChatGPT Apps marketplace. The release turns what used to be a week-long solution architecture project into a same-day conversation with an agent.
Until now, configuring a KYC or AML workflow on a verification platform required a human to read a regulator's policy, translate it into a vendor's settings, and then maintain that mapping as regulations changed. For a global fintech with rules in 40 countries, that is a full-time job. Sumsub's new release puts the configuration layer behind an MCP server, which means a model can read an AML policy document, ask the platform what fields and risk rules are available, and then push a fully configured workflow back into production, all under human review and in a sandbox.
What the Sumsub MCP integration actually does
Model Context Protocol is the open standard that Anthropic introduced in 2024 and that the rest of the industry has since adopted as the default way for agents to call external tools. An MCP server is a small service that exposes a list of tools, in this case configuration and operational actions on the Sumsub platform, to any agent that connects to it. The protocol is simple enough that a vendor can ship a server in a few weeks, which is what Sumsub has now done.
The integration is deliberately model-agnostic. A team can point Claude, ChatGPT, or any other MCP-compatible agent at the Sumsub server and get the same result, because the protocol is the contract. The agent is given a small, well-defined set of tools: read the current configuration, write a new risk rule, attach a document check to a user flow, set a country-specific weighting, preview the change in a sandbox, and finally apply it to production after a human approves. Sensitive actions are not just gated by a permission prompt. They run in an isolated sandbox, separate from the live environment, and a human has to explicitly promote the change. That is the right shape for compliance work, where an incorrect rule can either block legitimate users or let fraudulent ones through.
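The sandbox-then-promote flow described above can be enforced as a policy check on each MCP tools/call request. The sketch below is an added example, not Sumsub's code: the tool names, the environment and change_id arguments, and the PromotionGate class are hypothetical, chosen to mirror the actions the article lists. It binds the human approval to a hash of the exact staged change, so an edit made after review voids the approval.

```python
import hashlib
import json

# Hypothetical tool names modelled on the actions the article lists.
SANDBOX_WRITES = {"write_risk_rule", "attach_document_check", "set_country_weighting"}

def change_digest(change):
    """Stable SHA-256 over the proposed configuration change."""
    return hashlib.sha256(json.dumps(change, sort_keys=True).encode()).hexdigest()

class PromotionGate:
    def __init__(self):
        self.staged = {}        # change_id -> change staged in the sandbox
        self.previewed = set()  # change_ids whose sandbox preview was run
        self.approved = {}      # change_id -> digest a human reviewer signed off

    def approve(self, change_id, digest):
        """Called by the human review step, never by the agent."""
        self.approved[change_id] = digest

    def authorize(self, request):
        """Decide on one MCP JSON-RPC request; returns (allowed, reason)."""
        if request.get("method") != "tools/call":
            return False, "not a tool call"
        params = request.get("params", {})
        name, args = params.get("name"), params.get("arguments", {})
        cid = args.get("change_id")
        if name == "read_configuration":
            return True, "read-only"
        if name in SANDBOX_WRITES:
            if args.get("environment") != "sandbox" or cid is None:
                return False, "writes are sandbox-only"
            self.staged[cid] = args.get("change")
            self.previewed.discard(cid)   # any edit voids the earlier preview
            self.approved.pop(cid, None)  # ...and the earlier approval
            return True, "staged"
        if name == "preview_change":
            if cid not in self.staged:
                return False, "nothing staged"
            self.previewed.add(cid)
            return True, "previewed"
        if name == "apply_to_production":
            if cid not in self.staged or cid not in self.previewed:
                return False, "must be staged and previewed first"
            if self.approved.get(cid) != change_digest(self.staged[cid]):
                return False, "no human approval for this exact change"
            return True, "promoted"
        return False, "tool not on allowlist"

def call(name, **arguments):
    """Build a constructed tools/call request for demos and tests."""
    return {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}
```
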
The release also includes a set of open-source agent skills on GitHub, the same pattern that Anthropic, Cloudflare, and a long list of developer tools have used to make their MCP servers easier to adopt. The skills cover the most common setup tasks, so a developer can install them in a single terminal command and have a working agent in under five minutes. The skills are not required to use the integration. They are a shortcut for the most common patterns.
Andrew Novoselsky, Chief Product Officer at Sumsub, framed the release as a response to the maintenance tax that compliance teams have been paying for the last decade. "Setting up a compliance workflow has always required significant manual effort, and updating it when regulations change requires even more," he said. "Our Agentic experience changes that by connecting an AI agent directly to the configuration layer of the platform." The phrasing matters. The agent is not a chatbot front end on a static web form. It has direct access to the configuration layer, which is the part of the platform that compliance officers actually care about.
The launch is also a clear commercial signal. Sumsub is now the first verification platform officially listed on the ChatGPT Apps marketplace, and the company said it is in active discussions with other major LLM providers about similar listings. For an enterprise KYC buyer, that is a meaningful change. Picking a vendor whose configuration can be exposed to the AI tools the buyer's own teams are already using is a different procurement decision than picking a vendor whose configuration lives in a closed web console.
The configuration layer is the part compliance teams care about
The interesting part of the release is not the model support. It is what the configuration layer can now do. Until today, even the most aggressive AI deployment stories in financial services stopped at the agent helping a human draft a policy or summarize a queue of alerts. Sumsub is the first major vendor to let an agent actually write the platform configuration, in production, with the same primitives a human would use.
For a typical Sumsub customer, a regional payments company, the practical change looks like this. Today, when a regulator in a new market publishes a rule on document freshness, the compliance team reads the rule, opens the Sumsub admin console, and translates the rule into a series of settings. The work is slow, error-prone, and difficult to audit. With the new MCP integration, the same team can hand the regulator's PDF to an agent, ask it to draft the new configuration in the sandbox, have a human review the diff, and push the change. The whole loop compresses from days to minutes, and the audit trail is the same one Sumsub already keeps.
This is a meaningful step for the broader enterprise AI stack. Compliance is one of the last functions in a regulated business where configuration has to be hand-coded by a domain expert, because the cost of a mistake is high and the work is rarely urgent enough to justify automation. AI agents that can read a regulator's policy and translate it into platform configuration, with human review, have been a long-promised but rarely delivered capability. Sumsub's release is the first time a major vendor in a regulated function has actually shipped it.
The release also exposes a real constraint that the AI agent ecosystem has been running into. The bottleneck for most enterprise AI deployments is not the model. It is the lack of MCP servers in the systems the model would need to call. The supply chain gap in the public MCP package ecosystem is real, with 71% of public MCP packages having a single maintainer and 9 of 11 registries failing to detect malicious uploads in recent testing, and security teams have been right to push back on agent deployments that depend on a thin layer of community-built servers. The longer-term answer is for major vendors to ship their own. Sumsub is the first KYC platform to do so, and the pattern matters more than the company.
For practitioners rolling out AI agents in compliance functions, the practical question is whether their existing vendor can do the same thing. Most KYC and AML platforms in 2026 are still configured through web forms and JSON files that no agent has programmatic access to. Teams that want the speedup Sumsub is offering will need to either migrate to a vendor that exposes an MCP server, or build their own integration layer, which is a much larger project and a much harder one to audit. For a deeper look at the broader governance layer that agent-driven compliance changes have to sit inside, the enterprise AI governance checklist on this site walks through the controls a regulated team should expect to have in place before any agent can write to a production system. The MCP security story is also still early. The recent analysis of the public MCP package supply chain is a good reminder that any agent toolchain, including a vendor-shipped one, needs the same source review and runtime controls as any other dependency.
The pattern is general, and other vendors will follow
Sumsub is the first identity verification platform to ship the configuration layer behind MCP, but it will not be the last. The pattern is general, and any vendor whose configuration is a meaningful source of friction for a regulated customer is a candidate. Expect the rest of the major KYC, AML, and fraud prevention platforms to follow within the next two quarters, because the procurement signal is unambiguous. The customers buying these platforms in 2026 are also the customers standardizing on AI agents, and the two roadmaps have to converge.