There are many ways to do it.
If you are ok requiring opt-in as part of the KYC process, then indeed, you can use a group of two transactions where one of them is done by the KYC authority account.
If you want more flexibility, you can have the KYC authority sign the whitelisted addresses and the smart contract will check this signature using the opcode ed25519verify.
Use a KYC key/value pair in users’ local state that is False by default and could be turned True only by a KYC provider (a regular account or another KYC dApp).
Using ed25519verify does not require you to know the rounds where the transaction will be issued.
But actually @cusma’s solution is even better in most cases, except if you absolutely want to prevent non-KYC users from opting in (in which case the solutions highlighted are most likely needed - but it’s unclear why you would like such a strong restriction)
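The signed-whitelist approach mentioned in this thread, modelled off-chain as an added example (not code from any of the posters or from Algorand). It assumes the message layout that ed25519verify checks, "ProgData" || program hash || data, and that the signed data is the user's 32-byte address key; the function names, seeds and program bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha512"
	"fmt"
)

// programHash models the program identifier: SHA-512/256 over "Program" || bytecode.
func programHash(bytecode []byte) [32]byte {
	return sha512.Sum512_256(append([]byte("Program"), bytecode...))
}

// opcodeMessage builds the bytes ed25519verify checks: "ProgData" || program hash || data.
// Binding the program hash stops a signature being replayed against another contract.
func opcodeMessage(ph [32]byte, data []byte) []byte {
	msg := append([]byte("ProgData"), ph[:]...)
	return append(msg, data...)
}

// SignWhitelist runs off-chain at the KYC authority, once per approved address.
func SignWhitelist(authority ed25519.PrivateKey, ph [32]byte, user ed25519.PublicKey) []byte {
	return ed25519.Sign(authority, opcodeMessage(ph, user))
}

// IsWhitelisted models the contract-side check. The signed data must be the
// transaction sender itself, otherwise anyone could reuse a signature they observed.
func IsWhitelisted(authorityPub ed25519.PublicKey, ph [32]byte, sender ed25519.PublicKey, sig []byte) bool {
	return len(sig) == ed25519.SignatureSize &&
		ed25519.Verify(authorityPub, opcodeMessage(ph, sender), sig)
}

// keyPair derives a deterministic key from a constructed seed (demo only, never for real keys).
func keyPair(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = b
	}
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	authPub, authPriv := keyPair(1)
	alice, _ := keyPair(2)
	bob, _ := keyPair(3)
	ph := programHash([]byte("constructed-approval-program"))
	sig := SignWhitelist(authPriv, ph, alice)
	fmt.Println("alice:", IsWhitelisted(authPub, ph, alice, sig))
	fmt.Println("bob reusing alice's signature:", IsWhitelisted(authPub, ph, bob, sig))
}
```

Because the signature covers only the address and the program, it stays valid for any round, which is why no round needs to be known in advance; revoking an address then needs a separate mechanism.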