28. Governance Before Innovation?
Digital Identity should be all about innovation, but it is dominated by governance. Read on to discover the pitfalls of this approach and how the situation could be resolved.
We know that Digital Identity is in a sorry state (no age assurance, fraud/scams, high costs) . But why?
It is because we are doing it back to front. Traditionally, technology evolved through a simple sequence:
Figure 1: Traditional IT Innovation to Governance Sequence
In Digital Identity, the sequence has largely been inverted:
Figure 2: Inverted Digital Identity Governance to Innovation Sequence
Now, we don’t start with a competition to find the best design. Now, we start with Government directives, regulated accreditation regimes, and standards bodies. Instead of an open competition between competing technologies, innovators increasingly compete in policy forums, standards committees and lobbying efforts rather than competing through demonstrating better solutions.
Identity has become policy-led rather than innovation-led.
In this newsletter I show how these three approaches mentioned above fail to deliver, and then I discuss how we might cure this malaise.
Legislate existing solutions or future architectures?
Legislation normally acts on what we have, but some countries attempt to legislate Digital Identity into existence!
Estonia’s e-ID and India’s Aadhaar illustrate the first approach. Estonia started a project in 1996 that led to a 1998 pilot, and subsequently the Identity Documents Act and Digital Signature Act were passed in 2000, and identity cards were issued in 2002. Aadhaar was operational from 2010 and was given statutory authority in law in the Aadhaar Act 2016. Both gave legal support to clearly defined identity solutions.
In contrast, the EU and several states of the USA have adopted a more ambitious approach. In the EU, Regulation (EU) 2024/1183, better known as EIDAS 2.0, establishes the European Digital Identity Framework. It states:
“The European Digital Identity Wallet should provide natural and legal persons across the Union with a harmonised electronic identification means enabling authentication and the sharing of data linked to their identity.”
This is not merely legislation enabling an identity ecosystem. It legislates key components of the proposed solution, including the digital wallet itself. Off the back of this legislation, the EU has financed architecture development and pilots to well over €100 million. But they are still designing, and have yet to demonstrate a generally accepted authentication architecture capable of supporting a broad range of Digital Identity scenarios. Given that authentication is fundamental to Digital Identity, this is significant.
Several US states are being equally ambitious. In Utah, State-Endorsed Digital Identity (SEDI) is defined in Utah SB 260/275. Utah’s SEDI legislation prescribes architectural characteristics including user-controlled identifiers, open standards, wallet portability, selective disclosure, and anti-correlation protections. Supported by associated policy documents, Utah clearly envisages a distributed identity system.
The distinction is stark: Estonia and Aadhaar have legislated identity solutions, while the EU and Utah have legislated preferred architectural choices before they have been validated through implementation and adoption.
This architectural approach remains unproven. The long and difficult history of the EUDI Wallet project does little to inspire confidence that legislating architectures is an effective way to develop digital identity systems. The willingness of companies to participate in EU-funded pilots is evidence of funding opportunities, but not necessarily of architectural success. Similarly, the existence of strong industry lobbying in support of SEDI does not demonstrate that the architecture itself is technically superior.
Legislating functioning solutions has generally proved more successful than legislating preferred architectures.
Create an accreditation regime and they will come?
Create a level-playing field with accreditation and innovative solutions will emerge?
Canada, Australia, the UK, and the New Zealand all started with the ideological belief that an accreditation framework would create the environment in which innovative identity providers would become accredited and identity solutions would emerge. This future has yet to be realised on any scale, and one country has already changed focus considerably.
Canada has the Digital ID & Authentication Council of Canada (DIACC) and its Pan-Canadian Trust Framework (PCTF). The DIACC is an edifice – just go online and check out the structure (17 board members, committees, goals, papers, policy etc). The PCTF is broad set of policies and recommended processes. Since 2016, the PCTF may have created an environment in which Identity solutions could emerge, but they haven’t. Canada appears to be in limbo waiting for the magical moment to happen.
Australia is the country that started like the others but then changed track. The Trusted Digital Identity Framework (TDIF, 2021) states:
The TDIF is an Accreditation regime which specifies the minimum requirements that Attribute Service Providers, Credential Service Providers, Identity Exchanges and Identity Service Providers are required to meet in order to achieve and maintain TDIF accreditation.
While this was a noble ambition, little progress was made other than by Australia Post (AusPost) which was accredited but has recently abandoned its Digital Identity service. Further, responsibility for Digital Identity moved in 2023 from the Digital Transformation Agency to the Department of Finance, ostensibly to promote solutions, and TDIF was quietly dropped. Searching for TDIF now oftens finds the following result:
In 2024, the TDIF was replaced with the Australian Government Digital Identity System (AGDIS) which is a federated digital identity system centred on government service delivery. That is, Australia moved away from an accreditation framework design (TDIF) to promoting a general identity solution to a prescribed federal government architecture (AGDIS). After almost a decade of trying to get a general accreditation model working, Australia back-tracked to a simpler government-focused solution. Presently, only state and federal entitles can participate!
The UK must be described as a cot case, but a cot case that started with the goal of an accredited environment for government services. The solution was GOV.UK Verify which lasted from 2016 to 2023. The intent was for private identity providers to compete in an identity market – the consumer chooses who to use! This open market approach reflected the prevailing political philosophy of the Cameron government. After a 7-year trial costing roughly £175 million, GOV.UK Verify was shut down.
Its replacement, One Login, is a similar governmental access solution to those in many other countries. But that is not the end of the story. The Starmer government then made attempts to legislate into existence a national identity scheme. This has not achieved any political momentum, let alone any results. The UK, once the leader of the accreditation approach, has now attempted to legislate a solution into existence. Now, with an upcoming change of leadership, who knows where the UK will end up.
New Zealand is the last to get its accreditation framework up and running. New Zealand started with Identity Standards published in 2021 before enacting the Digital Identity Services Trust Framework (DISTF) 2023. The DISTF Act created various governing bodies, and was followed by DISTF regulations issued in 2024 and updated in 2026. A unique feature of the New Zealand approach, from the standards to the regulations, is that identity is defined as a service architecture with 5 services: Information, Binding, Authentication, Credential, and Facilitation.
To date, one organization has been accredited. In order to promote further identity development, the GAAP department in the Department of Internal Affairs has developed components of a solution and has, working with Digital Identity New Zealand, driven the development of a Reference Architecture. How this will all play out is yet to be seen, but the New Zealand experience shows similarities to the EUDI Wallet with credential issuance being the starting point and with relying party interfaces still to come, and having not yet answered the question of authentication.
Just as legislatures have not legislated effective identity architectures that lead to identity solutions, regulated accreditation frameworks have not led to the emergence of innovators who develop identity solutions.
Can Standards Bodies Design the Future?
Standards bodies, quasi-official organizations, once played a relatively straightforward role: they standardized functionality that had already demonstrated practical value. Today, particularly in digital identity and telecommunications, standards bodies have proliferated and increasingly compete to lead architectural design.
Once it was about standardizing. Between 2002 and 2014, organizations such as the OpenID Foundation, IETF, and OASIS standardized online federated identity through technologies including SAML, OAuth, and OpenID Connect. These standards established a common approach to online authentication and single sign-on.
Now it is about promoting. W3C, ISO, NIST, the OpenID Foundation and others have gone beyond standardizing an approach, and have promoted Digital Identifiers (DIDs), Verifiable Credentials, mDocs, mobile Driving Licences (mDLs), digital wallets, and related architectures. Yet these initiatives remain works in progress, with limited large-scale deployment and little evidence of broad market convergence.
One has worked, to a degree. Widely adopted from around 2022, FIDO2 and passkeys, an evolution of years of FIDO work, provide phishing-resistant authentication based on operating-system-managed credentials and secure device hardware. FIDO2 has achieved substantial market acceptance because it solves a specific problem in a practical and deployable way.
One respected consultant recently remarked that he had spent ten years working on mobile driving licences and attended more than one hundred standards meetings. Does this represent progress, or process for process’ sake?
Standards bodies have now moved from being a follower to being a leader. For relatively small-scoped problems they can eventually succeed, but for big hairy problems, the consultative, committee based approach seems to foster inaction and a lack of progress.
No Digital Identity solution has emerged primarily from a standards process.
Just as legislatures and regulated accreditation frameworks have failed to lead to the emergence of general identity solutions, standards bodies have failed to deliver meaningful progress.
Why did this happen?
Three approaches and three failures:
Legislating preferred architectures has yet to produce broadly adopted Digital Identity solutions
Accreditation regimes have not yet produced thriving competitive Digital Identity markets
Standards bodies have not produced a broadly adopted and successful Digital Identity architecture
How did invert the process to:
Figure 2: Inverted Digital Identity Governance to Innovation Sequence
I suspect that two factors have contributed. The first factor is that digital identity is increasingly viewed as national infrastructure rather than as simply an IT product. Governments therefore feel compelled to design the architecture rather than to regulate successful solutions.
The second factor is that the digital identity industry has matured into an ecosystem of policy advisers, standards bodies, regulators and consultants. Commercial success increasingly comes from influencing policy rather than from winning an open design competition.
These conjectures are speculative and may lead into another newsletter. I’ve included them here primarily to start a debate.
What to do next?
I cannot end this newsletter, having suggested a problem, without providing a view of how we might do a lot better.
Governing bodies should not attempt to design Digital Identity architectures. Their role is to define the problems society wishes to solve, encourage competing technical solutions, objectively evaluate them and, only then, standardise and regulate those that prove successful.
The first task is defining the solution space. We currently lack a broad perspective of the total identity space, primarily because we lack a common language for identity. Normally a society will inevitably converge on some common themes but in identity we seem to be still floundering around. We must do better.
To following tasks that find solutions, will be unlikely to be achieved through the monolithic multi-year development of identity edifices under state control. They are much more likely to come from ecosystem prototypes that can demonstrate functionality and be open to critique for cost, security, and long-term feasibility.
Innovation before Governance
Regards
Alan







