The decentralised evolution of foundational IDs: is your business ready?

Identity ecosystem expert Lucy Yang dives into the paradigm shift in which a financial institution can verify the validity and authenticity of a customer’s legal identity credential, without needing to call back the issuing authority at every interaction.

A recurring theme in my discussions about digital identity with stakeholders is an alarming confusion regarding the relationship between foundational ID systems and the proof of foundational IDs. The World Bank’s Identification for Development (ID4D) Practitioner’s Guide provides a vital baseline for this distinction: it defines foundational ID systems - such as civil registries and national IDs - as those ‘created to provide identification to the general population for a wide variety of transactions’. These usually serve as the authoritative sources of legal identity for natural persons within a nation.

Essentially, a foundational ID system provides the source of truth, while the credential - whether a physical card, a paper certificate, or a digital credential - is the proof of identity. This distinction is critical; in a digital-first world, we require not only evolved foundational ID systems but also proof of identity in forms that can sufficiently support our ever-increasing digital activities.

Understanding foundational IDs through the lens of digital credentialing

At MOSIP Connect 2026 in Rabat, Morocco, I participated in discussions where the urgency of addressing this distinction was palpable. As over 10 countries - including Uganda, Morocco, Ethiopia, and the Philippines - have moved past pilot projects into national rollout stages with their MOSIP implementations, the conversation has turned toward cross-border interoperability between the MOSIP countries. While this is primarily a policy challenge, the technical discourse can fall into a dangerous trap: the idea of interoperability through ‘connecting’ foundational ID systems or ‘data sharing’ between countries - a concept that rarely reflects the actual intent of those proposing it.

Direct ‘hooks’ between national systems are politically unlikely and architecturally flawed. Allowing foreign direct access to sensitive population data not only risks infringing on national sovereignty but also erodes public trust - the fuel of any Digital Public Infrastructure (DPI) initiative. Furthermore, this approach creates the foundation for an interconnected surveillance web, where every transaction could potentially be tracked back to the authoritative source in real-time.

Interoperability of foundational IDs does NOT require connecting the databases holding the source of truth. The purpose of digitally credentialing legal IDs using open standards is precisely to prevent this system-level integration. It allows us to use digital forms of our legal IDs much like we use physical cards: the proof of identity is controlled by the user, and the verification happens at the ‘edge’, far away from the authority that issued the proof. This is where the world is moving: the central authority maintains the digital system that holds the source of truth, but the individual carries the digital proof.

A paradigm shift: the (not so) intuitive Three-Party Model

Foundational IDs and the digital credentials derived from them are fundamentally different entities. Distinguishing between a record in a government database and a digital credential in the possession of an individual is paramount for modern infrastructure. Using standards-based digital credentials, an architect can ‘extract’ foundational ID data into a cryptographically secured, verifiable format in the user’s hand. This allows for both online and offline verification, where a verifier - such as a digital banking service - can confirm the validity, authenticity, and legitimacy of a digital credential (e.g., a mobile driver’s license) without calling back and potentially alerting the issuing authority at each point of interaction.

This ‘Three-Party Model’ (Issuer-Holder-Verifier) allows the issuer, the holder, and the verifier to fulfil their roles independently, using systems of their choice without requiring interconnected databases. In my work building real-world ecosystems, the biggest hurdle is often the lack of understanding of this paradigm shift.

For professionals who have spent decades building point-to-point integrations, the idea that you can verify government-sourced data without hitting a government API is counter-intuitive. It goes against deeply entrenched professional instincts. However, that centralised API is a high-value target for hackers, and the constant API calls create unnecessary traffic on the web when the transaction is possible solely locally. Decentralising through credentials changes this model, where verifiable, encrypted identity data is pushed to the edge device, making verification instantaneous and more secure.

Currently, we are still at a stage where even after verifiers have successfully set up their own systems, they often ask how they will be notified when the issuer service is ‘down’ or how they can pull additional integrated data from the issuer. This stems from the misconception that they have performed a conventional system integration. In reality, they have simply added a ‘local’ verification capability that is not connected to the issuer’s database or server.

Another misconception verifiers often have is that issuers can see the activities in a holder’s digital wallet. While the issuer may also be a wallet provider, in this three-party model, issuers don’t and shouldn't track wallet activities. If the wallet provider is a separate entity, they can also be required to encrypt wallet activities.

To simplify: there is a fundamental difference between a user sharing data stored on their own device and an issuer, such as a government agency, sharing data from their database on the user’s behalf. This distinction is at the core of what many call Decentralised Identity today. It is an ideological and architectural shift toward disintermediation, where government agencies and large platforms can be removed from transactions where they are not strictly needed. It accomplishes one of the goals of human-centric identity while retaining issuer authority.

Moving into production: opportunities unlocked by credentialing

The market is moving past the pilot phase into production. For those of us who have attended MOSIP Connect for two consecutive years, this year in Rabat felt significantly more ‘real’. More countries are taking the stage to talk about the scale of their foundational ID systems. Meanwhile, the growing uptake of MOSIP’s Inji wallet points to the increasing value of credentialing foundational IDs and beyond. MOSIP itself has moved from building foundational infrastructure to a use-case driven mode where their digital credentials and wallet modules become the ‘connective tissue’ between foundational ID systems and real-world use cases in education, supply chain, travel, and healthcare.

As an advisor to California’s mobile driver’s license (mDL) and CA DMV Wallet program, I have experienced this evolution firsthand. In North America, the driver's license is the primary legal ID - a foundational ID in practice. While many are aware of mDL use at Transportation Security Administration’s airport checkpoints, the California Community Colleges (CCC) go-live with the CA DMV Wallet demonstrates how digital credentials improve public service efficiency. As the largest system of higher education in the US, they have adopted the CA DMV Wallet and mDL as a recommended identity verification method in their CCCApply portal. This provides the CCC with a more secure and cost-effective alternative to third-party providers who typically charge per-transaction costs. According to the CCC, this is just a starting point.

While verifiers often begin with the ‘unsexy’ but critical use case of identity proofing for a single purpose - in the CCC’s case, student applications - the success of the first rollout will quickly reveal broader value. This will prompt verifiers to explore additional verification use cases, passwordless authentication use cases, the use of verified attribute data, and the potential of issuing their own functional credentials (e.g., digital student ID cards). This is a perfect example of how the credentialing of legal IDs can inspire broader innovation across the entire ecosystem.

While mDL programs are being rolled out across the US, Australia, and New Zealand, the EU Digital Identity Wallet (EUDIW) is reaching a similar turning point. With the late 2026 deadline (based on the European Digital Identity Framework, Article 5a) for member states to make at least one certified EUDIW available, the EU market is moving toward mandatory acceptance. While some expect delays, it simply means that players in the EU are navigating different regulatory and market dynamics than those in the US and elsewhere.

The next frontiers: business and agentic AI identity

While foundational ID credentials are for natural persons, they also lay the groundwork for business identities and the most forward-leaning topic today: Agentic AI Identity. At the end of the day, humans remain behind business entities and AI agents - whether you are a director of an organisation or the accountable human owner providing prompts to an AI agent.

The old model to call back to an authoritative API for every transaction is a legacy behaviour that creates global data liability and systemic fragility. By adopting the Three-Party Model, when necessary, we achieve something far more valuable than simple interoperability: we achieve resilience. By decoupling the source of truth from the proof of identity, we are solving the paradox of global scale versus local control. As we look toward a future where businesses and AI agents will require the same verifiable trust as natural persons, is your organisation ready to operate in a less intermediated world?

The author would like to thank David Kelts for his thoughtful review and input on this piece.

About Author

 

Lucy Yang is a recognised expert in digital identity, pioneering the global adoption of emerging standards-based credentials. She specialises in navigating complex ecosystems, synchronising high-level policy and technical standards with large-scale implementation for governments and multinational organisations. An active contributor to the international identity landscape, Lucy is dedicated to deploying technology that solves real-world challenges, overcoming intricate market hurdles to shape secure, interoperable digital credential ecosystems on a global scale.