Series 6

A GRACE Framework governance note

Published April 2026 | Author: Andrew Young

This governance note forms part of the Data, Digital Identity & System Governance series (S6) within the System Analysis page. It should be read alongside the GRACE Framework, which defines the governance methodology applied in this analysis, and the preceding S9 notes, which examine how governance systems behave under conditions of distributed authority, partial visibility, and fragmented attribution.

Introduction

Digital identity systems are often presented as administrative or technological tools designed to improve efficiency, reduce fraud, and simplify access to services. In this framing, identity is treated as a neutral input into public systems — a means of confirming who an individual is in order to enable interaction with government, services, and institutions.

From a governance perspective, digital identity performs a structural function within the system.

It defines who is recognised, how access is structured, and how the system responds over time.

This note examines digital identity as a system control layer. It considers how identity operates structurally within governance systems, and how its presence reshapes recognition, access, attribution, and control over time.

Identity as a System Function

All governance systems require a method of identifying individuals. This function exists regardless of whether identity is recorded through documents, registers, institutional knowledge, or digital infrastructure.

Identity exists independently of digital systems. Digital identity changes the precision, persistence, and scope with which identity is applied.

At its most basic level, identity performs three functions:

• Recognition — Determining whether an individual is known to the system
• Access — Determining what the individual is permitted to do
• Consequence — Determining how the system responds to the individual’s actions

These functions define the operational boundary between the individual and the system.

Where identity is weak or fragmented, systems rely on approximation, discretion, and partial information. Where identity is structured and persistent, systems operate with greater consistency and precision.

Digital Identity as Infrastructure

Digital identity systems introduce a structured, persistent, and system-recognised form of identity. Unlike traditional identity methods, which may vary between institutions, digital identity creates a consistent reference point across multiple domains.

This shifts identity from a supporting administrative process into a foundational system layer.

Within this layer, identity is no longer limited to isolated verification events. It becomes:

• Persistent — recognised across repeated interactions
• Transferable — usable across different services and institutional contexts
• Interoperable — capable of functioning across organisational boundaries

Identity operates as an interface between the individual and the system.

It is the point through which the individual is recognised, engaged, and processed by the system.

System Effects of Identity Infrastructure

When identity operates as a structured system layer, it produces a set of consistent effects across governance systems.

These effects do not arise from policy intent. They arise from system design.

Recognition

The system gains the ability to recognise individuals consistently across interactions. This reduces ambiguity and increases operational certainty.

Access

Access to services, entitlements, and processes becomes increasingly dependent on system-recognised identity. Identity becomes the gateway through which participation occurs.

Attribution

Actions, transactions, and interactions can be reliably linked to a defined identity. This increases the system’s capacity to attribute behaviour, responsibility, and activity.

Control

Where recognition, access, and attribution are combined, the system gains the ability to regulate, enable, restrict, or condition participation.

Control is embedded in system design, expressed through access structure, verification, and interaction rules.

Identity and System Structure

Digital identity does not operate in isolation. It is introduced into governance systems that already contain layered authority, institutional complexity, and distributed control.

As a system layer, identity interacts with these existing structures.

It does not simplify them. It makes them more operationally coherent.

This coherence increases the system’s ability to:

• Coordinate actions across domains
• Apply rules consistently
• Track interactions over time

At the same time, it concentrates system interaction at a defined point.

Identity becomes the primary interface between the individual and the system.

Structural Drift and Dependency

Where identity becomes embedded as a system layer, a gradual shift may occur in how systems operate.

This shift is not necessarily deliberate. It emerges through use.

Over time:

• Identity moves from optional to expected
• Expected processes become standardized
• Standardisation reduces alternative routes

As reliance on identity infrastructure increases, systems may become dependent on it as the default mechanism for interaction.

This creates a structural condition in which:

• Participation becomes linked to system-recognised identity
• Alternative modes of interaction become less accessible or less efficient
• Identity infrastructure becomes difficult to avoid in practice

This process is incremental. It is often not visible as a discrete change.

Identity as a Control Layer

When identity operates as a persistent, structured, and system-recognised layer, it performs a control function.

This function does not arise from enforcement alone. It arises from how systems are designed to recognise, process, and respond to individuals.

Where identity determines:

• Whether an individual is recognized
• What they can access
• How their actions are attributed

It also determines how the system can act in response.

Control, in this context, is not limited to restriction. It includes:

• Enabling or disabling access
• Prioritising or delaying interaction
• Conditioning participation on verification
• Structuring how and when the system engages

Identity therefore becomes the point through which system behaviour is expressed and observed in practice.

Where identity is structured, persistent, and system-recognised, interaction between the individual and the system becomes more consistent, more traceable, and more dependent on that interface.

This does not change the purpose of governance systems. It changes how that purpose is operationalised over time.

A GRACE Framework governance note

Published April 2026 | Author: Andrew Young

This governance note forms part of the Data, Digital Identity & System Governance series (S6) within the System Analysis page. It should be read alongside the preceding S6 note, which defines digital identity as a system control layer, and the S9 series, which examines how governance systems behave under the structural conditions identified in the S9 series.

Introduction

Where the preceding note establishes digital identity as a structural system layer, this note examines how such systems operate in practice.

Digital identity systems are introduced to enable consistent verification across multiple domains.

Once identity becomes a persistent and reusable system layer, the governance question is no longer limited to functionality.

It becomes a question of scope, linkage, accountability, and control.

Operational Model (Contemporary Systems)

A modern digital identity system typically operates as a layered structure rather than a single unified product.

In practice, this operates as a layered structure:

• An account layer — Through which individuals access services
• A credential layer — Where identity attributes and proofs are stored
• A verification layer — Enabling identity checks to be reused across multiple services
• A trust framework — Defining rules for participation by public and private verification providers

This creates an identity ecosystem rather than a single system.

Identity is therefore not held in one place. It is:

• Referenced across systems
• Verified through multiple actors
• Applied across different institutional contexts

From a governance perspective, this distributed model increases flexibility while introducing complexity in control and accountability.

Core Governance Risks

The primary risks associated with digital identity systems arise not from their existence, but from how they evolve over time.

These risks do not arise from failure of technology, but from how systems expand once embedded.

Systems introduced as optional may become expected, and eventually difficult to avoid in practice.

Expansion may occur into:

• Employment verification
• Housing access
• Financial services

Without explicit democratic mandate or clear boundary setting.

Cross-System Linkage

Where identity operates across multiple domains, the potential emerges for indirect linkage between datasets.

This may include:

• Health
• Tax
• Migration
• Policing

The governance requirement is that linkage remains:

• Lawful
• Transparent
• Purpose-limited

Exclusion

Digital identity systems may create structural barriers for individuals without:

• Access to digital device
• Stable identity documentation
• Digital literacy

Where alternative routes are weak or inefficient, this can result in a two-tier system of access.

Private-Sector Dependency

Where identity verification involves certified external providers, questions arise regarding:

• Market concentration
• Vendor lock-in
• Liability for failure
• Long-term control of identity infrastructure

Error, Lockout, and Misidentification

Identity systems introduce new failure modes:

• False matches
• Account lockouts
• Verification failures

The governance question is whether individuals have:

• Rapid appeal routes
• Human override mechanisms
• Accessible recovery processes

Governance Boundaries and Democratic Control
Digital identity systems require defined statutory boundaries, independent verification, and enforceable mechanisms of democratic control.

Statutory Basis and Scope Control
Digital identity must operate within a defined legislative framework before large-scale implementation.

This framework must:

• Define the purpose of the system in law
• Establish limits on how identity data may be used
• Require parliamentary approval for any material expansion of scope

In particular, cross-database linkage between major datasets must not occur through administrative extension.

Independent Verification and Audit
Independent bodies must be responsible for:

• Auditing algorithmic fairness and bias
• Verifying compliance with data-protection and proportionality standards
• Assessing vendor integrity and procurement risk

Public Visibility and Consultation
Consultation must include:

• Ongoing publication of system use and data flows
• Clear explanation of identity data use
• Mechanisms for public input on scope changes

Commercial Interface and Use of Identity Infrastructure
Digital identity systems do not operate in isolation from economic activity.

Where identity becomes a persistent and widely accepted interface, it may also become a point of commercial engagement.

Governance Requirement:
A clear statutory boundary must exist between public identity function and commercial use.

Risk:

• Opaque commercial engagement
• Public infrastructure generating private value
• Erosion of trust in system neutrality

The governance requirement is that identity remains a public function, not a gateway for commercial access.

GRACE Control Mapping (E–S–V–Z)

Annex E — Risk

• Function creep and expansion of scope
• Cross-system data linkage
• Exclusion and access inequality
• Misidentification and system error
• Perception of surveillance and behavioural impact

Annex S — Fiscal

• High integration costs across legacy systems
• Ongoing operational costs (verification, cybersecurity, support)
• Risk of vendor lock-in
• Cost displacement to local authorities and individuals

Annex V — Visibility

• Clarity on what data is held
• Transparency on who accesses identity data
• User visibility over access logs
• Defined boundaries on data use

Risk arises where data flows are not visible and access is not logged or disclosed to the individual.

Annex Z — Attribution

• Ownership of the system (public vs hybrid)
• Liability for failure or misuse
• Responsibility for decisions and outcomes
• Control over expansion of system scope

Attribution must remain explicit as systems scale.

Gate Taxonomy Application

DCT — Democratic Consent Test

• Was the system explicitly debated and approved?
• Is scope clearly defined and limited?

Risk: introduction through administrative expansion rather than explicit mandate

ARG — Absolute Rights Gate

– Can individuals access essential services without digital identity?

– Are non-digital alternatives fully functional?

Risk: “optional in theory, required in practice”

EG — Economic Case Gate

• Are full costs disclosed (build, integration, operation)?
• Are savings evidenced rather than assumed?

Risk: underestimation of long-term cost and vendor dependency

IG — Implementation Gate

• Are legacy systems compatible?
• Are appeals and safeguards operational at launch?

Risk: system deployed before safeguards are functional

RAG — Risk & Assurance Gate

• Are exclusion rates, errors, and failures monitored in real time?
• Are there automatic triggers for pause or correction?

Risk: system drift without visibility or intervention

VAR — Value Assurance Review

• Does the system deliver measurable benefit over time?
• Are outcomes aligned with stated objectives?

Risk: continued operation despite failure to deliver value

Annex O — Audit and Enforcement

Continuous audit is required to ensure identity systems remain within defined governance boundaries (Annex O).

Audit Scope

• Access and usage of identity data
• Cross-system data linkage
• Exclusion and access metrics
• Error and misidentification rates
• Expansion of system scope

Audit Triggers

Audit should activate automatically where:

• Exclusion exceeds defined thresholds
• Error rates increase
• Unauthorised linkage occurs
• Complaints exceed baseline levels
• New use cases are introduced without approval

Audit Independence

Audit must be:

• Statutorily independent
• Reporting directly to Parliament and the public
• Protected from political or contractual influence

Audit Outputs

• Regular public reporting
• Quantitative metrics (not narrative summaries)
• Clear classification of compliance, risk, and breach

Enforcement Mechanism

Audit must connect to action:

• Automatic pause triggers where thresholds are breached
• Mandatory ministerial response
• Defined corrective action plans
• Escalation to oversight bodies where required

Digital identity systems do not determine their own limits. Their behaviour over time depends on whether governance boundaries, visibility, and accountability mechanisms remain effective in practice.

A GRACE Framework governance note

Published April 2026 | Author: Andrew Young

This governance note forms part of the Data, Digital Identity & System Governance series (S6) within the System Analysis page. It should be read alongside the preceding S6 notes, which define digital identity as a system control layer and examine its governance risks, as well as the GRACE Framework, which provides the methodology applied in this analysis.

Introduction

The preceding notes establish digital identity as a structural system layer shaping attribution, access, and control.

This note examines attribution, consent, and system power within that structure.

Where identity becomes persistent and embedded across domains, the relationship between the individual and the system is no longer defined solely by access or verification.

It becomes defined by how identity is used to attribute behaviour, condition participation, and structure interaction over time.

In this context, the central governance question is not whether identity systems function effectively, but how power is distributed within them, and whether individuals retain meaningful agency within a system that increasingly relies on identity as its primary interface.

Attribution and the Structuring of Identity

Digital identity systems enable consistent attribution of actions, interactions, and outcomes to a defined individual.

This represents a significant shift from fragmented or context-specific identification, where attribution may be partial, uncertain, or limited to a single domain.

Where identity is persistent, attribution becomes continuous. Actions taken in one context may be linked, directly or indirectly, to identity across others. This creates a system condition in which behaviour can be recorded, interpreted, and acted upon with increasing coherence.

Attribution enables accountability and consistent application of rules.

Attribution also defines how responsibility is assigned, how behaviour is interpreted, and how system responses are triggered.

Where attribution is comprehensive, the system gains the capacity to construct a continuous representation of the individual’s interaction with it. This representation may influence access, prioritisation, or decision-making in ways that are not always visible or easily understood by the individual concerned.

The question is therefore not whether attribution occurs, but whether its scope, use, and consequences remain bounded, transparent, and subject to oversight.

Consent in Structured Identity Systems

Digital identity systems are often framed as voluntary or user-driven. Individuals are presented with choices to create accounts, verify identity, and consent to the use of their data.

In practice, however, the meaning of consent becomes more complex as identity systems become embedded within governance structures.

Where access to services, employment, housing, or financial systems increasingly relies on digital identity, participation may become conditional on engagement with the identity system itself.

In such circumstances, consent operates within constrained conditions.  The individual may formally agree to the use of identity infrastructure, but the absence of viable alternatives may limit the practical ability to refuse.

This creates a distinction between formal consent and functional necessity, where participation becomes dependent on identity infrastructure.

Where digital identity becomes the default interface for interaction, consent may remain formally valid while becoming substantively limited.

The governance question is therefore whether individuals retain genuine choice, or whether consent becomes a procedural step within a system that cannot reasonably be avoided.

System Power and Control Dynamics

Digital identity concentrates interaction between the individual and the system at a defined point.

As established in the preceding notes, identity determines recognition, access, and attribution. When these elements are combined, identity becomes a central mechanism through which system power is exercised.

This power does not require overt enforcement. It is embedded in system design.

The system can enable or restrict access, prioritise or delay interaction, and condition participation based on identity status, verification outcomes, or associated data.

These actions may occur automatically, through predefined rules, or indirectly, through system dependencies and integration across services.

As identity becomes more widely adopted, the scope of this control expands. It extends across administrative, economic, and social domains, linking previously separate interactions into a more coherent system of engagement.

From a governance perspective, this creates a shift from discrete decision-making processes to continuous system-mediated interaction.

The individual does not encounter isolated points of authority. They engage with a system that operates through identity as a persistent interface.

This defines how power is exercised, who defines the rules of interaction, and how individuals can challenge or influence system behaviour.

Asymmetry and Visibility

A defining characteristic of digital identity systems is the potential for asymmetry between system visibility and individual visibility.

The system may have extensive capacity to observe, record, and interpret individual behaviour across domains. The individual, by contrast, may have limited visibility over how identity data is used, how decisions are made, or how interactions are linked.

This asymmetry may arise through system design, complexity, or aggregation over time. 

Its effect is structural.

Where visibility is uneven, the system gains informational advantage. It can act with greater awareness than the individual can access or contest.

This has implications for accountability.

If individuals cannot see how identity is used, they cannot meaningfully challenge its application. If attribution is opaque, responsibility becomes difficult to trace. If decisions are not transparent, control cannot be effectively scrutinised.

The governance requirement is therefore not only that systems function correctly, but that their operation remains visible, understandable, and open to challenge.

Attribution of Power and Responsibility

As digital identity systems expand, the question of attribution extends beyond individuals to the system itself.

Key governance questions arise:

Who controls identity infrastructure? 
Who is responsible for errors, exclusion, or misuse? 
Who determines how identity is applied across domains?

In distributed identity ecosystems, responsibility may be shared between public authorities, private providers, and hybrid governance structures.

This distribution can obscure accountability.

Where multiple actors participate in identity verification, data processing, and system operation, it may become unclear where responsibility ultimately resides.

This creates a risk that power is exercised without clear attribution, while responsibility is diffused across the system.

From a governance perspective, attribution must remain explicit and enforceable.

Control, decision-making, and liability must be clearly defined, even where systems are technically distributed. Without this clarity, individuals may face system outcomes without a clear path for challenge or redress.

Identity, Participation and System Dependency

As identity becomes embedded across domains, participation in social and economic systems may become increasingly dependent on identity infrastructure.

This dependency is not introduced as a single decision. It emerges incrementally, as systems align around a common method of identification and verification.

Over time, identity becomes the default gateway to interaction.

This has practical implications.

Individuals who cannot engage with the identity system, whether due to access barriers, documentation gaps, or digital literacy constraints, may experience reduced access to services or increased friction in participation.

Even where alternatives exist, they may be less efficient, less accessible, or less widely supported.

This creates a structural condition in which identity is formally optional but operationally central.

The governance question is whether systems remain accessible to all individuals, or whether dependency on identity infrastructure creates new forms of exclusion.

System Mapping — Institutional Structure and Control

Digital identity systems do not operate as a single institutional function. They map across multiple layers of government, each of which interacts with identity in a different way.

At the policy level, central government defines the legislative basis, scope, and intended function of identity systems. This includes determining the legal framework within which identity data may be collected, verified, and applied across domains.

At the departmental level, identity is integrated into operational systems. Departments such as taxation, health, welfare, migration, and policing may rely on identity infrastructure to verify individuals, process access, and apply rules within their respective domains.

At the delivery level, identity systems are experienced through services. Local authorities, public bodies, and contracted providers implement identity verification as part of service access, often acting as the point at which identity requirements become operational in practice.

At the technical and verification level, identity systems may involve private-sector providers responsible for credential verification, authentication, and system integration. These actors operate within defined trust frameworks but may hold operational control over key components of identity infrastructure.

This creates a distributed system of control across policy, administration, delivery, and technical infrastructure.

From a governance perspective, this distribution has two effects.

First, it increases system capability. Identity can be applied consistently across domains, enabling coordination and interoperability.

Second, it complicates accountability. Where multiple actors participate in identity verification and use, responsibility for outcomes may become diffused.

The central governance requirement is therefore not simply that each layer operates correctly, but that the system as a whole remains coherent, visible, and attributable.

This requires clear alignment between:

• Legislative authority (who defines scope)
• Operational control (who applies identity)

• Technical control (who enables identity)
• Accountability (who is responsible for outcomes)

Where this alignment is weak, system power may expand without corresponding clarity in responsibility.

Where alignment is strong, identity systems can operate as a coordinated but accountable governance structure.

Digital identity systems structure interaction between the individual and the system through persistent attribution, conditioned participation, and defined control interfaces.

Their operation over time depends on whether attribution, consent, and visibility remain effective in practice.

Where these conditions weaken, system behaviour changes accordingly.

A GRACE Framework governance note

Published April 2026 | Author: Andrew Young

This governance note forms part of the Data, Digital Identity & System Governance series (S6) within the System Analysis page. It should be read alongside the preceding S6 notes, which define digital identity as a system control layer and examine its governance risks, and the Transparency, Accountability & Public Trust series (S9), which examines how governance systems behave under the structural conditions identified in the S9 series.

Introduction

Digital identity systems are now moving from policy concept into operational reality. The United Kingdom has established a legislative and technical framework for digital identity, alongside an active programme of implementation across public services.

These measures define how identity systems operate: verification standards, certification of providers, and interoperability across departments. They do not, in their current form, define the full scope within which identity systems may be used over time.

Current Framework

The current framework establishes the operational model of digital identity. It includes legislative provisions, technical standards, and a trust framework governing verification providers and system interoperability.

Identity systems are being integrated across services, enabling consistent verification and reuse of identity credentials. This creates a unified access layer across multiple domains of public administration.

The model is presented as optional and user-driven. In practice, as integration expands, identity becomes increasingly embedded within service access and administrative processes.

The Governance Gap

The current framework defines how identity systems function.

It does not fix the boundary of what those systems may become.

As identity becomes embedded across services, the governance question shifts from operation to scope.

The issue is not whether identity systems operate effectively, but whether their expansion remains bounded, visible, and subject to explicit control.

Identity as a System Control Layer

As established in the preceding S6 notes, identity functions as a system control layer.

Where identity determines recognition, access, and attribution, it also determines how systems can enable, restrict, or condition participation.

The scope of identity is therefore not a technical detail. It defines the operational boundary of system control.

Where scope expands, control expands. Where scope is undefined, control becomes difficult to trace.

System Behaviour and Structural Drift

Series 9 demonstrates that governance systems depend on visibility, attribution, and enforceable control.

Where system scope expands without explicit boundary, these conditions weaken.

Visibility may reduce as systems become more complex. Attribution may become distributed across institutions and providers.

This creates a condition of structural drift, where system behaviour evolves beyond its original definition without a corresponding change in democratic mandate.

Democratic Consent and Control (Section 21)

This is a question of democratic control.

Section 21 of the Green Paper establishes that governance systems must remain subject to democratic consent, accountability, visibility, and enforceable limits.

Where system scope is not defined in law, these conditions become difficult to maintain in practice.

The issue is therefore not whether digital identity systems are introduced, but whether their scope remains subject to the same standards of consent, transparency, and control that apply to other forms of public authority.

Where scope is not fixed, consent cannot be meaningfully exercised.

Consultation Question

Should the scope and use of digital identity systems be fixed in primary legislation, with any expansion requiring explicit parliamentary approval?

The issue is not whether digital identity systems are introduced.

It is whether their scope remains defined, visible, and subject to enforceable democratic control as they expand.

Where scope is not fixed, control is not bounded.

This raises a corresponding question of system design.

Where digital identity becomes the primary interface through which individuals are recognised, verified, and processed, an equivalent standard of visibility and attribution must apply in the opposite direction.

The visibility of system behaviour depends on the ability to map it.

The preceding S9 series establishes a method of structurally mapping government functions across financial and non-financial domains, institutional actors, and operational environments.

This mapping is not descriptive. It provides the basis for attribution.

Crucially, this includes the identification of control and influence structures within the system, including conflicts of interest, politically exposed persons, beneficial ownership, contractual relationships, and procurement chains.

These elements determine not only how systems operate, but who benefits from their operation and where influence may be exerted.

When applied alongside digital identity systems, this enables a transition from isolated verification events to a structured understanding of how the system operates as a whole.

Within the GRACE Framework, this structural mapping supports the Annex V visibility layer and the Annex Z reconciliation mechanism, allowing system behaviour, cost, risk, and influence to be identified, attributed, and corrected in practice.

Without this mapping, visibility remains partial. With it, system behaviour becomes governable.

This raises a corresponding question of system symmetry.

Where individuals are required to verify identity in order to access services, an equivalent standard of visibility must apply in the opposite direction.

One possible expression of this is a public-facing identity layer for the State itself, through which taxpayers can observe the structure, cost, and operation of government systems in an integrated form.

Such a mechanism would enable individuals to reconcile, in practice, how public funds are allocated, how risks are distributed, and how decisions are implemented across departments over time.

In GRACE terms, this would represent a direct extension of the Annex V visibility layer and the Annex Z reconciliation mechanism into a form accessible to the public, allowing system behaviour to be examined, understood, and tested beyond periodic budgetary or parliamentary cycles.