Digital Identity: Mitigating Fragility
This post draws from my opening keynote at Identiverse® 2025, which served as a chance to reflect on where we are as an industry, and where we need to go next. What started as a set of (relatively!) niche conversations about federation and directory structures has become something far broader: an ongoing exploration of what it means to be known, trusted, protected, and represented in a digital world.
We now face a landscape shaped by overlapping waves of technological innovation, regulatory shifts, and geopolitical complexity. These changes are neither ephemeral nor peripheral. They are structural. And if digital identity professionals are to meet the moment, we’ll need systems designed not just for adoption, but for adaptation; and—as practitioners—the mindset to respond positively to change.
Fragility at Scale
The last few years have made it clear that fragility is not a metaphor. The digital infrastructure we rely on—protocols, code libraries, regulatory frameworks, even the “common sense” of user expectations—is fraying. The fabric isn’t torn, but it’s certainly under strain.
Part of our challenge is uncertainty. It isn’t that we dislike change—on the contrary, some of our best work has emerged in response to it—but uncertainty compounds the difficulty of making robust decisions. It’s not just threat actors we need to worry about, but the cumulative weight of misaligned incentives, technical debt, and shifting norms.
Digital identity is by no means immune to these stressors. But it may be our best hope of mitigating their effects.
Four Shifts Worth Watching
While dozens of innovations and developments compete for attention, four stand out for their potential to reshape how we think about—and implement—identity systems:
1. Artificial Identity
Yes, we’ve all heard more than enough about generative AI. But the shift from tools that produce text and images to systems that can act on our behalf introduces new identity challenges. How do we know whether we’re interacting with a human, a bot, or something in between? If a semi-autonomous agent takes action in your name, what does delegation look like? And when something goes wrong—because something will—how do we establish intent, perform recovery, or correct course?
Some of this work is underway. We’re beginning to understand what trust instrumentation might require, and initiatives like the Content Authenticity Initiative (“CAI”) and the Coalition for Content Provenance and Authenticity (“C2PA”) are making promising progress. But we’re early in the journey, and the speed at which AI capabilities are evolving means the clock is ticking.
2. Non-Human Identity
It’s not just about bots. The identity of devices, workloads, services, and organisations is increasingly central to digital operations. Estimates vary, but a 45:1 non-human to human ratio doesn’t seem far-fetched—and that number is rising.
Workload identity standards like SPIFFE/SPIRE and WIMSE offer useful starting points. But scale, ephemerality, and delegation remain problematic. How do we manage cascading permissions in environments where actions are taken by entities several layers removed from any individual user? How do we monitor and audit at machine speed?
3. Personal Identity
The advent of digital wallets and verifiable credentials is changing how we manage personal identity. There’s a great deal of potential here—for privacy, user experience, and data integrity—but it’s not without its complications.
Wallet proliferation, interoperability gaps, and the thorny issue of recovery (especially when credentials underpin fundamental rights like employment or travel) all pose significant challenges. Add in concerns about proofing creep, surveillance (although the No Phone Home initiative has potential), and the need for inclusive design, and it becomes clear that we have much to sort out—technically, legally, and socially.
4. Continuous Identity
Identity is no longer a static assertion and a binary decision; it’s becoming an ongoing negotiation. Shared signals, event-driven architectures, and context-aware access control together represent a step change in how we manage both authorisation and risk.
Our existing systems, however, aren’t built for this. We have to retrofit responsiveness into architectures never designed to flex. Some of this is feasible, even promising, but we shouldn’t underestimate the effort involved.
Identity as a Lattice
None of these developments exists in isolation. AI agents will rely on credentials. Workload identities will initiate transactions based on shared signals. Wallets will need to respond to context-sensitive authorisation events. And all of them will have to operate within systems that are fragile, patchy, and under pressure.
That sounds daunting. But here’s the opportunity: identity is, by its nature, a connective tissue. It links people, systems, sectors, and jurisdictions. It is infrastructure—hence, teams—that spans boundaries. And that makes it uniquely well-placed to reinforce brittle systems, if we build it right.
Malleability: A Design Principle for the Next Decade
If we want to build systems that last, we’ll need to design for change: not just tolerate it, not just react to it, but expect it.
This means embracing malleability—flexibility within constraints. Think Lego: components designed to interconnect cleanly, with agreed tolerances and predictable behaviour. Not everything will be interoperable with everything else, and that’s fine. But where components are meant to work together, they should do so with minimal fuss and maximum resilience.
This is not a call for complexity for its own sake. It’s a call to apply discipline and humanity to design and humility to implementation. The work we do now—whether in AI, workload identity, verifiable credentials, or continuous authorisation—will shape the digital world for years to come.
One Final Thought
It’s tempting to look at today’s challenges and wish for a pause button. But identity professionals rarely get the luxury of standing still. Instead, we adapt. We build. And we connect. And if we do that well—across disciplines, across borders, across technologies—we’ll not only help manage the fragility of our current systems. We’ll also lay the foundations for something far more resilient.
And that work is worth doing.
If you’re interested in other thoughts I have on digital identity, privacy, and corporate governance, I encourage you to read through this site or follow me on LinkedIn.