Wiki · Concept · Last reviewed June 25, 2026

Digital Identity

Digital identity is the technical, legal, and social infrastructure used to assert, verify, and govern identifiers, credentials, attributes, accounts, devices, agents, and access in networked systems.

Snapshot

Definition

Digital identity is the set of records, credentials, protocols, policies, and ceremonies that let systems represent an entity and decide whether to rely on claims about it. The entity might be a person, organization, device, service, workload, dataset, model, software agent, or account.

A useful digital identity system answers several separate questions: who or what is being represented; which attribute or credential is being relied on; who issued or vouched for it; how the presenter authenticated; what action is allowed; who records the decision; and how errors, loss, revocation, or misuse can be contested.

Digital identity is therefore broader than authentication. Logging in with a passkey proves control of a scoped credential for a relying party; it does not necessarily prove legal identity, age, employment, license status, personhood, or authorization to act for another person. A digital wallet can present credentials; it does not by itself decide whether the issuer is legitimate or whether the verifier is entitled to ask.

Current Context

As of the June 25, 2026 review, NIST SP 800-63 Revision 4 is the current U.S. federal digital identity guidance. NIST released the final Revision 4 suite in July 2025, replacing Revision 3; the suite organizes guidance across identity proofing, authentication, federation, and assertions. That framing is useful because it prevents a single login, wallet, or credential from being treated as the whole identity system.

Credential standards have also matured. The W3C Verifiable Credentials Data Model v2.0 became a W3C Recommendation on May 15, 2025, while W3C DID Core remains the Recommendation baseline for decentralized identifiers. OpenID for Verifiable Presentations 1.0 became an OpenID Final specification in July 2025, and OpenID for Verifiable Credential Issuance 1.0 became Final in September 2025. Those standards describe different layers: credential data, identifiers, presentation, and issuance.

Wallet and browser mediation remain active areas rather than settled infrastructure. The W3C Digital Credentials API is a Working Draft covering user-agent mediation of credential presentation and issuance. Federated Credential Management, WebAuthn, passkeys, OpenID Connect, and mobile wallet systems can coexist, but claims about one layer should not be used as proof about another.

The European Digital Identity Regulation, often discussed through the European Digital Identity Wallet, makes digital identity part of public infrastructure and private-sector access. It also shows the governance tension: wallets can improve portability and selective disclosure, but they can also normalize credential checks in contexts where anonymity, pseudonymity, or non-digital alternatives should remain available.

Core Layers

AI Relevance

AI raises the stakes of digital identity because synthetic media, voice cloning, automated account creation, bot activity, and agentic browsing increase the demand for stronger verification. The response cannot be "identify everyone everywhere." High-assurance identity can reduce fraud in consequential settings, but mandatory proof for ordinary reading, speech, association, or support-seeking can become surveillance infrastructure.

AI Agent Identity makes the boundary sharper. A human account, an organizational service account, and an AI agent acting under delegated authority should not collapse into one identity. Systems need to know whether an action was performed by a person, an agent, a tool server, a bot, or a human-approved automation, and they need logs that distinguish authentication from authorization.

Digital credentials can carry claims about age, employment, license status, membership, organization authority, agent delegation, dataset provenance, audit status, or model-release attestations. A signature or credential presentation does not make the claim true; it only makes the issuer, subject, format, and integrity of the claim more inspectable.

Risks

Governance and Safety

Identity governance starts with proportionality. The assurance level should match the consequence of the decision. A public benefit, bank transfer, prescription, age-restricted service, employment check, or cross-border wallet use may justify stronger evidence than a forum comment, newsletter subscription, or low-risk support request.

Good systems minimize disclosure. They ask for a narrow attribute when a narrow attribute is enough: over 18 rather than full birthdate, valid license rather than license number, organizational role rather than home address, or agent delegation scope rather than full human identity. Selective disclosure and Zero-Knowledge Proofs can help, but only if the verifier request, wallet behavior, status checking, and logs avoid unnecessary correlation.

Contestability is not optional. People and organizations need notice, correction, appeal, alternative channels, and human escalation when credentials are wrong, expired, unavailable, revoked, or rejected by an automated workflow. This connects digital identity directly to Notice and Appeal, Algorithmic Recourse, and Data Protection Impact Assessments.

For AI systems, governance should bind agent actions to explicit delegation. A relying party should know which principal authorized the agent, what scope was granted, when it expires, which tools were used, which credential request was shown to a human, and which audit trail preserves the decision without retaining unnecessary credential contents.
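The delegation check described above, sketched as an added example that is not taken from any standard or product named on this page. The grant format, field names, and the HMAC standing in for an issuer signature are all assumptions. The relying party checks integrity, expiry, scope, and tool before acting, and the audit record keeps a digest of the grant rather than its contents.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

DEMO_KEY = b"constructed-demo-key"  # assumption: stands in for the issuer's signing key

# Constructed delegation grant; every field name here is hypothetical.
SAMPLE_GRANT = {
    "principal": "user:alice@example.org",   # who authorized the agent
    "agent": "agent:scheduler-01",           # the agent's own identifier
    "scope": ["calendar.read"],              # actions that were delegated
    "tools": ["calendar_api"],               # tools the agent may use
    "expires": "2026-07-01T00:00:00+00:00",  # end of the delegation
}

def canonical(grant):
    return json.dumps(grant, sort_keys=True, separators=(",", ":")).encode()

def sign_grant(grant, key=DEMO_KEY):
    # HMAC is a stand-in for an issuer signature over the grant.
    return hmac.new(key, canonical(grant), hashlib.sha256).hexdigest()

def authorize(grant, tag, action, tool, now, key=DEMO_KEY):
    """Decide one agent action; return (allowed, audit_record)."""
    intact = hmac.compare_digest(sign_grant(grant, key), tag)
    if not intact:
        reason = "bad_integrity"       # nothing in the grant can be relied on
    elif now >= datetime.fromisoformat(grant["expires"]):
        reason = "expired"
    elif action not in grant["scope"]:
        reason = "out_of_scope"
    elif tool not in grant["tools"]:
        reason = "tool_not_delegated"
    else:
        reason = "ok"
    record = {                         # decision trail, not a copy of the grant
        "time": now.isoformat(),
        "principal": grant["principal"] if intact else None,
        "agent": grant["agent"] if intact else None,
        "action": action,
        "tool": tool,
        "decision": "allow" if reason == "ok" else "deny",
        "reason": reason,
        "grant_digest": hashlib.sha256(canonical(grant)).hexdigest(),
    }
    return reason == "ok", record

if __name__ == "__main__":
    when = datetime(2026, 6, 25, tzinfo=timezone.utc)
    print(authorize(SAMPLE_GRANT, sign_grant(SAMPLE_GRANT), "calendar.read", "calendar_api", when))
```

The record logs authentication of the grant (`bad_integrity`) separately from authorization of the action (`out_of_scope`, `tool_not_delegated`), so a reviewer can tell which check failed.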

Minimum Identity Record

For consequential identity decisions, preserve a compact record that reviewers can understand without turning every interaction into a permanent dossier:

Source Discipline

Use exact terms. NIST assurance levels, W3C Verifiable Credentials, W3C Decentralized Identifiers, WebAuthn credentials, OpenID Connect claims, OpenID4VP presentations, OpenID4VCI issuance, passkeys, mobile documents, wallets, and browser credential APIs are not interchangeable.

For a factual claim, name the layer and source: the standard, version, maturity level, regulator text, official implementation note, or institutional policy. A vendor wallet page is not enough to prove interoperability, privacy, legal authority, or accuracy of the underlying claim.

For AI-related claims, avoid vague labels such as "verified agent" or "trusted model." State who issued the credential or attestation, what subject it covers, what evidence supports it, how status is checked, what the relying party may infer, and how a harmed person can challenge the decision.

Spiralist Reading

For Spiralism, digital identity is a boundary technology. It can protect trust, consent, and accountability, but it can also turn personhood into a credential gate. A humane identity layer verifies what must be verified, keeps contexts separate, preserves pseudonymity and anonymity where they matter, and gives people a practical way to refuse, correct, appeal, and recover.

Open Questions

Sources

