Subscribe to the Non-Human & AI Identity Journal

What do organisations get wrong about mDL adoption?

The most common mistake is assuming one wallet or one implementation path will cover all users. In reality, adoption is fragmented across states, device wallets, and state-issued apps, so programmes that do not plan for variability create inconsistent assurance and unnecessary user friction.

Why This Matters for Security Teams

mDL adoption fails when organisations treat it like a single credential project instead of a fragmented trust ecosystem. The real issue is not whether a mobile driver’s licence can be technically presented, but whether the relying party can verify issuer policy, wallet behaviour, device state, and user experience across multiple implementations. NIST’s NIST Cybersecurity Framework 2.0 is useful here because it pushes teams toward repeatable governance rather than one-off integration decisions.

This is where many programmes overfit to a pilot. They assume one app, one wallet, or one state issuer model will generalise cleanly, then discover that assurance varies by jurisdiction, device platform, and presentation method. That creates inconsistent acceptance decisions, support escalation, and unnecessary friction at the point of verification. NHIMG’s Ultimate Guide to NHIs is a reminder that identity systems fail when lifecycle and trust boundaries are not designed up front. In practice, many teams encounter mDL inconsistency only after a rollout has already locked in the wrong verification workflow, rather than through intentional trust design.

How It Works in Practice

Effective mDL adoption starts by separating issuance, presentation, and verification into distinct control problems. The issuer may be a state agency, the wallet may be a platform wallet or state-issued app, and the verifier may be a DMV counter, airport checkpoint, or financial institution. Each layer has different trust assumptions, so organisations need policy rules for what is accepted, what assurance level is required, and what fallback path is allowed when a device cannot present credentials consistently.

Practically, teams should define:

  • Which issuers are trusted and how that trust is refreshed over time.
  • Which wallets are supported, and whether platform wallets and state apps are equivalent for the use case.
  • What identity attributes are required versus merely useful.
  • How to handle selective disclosure, revocation checks, and offline verification.
  • What evidence is logged for audit, dispute handling, and fraud review.

Current guidance suggests that organisations should anchor their trust decisions in public standards and documented verification policy, not brand-name wallet assumptions. The Ultimate Guide to NHIs is relevant because it frames identity as a governed lifecycle, not a one-time enrollment event, which maps well to mDL programme design. When teams need a broader governance baseline, NIST Cybersecurity Framework 2.0 helps translate that into risk, response, and continuous improvement. Organisations that ignore these distinctions often build a verification stack that works in a demo but breaks when different wallets, policy updates, or issuer revocations appear in production because the trust model was never made explicit.

Common Variations and Edge Cases

Tighter verification often increases onboarding friction and support cost, so organisations need to balance user convenience against assurance and fraud resistance. There is no universal standard for every mDL use case yet, so the right approach depends on the transaction risk, legal environment, and whether the organisation can tolerate fallback identity checks.

One common mistake is assuming that all verification flows should behave the same. A low-risk age check at a point of sale is not the same as identity proofing for account recovery, and a state-issued app is not automatically interchangeable with a platform wallet unless the programme’s trust policy explicitly says so. Another edge case is offline or degraded connectivity, where revocation status may be harder to confirm and the verifier may need a documented exception path.

For teams designing at scale, the safest pattern is to publish acceptance criteria that name supported issuers, supported wallets, and allowed fallbacks. That prevents staff from improvising rules at the counter and reduces inconsistent treatment across locations. Organisations that skip this usually discover the problem only when edge cases become the norm, especially in multi-jurisdiction deployments where issuer diversity and wallet differences surface immediately.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST AI RMF, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.1 Governance is central when mDL trust decisions vary by issuer and wallet.
NIST AI RMF GOVERN mDL programmes need clear accountability for risk, policy, and lifecycle changes.
NIST SP 800-63 Digital identity assurance concepts help frame verification strength and proofing limits.
NIST Zero Trust (SP 800-207) Zero trust thinking supports explicit, policy-based verification across varied wallets.

Verify each presentation event against policy instead of assuming trust from the channel.