TL;DR: Digital identity is spreading across regulated onboarding, reusable identity, and cross-border trust models, but SumSub’s guide shows adoption remains fragmented because infrastructure, privacy, security, and interoperability requirements are still unevenly understood. The practical issue is governance: identity teams need a clearer model for where verification ends and ongoing trust begins.
At a glance
What this is: This is a digital identity guide that maps adoption, trust, infrastructure needs, risks, and reusable identity across regulated industries.
Why it matters: It matters because IAM, risk, and compliance teams increasingly have to govern identity journeys that span human onboarding, federated trust, and reusable credentials without assuming one model fits every use case.
👉 Read SumSub's guide on digital identity, reusable identity, and trust models
Context
Digital identity is the set of methods and infrastructure used to prove a person is who they claim to be online. The operational problem is that adoption is advancing faster than the governance models that decide when identity proofing, trust reuse, and verification should be accepted across sectors.
For IAM and compliance teams, the issue is not whether digital identity will matter, but how to align it with onboarding, fraud controls, and privacy requirements without creating inconsistent trust decisions. That is why reusable identity, federation, and regulator-led schemes need to be judged as governance choices, not just user experience features.
Key questions
Q: How should organisations govern reusable digital identity across multiple services?
A: Treat reusable digital identity as a governed trust decision, not a convenience feature. Set assurance thresholds for the original proofing event, define which relying parties can accept reuse, and require revocation and monitoring rules that match the risk of the transaction. Without those controls, reuse spreads a weak trust decision instead of reducing friction.
Q: Why do digital identity programmes fail when interoperability is weak?
A: Digital identity programmes fail when systems cannot exchange identity assertions consistently, because the organisation loses a reliable basis for trust. Interoperability gaps create duplicate onboarding, inconsistent risk checks, and unclear accountability between issuers and relying parties. The result is not just user friction, but a control environment that cannot be governed cleanly.
Q: When should teams use step-up verification instead of relying on reusable identity?
A: Use step-up verification when the transaction is higher risk than the original proofing event, when the credential is stale, or when the relying party cannot verify revocation and binding with confidence. Reusable identity should reduce repetition, not override risk-based access decisions.
Q: What should security and compliance teams agree on before launching digital identity at scale?
A: They should agree on who owns the trust model, what data is shared, how long assertions remain valid, and what happens when a credential must be revoked. Those decisions need to be explicit before scale arrives, because digital identity failures are usually governance failures first.
Technical breakdown
Centralized, federated, and decentralized digital identity models
Digital identity is not one architecture. Centralized models keep identity data and assertions in one system, federated models rely on trust between issuers and relying parties, and decentralized models shift more control toward the user or wallet. Reusable identity sits across these patterns when a verified credential can be presented multiple times without repeating the full proofing process. The technical question is whether the trust chain, assurance level, and revocation model remain valid as identity moves between systems.
Practical implication: map which identity journeys need centralized control, which can safely use federated trust, and where reusable identity still needs strong revocation and assurance checks.
Reusable identity and the role of assurance levels
Reusable identity promises fewer repeated checks, but it only works when the original proofing event is strong enough to support later reliance. That means the assurance level of the initial verification, the freshness of the credential, and the relying party’s acceptance policy all matter. If any one of those weakens, reuse becomes an efficiency gain with an unclear security boundary. In practice, reusable identity is a trust model, not a shortcut around verification.
Practical implication: define assurance thresholds up front so teams know when a reused credential is acceptable and when step-up verification is still required.
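The acceptance decision described in the step-up question above and in this section can be made concrete as a relying-party policy check. The following is an added example written for this post, not code from the SumSub guide or from NHIMG's own tooling. It assumes a hypothetical policy table keyed by transaction class, uses NIST SP 800-63A identity assurance levels (IAL1 to IAL3) for proofing strength, and treats the revocation check, holder binding check and clock as inputs the relying party has already obtained. The thresholds are illustrative.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"    # rely on the reused credential as presented
    STEP_UP = "step_up"  # require fresh verification before the transaction
    REJECT = "reject"    # do not proceed on this credential at all


class RevocationStatus(Enum):
    VALID = "valid"      # issuer confirmed the credential is not revoked
    REVOKED = "revoked"  # issuer confirmed revocation
    UNKNOWN = "unknown"  # status list or endpoint unreachable / stale


@dataclass(frozen=True)
class ReusableCredential:
    subject: str
    ial: int                      # SP 800-63A IAL of the original proofing event (1-3)
    proofed_at: datetime          # when the proofing event happened
    expires_at: datetime          # issuer-declared end of validity
    revocation: RevocationStatus  # outcome of the relying party's revocation check
    binding_verified: bool        # holder binding (wallet key, liveness) confirmed by the relying party


@dataclass(frozen=True)
class TransactionPolicy:
    """Hypothetical relying-party rule for one transaction class."""
    name: str
    min_ial: int         # weakest proofing this transaction will rely on
    max_age: timedelta   # how old the original proofing may be before step-up


# Illustrative thresholds; a real relying party sets these from its own risk assessment.
POLICIES = {
    "low_risk": TransactionPolicy("low_risk", min_ial=1, max_age=timedelta(days=365 * 3)),
    "regulated_onboarding": TransactionPolicy("regulated_onboarding", min_ial=2, max_age=timedelta(days=365)),
    "high_value_transfer": TransactionPolicy("high_value_transfer", min_ial=2, max_age=timedelta(days=90)),
}


def decide(cred: ReusableCredential, policy: TransactionPolicy, now: datetime) -> tuple[Decision, str]:
    """Return (decision, reason). Hard failures are checked before step-up triggers."""
    # 1. A revoked credential must never be reused, whatever the transaction risk.
    if cred.revocation is RevocationStatus.REVOKED:
        return Decision.REJECT, "credential revoked by issuer"
    # 2. Issuer-declared expiry is also a hard stop.
    if now >= cred.expires_at:
        return Decision.REJECT, "credential past issuer validity period"
    # 3. If revocation cannot be confirmed, the relying party lacks confidence: step up.
    if cred.revocation is RevocationStatus.UNKNOWN:
        return Decision.STEP_UP, "revocation status could not be verified"
    # 4. Without verified binding the presenter may not be the proofed subject.
    if not cred.binding_verified:
        return Decision.STEP_UP, "holder binding not verified"
    # 5. The transaction is higher risk than the original proofing supports.
    if cred.ial < policy.min_ial:
        return Decision.STEP_UP, f"IAL{cred.ial} below policy minimum IAL{policy.min_ial}"
    # 6. The proofing is too stale for this transaction class.
    if now - cred.proofed_at > policy.max_age:
        return Decision.STEP_UP, "original proofing older than policy allows"
    return Decision.ACCEPT, "reused credential meets policy"


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the example is deterministic


def sample_credential(**overrides) -> ReusableCredential:
    """Constructed IAL2 credential proofed 30 days ago; fields overridden per scenario."""
    base = dict(subject="user-123", ial=2, proofed_at=NOW - timedelta(days=30),
                expires_at=NOW + timedelta(days=335), revocation=RevocationStatus.VALID,
                binding_verified=True)
    base.update(overrides)
    return ReusableCredential(**base)


def run_samples() -> dict[str, Decision]:
    """Evaluate constructed scenarios against the policy table and return the decisions."""
    cases = {
        "fresh_ial2_low_risk": (sample_credential(), POLICIES["low_risk"]),
        "fresh_ial2_high_value": (sample_credential(), POLICIES["high_value_transfer"]),
        "stale_for_high_value": (sample_credential(proofed_at=NOW - timedelta(days=120)), POLICIES["high_value_transfer"]),
        "ial1_for_onboarding": (sample_credential(ial=1), POLICIES["regulated_onboarding"]),
        "revocation_unknown": (sample_credential(revocation=RevocationStatus.UNKNOWN), POLICIES["low_risk"]),
        "revoked": (sample_credential(revocation=RevocationStatus.REVOKED), POLICIES["low_risk"]),
        "expired": (sample_credential(expires_at=NOW - timedelta(days=1)), POLICIES["low_risk"]),
        "unbound_presenter": (sample_credential(binding_verified=False), POLICIES["low_risk"]),
    }
    return {name: decide(cred, policy, NOW)[0] for name, (cred, policy) in cases.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:24s} -> {decision.value}")
```

The ordering is the point: revocation and expiry are hard rejects, an unverifiable revocation status or unverified binding triggers step-up regardless of transaction risk, and only then do assurance level and proofing age enter. The same IAL2 credential is accepted for a low-risk transaction and for a recent high-value transfer, but steps up once it is older than that policy's 90-day window.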
Infrastructure, privacy, and interoperability risks in digital identity
Digital identity systems fail when standards, data handling, and integration models do not line up. Privacy risk appears when too much identity data is shared for a simple transaction, security risk appears when credentials or tokens are overexposed, and interoperability risk appears when schemes cannot work across issuers, wallets, and relying parties. The governance challenge is to make these systems portable without making them over-trusting. That requires clear policies for data minimisation, consent, and technical assurance.
Practical implication: evaluate each digital identity flow for data minimisation, interoperability boundaries, and failure modes before wider deployment.
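The data-minimisation point above can be shown as a relying-party disclosure policy: the purpose of the transaction decides which claims are released, and where a yes/no predicate is enough (age over 18), the underlying attribute (date of birth) is never released. This is an added example for this post, not code from the SumSub guide or from NHIMG; the purpose table, predicate names and credential contents are constructed for illustration. Wallet formats such as SD-JWT and ISO/IEC 18013-5 mobile driving licences enforce this kind of selective disclosure cryptographically; here it is a plain policy function.

```python
from datetime import date

# Constructed credential as held in the user's wallet. Not real data.
FULL_CREDENTIAL = {
    "given_name": "Ada",
    "family_name": "Lovelace",
    "date_of_birth": "1990-12-10",
    "document_number": "X1234567",
    "address": "1 Example Street, Exampletown",
    "nationality": "GB",
}
MINOR_CREDENTIAL = {**FULL_CREDENTIAL, "date_of_birth": "2010-01-01"}

# Hypothetical purpose registry: each purpose lists the raw attributes it may receive
# or a derived predicate (prefixed 'derived:') computed without releasing the attribute.
PURPOSE_CLAIMS = {
    "age_gated_content": ["derived:age_over_18"],
    "account_recovery": ["given_name", "family_name", "derived:age_over_18"],
    "regulated_onboarding": ["given_name", "family_name", "date_of_birth", "document_number", "nationality"],
}

TODAY = date(2025, 6, 1)  # fixed reference date so the example is deterministic


def _age_on(dob_iso: str, today: date) -> int:
    """Whole years between an ISO date of birth and the reference date."""
    dob = date.fromisoformat(dob_iso)
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def derive(predicate: str, credential: dict, today: date) -> bool:
    """Compute a boolean predicate from the credential; unknown predicates are refused."""
    if predicate == "age_over_18":
        return _age_on(credential["date_of_birth"], today) >= 18
    raise ValueError(f"unknown predicate: {predicate}")


def minimal_disclosure(credential: dict, purpose: str, today: date) -> dict:
    """Release only the claims the registered purpose is allowed to see.

    Fails closed: an unregistered purpose is refused rather than defaulting to
    full disclosure, and a missing claim is reported rather than guessed.
    """
    if purpose not in PURPOSE_CLAIMS:
        raise PermissionError(f"purpose not registered in relying-party policy: {purpose}")
    released = {}
    for claim in PURPOSE_CLAIMS[purpose]:
        if claim.startswith("derived:"):
            name = claim.split(":", 1)[1]
            released[name] = derive(name, credential, today)
        elif claim in credential:
            released[claim] = credential[claim]
        else:
            raise KeyError(f"credential lacks required claim: {claim}")
    return released


def disclosure_refused(credential: dict, purpose: str, today: date) -> bool:
    """True when the policy refuses to release anything for this purpose."""
    try:
        minimal_disclosure(credential, purpose, today)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for purpose in PURPOSE_CLAIMS:
        print(f"{purpose:22s} -> {minimal_disclosure(FULL_CREDENTIAL, purpose, TODAY)}")
    print("marketing_profile refused:", disclosure_refused(FULL_CREDENTIAL, "marketing_profile", TODAY))
```

Regulated onboarding legitimately receives the document number and date of birth; an age gate receives a single boolean and nothing that identifies the person. Reviewing each flow against a table like this, before deployment, is what the practical implication above amounts to in practice.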
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salt Typhoon US telecoms breach — Salt Typhoon APT used stolen credentials and a Cisco CVE to breach US telecoms.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Digital identity is becoming a governance problem before it is a technology problem. The guide’s real message is that adoption, trust, and infrastructure are now intertwined, so identity teams cannot treat digital ID as a front-end onboarding feature. Once identity proofing is reused across services, the organisation is also reusing assumptions about assurance, consent, and relying-party trust. Practitioners should therefore assess digital identity as a lifecycle governance decision, not a standalone experience layer.
Reusable identity only reduces friction when the original trust event is strong enough to survive reuse. That is the central boundary condition hiding inside the guide. If proofing quality, identity binding, or revocation discipline is weak, reuse does not simplify governance, it multiplies the consequences of one bad decision across more transactions. Teams should treat reuse as an assurance distribution model, not as evidence that identity has been solved.
The interoperability challenge is really an accountability challenge. Different identity models can move data and assertions between organisations, but they do not remove responsibility for who accepted what, on which basis, and under which policy. That is where IAM, fraud, privacy, and compliance functions need shared language. The practitioner conclusion is that digital identity programmes fail when no one owns the trust boundary end to end.
Digital identity will increasingly converge with broader access governance. As reusable identity expands, organisations will need to decide when a trusted assertion is enough and when an additional access control step is required. That brings digital ID closer to policy enforcement, not just verification. The field should expect more pressure to connect identity proofing, authentication, and entitlement decisions into one governed trust model.
From our research:
- NHIs outnumber human identities by 25x to 50x in modern enterprises, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why identity programmes fail when ownership and lifecycle data are incomplete.
- That visibility gap is one reason teams should also review NHI Lifecycle Management Guide when extending identity governance beyond human onboarding.
What this signals
Reusable identity will push more organisations toward shared trust infrastructure, but it will also expose weak ownership models faster. When one proofing event is reused across services, the operating question becomes who can rely on it, who can revoke it, and who is accountable when confidence breaks down. The programmes that survive will be the ones that connect identity proofing to lifecycle governance instead of treating them as separate domains.
Digital identity is increasingly converging with non-human identity governance because both rely on durable trust assertions. When teams normalise reusable credentials for people, they often discover the same lifecycle questions that already exist for service accounts, tokens, and certificates. That is why the Ultimate Guide to NHIs, Key Challenges and Risks remains relevant beyond machine identities: it shows how governance breaks when trust is assumed instead of continuously managed.
For practitioners
- Separate proofing assurance from access policy: Document which digital identity assertions can be reused and which must trigger fresh verification, especially for regulated onboarding and high-risk transactions.
- Define your trust boundaries for reusable identity: Assign ownership for issuer trust, relying-party acceptance, revocation handling, and consent so reuse does not become an unowned control gap.
- Stress-test interoperability before scaling: Validate identity flows across wallets, issuers, and relying parties using the same data minimisation and assurance requirements you expect in production.
- Tie privacy decisions to transaction risk: Use stronger identity disclosure only where the use case justifies it, and reduce data sharing for low-risk interactions to avoid unnecessary exposure.
Key takeaways
- Digital identity adoption is less constrained by theory than by governance maturity, because trust reuse only works when assurance, revocation, and accountability are explicit.
- Reusable identity reduces friction, but it also amplifies the impact of weak proofing if organisations cannot prove when a credential should still be trusted.
- IAM teams should treat digital identity as an end-to-end trust boundary, linking onboarding, policy, and lifecycle decisions before scaling adoption.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 (Identity Management, Authentication, and Access Control) | Identity proofing and trust acceptance affect access control decisions. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust | Digital identity schemes depend on continuously evaluated identity assertions rather than one-time trust. |
| NIST SP 800-63 | 800-63A (IAL), 800-63B (AAL), 800-63C (FAL) | Identity proofing assurance, authenticator assurance, and federation assurance levels are central to the guide's topic. |
Define who can trust a digital identity assertion and review acceptance rules routinely.
Key terms
- Digital Identity: Digital identity is the set of claims, credentials, and trust mechanisms used to prove a person online. It covers how identity is established, accepted, and reused across systems, and it only works when assurance, binding, and revocation are governed consistently.
- Reusable Identity: Reusable identity is an identity credential or assertion that can be accepted more than once without repeating full proofing each time. It can reduce friction, but the security value depends on the strength of the original verification, the validity period, and the relying party's policy.
- Federated Identity: Federated identity lets one organisation accept identity assertions issued by another trusted provider. It reduces duplicated logins and onboarding, but it also shifts risk to the trust agreement between issuer and relying party, making governance and revocation handling essential.
- Assurance Level: An assurance level is the degree of confidence an organisation has in an identity proofing or authentication event. Higher assurance supports more sensitive transactions, while lower assurance requires tighter limits, step-up checks, or additional controls before the identity can be trusted again.
Deepen your knowledge
Digital identity governance, reusable trust, and lifecycle controls are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is extending identity governance beyond human logins and onboarding, it is worth exploring.
This post draws on content published by SumSub: Digital Identity guide covering adoption, risks, and reusable identity. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org