TL;DR: Ireland is preparing to prioritise age verification and child online safety during its EU presidency, with digital identity tools and the EUDI Wallet expected to support privacy-preserving age checks while reducing unnecessary data disclosure, according to Sumsub and Biometric Update. The real issue for identity teams is not just proving age, but deciding which identity attributes can be verified without expanding personal data exposure.
At a glance
What this is: Ireland is elevating age verification and digital identity as a policy priority, with the EUDI Wallet positioned as a way to prove age while sharing less personal data.
Why it matters: That matters because age assurance is becoming an IAM and identity attribute problem, not just a platform moderation issue, with implications for privacy, federation, and verification design.
👉 Read Sumsub's coverage of Ireland's age verification agenda and EUDI Wallet angle
Context
Age verification is the process of proving that a user belongs to a required age band without necessarily revealing more identity data than the service needs. In this article, Ireland is signalling that age assurance is moving from a policy debate into a digital identity design problem, with direct consequences for how organisations verify attributes and minimise disclosure.
For IAM, the important shift is that the control objective is no longer simply blocking minors. The harder question is how to bind an age claim to a trustworthy identity process while preserving privacy, limiting data collection, and keeping the verification flow usable across services and jurisdictions.
Key questions
Q: How should organisations implement age verification without over-collecting personal data?
A: Use the minimum attribute needed for the access decision, then prove age through a trusted credential or wallet flow that does not expose the full identity record. Keep the verification result auditable, set retention limits for logs and proofs, and make sure the relying party only receives what it needs to enforce the policy.
Q: Why do digital identity wallets change the age verification model?
A: Wallets can let a user present a verified age claim without sharing unnecessary identity data, which shifts the control from full identity disclosure to selective disclosure. That improves privacy only if the issuer, verifier, and policy framework are trusted and interoperable. Otherwise, the wallet becomes a new delivery channel for the same old data exposure.
Q: What do security and privacy teams get wrong about age checks?
A: They often treat age checks as a simple yes or no control, when the real design problem is trust, minimisation, and auditability. If the system collects more data than the decision requires, it creates avoidable privacy and compliance risk. Good age assurance reduces disclosure while preserving a clear record of the decision path.
Q: How do IAM teams decide whether wallet-based age assurance is ready for production?
A: Check whether the wallet ecosystem supports the required age attribute, whether verifiers can trust the issuer across jurisdictions, and whether the policy can be enforced without full identity disclosure. If those conditions are missing, the rollout will be fragile even if the user experience looks simple.
Technical breakdown
Attribute-based age verification and data minimisation
Age verification systems increasingly rely on attribute-based proofs rather than full identity disclosure. That means a user can demonstrate that they meet an age threshold without handing over a full date of birth, home address, or identity document set. The architecture typically involves a trusted issuer, a verification step, and a relying party that accepts the claim. In privacy-preserving models, the service receives only the attribute it needs, not the entire identity record. That reduces unnecessary data retention and lowers the consequences of compromise, but it also raises trust issues around issuer assurance, claim freshness, and cross-border interoperability.
Practical implication: design age assurance flows so the service receives only the minimum attribute needed for the policy decision.
Digital identity wallets and selective disclosure
The EUDI Wallet concept reflects a broader move toward selective disclosure, where an individual can present a verified credential and reveal only the relevant attribute. Technically, this depends on credential formats, wallet trust frameworks, and verifier policies that can validate claims without reconstructing the full identity. The challenge is governance as much as cryptography: if the wallet ecosystem fragments across member states or providers, policy consistency becomes difficult. For practitioners, the question is whether the wallet is being used as a genuine privacy control or merely as a new transport for the same identity data.
Practical implication: validate how selective disclosure is enforced before treating wallet-based age checks as privacy-preserving by default.
NHI Mgmt Group analysis
Age verification is becoming a digital identity governance problem, not a moderation feature. Once governments push platforms to prove user age, the control boundary moves into identity proofing, attribute release, and auditability. That shifts accountability from content policy teams into IAM, privacy, and compliance functions. The practical conclusion is that age assurance needs identity governance, not just platform enforcement.
Selective disclosure is the right direction, but only if verifier trust is explicit. The promise of revealing less personal information is real, yet it depends on who issued the credential, how it is validated, and whether relying parties can trust the result across jurisdictions. Without that governance layer, privacy improvement can become security theatre. The practitioner conclusion is to treat verifier trust as a first-class control.
Identity federation will matter more than biometric intensity in this policy wave. Governments can mandate age checks, but the operational success of those checks depends on whether identity systems can exchange a small, trusted claim instead of a full identity dossier. That makes wallet interoperability, attribute governance, and relying-party acceptance the real design constraints. The practitioner conclusion is to prepare for attribute-first identity flows.
Age assurance exposes the gap between policy intent and identity architecture. Regulators want less underage access, but the implementation problem is whether systems can verify the right attribute without over-collecting data or creating a new surveillance layer. That tension will shape which models survive at scale. The practitioner conclusion is to align age verification design with minimisation, federation, and retention limits.
Ultimate Guide to NHIs , Regulatory and Audit Perspectives is relevant here because identity controls increasingly have to satisfy both access decisions and audit expectations. The same governance discipline that applies to NHIs also applies when attributes, credentials, and proofs are exchanged between organisations. The practitioner conclusion is to build age verification as an auditable identity control, not a standalone compliance widget.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how weak identity inventory still is across many environments.
- For a broader lifecycle view, NHI Lifecycle Management Guide covers provisioning, rotation, and offboarding patterns that also apply when identity attributes are exchanged through wallet-based flows.
What this signals
Age verification will increasingly be judged as an identity architecture decision, not a policy slogan. If organisations cannot prove which issuer supplied an age claim, how long the claim remains valid, and what was disclosed to the relying party, the control will be hard to defend in audit or incident review.
With 90% of IT leaders saying properly managing NHIs is essential for a successful zero-trust implementation, identity programmes are already moving toward proof-based trust models that minimise exposure while preserving access decisions.
That makes the next phase of age assurance about governance quality: verifiable claims, explicit trust registries, and retention discipline rather than simply stronger checks.
For practitioners
- Define the minimum age claim needed Map each service to the smallest age signal it actually needs, then prohibit collection of full identity data where an age threshold is sufficient.
- Validate verifier trust before rollout Document which issuers, wallets, and identity providers are acceptable, and require policy checks for claim freshness, revocation, and jurisdictional fit.
- Align age assurance with retention controls Set retention limits for age-check artefacts, logs, and proofs so verification evidence does not become a separate privacy risk.
- Prepare for attribute-based access policies Update IAM and privacy teams to govern age as an attribute-based decision, with clear audit trails for why access was granted or denied.
Key takeaways
- Age verification is converging with IAM governance because the core problem is proving an attribute without over-disclosing identity data.
- Wallet-based selective disclosure can improve privacy, but only when issuer trust, verifier policy, and jurisdictional fit are explicit.
- Organisations should treat age assurance as an auditable identity control with retention, trust, and minimisation requirements from day one.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | Age proofing depends on identity assurance and attribute release decisions. | |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Selective disclosure supports least-privilege access decisions based on attributes. |
| NIST CSF 2.0 | PR.DS-1 | Age assurance should minimise sensitive data collected and retained. |
Reduce stored identity data by collecting only the attribute needed for the access control decision.
Key terms
- Age assurance: Age assurance is the set of controls used to confirm that a person or account falls within a required age band. In identity programmes, it is not just a moderation feature. It is an attribute verification and data minimisation problem that must balance privacy, trust, and auditability.
- Selective disclosure: Selective disclosure is a credential pattern that reveals only the specific attribute a verifier needs, such as age, without exposing the full identity record. It is valuable because it reduces unnecessary data sharing, but it only works when issuers, wallets, and verifiers share a trusted validation model.
- Digital identity wallet: A digital identity wallet is a user-controlled container for credentials and verified attributes that can be presented to services on demand. In practice, it can support privacy-preserving proof of age or eligibility, but the governance model matters as much as the technology because trust and interoperability determine whether the claim is usable.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Sumsub: Ireland puts age verification at the top of its EU presidency agenda. Read the original.
Published by the NHIMG editorial team on 2026-06-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
