By NHI Mgmt Group Editorial Team | Published 2026-06-22 | Domain: Governance & Risk | Source: Raidiam

TL;DR: Smart data schemes are moving from policy ambition to delivery, with open banking use by UK consumers and small businesses rising to one in five and 1.3 million self-assessment payments worth £4.7 billion processed in January 2026, according to Raidiam's reflections on the Smart Data Forum 2026. The decisive issue is no longer whether these models work, but whether governance, consent, and identity infrastructure can scale fast enough to support agentic AI and cross-sector interoperability.


At a glance

What this is: This is Raidiam's reflection on the Smart Data Forum 2026, arguing that smart data is shifting from experimentation to delivery and now depends on governance embedded in infrastructure.

Why it matters: It matters to IAM practitioners because the same consent, identity, and API trust patterns that support smart data also shape NHI, autonomous, and human identity governance at scale.



Context

Smart data is the practical layer that lets organisations exchange permissioned data across sectors with trust and accountability. In this article, Raidiam argues that the UK has moved past proof-of-concept thinking and into a delivery phase where governance architecture, not policy aspiration, is the main constraint on scale.

That matters for identity teams because the same infrastructure patterns govern consent, API access, and delegated authority across human users, machine identities, and emerging agentic workflows. The article also links smart data to agentic AI, where access to verified and current data becomes the deciding factor in whether autonomy can operate safely.

The shift is visible in open banking adoption, in public-sector payment use, and in the growing expectation that smart data schemes will become part of core national infrastructure rather than niche innovation. For practitioners, the question is less about whether this model will spread and more about which identity and governance controls will carry it without breaking trust.


Key questions

Q: How should organisations govern delegated data access in smart data schemes?

A: Organisations should treat delegated data access as a lifecycle problem, not a one-time permission event. That means defining consent scope, expiry, revocation, and downstream enforcement before integration goes live. The key control is whether every consuming service can honour withdrawal and change without manual intervention, because trust collapses when revocation lags usage.

Q: Why does smart data create identity governance risk for IAM teams?

A: Smart data multiplies the number of parties acting on a single permission, which stretches accountability across sectors and systems. IAM teams must therefore govern not just authentication, but delegated authority, traceability, and lifecycle termination. The risk is highest when access is technically valid but no longer aligned with the original consent or business purpose.

Q: What breaks when consent and access controls are separated?

A: When consent and access controls are separated, revocation becomes inconsistent and audit evidence becomes fragmented. One system may believe permission still exists while another has already withdrawn it. That creates a trust gap that can undermine both compliance and user confidence, especially in schemes where multiple services rely on the same underlying authorisation.

Q: Who should own accountability in cross-sector smart data programmes?

A: Accountability should sit with the organisation that can actually enforce the control, not only the one that defines the policy. In cross-sector programmes, that usually means the platform operator, scheme owner, or data recipient must be able to prove how consent, access, and revocation are enforced across the lifecycle.


Technical breakdown

Why governance architecture matters more than policy ambition

Smart data programmes fail when governance is treated as a layer added after technical design. The article's central point is that scale depends on embedding rules for consent, security, and accountability directly into the infrastructure. In identity terms, that means the control plane must know who or what is acting, under what authority, and for how long that authority remains valid. FAPI-compliant API security and standards-based identity are part of that design, not optional extras.

Practical implication: design consent and access controls as part of the platform architecture, not as post-launch policy enforcement.

How smart data changes identity and access patterns

Smart data schemes create delegated access paths that resemble modern IAM problems, but at ecosystem scale. A consumer, business, or institution grants permission once, then multiple services may act on that permission across time and sectors. That introduces lifecycle questions around consent expiry, scope, revocation, and interoperability between parties that do not share a single control stack. For identity teams, this is the bridge between human consent, workload identity, and emerging agentic decision flows.

Practical implication: map delegated access lifecycles explicitly so revocation, scope limits, and auditability survive cross-sector sharing.

Agentic AI makes trust infrastructure commercially urgent

The article treats agentic AI as a force multiplier for smart data rather than a separate trend. Agents can only act safely if the data they can access is verified, current, and permissioned. That places identity and data governance at the centre of operational safety, because the system now depends on whether the data source, consent status, and action context are trustworthy at runtime. This is a governance problem as much as a technology one.

Practical implication: validate access context at runtime for any workflow that allows an agent to act on behalf of a person or business.
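The runtime check described in this breakdown, sketched as an added example (not code from Raidiam or NHI Mgmt Group). The `Consent` and `Request` records, the reason codes, and the sample identities are hypothetical; the point shown is that a still-valid access token is denied once the underlying consent is revoked, expired, out of scope, or presented by a different actor.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Consent:                 # hypothetical record in the scheme's consent registry
    consent_id: str
    subject: str               # person or business that granted permission
    recipient: str             # service or agent allowed to act on it
    scopes: frozenset
    expires_at: datetime
    revoked_at: datetime | None = None

@dataclass(frozen=True)
class Request:                 # hypothetical runtime access context
    consent_id: str
    actor: str                 # identity actually making the call
    scope: str
    token_expires_at: datetime

def authorize(registry: dict, req: Request, now: datetime) -> tuple[bool, str]:
    """Decide at the moment of action; a live token alone is never sufficient."""
    if now >= req.token_expires_at:
        return False, "token_expired"
    consent = registry.get(req.consent_id)
    if consent is None:
        return False, "unknown_consent"
    if consent.revoked_at is not None and consent.revoked_at <= now:
        return False, "consent_revoked"
    if now >= consent.expires_at:
        return False, "consent_expired"
    if req.actor != consent.recipient:
        return False, "actor_not_delegate"
    if req.scope not in consent.scopes:
        return False, "scope_exceeded"
    return True, "ok"

# Constructed sample data: one consent granted to one delegate for 90 days.
T0 = datetime(2026, 6, 22, 9, 0, tzinfo=timezone.utc)
GRANT = Consent("c-1", "alice", "tax-agent", frozenset({"accounts:read"}),
                expires_at=T0 + timedelta(days=90))
REGISTRY = {"c-1": GRANT}

def demo():
    req = Request("c-1", "tax-agent", "accounts:read", T0 + timedelta(hours=1))
    before = authorize(REGISTRY, req, T0 + timedelta(minutes=5))
    # Consent is withdrawn at T0+10m while the token has 50 minutes left.
    withdrawn = {"c-1": replace(GRANT, revoked_at=T0 + timedelta(minutes=10))}
    after = authorize(withdrawn, req, T0 + timedelta(minutes=15))
    return before, after

if __name__ == "__main__":
    print(demo())
```

Every consuming service would run the same decision against a shared, current view of the registry; a locally cached copy of the consent reintroduces the lag between revocation and enforcement.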


NHI Mgmt Group analysis

Governance architecture, not policy ambition, is the real delivery bottleneck. The article is right to frame smart data as an infrastructure problem rather than a consultation problem. When consent, security, and identity are bolted on after the fact, interoperability scales faster than trust. The practitioner lesson is that delivery programmes must be designed so governance is executable inside the platform itself.

Smart data is becoming an identity delegation problem at ecosystem scale. A consumer or business grants permission once, but the resulting access path can span multiple services, sectors, and decision points. That changes the meaning of lifecycle control, because revocation, scope, and auditability must survive downstream use. The implication is that IAM teams need to treat smart data schemes as delegated-authority systems, not simple API integrations.

Agentic AI turns verified data access into a control requirement, not a convenience feature. The article's AI examples show that autonomous or semi-autonomous workflows only remain safe if the underlying data is permissioned and current. That means the identity model and the data model now fail together if either is weak. The practitioner conclusion is that smart data and agentic AI should be governed through the same trust architecture.

Cross-sector interoperability will expose weak ownership models immediately. The more sectors participate, the harder it becomes to rely on informal accountability or one-off integration contracts. The article's emphasis on infrastructure, incentives, and performance measurement points to a broader truth: ecosystem growth depends on operational ownership, not just regulatory intent. Practitioners should expect that schemes without clear accountability will stall before they scale.

Smart data creates a new form of trust debt when governance trails usage. As adoption rises, the gap between what policy promises and what identity controls can enforce becomes more visible. This is especially true where consent, API access, and delegated authority are managed by different teams or different systems. The practitioner takeaway is that delivery speed now depends on reducing that trust debt early.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to GitGuardian & CyberArk.
  • The practical next step is to connect lifecycle controls to the control plane, as explored in the Ultimate Guide to NHIs, Key Research and Survey Results.

What this signals

Trust debt is the best way to describe what smart data teams are carrying forward. The longer governance sits outside the platform, the more difficult it becomes to prove that access, consent, and revocation are aligned in real time. For identity leaders, that means delivery speed will increasingly depend on how quickly they can collapse policy, control, and audit into one executable model.

The article also reinforces that agentic AI will pressure existing IAM assumptions sooner than many programmes expect. Once an agent can act on verified data on behalf of a person or business, the question is no longer simply who authenticated. It becomes whether the delegated authority is still valid at the moment of action.

With 27 days to remediate a leaked secret in our research, the gap between governance intent and operational enforcement remains large. Smart data programmes should assume the same failure mode will appear wherever identity, consent, and machine access are not governed together.


For practitioners

  • Embed consent expiry into access design: Define how long delegated access remains valid, how it is renewed, and which system owns revocation when a user or business withdraws consent.
  • Treat API trust as an identity control: Tie FAPI-style security, audience validation, and identity binding into the same control path so that permissioned data use is enforceable at runtime.
  • Build revocation into downstream integrations: Require every consuming service to respect consent changes and propagate revocation without waiting for manual intervention from the originating scheme.
  • Separate policy intent from platform execution: Document which governance decisions are made by regulation, which are enforced by controls, and which fail if the platform cannot execute them automatically.

Key takeaways

  • Smart data delivery now depends on governance that is executable inside infrastructure, not layered on top of it.
  • Delegated access becomes harder to govern as more services act on the same consent, which raises lifecycle and accountability risk.
  • Identity teams should treat smart data and agentic AI as one trust problem when access, data, and revocation must stay aligned.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST Zero Trust (SP 800-207), NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST Zero Trust (SP 800-207) | PR.AC-4 | Smart data depends on continuous authorization and scoped access across services.
NIST CSF 2.0 | PR.AC-1 | The article centres on governance embedded in infrastructure and access accountability.
NIST AI RMF | | Agentic AI in the article depends on trustworthy data and delegated action boundaries.

Document access ownership, enforcement, and audit paths as part of the control design, not after deployment.


Key terms

  • Smart data scheme: A smart data scheme is a governed framework that allows data to be shared across organisations with defined consent, security, and accountability rules. It is more than an API integration because it includes lifecycle control over who can access what, for how long, and under what purpose.
  • Delegated authority: Delegated authority is permission granted to one party to act on behalf of another within defined limits. In identity governance, the critical question is whether that authority can be revoked, scoped, and audited consistently across every system that consumes it.
  • Trust infrastructure: Trust infrastructure is the set of technical and governance controls that make permissioned data sharing safe at scale. It includes consent enforcement, identity binding, API security, auditability, and revocation paths that must work together rather than independently.
  • Governance architecture: Governance architecture is the way policy, controls, and accountability are built into a platform so they can be executed, monitored, and enforced. For identity programmes, it determines whether rules are merely documented or actually operable in production.


This post draws on content published by Raidiam: The Delivery Decade Has Begun: Reflections on the Smart Data Forum 2026. Read the original.
