Cross-chain identity credentials: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: Reusable, privacy-preserving KYC credentials across Ethereum, Arbitrum, Avalanche, Polygon and Base are being introduced through SumSub’s partnership with Chainlink, letting users prove claims on-chain without exposing raw personal data while supporting permissioned access and reusable identity across wallets. The bigger issue is that on-chain identity is becoming a governance layer, not just a verification step.

NHIMG editorial — based on content published by SumSub: Sumsub and Chainlink to enable privacy-preserving KYC credentials across Ethereum, Arbitrum, Avalanche, Polygon, and Base

By the numbers:

Questions worth separating out

Q: How should security teams govern reusable identity credentials across blockchains?

A: Security teams should treat reusable identity credentials as governed assets with explicit issuance, binding, revocation, and re-authorisation rules.

Q: Why do privacy-preserving KYC credentials still need strong lifecycle controls?

A: Privacy-preserving KYC reduces what is exposed, but it does not remove the need to control how long a claim remains valid, who can rely on it, or when it must be withdrawn.

Q: What breaks when a wallet-linked credential is reusable without revocation discipline?

A: Reusable credentials without revocation discipline create lingering access risk.

Practitioner guidance

  • Map credential lifecycle ownership: Assign a single owner for issuance, revocation, and policy changes for reusable on-chain credentials so accountability does not disappear when the credential is reused across wallets or chains.
  • Define where eligibility is enforced: Document whether access is checked at credential presentation, protocol entry, or issuer validation, then test that decision path across Ethereum, Arbitrum, Avalanche, Polygon, and Base.
  • Limit claim scope to minimum necessary attributes: Issue only the claims required for the access decision, such as age or residency, and avoid overloading the credential with reusable assertions that expand downstream exposure.

What's in the full analysis

Sumsub's full article covers the operational detail this post intentionally leaves for the source:

  • How the CCID credential is issued after wallet ownership is proven by message signing
  • Which initial chains and wallet environments are included in the Phase 1 rollout
  • How future phases may shift from retail users to asset issuers and third-party data authorisation
  • Why the partnership is positioned for permissioned access in regulated digital asset workflows

👉 Read SumSub's analysis of privacy-preserving KYC credentials across chains →




   
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 2799
 

Privacy-preserving KYC is becoming an identity governance layer, not a verification feature. The article shows that compliance is no longer just about checking a user once and moving on. When the same verified claim can be reused across wallets and chains, the real question becomes who governs that claim over time. Practitioners should stop treating on-chain KYC as a front-end control and start treating it as a lifecycle-controlled identity asset.

A few things that frame the scale:

  • 93% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: What should IAM teams ask before approving cross-chain identity use cases?

A: IAM teams should ask who issues the claim, where the credential is stored, how it is revoked, which protocols trust it, and how revalidation works when access moves to a new wallet or chain. If those answers are unclear, the use case is not ready for production governance.

👉 Read our full editorial: Privacy-preserving KYC credentials across chains raise new IAM questions



   