Digital identity wallets and verifiable credentials: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Digital identity wallets are making verified identity data portable, so banks, employers, universities, and other issuers can reuse proof beyond the original onboarding event, according to Curity. That shift matters because authorization still has to turn trusted claims into context-aware access decisions at runtime, especially for people, apps, and AI agents.

NHIMG editorial — based on content published by Curity: Digital identity wallets and runtime authorization decisions

By the numbers:

Questions worth separating out

Q: How should security teams use digital identity wallets without weakening access control?

A: Treat wallet-presented credentials as trusted evidence, not as automatic authorization.

Q: Why do digital identity wallets matter for IAM programmes?

A: They make verified identity data portable, which means identity proof can be reused outside the original issuer.

Q: What should teams do when a valid credential is not enough for the action being requested?

A: Use step-up evidence at the transaction boundary.

Practitioner guidance

  • Separate verification from authorization: Design wallet acceptance so the verifier checks credential authenticity and issuer trust first, then passes only validated claims into the authorization engine for context-based decisions.
  • Define transaction-level evidence thresholds: Map sensitive actions to the extra evidence they require, such as proof-of-possession or a wallet presentation, instead of using a single assurance level for every request.
  • Review delegated authority paths: Trace where humans, apps, and AI agents can reuse the same claim across workflows, then identify where the authority boundary should be rechecked before the action completes.

What's in the full article

Curity's full article covers the operational detail this post intentionally leaves for the source:

  • How wallet-based credential presentation changes trust flows between issuers, verifiers, and authorization servers.
  • Where verifiable credentials fit in OAuth-style runtime decision paths for people, apps, and AI agents.
  • How just-in-time authorization uses stronger evidence only when transaction risk increases.
  • Why portable identity becomes more relevant as organizations reuse verified claims across multiple contexts.

👉 Read Curity's analysis of digital identity wallets and runtime authorization →
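
The practitioner guidance above, as an added Python sketch that is not part of the original post or Curity's article: a verifier stage that only establishes authenticity and issuer trust, followed by a separate authorization stage that applies per-action evidence thresholds and answers with a step-up request when evidence is missing. The issuer identifier, policy table, evidence names, and the `delegation_recheck` rule for agents are assumptions made for illustration, and an HMAC stands in for the issuer's real signature scheme so the example runs offline.

```python
import hashlib
import hmac

# Constructed issuer registry. HMAC with a shared key stands in for the
# issuer's real signature scheme so the example runs offline.
TRUSTED_ISSUERS = {"did:example:bank": b"constructed-demo-key"}

# Hypothetical policy: evidence each action needs beyond a valid credential.
REQUIRED_EVIDENCE = {
    "view_balance": set(),
    "wire_transfer": {"proof_of_possession", "wallet_presentation"},
}


def sign(issuer, claims):
    """Issuer-side helper, used only to build the constructed sample credential."""
    payload = repr(sorted(claims.items())).encode()
    return hmac.new(TRUSTED_ISSUERS[issuer], payload, hashlib.sha256).hexdigest()


def verify(credential):
    """Stage 1: authenticity and issuer trust only. Returns validated claims or None."""
    key = TRUSTED_ISSUERS.get(credential.get("issuer"))
    if key is None:
        return None  # unknown issuer: nothing reaches the policy engine
    payload = repr(sorted(credential["claims"].items())).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential.get("signature", "")):
        return None  # claims were altered after issuance
    return dict(credential["claims"])


def authorize(claims, action, evidence, actor="human"):
    """Stage 2: context-based decision over validated claims."""
    if claims is None or action not in REQUIRED_EVIDENCE:
        return "deny"
    if action not in claims.get("allowed_actions", []):
        return "deny"
    required = set(REQUIRED_EVIDENCE[action])
    if actor == "agent" and required:
        required.add("delegation_recheck")  # recheck the authority boundary for delegates
    missing = required - set(evidence)
    return "permit" if not missing else "step_up:" + ",".join(sorted(missing))


# Constructed sample credential.
CLAIMS = {"subject": "alice", "allowed_actions": ["view_balance", "wire_transfer"]}
CREDENTIAL = {"issuer": "did:example:bank", "claims": CLAIMS,
              "signature": sign("did:example:bank", CLAIMS)}
```

A valid credential alone yields `permit` only for the low-risk action; the sensitive action returns a `step_up:` result naming the evidence still missing.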

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Portable proof creates a governance gap whenever teams confuse verification with authorization. Wallets make verified claims easier to carry, but the governance problem shifts to deciding when a claim is strong enough for a specific action. That matters across human, NHI, and agentic workflows because the same credential can support very different authority decisions. The practitioner conclusion is simple: portable identity only works when the access decision remains separate from the proof.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Lifecycle Processes for Managing NHIs becomes more relevant when portable credentials must still be provisioned, reviewed, and revoked with precision.

A question worth separating out:

Q: Who is accountable when portable identity proof is accepted too broadly?

A: The organisation operating the authorization decision is accountable, because the failure is usually in policy design rather than in credential format. Teams should document which claims are accepted, which actions they cover, and where extra evidence is mandatory.

👉 Read our full editorial: Digital identity wallets make verified proof portable for runtime access