TL;DR: Enterprise identity sharing can move beyond screenshot-based verification with verifier-initiated sessions, explicit presenter consent, step-up before sensitive release, single-use tokens, and provenance-aware ID Card rendering, according to Scramble ID. Scramble ID's implementation guide for People Trust Checks defines these controls.
NHIMG editorial — based on content published by Scramble ID: People Trust Checks implementation guide
Questions worth separating out
Q: How should teams prevent oversharing in identity verification workflows?
A: Start by defining a minimum disclosure contract for each workflow and require the presenter to preview the exact fields before release.
Q: When does consent-based identity sharing become more secure than manual verification?
A: It becomes more secure when the workflow binds consent to a specific session, limits the attribute set to what is required, and prevents replay through single-use artifacts and expiry.
Q: What do security teams get wrong about identity provenance?
A: They often treat provenance as metadata instead of a control boundary.
Practitioner guidance
- Define the minimum identity disclosure contract: Specify the smallest acceptable field set for each workflow, then lock it in policy so verifiers cannot silently expand collection beyond need.
- Make consent and provenance non-optional: Require the preview screen to show exact fields, verifier cues, and verified versus self-asserted markers before any release is allowed.
- Enforce expiry and single-use semantics everywhere: Validate that every QR, code, and messaging link expires on schedule, is consumed once, and is rejected on replay or session mismatch.
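One way to check the first and third points in code, as an added example that is not taken from Scramble ID's guide or product: a share-token gate that refuses requests outside the workflow's disclosure contract and rejects expired, replayed, or wrong-session tokens. The class, workflow name, field names and result strings are all hypothetical.

```python
import hashlib, hmac, secrets, time

# Hypothetical per-workflow disclosure contracts (constructed sample policy).
CONTRACTS = {"helpdesk_reset": {"full_name", "employee_id"}}

class TrustCheckGate:
    """Issues and redeems single-use, session-bound, expiring share tokens."""

    def __init__(self, key: bytes, ttl: int = 120):
        self._key, self._ttl = key, ttl
        self._open = {}  # nonce -> (requested fields, expiry timestamp)

    def _mac(self, nonce: str, session_id: str) -> bytes:
        msg = f"{nonce}|{session_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest().encode()

    def issue(self, session_id, workflow, fields, now=None):
        now = time.time() if now is None else now
        extra = set(fields) - CONTRACTS[workflow]
        if extra:  # verifier asked for more than the contract allows
            raise ValueError(f"fields outside contract: {sorted(extra)}")
        nonce = secrets.token_urlsafe(16)
        self._open[nonce] = (frozenset(fields), now + self._ttl)
        return f"{nonce}.{self._mac(nonce, session_id).decode()}"

    def redeem(self, token, session_id, consented_fields, now=None):
        now = time.time() if now is None else now
        nonce, _, mac = token.partition(".")
        # The MAC binds the token to one session; a tampered token fails here too.
        # Checked before lookup so a wrong-session attempt does not burn the token.
        if not hmac.compare_digest(mac.encode(), self._mac(nonce, session_id)):
            return "reject:session_mismatch"
        record = self._open.pop(nonce, None)  # pop: consumed on first use
        if record is None:
            return "reject:replay_or_unknown"
        fields, expiry = record
        if now > expiry:
            return "reject:expired"
        # Release only the exact field set the presenter previewed and approved.
        if set(consented_fields) != fields:
            return "reject:consent_mismatch"
        return "release"
```

The in-memory dictionary stands in for whatever shared store a real deployment would use; the consume step has to be atomic there for the single-use guarantee to hold under concurrent redemption.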
What's in the full article
Scramble ID's full implementation guide covers the operational detail this post intentionally leaves for the source:
- The exact session start, join, and share flows needed to implement verifier-initiated trust checks without breaking consent.
- The YAML policy examples for enterprise defaults, workflow overrides, and mandatory field enforcement.
- The event schema and telemetry fields used to audit trust-check completion, timeout, denial, and abuse.
- The practical rollout playbook for choosing a first workflow and measuring completion rate over time.
👉 Read Scramble ID's implementation guide for People Trust Checks →
People Trust Checks: are your identity sharing controls ready?
Explore further
Consent-led identity sharing is now a governance problem, not a UX problem. People Trust Checks show that enterprises are starting to formalise how identity attributes are requested, reviewed, and released. That moves the control plane from a screenshot or manual call verification model into a policy-bound exchange where assurance depends on session integrity, consent quality, and attribute provenance. Practitioners should treat this as identity governance applied to person-to-person disclosure.
A few things that frame the scale:
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities.
A question worth separating out:
Q: Who should be accountable when a verification flow allows oversharing?
A: The accountability sits with the team that defined the workflow contract and the policy owner that allowed the release path. If the request can be broadened, replayed, or shared without step-up, the issue is governance failure rather than user error. That makes IAM, product, and security jointly responsible.
👉 Read our full editorial: People Trust Checks formalise consent-led identity sharing