A Digital Identity Digest

Heather explores how the AI vendor landscape reveals deeper challenges in fragmented identity systems and enterprise security architecture. By examining how tools function across identity, signals, policy, and enforcement layers, this episode reframes AI not as a feature but as part of a broader decision-making ecosystem. Understand why distributed decision systems create complexity, how probabilistic AI outputs impact governance, and what questions matter when evaluating identity and security tools. This episode highlights the risks of poor integration, the limits of automation, and the importance of designing systems that produce explainable, consistent access decisions.

Heather explores what to do after a conference talk is accepted, from reading the speaker agreement to planning travel, using the slide template, and choosing a clear presentation approach. She also explains why focus, rehearsal, and audience fit matter for a strong conference talk. This episode offers practical guidance for conference speakers on preparation, delivery, and event participation. It covers common mistakes to avoid, ways to reduce nerves, and how to make your presentation useful, polished, and easy for audiences to follow.

This episode explores age assurance on the internet, where digital identity, privacy, and policy collide. Heather explains why age verification, age estimation, and age assurance are not the same, and why platforms, regulators, and standards bodies are all converging on this complex problem. Discover how current approaches range from self-reported birth dates to cryptographic credentials and browser-level checks. The episode highlights the trade-offs between accuracy, data minimization, interoperability, and security, and why protecting minors online can reshape identity infrastructure across the web.

Heather Flanagan explores how AI agents are moving from browsing the web to buying on behalf of users, and what that shift means for online payments, identity, and digital trust. The episode examines mandates, delegated authority, liability, and the browser’s evolving role in agentic commerce. It also considers why identity standards, consent, and audit evidence matter as AI shopping becomes more common.

Heather Flanagan explores how AI-enabled browsers challenge the traditional definition of web user agents and what this means for digital identity, web architecture, and standards. As browsers evolve from passive tools to active agents, long-standing assumptions about user representation and control are being tested. This episode examines the implications for user safety, automation, and accountability across the web ecosystem. It highlights emerging questions around transparency, permissions, and governance, offering insight into how standards bodies and developers may need to adapt to ensure browsers continue to prioritize and protect user interests.

Heather Flanagan explores how AI browsers are reshaping the definition of a web user agent, challenging long-standing web architecture principles around user control, consent, and interaction. As AI-driven features evolve from assistance to autonomous action, the browser’s traditional intermediary role begins to shift in subtle but important ways. She examines key questions around delegation, accountability, and intent, including how browsers acting on behalf of users blur the line between human interaction and automation. This discussion highlights why emerging AI capabilities in web browsers demand early attention from digital identity, security, and standards communities.

Heather Flanagan explores the complex world of ISO and IEC standards and why these global organizations play a critical role in digital identity infrastructure. From national body participation models to the scale of international standardization, this episode examines how these institutions shape technology far beyond traditional open standards communities. Discover how structures like ISO/IEC JTC1, the PAS transposition process, and national standards bodies influence digital wallets, mobile credentials, and regulated identity systems. Heather explains why identity architects must understand both open standards and ISO/IEC governance as digital identity increasingly intersects with government policy and global interoperability.

Heather Flanagan explores why conference submissions succeed and why many proposals get rejected during call for proposals review. As a content chair, she shares what reviewers look for in an abstract, including clear outcomes, audience fit, and authentic voice over generic buzzwords. Get actionable guidance on using generative AI to polish—not replace—your ideas, plus tips for sharper titles and stronger structure. She also explains how to avoid vendor pitches, spell out acronyms, match format to scope, and use the space provided so your conference proposal stands out.

Heather Flanagan explores how digital identity wallets are shifting from experimental concepts into real infrastructure, as selective disclosure and zero knowledge proofs move from theory into production. Drawing on recent policy, payments, and wallet deployments, she frames the architectural decisions now facing teams building privacy-preserving identity systems. The episode examines where system complexity lives, how correlation risk emerges at scale, and why operational realities matter more than minimal pilots. It highlights trade-offs between credential models, cryptographic approaches, and long-term sustainability for regulators, enterprises, and ecosystem designers.

In this episode, Heather Flanagan examines what truly defines a successful standard in digital identity. While adoption is often treated as the primary measure of success, she explores why that metric alone fails to capture the complexity of standards development and ecosystem coordination. She unpacks the tension between implementation-first cultures and inclusive governance, highlighting how participation, interoperability, and competing implementations shape long-term outcomes. Ultimately, this discussion reframes success as a resilient process that enables credible disagreement and sustainable alignment across diverse stakeholders.

Heather Flanagan explores why the FIDO Alliance can feel difficult to follow from the outside, and why that silence is often misunderstood. This episode examines how FIDO’s approach to standards development differs from more open processes, and what that means for people working in digital identity, authentication, and passkeys. The discussion unpacks the meaning of open standards, member-driven governance, and the trade-offs between transparency and collaboration. By understanding FIDO working groups, special interest groups, and closed development models, practitioners can better interpret published specifications and anticipate how authentication standards evolve.

Heather Flanagan explores what it really takes to be an effective contributor in standards development and digital identity work. Moving beyond visible roles like working group chairs, the discussion centers on how specifications are actually shaped through collaboration, technical debate, and sustained participation. Discover how contributors add value as subject matter experts, implementers, and reviewers, and why skills like preparation, constructive disagreement, and process awareness matter. This episode explains how consensus works, why reliability outweighs brilliance, and how thoughtful contributions directly influence interoperable, implementable digital identity standards.

Heather Flanagan examines internet fragmentation through the lens of modern internet shutdowns. Using recent, well-documented cases, she explains how connectivity is selectively constrained and why shutdowns are no longer rare emergencies but predictable outcomes of network architecture and governance. Discover how these shutdowns directly impact digital identity systems, from federation failures to lost auditability. Learn why treating the network as neutral and always available is increasingly risky, and why architects, policymakers, and identity teams must rethink assumptions about global interoperability and resilience.

Discover how the OpenID Foundation’s Digital Credentials Protocols Working Group is shaping real-world digital credential issuance and presentation. Learn why standards decisions around interoperability, credential formats, and web-based flows matter for implementers, regulators, and identity architects navigating a complex digital identity ecosystem. Discover how pseudonymous authentication, assurance profiles like HAPE, and conformance testing influence deployments and regulatory alignment. Learn why following the work of the OpenID DCP Working Group offers insight into where digital identity standards are stabilizing, stalling, and reshaping systems.

Learn why the idea of an “AI system” is quietly breaking down under modern AI governance and deployment realities. Heather Flanagan examines how agentic workflows, standards debates, and policy frameworks are exposing gaps between governance language and real-world AI architectures. Discover how this disconnect affects digital identity, accountability, and interoperability, and why unclear definitions create governance risk. Learn why engineers, standards bodies, and policymakers are struggling to align, and why fixing AI language is essential to building enforceable, trustworthy identity and governance frameworks.

In this episode, Heather Flanagan offers a practical field guide to digital identity standards, explaining how organizations like the OpenID Foundation, W3C, IETF, and FIDO Alliance shape specifications, drafts, and published standards through very different processes and cultures. Discover how to interpret standards maturity, understand what a draft really means, and evaluate where work sits in the standards development lifecycle, helping implementers, architects, and policy professionals better assess risk, readiness, interoperability, and real-world impact across the digital identity ecosystem.

Heather Flanagan reflects on Gartner IAM and what it reveals about digital identity decision-making, identity access management priorities, and enterprise buying behavior. The conversation explores how process, not product, often drives outcomes in real-world IAM programs. Learn why overlooked process maturity, invisible identity standards, and interoperability gaps matter, and discover how AI hype distorts expectations across IAM platforms. This episode connects operations, standards, and incentives, offering practical insight for architects, security leaders, and teams navigating sustainable digital identity strategies.

In this episode, Heather Flanagan looks back at the most read Digital Identity Digest posts of 2025, exploring what resonated across digital identity, governance, credentials, and AI. The recap reveals patterns behind shifting priorities, recurring debates, and the questions shaping standards work and system design. Discover how topics like agentic AI and authentication, delegation, decentralization, interoperability, and credential terminology signal where identity architecture is headed. The episode explains why governance matters more than technology alone and why clear language and standards alignment are critical for resilient, trustworthy digital identity systems.

In this episode Heather Flanagan examines how web payments and digital identity are converging at the W3C, exploring digital wallets, browser-based APIs, and regulatory pressure shaping modern payment flows and trust on the web today as standards discussions reveal shifting assumptions across ecosystems. Discover how Secure Payment Confirmation, passkeys, browser-bound keys, and the Digital Credentials API influence fraud prevention, interoperability, and auditability, and why agentic AI, mandate-based consent, and wallet fragmentation make identity design decisions increasingly critical for payments, institutions, and users worldwide.

In this episode of The Digital Identity Digest, Heather Flanagan explores how two emerging browser APIs—FedCM and the Digital Credentials API—are reshaping the identity layer of the web. Learn why browsers are shifting from passive intermediaries to active participants as privacy reforms and regulatory pressure accelerate. Discover how these APIs differ in governance, user experience, and architectural philosophy, and why their proximity raises questions about future convergence. In this episode, explore what this evolution means for federated login, verifiable credentials, wallet ecosystems, and the broader digital identity landscape.

In this episode, discover how today’s rapidly shifting digital identity landscape is bringing new practitioners into the field and challenging long-held assumptions about IAM, trust frameworks, and governance. Learn why even foundational concepts can feel unexpectedly complex as identity becomes integral to products, security, and global compliance. In this episode, discover how community expertise, evolving standards, and differing approaches to risk shape modern digital identity work. Learn why embracing collaboration, asking better questions, and thinking both locally and globally helps practitioners build resilient, future-ready identity systems that can adapt to constant change.

This episode explores what the “open web” truly means amid shifting standards, AI automation, and evolving economic pressures. Drawing on discussions from IETF 124 and W3C TPAC, it highlights how browser architects, policy experts, and researchers are reexamining long-held assumptions about access, interoperability, and the role of automated agents. Learn why openness isn’t a binary state but a multidimensional spectrum shaped by values such as attribution, consent, and continuity. The conversation offers a grounded look at how technical governance and community norms must adapt to keep the web both usable and sustainable.

Digital identity wallets are becoming a central focus in global identity conversations, driven by regulatory pressure, rapid technical evolution, and growing expectations around interoperability. This episode examines how layered architectures, protocol choices, and platform behaviors shape the user experience in ways that are often misunderstood. Listeners will learn why the Digital Credentials API (DCAPI) is frequently blamed for issues it cannot control, how differing operating system and browser implementations create fragmentation, and why meaningful governance and clear technical boundaries are essential for secure, privacy-respecting digital identity ecosystems.

This episode explores the regulator’s dilemma at the heart of digital infrastructure, where accountability, compliance, and governance reshape the systems they aim to protect. Heather Flanagan examines how modern identity, critical infrastructure, and risk management challenges emerge as digital environments outgrow traditional oversight models. Listeners will learn why compliance-era controls no longer match today’s API-driven reality, how sovereignty contributes to Internet fragmentation, and why resilience now depends on coordination and shared accountability. The discussion offers a clear, thoughtful perspective on evolving digital identity governance.

When every digital system is labeled as critical infrastructure, do we actually make the Internet safer—or just more fragile? In this episode of The Digital Identity Digest, Heather Flanagan examines the growing tension between protection, control, and interdependence in our global digital ecosystem. Through examples from the U.S. and EU, Heather explores how expanding definitions of “critical” can blur accountability, create policy confusion, and undermine true cyber resilience. Listeners will learn why meaningful protection requires prioritization, coordination, and a more selective approach to digital infrastructure security.

When AWS went down, payments failed and digital life froze — exposing how fragile our cloud-based world really is. In this episode of Digital Identity Digest, Heather Flanagan explores why AWS, Stripe, Twilio, and Okta have become the new critical infrastructure of global commerce. Discover how invisible digital dependencies shape resilience, why uptime isn’t true stability, and what “too big to fail” means in the age of APIs. Essential listening for anyone in digital identity, cloud computing, cybersecurity, or tech policy.

For decades, standards development has been anchored in the idea that the Internet is (and should be) one global network. If we could just get everyone in the room—vendors, governments, engineers, and civil society—we could hash out common rules that worked for all.

I've been having an intellectually fascinating time diving into Internet fragmentation and how it is shaped by supply chains more than protocols. There’s another bottleneck ahead, though, one that’s even harder to reroute: people. Innovation doesn’t happen in a vacuum. It requires human talent that builds systems and sets standards.

I had one of those chance airplane conversations recently—the kind that sticks in your mind longer than the flight itself. My seatmate was reading a book about artificial intelligence, and at one point they described the idea of an “infinitely growing AI.” I couldn’t help but giggle a bit.

Many people reading this post grew up believing and expecting in a single, borderless Internet: a vast network of networks that let us talk, share, and build without arbitrary walls. I like that model, probably because I am a globalist, but I don't think that's where the world is heading.

When not distracted by AI (which, you have to admit, is very distracting) I’ve been thinking a lot about delegation in digital identity. We have the tools that allow administrators or individuals grant specific permissions to applications and service.  In theory, it’s a clean model.

With the right motivation, even I will write a blog post on a dare. And the dare I got was to write a post about what librarians and pirate captains have in common, and why it matters for standards development. (If you can’t have fun when writing, what’s the point?)

Google recently gave us something we’ve been waiting on for years: hard numbers on how much energy an AI prompt uses. According to their report, the median Gemini prompt consumes just 0.24 watt-hours of electricity — roughly running a microwave for a second — along with some drops of water for cooling.

We’ve been talking about identity and access for people for decades (millennia if you think outside tech). Policies, role assignments, reviews, zero trust — these are familiar tools. The assumptions that go into them, however, don't quite work when the "user" is no longer a person." Enter in the AI Agent.

We don’t spend much time thinking about the roads we drive on—until one cracks, collapses, or dumps us somewhere we didn’t mean to be. Identity in the age of agentic AI? Same deal. It’s infrastructure. Like a good road, it needs to be ready for traffic we can’t imagine.

Let’s start with a confession: I love bots. Or at least, I love the idea of them. They’re efficient, tireless, and, if designed well, can be downright helpful. (They can also be downright unhelpful, but that's a topic for a different blog post.) But the incentives around bot traffic are completely out of balance, and that makes things messy.

This one’s for everyone who’s ever said, "I’m not technical enough to participate in standards development." If you’ve wondered what working group chair skills actually matter, I have news for you: you don’t need to be a spec-writing wizard to be effective. I do get it, though.

If you want to follow what's happening in AI, it helps to know where the conversations are happening. That doesn't just mean the headlines and white papers; it means the standards bodies, working groups, and protocol discussions shaping the infrastructure AI systems will have to live with (and live inside).

Disinformation. Misinformation. Malinformation. These terms get used interchangeably, but they’re not the same thing. That distinction matters when designing resilient infrastructure that supports trust. Most of our efforts to address these problems focus on content, activities like fact-checking, moderation, and takedown requests.

I went to Geneva to understand what, if anything, people were saying regarding digital identity and standards in a governance-focused forum. My brain is now full. I adore the topic of identity and the standards development process; everything from the brilliant minds, the challenges, and the intense edge cases.

Much like "the cloud" or "the superhighway", the metaphor of a "wallet" has become convenient shorthand for a tangle of technical, policy, and usability decisions. As we keep building out digital identity ecosystems with verifiable credentials, identity wallets, and cross-jurisdictional trust models, I ask: is the metaphor still helping us?

What do you think of when someone says "digital identity"? Biometrics? Login credentials? A string of JSON data? Your social media account? The answer probably depends on where you are, how old you are, and/or how tech-savvy you are.

There’s been renewed attention lately on mobile driver’s licenses (mDLs) and the ISO/IEC specification that defines them. One of the more surprising aspects of the specification is that it allows the entity verifying a credential to contact the issuer directly in real time, a capability known as "phone home."

Resilience is on my list of the top ten buzzwords of the year. Whether we’re looking at geopolitical turmoil, AI disruption, or yet another IdP outage, it’s clear that the infrastructure we’ve relied on for decades is straining under new (and not-so-new) pressures.

Once upon a time, digital systems were built around a beautifully simple idea: one user, one identity, one device, one intent. That model worked, for some value of "worked." Mostly, it was good enough to solve 80% of the use cases.

Since I wrote last week about MCP and the need for a more structured standards development process, this week I feel like diving into what it means to build an open standard. Unfortunately, "open standard" is a term that often gets thrown around and means entirely too many different things.

MCP is 'an open protocol that standardizes how applications provide context to LLMs.' If we’re moving toward a world where AIs are expected to do All The Things, interfacing with our applications and services, then having a universal adapter that lets AIs talk to everything is undeniably powerful.

Most digital systems were built around a simple model: one user, one identity, one device, one intent. If you need more than that, that's what password sharing is for, right? (Note: that was sarcasm.) Who needs delegation? Reality, which has definitely included sharing passwords, has always been messier.

The tech is ready for decentralization. The governance is not. This is the final post in a four-part series exploring decentralization not as a buzzword, but as a series of hard tradeoffs that digital infrastructure teams, architects, and strategy leads must navigate.

What if centralized dominance is just what success looks like in our current system? Today, I want to take a step back and ask: Why is it so hard to justify decentralization in the first place? What are we really rewarding when we call a system “successful”?