Kia ora
May has been a busy one for the Digital Identity New Zealand community – some useful global learnings, real momentum locally, and a few shifts in the broader system settings worth noting.
This month I’m just back from a trip across India and Utah, and the throughline was sharper than I expected: the conversation everywhere has moved from proving who you are to proving what’s true about credentials, objects, supply chains, and increasingly the actions of AI agents. The infrastructure question underneath it is no longer abstract. It’s being decided now, in real systems, by whoever moves first.
Locally, we’ve welcomed a new Council member, opened registrations for the Hui Taumata, and seen genuine member progress worth celebrating. There’s also a meaningful change in the machinery of digital government to flag.
Digital identity has a cold start problem, and it’s worth naming plainly.
In New Zealand we’re building a voluntary ecosystem – no mandate, no big-bang switchover. That means everyone waits: issuers wait for relying parties, relying parties wait for useful credentials, and consumers wait for both. Working groups help, but demand is what moves the system.
That’s why DINZ is putting weight behind our Trusted Credential Adoption (TCA) Group: getting real relying parties ready to accept credentials, so issuance turns into real-world utility.
The good news is the ground is starting to shift. This month brought genuine regulatory modernisation – the kind that turns “someday” credentials into “this year” ones.
System settings: where the rails are being laid
On 13 May, the bill enabling digital driver licences passed its third reading – making a digital licence an optional alternative to the plastic card, alongside digital warrants of fitness and registration. Together with alcohol licensing reform, two of the most common “prove it” moments (driving and buying alcohol) are moving into scope for verifiable credentials.
But issuance is only half the job. The unlock is acceptance capability at scale – banks and large verifiers building this into production systems, not endless pilots.
Trust lifecycle is where it gets real: proving a credential came from an accredited issuer and is still valid. NZ’s emerging approach relies on PKI – a VICAL (verified issuer certificate authority list), signed and published so verifiers can check provenance.
We also advocated for digital public infrastructure investment over buying back legacy assets→.
Finally, a sovereignty flag worth raising: as agencies move to issue credentials, we should resist defaulting to offshore trust roots and registries. The Digital Identity Services Trust Framework (DISTF) exists so we can build NZ-grounded trust infrastructure with Te Tiriti as a design principle – and we should reach for it first.
DINZ Update
Welcome Andrew Dodd
We’re pleased to welcome Andrew Dodd to the DINZ Executive Council. Andrew brings strong leadership and practical experience driving industry collaboration in the banking sector, exactly the kind of capability that helps accelerate responsible digital identity adoption.
Andrew will be joining monthly Council meetings and contributing through the Trusted Credential Adoption Group. Welcome aboard, Andrew.
India + Utah: trip highlights and outtakes
India highlights
- Digital Public Infrastructure (DPI) is a political project, not a technical one. The hardest parts aren’t standards choices; they’re governance, grievance pathways, and who ultimately controls the rails. For NZ, that sharpens the focus on how Te Tiriti is embedded in governance from the start.
- Consent infrastructure is the most transferable lesson. India’s Account Aggregator model treats consent as a first-class, auditable, revocable object highly relevant to NZ’s Consumer Data Right and to Māori data sovereignty design.
- India is positioning DPI as soft power. Conversations with Observer Research Foundation (ORF) reinforced that DPI is now an export narrative as much as a domestic capability creating both partnership opportunities and a need for NZ to engage on our own terms.
- The operating model matters more than the code. India’s success has been driven by regulated interoperability and a public-infrastructure/private-innovation split. The cautionary tales such as exclusion, last-mile failures are largely governance and delivery issues, not technology ones.
Why it matters for NZ: India is the only jurisdiction to build DPI at population scale, and the US is now reading those lessons in real time. NZ can add value by translating what’s transferable into a Te Tiriti-based setting, and leaving behind what isn’t.
Compare and contrast: NZ and Utah
The two jurisdictions are arriving at the same destination from opposite directions, and that’s what makes the comparison useful.
New Zealand has built top-down: a legislated trust framework (the DISTF), a regulator-recognised path from issuer to verifier to wallet, and Te Tiriti embedded as a design principle rather than a later consultation. The architecture exists; the adoption curve is the work ahead.
Utah has built bottom-up: state-led legislation establishing first-person control over identity data as a default, with the momentum now spreading across multiple states. The political will and the consumer and fiduciary duty of care framing are well advanced; the interoperable architecture is still being assembled.
The instructive part is the overlap. Both are betting that legitimacy: clear legal grounding, recognisable governance, public-interest framing is the scarce asset in this next layer, not the technology, which is increasingly commoditised.
Where NZ has framework-first and Utah has movement-first, the jurisdictions that combine both will set the reference standard others adopt.
Utah highlights
At the SEDI Summit in Utah, the signal was clear: the internet’s missing “identity layer” has become the opening for industrial-scale fraud, synthetic identities and deepfakes, and the global response is accelerating. The SEDI movement has moved beyond a single state experiment to more than 12 states actively engaged, positioning “state-led legitimacy” as the emerging US path.
Three trust models, one direction of travel
Across the trip, three distinct models for establishing trust came into focus and notably, they’re converging rather than competing:
- Framework-led (NZ/DISTF): Trust flows from a legislated, multi-stakeholder framework with accreditation and conformance. Top-down legitimacy, regulator-anchored.
- State-led (US/SEDI): Trust flows from sub-national legislation establishing first-person primacy, scaling state by state. Bottom-up legitimacy, momentum-driven.
- Infrastructure-led (India/DPI): Trust flows from open, regulated public rails – identity, payments, and commerce designed to interoperate. Adoption-led legitimacy, scale-driven.
The common thread: each is an attempt to put neutral, accountable governance underneath identity before a platform or a single state writes the default for everyone.
Outtakes
One of the strongest through-lines across the programme: the centre of gravity is shifting from “prove who you are” to “prove what’s true about anything” credentials, objects, supply chains, and AI outputs. Verifiable provenance is emerging as the next DPI layer.
And a line that stuck from the technical floor: “OAuth’s threat-model doc is now ~100 pages. That’s a casualty list, not a security framework.” The momentum toward self-certifying identifiers (e.g. KERI) is growing fast.
Digital Trust Hui Taumata 2026 — Super Saver tickets end 31 May
Tickets are now live for the Digital Trust Hui Taumata 2026 – Towards Universal Trust – Aotearoa’s flagship gathering for digital identity, trust technology, and the governance frameworks that underpin them.
This year opens with a joint keynote from Drummond Reed and Dr Karaitiana Taiuru bringing global trust architecture together with tikanga-informed digital governance and Māori data sovereignty followed by practical sessions focused on real-world adoption and interoperability.
Super Saver tickets are on sale now (until 31 May), including a Member Launch Special for DINZ and Tech New Zealand community members.
Learn more + register here→
Member News
Air New Zealand digital ID pilot
Congratulations to the Air New Zealand team on a successful digital ID pilot – exactly the kind of practical, real-world progress that builds confidence, especially when designed around privacy, security, and customer control.
It’s also encouraging to see learnings being shared with IATA as the work looks toward broader trials across more ports. Read the announcement→.
Lumin: new data on identity fraud
DINZ member Lumin (and Platinum sponsor of Digital Trust Hui Taumata 2026) has released new survey findings on identity fraud across the US, Australia and New Zealand. Among 1,000 business decision-makers surveyed, 56% experienced identity fraud in the last 12 months, 94% believe agreement workflows are vulnerable to AI-powered fraud, and 51% say eSignature security needs improvement.
Lumin’s Expert Insights roundtable series (with leaders from Lumin, Air New Zealand, MBIE, and MATTR) unpacks what this means in practice. Explore + download the report→.
Welcome new member: Attain Insight
A warm welcome to new member Attain Insight, a leader in identity resolution, biometric search, analytics, data security and location intelligence. Their solutions help clients make smarter, data-driven decisions while meeting compliance requirements – a strong addition to the DINZ community.
Industry News
Digital government update – GDDA established (from 1 April 2026)
From 1 April 2026, the Government Chief Digital Office (GCDO) functions moved into the Public Service Commission as the new Government Digital Delivery Agency (GDDA).
GDDA brings together system leadership, delivery support, and capability functions to strengthen digital public services – a meaningful shift toward more coordinated digital delivery across government. Read the announcement→.
I enjoyed speaking at the GovTech Aotearoa 2026 summit in Wellington last week. Thank you for the warm response from leading lights in our Public Service. You can read my musings here→.
Ngā mihi nui,
Andy Higgs
Executive Director,
Digital Identity New Zealand
Read full newsletter here: Yeah Nah: The Ultimate Cold Start Problem | May Newsletter