From Pilots to Mandates – Digital ID Becomes Infrastructure


On September 25, the UK government confirmed that by 2029, every employer will be required to use a digital ID system for Right-to-Work checks. The rollout will happen via the GOV.UK Wallet and One Login initiative. While ministers framed it as modernization, the public reaction was immediate and sharp: petitions, press criticism, and a familiar debate about privacy, exclusion, and state overreach.

At the same time, the private sector moved in the opposite direction, leaning in. Mastercard invested in Smile ID to expand identity verification across African markets, while MOSIP deployed on AWS to scale its open-source identity stack for governments. In the enterprise space, Microsoft Entra’s Phase 2 MFA mandate will force service accounts and automation tools into stronger authentication.

Each of these shifts points to the same conclusion: digital identity has crossed from pilot projects and voluntary adoption into policy mandates, regulatory deadlines, and enterprise defaults. This is past the experimentation phase. It’s infrastructure being built.

From Experiments to Requirements

For years, digital identity programs carried the “pilot” label. Governments ran trials, banks layered KYC with biometrics, and technology providers experimented with wallets. But few deployments had binding requirements or hard deadlines.

This week changes that narrative. The UK’s 2029 deadline is now a legal horizon that 5.5 million British businesses cannot ignore. The question is moving from whether digital ID will happen to how it will be trusted and implemented. Public resistance creates a compliance challenge. Only vendors who can demonstrate privacy-by-design at the product level will survive procurement. This filters the field and raises switching costs dramatically.

In parallel, the enterprise sector is hardening. Microsoft’s move to enforce mandatory MFA for service accounts marks the end of treating non-human identities as second-class citizens. This closes a weak link in enterprise identity: automation credentials that live forever, get shared across teams, and rarely rotate. Attackers already exploit this gap systematically. Microsoft just made ignoring it non-compliant. For global enterprises managing tens of thousands of service accounts, this cascades into new identity inventories, rotation policies, and audit demands.

The Capital Signal

Markets are not standing still.

Mastercard’s Smile ID investment underscores how fintech players view identity as the growth lever for financial inclusion and payments in emerging markets. Across Africa, an estimated 350+ million adults lack formal identification, each one a potential banking customer. Scale identity verification correctly, and you enable millions of transactions that were previously impossible.

MOSIP on AWS provides governments a ready-made, cloud-native infrastructure to roll out national identity at scale. This is the infrastructure play: open-source identity frameworks gaining enterprise-grade backing from hyperscalers. For investors, this signals a maturing vendor ecosystem where governments can deploy at speed without building from scratch.

Compliance spend is locked in. California finalized rules for automated decision-making, risk assessments, and cybersecurity audits, while China imposed new incident-reporting windows. Each regulation raises the bar for verifiable credentials and continuous evidence. The era of “we’ll document that later” is over.

Together, these moves validate digital identity as a market with committed, non-optional buyers: governments under legal mandate, employers facing deadlines, financial institutions expanding addressable markets, and cloud platforms selling infrastructure.

Ecosystem Impact

For enterprises:
The shift is operational and immediate. Digital identity requirements will force companies to adopt device-bound credentials, revocation capabilities, and continuous verification for both human and machine accounts. Identity audits will become routine. Companies without unified identity governance will face material risk in regulatory exams.

For consumers:
The exposure is cultural and political. In the UK, backlash centers on privacy and exclusion: what happens to those without smartphones, digital literacy, or reliable broadband? Providers that design for offline enrollment, assisted access, and zero-knowledge proofs will hold an advantage in public trust and therefore market access. The government may mandate identity, but citizens will punish implementations that feel surveillance-first.

For vendors:
Expect procurement requirements to evolve rapidly. Buyers and regulators will demand proof of native revocation capabilities, short-lived tokens, and data sovereignty controls. Vendors without these features will get filtered at RFP stage—identity is too mission-critical for post-sale customization. Those that treat privacy infrastructure as core product architecture will onboard faster and retain contracts longer. Those relying on consent pages and lengthy privacy disclaimers risk elimination before technical evaluation even begins.

The Interoperability Question

A critical uncertainty remains: are these systems converging or fragmenting? The UK wallet, MOSIP implementations, Microsoft Entra, and enterprise IAM platforms don’t yet share universal standards. However, the EU Digital Identity Wallet framework and OpenID4VC (Verifiable Credentials) suggest movement toward interoperability. For investors, this creates two plays: standards-aligned platforms that will benefit from network effects, and translation-layer vendors that bridge proprietary systems. Both have merit; fragmentation creates consulting revenue, but convergence creates platform value.

The Bottom Line

Digital identity is moving from pilot to infrastructure. The winners will be those who:

Make privacy visible and verifiable. Zero-knowledge proofs, selective disclosure, and revocation UX must be simple enough to explain to both regulators and citizens. Privacy cannot be a whitepaper promise; it must be architecturally demonstrable.

Bind credentials to devices. Wallet-based IDs with hardware-backed keys anchor the system against phishing, credential replay, and account takeover. Software-only approaches will increasingly fail compliance reviews.

Include everyone by design. Offline and assisted enrollment modes will decide adoption curves and political viability. A mandatory ID system that excludes 10% of the population will face lawsuits, protests, and legislative rollback.

Treat non-human identities as first-class assets. Service accounts, bots, and APIs must be covered by MFA, inventoried, and monitored as rigorously as user accounts. The era of immortal API keys is ending.

For investors, this creates a tangible category: verifiable credential platforms, non-human identity management, compliance automation providers, and privacy-preserving ID infrastructure are now part of a mandated market, not an optional one. The TAM is being written into law.