Identity Belongs to the Individual, Not the State
At the core of Utah’s approach is a clear position on control: Identity exists independent of government, and individuals — not agencies — must ultimately control it, Bramwell said.
“Whoever controls the key controls the identity,” he told attendees, arguing that digital identity systems must be designed so individuals retain control of cryptographic keys while the state provides endorsement and protection.
Bramwell cautioned against identity models that allow governments or third parties to revoke identity outright, particularly when identity is tightly coupled to licenses or privileges. Even individuals who lose certain rights, he said, still retain identity — a distinction he described as fundamental to American values and constitutional norms.
He also warned against centralized national identity systems, citing both political resistance and cybersecurity risk. A single point of failure, Bramwell said, could undermine public trust if compromised at scale, particularly during sensitive events such as elections. States, he argued, are better positioned to anchor identity systems while coordinating through shared frameworks.
The Utah model also preserves anonymity and pseudonymity, which Bramwell described as essential to free expression and civic discourse. He criticized proposals that would require full identity disclosure to access online platforms, calling them incompatible with historical American principles.
READ MORE: States must appoint data privacy officers.
Data Governance as the Foundation for Digital Identity
Bramwell placed digital identity within a broader effort to modernize government data practices, arguing that identity cannot function properly without strong data governance. He said most government entities lack clear rules for data disposal, defined purposes for data use and consistent processes for notifying individuals when those purposes change.
Those gaps, he said, stem from decades of technology modernization that failed to translate traditional records management laws into technical requirements. The result is mounting public distrust and growing operational risk as governments move toward automation and artificial intelligence-driven decision-making.
Utah’s strategy addresses those challenges through three pillars: comprehensive data governance, verifiability and automation. The first pillar establishes a clear legal basis for data use, retention limits and modern data schemas capable of supporting immutable public records and verifiable credentials. Utah is currently the only state with a comprehensive government data privacy law that applies to every public entity statewide, Bramwell said.
The second pillar focuses on verifiable, accurate data and reliable identity proofing; prerequisites, Bramwell said, for responsible automation. Only after those foundations are in place can governments safely deploy AI systems with appropriate human oversight, appeal mechanisms and bias protections.
DIVE DEEPER: Here’s a guide to AI governance for state and local agencies.
Open Standards, Right to Paper and a Multistate Path Forward
SEDI is being designed to support multiple credential formats, including both long-lived credentials for life events such as property ownership and education, and more ephemeral credentials for short-term interactions. Bramwell emphasized that open standards and open protocols are central to the framework, allowing any individual to understand how their identity functions.
He also stressed the importance of preserving a “right to paper,” warning that citizens should not be forced into a fully digital existence. Physical documents, he said, must remain available and strengthened alongside digital systems to maintain public trust and accessibility.
By grounding digital identity in law, transparency and shared values rather than technology alone, Bramwell said Utah hopes to provide a replicable model for other states.
