"Everything should be made as simple as possible, but not simpler."

Albert Einstein, Physicist"(1879–1955) 

Pillar I – Identity Foundation – Part 3 of 3:

By Stephan Wolf, Chair of the Board of Trustees at Verifiable.Trade Foundation

March 2026

Consider what happens when an AI procurement agent, operating autonomously on behalf of a multinational, places a multimillion dollar order with a supplier. The transaction appears valid because the supplier’s credentials can still be authenticated and the company identity matches across systems. But the individual whose delegated authority was used to approve the transaction left the organization weeks earlier, and the authorization was never revoked across the connected platforms.

The AI agent has no practical way to recognize this discrepancy. From its perspective, the identity is valid, the credentials are technically correct, and the workflow conditions have been satisfied. The transaction proceeds automatically at machine speed across procurement, logistics, financing, and payment systems. The problem only becomes visible once the goods are shipped, the invoice is disputed, or liability questions arise.

This is the difference between identifying an entity and verifying authority in real time. In an AI driven trade environment, that distinction becomes operationally critical.

In our previous blogs, we explored the foundations of identification, authentication, and authorization. We now turn to a deeper and often overlooked challenge: category errors about identity and why they continue to undermine digital trade, interoperability, and trust across systems.

The Structural Limits of Today’s Digital Trade Architecture

Digital trade has seen no shortage of innovation. Platforms have been built, standards have been defined, and large investments have been made into digitizing documents, workflows, and integrations. Yet despite this progress, the fundamental problem remains. Systems still struggle to interoperate. Data still needs to be reconciled. Trust in counterparty information still needs to be re-established in every new interaction. This was an accepted cost of doing business. It is becoming an unacceptable risk.

The reason is not a lack of technology. Bilateral interfaces and APIs are widely available. Data standards exist for almost every trade-related document. Extensive libraries of message types have been developed for every trade related business interaction. In principle, system A can communicate with system B whenever software vendors support the connection or when a dedicated interface is developed.

In practice, however, this is often not a viable path. Custom integrations take time. They are costly to build and maintain. In many cases, the expected business value of a specific relationship does not justify the investment. Even when the business case exists, organizations frequently face constraints in skilled resources and implementation capacity. As a result, integration does not scale. It remains selective, slow, and fragmented.

The fallback is familiar. Paper documents, PDFs, emails, and manual reconciliation continue to dominate large parts of global trade. Not because better technology does not exist, but because the effort required to connect systems repeatedly for each new interaction remains too high.

This stands in contrast to earlier industrial thinking. In Total Quality Management, supplier relationships were treated as a strategic asset. Companies like Toyota followed for decades the principle of working with a limited number of partners over long periods of time. Stability enabled deep integration, continuous improvement, and mutual trust.

Today, this model no longer holds across many areas of global trade. Supply chains are increasingly shaped by geopolitical tensions, tariffs, regulatory shifts, and crisis-driven reconfiguration. Companies must onboard new partners quickly, switch suppliers when needed, respond with agility to unexpected disruptions, and operate seamlessly across an ever-evolving network of relationships.

At the same time, this environment creates a barrier for innovation. New technologies struggle to gain adoption not because they lack value, but because they are difficult to integrate into existing ecosystems. Many modern approaches, including blockchain-based solutions, require significant changes to current systems and processes and often introduce new layers of intermediaries. Unless entire industries transition in a coordinated way, adoption remains limited.

The attempts to introduce electronic Bills of Lading (eB/L) illustrates this challenge. There is broad agreement among market participants that by 2030 a large share of paper-based processes will be replaced by electronic equivalents. Yet this progress primarily affects a relatively small group of actors within specific segments of the trade ecosystem.

It does not address the broader structural issue. Global trade involves tens of millions of businesses that need to connect, interact, and trust each other across systems, jurisdictions, and contexts. A study by the International Chamber of Commerce Digital Standards Initiative highlights the scale of this challenge, pointing to an ecosystem of approximately 160 million businesses worldwide[1].

The core problem is therefore not the digitization of individual documents or workflows. It is the ability to establish scalable, flexible, and trustworthy connections across a vast and constantly changing network of participants. This requires a level of agility that traditional integration models cannot support.

The Structural Misunderstanding of Identity

This is the visible symptom of a deeper structural issue. The underlying problem is not technological, but conceptual. It stems from a misunderstanding of identity. Most digital trade initiatives treat identity as if it were a technical attribute managed within a system. In reality, identity is a contextual and relational construct that exists independently of any single platform. It reflects how participants, objects, and roles are defined and understood within a given interaction.

When these two levels are conflated, a fundamental category error occurs. A structural problem is addressed with local technical solutions. Systems attempt to encode identity within their own boundaries and then reconcile differences through integration and mapping. This approach does not resolve the problem. It reproduces it at scale.

This becomes particularly visible in the way identifiers are handled. Every system creates its own internal identifiers. An ERP system assigns a supplier number. A logistics platform generates a shipment reference. A bank assigns a client ID. These identifiers work perfectly within their respective systems. They are optimized for internal processes and data models. The problem begins when systems need to interact.

At that point, external identifiers are introduced. Legal Entity Identifiers, Business Identifier Codes, Global Location Numbers, tax numbers, registry numbers, and many others are brought in to create a bridge between systems. On the surface, this seems like a reasonable solution. If two systems refer to the same external identifier, they should be able to align their data.

In practice, this is where complexity explodes. Each system must map its internal identifiers to one or more external identifiers. This mapping is rarely one-to-one. A single company may appear differently across systems due to variations in naming conventions, legal structures, or jurisdictional representations. One system may represent a headquarters, another a branch, another a legal entity within a group. The same identifier may point to slightly different attribute sets depending on context. As a result, mapping becomes a continuous exercise in interpretation.

Complex logic is introduced to determine whether two identifiers refer to the same real-world entity. Rules are defined, exceptions are added, Artificial Intelligence is used, and manual interventions are required. Over time, these mapping layers grow into intricate structures that are difficult to maintain and even harder to scale. The financial crisis exposed these weaknesses clearly, particularly in the aggregation of counterparty risk and the inability to consistently identify entities across systems[2].

This creates two types of failure that are rarely visible but highly consequential.

• False positives occur when systems incorrectly assume that two identifiers refer to the same entity. This can lead to transactions being attributed to the wrong party, compliance checks being bypassed, or financial flows being misdirected. In regulated environments, such errors carry significant legal and operational risk. More critically, a false positive in identity matching can cause a system to authenticate credentials belonging to a different entity, including passing a compliance check that should have failed, or granting access to a counterparty who was never actually verified.

  
  

•  False negatives are even more pervasive. They occur when systems fail to recognize that two identifiers refer to the same entity. The result is duplication. The same company is onboarded multiple times. The same checks are repeated. The same data is stored in slightly different forms across systems. This leads to inefficiency, increased cost, and a fragmented and wrong view of reality. The authorization implications are equally significant. The same person or organization may hold valid credentials in one system while being treated as entirely unknown in another. Delegated authority, whether a signatory limit, a role based permission, or a power of attorney, cannot move reliably across systems that lack a shared and consistent identity layer.

Both problems stem from the same root cause. Identifiers are treated as if they were identity. But identifiers are only pointers. They do not carry the full meaning required to establish equivalence across contexts. When systems rely on identifiers alone, they are forced to reconstruct identity through mapping. This is inherently fragile. And every organzation does this on their own, without mapping standards and sharing results.

Authorization introduces a dimension that identification alone cannot address. In trade, it is rarely sufficient to know that a legal entity exists and is who it claims to be. What matters operationally is whether a specific individual acting on behalf of that entity is authorized to do so, and whether that authority is still valid.

A signatory whose mandate expired last quarter, a procurement officer whose responsibilities were reassigned, or a delegated representative who has left the organization are not exceptional situations. They are everyday realities in global trade. Yet many systems continue to treat authorization as a static attribute instead of a dynamic and verifiable state.

The Rise of Agentic AI

This challenge is about to become far more significant. As AI agents, automated workflows, and machine to machine interactions take on an increasing share of trade execution, delegated authority can no longer depend on a human being available to confirm a mandate. The authority itself must become verifiable. It must be cryptographically bound to an identity, limited to a defined context, and revocable in real time.

From the outside, an AI agent executing a transaction may become operationally indistinguishable from a human decision maker. The algorithm itself becomes a subject of decision making and delegated authority. Systems that cannot support this evolution will not be able to participate reliably in the next generation of trade automation.

Standards, while essential, do not fully solve this problem. Standards define structures, formats, and sometimes semantics. They help align how data is represented. But they do not eliminate the need for mapping as long as identity remains embedded within individual systems and competing standards exist. Even when two systems adopt the same standard, they still maintain their own identifiers, their own data models, and their own interpretations of the same entity.

This is why many digital trade initiatives achieve local optimization but fail to deliver global interoperability. They digitize existing silos rather than removing them.

From System-Centric Identity to Shared Identity

A different approach begins by addressing the category error directly. Instead of embedding identity within systems and mapping it across boundaries, identity can be externalized, structured, and made verifiable. Identifiers then become resolvable references to a shared understanding of identity, rather than isolated labels that require translation. In such a model, systems no longer need to guess whether two identifiers refer to the same entity. They can verify it.

Identity is expressed as a set of attributes and relationships that can be independently validated. A legal entity can be described through its registration details, ownership structure, and jurisdiction. A person can be linked to that entity through a verifiable role. These relationships are not inferred through mapping logic. But proven through cryptographic means.

This removes the need for complex reconciliation processes. Instead of building mapping tables, systems consume verifiable identity data. Instead of maintaining duplicate records, they reference a consistent identity layer. Instead of resolving discrepancies after the fact, they prevent them at the source.

This shift also changes how standards are used. Standards remain critical, but they move from being the primary mechanism of alignment to being part of a broader, interoperable framework. They define how data is structured, while identity ensures that data can be trusted and consistently interpreted across contexts.

This is the architectural principle behind a protocol-based approach such as ISTTP. By separating identity from systems and enabling it to be shared, verified, and reused across interactions, ISTTP removes the need for repeated mapping. Participants can connect once and interact with many, without rebuilding identity relationships each time. Trust is established through verifiable data rather than inferred through alignment of identifiers.

The implications are far-reaching:

• Authentication becomes continuous rather than one-time, because credentials are anchored to a shared identity layer that can be queried at the point of transaction rather than established once during onboarding and never re-verified.

• Authentication becomes continuous rather than one-time, because credentials are anchored to a shared identity layer that can be queried at the point of transaction rather than established once during onboarding and never re-verified.

• Integration becomes simpler because systems no longer need to reconcile identities.

• Onboarding becomes faster because participants reuse existing identity information.

• Compliance becomes more reliable because identity can be verified directly rather than inferred indirectly.

• And most importantly, interoperability becomes achievable at scale.

The persistent struggle of digital trade initiatives is not due to a lack of effort or capability. It is the result of solving the wrong problem at the wrong level. As long as identity is treated as a system-specific artifact and identifiers are mistaken for identity itself, mapping will remain unavoidable, and with it the complexity, cost, and risk that follow. Correcting this category error is not a minor adjustment. It is a foundational shift. It is the difference between connecting systems and connecting meaning.

A Call to Rebuild Digital Trade on Shared Identity – Why now and call to action

• Geopolitical fragmentation:

  Supply chains that took decades to optimize are being reconfigured in months. Tariff shifts, sanctions regimes, friend-shoring mandates, and export controls are forcing companies to onboard new counterparties at a pace that existing identity infrastructure cannot support. Every new supplier relationship requires a fresh round of KYC, entity verification, and system mapping. When that process takes weeks and the business decision takes days, identity becomes a bottleneck — not just an inefficiency.

  
  

• Regulatory pressure:

  The regulatory environment is moving faster than most compliance teams realize. The EU Digital Identity framework, DORA, evolving AML directives, and cross-border digital trade regulations are all converging on the same requirement: organizations must be able to demonstrate, on demand, who they transacted with, on what authority, and on what basis that identity was verified. A system-centric model — where identity is inferred through mapping rather than proven through verification — cannot reliably satisfy that burden. The question is no longer whether regulators will ask. It is whether organizations will be able to answer.

  
  

• AI agents and autonomous workflows:

  This is the force that changes the problem qualitatively, not just quantitatively. When a human initiates a trade transaction, there is at least the possibility of a phone call, an email, a manual check. When an AI agent initiates that transaction autonomously — routing a payment, issuing a purchase order, triggering a letter of credit — there is no human in the loop to catch an identity error. The authorization chain becomes entirely non-human. A supplier whose credentials have expired, a representative whose mandate was revoked, a counterparty that has been restructured since onboarding: none of these will trigger an alert in a system that cannot verify identity dynamically. The scale of exposure from a single mapping error multiplies accordingly.

The implications of this category error are no longer theoretical. They directly affect the cost, speed, and resilience of global trade. Senior management must recognize that continued investment in system-centric integration models will only compound complexity rather than resolve it. Instead, they should prioritize architectures that externalize identity, enable reuse of verified data, and reduce dependency on bilateral mappings.

Standard-setting bodies are encouraged to extend their focus beyond data structures and semantics to include interoperable identity frameworks that allow consistent interpretation across contexts.

Ministries and public sector leaders should treat verifiable organizational identity as digital public infrastructure, creating the legal and regulatory conditions for its cross-border recognition and adoption.

Strategy units across institutions should reassess their digital roadmaps through this lens and actively support pilot implementations that demonstrate how verifiable identity can replace reconciliation with verification.

The call to action is clear: stop optimizing the exchange of identifiers and start enabling the exchange of meaning. Only then will interoperability in global trade become scalable, resilient, and economically viable.

[2]        Thematic Review on Implementation of the Legal Entity Identifierhttps://www.fsb.org/uploads/P280519-2.pdf

[1]        https://tradetreasurypayments.com/podcasts/podcast-in-roadmaps-we-trust

Glossary of Key Terms

Verifiable.Trade Blog Series — Why Most Digital Trade Initiatives Struggle: A Category Error About Identity

This glossary defines the core technical and conceptual terms used throughout the Verifiable.Trade blog series. It is intended for readers who may be encountering these terms for the first time, as well as for practitioners who want a precise, source-referenced definition. Each entry links to its authoritative source.

Term                          

Definition and Source

Authentication

The process of verifying that an identity claim is genuine. Authentication confirms that the party presenting the identity controls it, typically through cryptographic mechanisms such as digital signatures. It answers the question: can this claim be trusted?Source: NIST SP 800-63-3 – Digital Identity Guidelines

Authorization

The process of determining what an authenticated actor is allowed to do in a given context. Authorization is dynamic and depends on roles, timing, conditions, and transaction state. It answers the question: is this actor empowered to act?Source: NIST SP 800-63-3 – Digital Identity Guidelines

Category Error

A logical mistake in which something is treated as belonging to the wrong category. In this context, the mistake is treating identity as a technical property of systems rather than as a shared, contextual relationship that exists independently of platforms. Local technical fixes such as mapping only reproduce the problem at larger scale.Source: Verifiable.Trade Foundation

Cryptographic Proof

A mathematical mechanism that proves integrity, authenticity, or control without requiring a trusted intermediary. Cryptographic proof allows trust relationships to be demonstrated rather than inferred.Source: W3C Verifiable Credentials Data Model 2.0 – Proofs

Decentralized Identifier (DID)

A globally unique identifier that is created and controlled directly by its subject without centralized registration authorities. DIDs enable cryptographic verification of identity claims.Source: W3C Decentralized Identifiers (DIDs) v1.0

Delegated Authority

The permission granted for one party to act on behalf of another under defined conditions. In digital trade this includes employees, representatives, software systems, and increasingly AI agents acting for organizations.Source: GLEIF vLEI Ecosystem Governance Framework

eB/L (Electronic Bill of Lading)

A digital version of the traditional paper bill of lading. The article uses the limited adoption of eB/L as an example of digitization efforts that struggle when underlying identity problems remain unresolved.Source: UNCITRAL Model Law on Electronic Transferable Records (MLETR)

Externalized Identity

An approach in which identity exists independently of any single platform and can be shared, verified, and reused across interactions. Externalized identity reduces the need for bilateral mapping by providing a consistent and verifiable identity layer.Source: Verifiable.Trade Foundation

False Negative (Identity Mapping)

An error where two identifiers referring to the same entity are not recognized as equivalent. This leads to duplicated onboarding, repeated checks, fragmented records, and inconsistent counterparty views.Source: FSB Thematic Review on LEI Implementation (2019)

False Positive (Identity Mapping)

An error where two different identifiers are incorrectly assumed to refer to the same real-world entity. In trade environments, this can misdirect transactions, bypass compliance controls, or attribute actions to the wrong party.Source: FSB Thematic Review on LEI Implementation (2019)

Identification

The act of referencing an entity within a given context using an identifier. Identification answers the question: who or what is this? It does not verify authenticity or authority.Source: NIST SP 800-63-3 – Digital Identity Guidelines

Identity

The structured set of attributes that describe an entity within a given context. Identity is contextual and relational. The same entity may appear differently depending on the system or interaction. The article argues that treating identity as a system-specific artifact rather than a shared external construct is the fundamental category error in digital trade.Source: ISO/IEC 24760-1:2019 – A framework for identity management

Identity Mapping

The process of establishing equivalences between identifiers across systems using rules, logic, or AI-assisted reconciliation. The article argues that mapping is inherently fragile and becomes increasingly unmanageable at global scale.Source: Verifiable.Trade Foundation](https://www.verifiable.trade?utm_source=chatgpt.com)

Identifier

A label or code used to reference an entity within a system or context. An identifier is not identity itself. It is a pointer to identity data. The same entity may have multiple identifiers across different systems. Part 3 argues that confusing identifiers with identity is the root cause of mapping complexity in digital trade.Source: ISO/IEC 24760-1:2019 – A framework for identity management

Interoperability

The ability of systems, organizations, and jurisdictions to exchange and use information across boundaries without requiring custom bilateral integration. The article argues that true interoperability requires externalized and verifiable identity.Source: ISO/IEC 25010 Systems and software quality models

ISTTP (International Secure Trade and Transport Protocol)

An open protocol infrastructure for digital trade that enables interaction across systems using verifiable identity, delegated authority, and cryptographically secure trade objects. The article positions ISTTP as the architectural response to the identity category error.Source: Verifiable.Trade Foundation

KYC (Know Your Customer)

A regulatory process requiring organizations to verify the identity and risk profile of counterparties. Repeated KYC checks across systems are presented as a direct consequence of fragmented identity models.Source: FATF Guidance on Digital Identity

Legal Entity Identifier (LEI)

A 20-character alphanumeric code identifying legal entities participating in financial transactions. The article explains that while LEIs are valuable external identifiers, they still require mapping if used without a broader verifiable identity framework.Source: GLEIF – Global Legal Entity Identifier Foundation

Object-Based Trust

A trust model in which authenticity and integrity are attached directly to the data object itself rather than provided by the surrounding platform or network.Source: Verifiable.Trade Foundation

Revocation

The process of invalidating a credential or authorization before its expiration. Without revocation checking, systems cannot reliably determine whether authority is still valid at transaction time.Source: W3C Verifiable Credentials Data Model 2.0 – Validity Checks

vLEI (Verifiable Legal Entity Identifier)

A cryptographically verifiable form of the LEI that includes organizational role credentials. The vLEI enables machine-verifiable representation of delegated authority.Source: GLEIF – Introducing the Verifiable LEI

Verifiable Credential (VC)

A cryptographically signed digital statement issued about a subject. Verifiable credentials allow parties to independently verify authenticity and integrity without contacting the issuer.Source: W3C Verifiable Credentials Data Model 2.0

Verifiable Identifier

An identifier that can be cryptographically verified as belonging to its controller without relying on a central registry.Source: W3C Decentralized Identifiers (DIDs) v1.0

This glossary will be updated as the blog series develops. Terms specific to individual pillars will be added as each article is published. For questions or suggested additions, contact the Verifiable.Trade Foundation at www.verifiable.trade/contact.

© 2026 Verifiable.Trade Foundation