Writing at the intersection of governance, identity, and the architecture of digital power. Focused on decentralised coordination, human rights infrastructure, and the legal semantics of emerging systems.


Subscribe to Gareth Farry — Law, Culture & Technology

We move constantly between digital systems. We log in. A password, a biometric, a signature.
The system confirms who we are. And then, without pause, it lets us act.
As if identity were enough.
This works. Until it doesn’t.
Most digital systems are built on a quiet assumption: once a user is authenticated, they are authorised. Verification becomes a gateway through which action flows automatically. The distinction between being recognised and being permitted collapses into a single step.
But the collapse runs deeper than that.
Authentication confirms who you are. Authorisation defines what you may access. Mandate defines the capacity in which you act – under what conditions, for how long, and with what obligations attached.
Modern digital systems rarely distinguish between the three. What remains is a single gate, and the assumption that passing through it is sufficient.
We are who we say we are.
But who do we say we are acting as?
Under what authority, for how long, and with what obligations?
Outside digital systems, identity has never carried that weight. The same individual can occupy radically different positions depending on context. An employee does not hold the same authority as a director. An agent acts within the limits of a mandate. A trustee is bound by obligations that do not apply to a beneficiary.
Consider what it means when a trustee acts outside their mandate. The action may be technically possible. The trustee controls the assets. They have access.
And yet the act is a breach.
Not because identity was wrong, but because capacity was exceeded. The legal consequences exist because the structure of authority was clear enough to be violated.
In digital systems, that structure is almost never encoded.
There is nothing to violate. There is only access.
In each case, what matters is not who someone is, but the capacity in which they act.
Identity is relatively stable. Authority is relational.
Even where identity is self-sovereign, authority remains relational.
That distinction has been shaped over centuries of legal and institutional practice. Action does not begin at the point of registration. It emerges from prior relationships, obligations, and recognised forms of capacity. The act carries its conditions within it.
Legal and institutional systems do not assume that identification confers permission. They define roles, relationships, and constraints through which authority is expressed. Action is always situated.
Digital systems rarely make this structure explicit.
A wallet address can transfer assets because it holds a key. A user account can access data because it has logged in. An API can execute instructions because it presents a valid token.
In each case, possession becomes a proxy for permission. Control is inferred from access, rather than grounded in a defined relationship.
Possession has become a stand-in for authority.
This substitution is subtle, but it carries consequences. Systems can verify that an action occurred and trace it to an identity. What they struggle to represent is whether that action was exercised within an appropriate mandate.
The question of authority is displaced, assumed, or ignored.
As digital systems begin to mediate more complex forms of coordination, this gap becomes harder to ignore. Actions now carry financial, legal, and organisational weight, yet the underlying models remain thin.
When an autonomous agent can act across platforms, execute transactions, and communicate on behalf of its principal, the question of authority becomes immediate. The system must be able to distinguish between actions that fall within an authorised mandate and those that do not.
Without that, autonomy operates without intelligible authority.
This is not a problem that more sophisticated identification will solve.
What is missing is a way of expressing capacity and authority directly within the system itself – not as an afterthought, but as a structural layer beneath every action.
Not a credential that confirms who you are, but a framework that encodes in what capacity you act, within what limits, and under what conditions that authority may be varied or revoked.
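To make the distinction concrete, here is an added sketch (not part of the original essay and not drawn from any specification it links to) that sets the single-gate check beside a check against an explicit mandate, using the trustee case described above. The `Mandate` record, its field names and the sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone

@dataclass(frozen=True)
class Mandate:                 # hypothetical record, not a format defined by the essay
    principal: str             # on whose behalf the actor acts
    actor: str                 # authenticated identity the mandate is granted to
    capacity: str              # capacity in which the actor acts, e.g. "trustee"
    actions: frozenset         # what that capacity permits
    max_amount: int            # limit attached to the capacity
    not_before: datetime       # start of the mandate period
    expires: datetime          # end of the mandate period
    revoked: bool = False      # authority can be withdrawn

def single_gate(authenticated: bool, holds_key: bool) -> bool:
    """The collapsed model: possession of a valid credential counts as permission."""
    return authenticated and holds_key

def within_mandate(m, actor, capacity, action, amount, now):
    """Return (allowed, reason); each denial names the condition that was exceeded."""
    if m.actor != actor:
        return False, "no mandate for this actor"
    if m.revoked:
        return False, "mandate revoked"
    if not (m.not_before <= now < m.expires):
        return False, "outside mandate period"
    if m.capacity != capacity:
        return False, "capacity not granted"
    if action not in m.actions:
        return False, "action outside capacity"
    if amount > m.max_amount:
        return False, "limit exceeded"
    return True, f"{actor} acting as {capacity} for {m.principal}"

# Constructed sample data: a trustee who controls the assets and holds the key.
UTC = timezone.utc
TRUST = Mandate("family-trust", "alice", "trustee", frozenset({"pay_beneficiary"}),
                10_000, datetime(2025, 1, 1, tzinfo=UTC), datetime(2026, 1, 1, tzinfo=UTC))
NOW = datetime(2025, 6, 1, tzinfo=UTC)

def demo():
    """Same identity and key every time; only the mandate check tells the cases apart."""
    return {
        "gate": single_gate(True, True),
        "in_scope": within_mandate(TRUST, "alice", "trustee", "pay_beneficiary", 5_000, NOW),
        "self_deal": within_mandate(TRUST, "alice", "trustee", "transfer_to_self", 5_000, NOW),
        "over_limit": within_mandate(TRUST, "alice", "trustee", "pay_beneficiary", 50_000, NOW),
        "revoked": within_mandate(replace(TRUST, revoked=True), "alice", "trustee", "pay_beneficiary", 5_000, NOW),
    }
```

The single gate returns the same answer for all four requests; the mandate check returns a reason with each denial, which is what lets an audit log record the breach as a breach.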
The problem is not technical sophistication. It is the kind of question the system is designed to answer.
Current infrastructure answers: who is this?
What is needed is infrastructure that can also answer: by what authority do they act?
Until that distinction is made legible within the architecture itself, verification will continue to stand in for something it was never designed to represent.
If a system can confirm who acted, but cannot express under what authority they acted, what exactly is it verifying?
The question is not rhetorical. It points toward a different kind of infrastructure – one that treats authority not as something assumed at the point of login, but as something that must be represented, bounded, and capable of being seen.
This essay forms part of an ongoing research series exploring identity, authority, and governance in digital systems.
Explore the work:
SILT Core specification and documentation
https://siltcore.org
Technology, governance, and identity projects
https://www.garethfarry.com/technology
Advisory and engagements — garethfarry.com/advisory
Human Rights DAO pilot
https://www.amnesty.org.nz/dao