Access control model for data exchange: how mandate gating becomes real across exchange, wallet, and payments layers
- Ott Sarv
- Dec 26, 2025
- 5 min read
Updated: Feb 25

Mandate gating is the discipline that keeps interoperability defensible. Participation in a digital ecosystem creates the capability to request. It does not create entitlement to receive.
An access control model for data exchange turns that principle into production reality by making each disclosure traceable to mandate, purpose, minimum necessary data points, and an enforceable remedy path. When that model is missing, plumbing scales faster than governance, and ecosystem membership starts behaving like permission.
The practical test is straightforward. For any single transaction, the system must prove why the request was allowed, why the disclosure was lawful, and how the outcome can be corrected and reversed when challenged.
The use case registry is the first governance object
A trust framework spanning multiple Digital Public Infrastructures and multiple Digital Public Services needs one shared control surface that decides what is allowed. That surface is the use case registry.
The registry works because it binds the governance variables that matter in court, audit, and oversight. It links a request to the mandate basis for the requesting actor class, the disclosure conditions of the source authority, the authorised attribute allow list, the evidence expectations, and the remedy reach. If any of these are missing, the entry is not authorised, regardless of how well the integration performs.
This is also where the discipline described in Digital Public Infrastructure: The Law Before the Code becomes operational rather than rhetorical, because the registry is the artefact that prevents delivery convenience from becoming implied authority.
Mandate gating becomes attributable only with transaction context
A platform that merely transports payloads cannot protect the ecosystem from informal access. Access decisions must be reconstructable without interpretive heroics.
Attribute-based access control provides a usable pattern: authorisation is evaluated against attributes of the subject, object, operation, and relevant environmental conditions, under explicit policy rules. That pattern maps cleanly onto mandate gating when the transaction carries context that makes the decision attributable.
A defensible request therefore carries an actor identifier, a use case identifier, an explicit attribute set request, a necessity statement, a recipient constraint that limits onward disclosure, an evidence handle that points to the required log bundle, and a remedy handle that links the transaction to correction and reversal workflows.
The point is not formality. The point is that oversight can replay the decision from evidence.
Data minimisation becomes real only when interfaces are narrow
Minimisation fails in practice when interfaces are broad, because broad interfaces invite over-collection under time pressure. Modern regimes converge on a stable operational rule: collect and disclose only what is necessary for the stated purpose.
In a data exchange setting, this means resisting general search endpoints. A well-governed exchange exposes use case specific endpoints with constrained schemas. A well-governed wallet ecosystem does not treat presentation capability as permission to request. A well-governed payments rail does not let routing authority masquerade as eligibility authority.
If the ecosystem cannot say no as a normal outcome, it has not implemented governance. It has implemented connectivity.
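The three sections above describe one decision point: a registry entry that binds the governance variables, a request that carries enough context to be replayed, and an endpoint narrow enough to refuse anything outside the allow list. The following Python sketch is an added example, not code from the original post or from any real exchange; the registry entries, the actor directory, the attribute names and the cited legal basis are constructed for illustration. It denies over-requests rather than silently trimming them, so that an attempt to over-collect is itself recorded as evidence, and it lets an overseer re-run the decision from the evidence bundle.

```python
"""Added example: a mandate-gated ABAC decision for a data exchange request.
All names, registry entries and sample records are constructed for this sketch."""
from dataclasses import dataclass, field, asdict
from typing import Optional
import hashlib
import json

# Governance variables a registry entry must bind before it is authorised.
REQUIRED_ENTRY_FIELDS = ("mandate_basis", "source_authority", "disclosure_conditions",
                         "allowed_attributes", "evidence_required", "remedy_path")

REGISTRY = {  # constructed use case registry, not a real programme
    "UC-HOUSING-ELIG-01": {
        "version": 3,
        "mandate_basis": {"municipal_housing_office": "Housing Benefit Act s.12 (hypothetical)"},
        "source_authority": "population_register",
        "disclosure_conditions": {"onward_disclosure": "prohibited"},
        "allowed_attributes": {"resident_status", "household_size"},
        "evidence_required": {"request", "decision", "registry_version"},
        "remedy_path": "correction-at-source + downstream-reversal",
    },
    "UC-INCOMPLETE-02": {  # no remedy_path: must never authorise a disclosure
        "version": 1,
        "mandate_basis": {"municipal_housing_office": "draft"},
        "source_authority": "tax_register",
        "disclosure_conditions": {"onward_disclosure": "prohibited"},
        "allowed_attributes": {"declared_income"},
        "evidence_required": {"request", "decision"},
    },
}
ACTORS = {"org:muni-housing-17": "municipal_housing_office",   # constructed directory
          "org:credit-bureau-3": "private_credit_bureau"}


@dataclass(frozen=True)
class Request:
    actor_id: str
    use_case_id: str
    attributes: frozenset        # explicit attribute set request
    necessity: dict              # attribute -> why it is necessary
    recipient_constraint: str    # limits onward disclosure
    evidence_handle: str         # points at the log bundle for this transaction
    remedy_handle: str           # links to correction / reversal workflow


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    registry_version: Optional[int] = None

    def replay_record(self, req: Request) -> dict:
        """Evidence bundle: request, outcome, registry version and a digest."""
        body = {"request": {**asdict(req), "attributes": sorted(req.attributes)},
                "allowed": self.allowed, "reasons": self.reasons,
                "registry_version": self.registry_version}
        body["digest"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        return body


def evaluate(req: Request, registry=REGISTRY, actors=ACTORS) -> Decision:
    """ABAC: subject (actor class), object (attributes), operation (disclosure
    under a use case) and policy (registry entry). Any gap is a deny."""
    d = Decision(allowed=False)
    entry = registry.get(req.use_case_id)
    if entry is None:
        d.reasons.append("unknown use case")
        return d
    d.registry_version = entry.get("version")
    missing = [f for f in REQUIRED_ENTRY_FIELDS if f not in entry]
    if missing:
        d.reasons.append(f"registry entry not authorised, missing {missing}")
        return d
    actor_class = actors.get(req.actor_id)
    if actor_class not in entry["mandate_basis"]:
        d.reasons.append(f"no mandate basis for actor class {actor_class!r}")
    over = req.attributes - entry["allowed_attributes"]
    if over:  # deny rather than trim: the over-request itself is evidence
        d.reasons.append(f"attributes outside allow list: {sorted(over)}")
    unjustified = [a for a in req.attributes if not req.necessity.get(a)]
    if unjustified:
        d.reasons.append(f"no necessity statement for {sorted(unjustified)}")
    if (entry["disclosure_conditions"].get("onward_disclosure") == "prohibited"
            and req.recipient_constraint != "requesting_authority_only"):
        d.reasons.append("recipient constraint does not prohibit onward disclosure")
    if not (req.evidence_handle and req.remedy_handle):
        d.reasons.append("evidence or remedy handle missing")
    d.allowed = not d.reasons
    if d.allowed:
        d.reasons.append("all governance variables bound")
    return d


def disclose(req: Request, source_record: dict) -> Optional[dict]:
    """Narrow endpoint: only the requested, allowed attributes leave the source."""
    if not evaluate(req).allowed:
        return None
    return {a: source_record[a] for a in req.attributes}


def replay(record: dict, registry=REGISTRY) -> bool:
    """Oversight re-runs the decision from the evidence bundle and compares."""
    body = {k: v for k, v in record.items() if k != "digest"}
    if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != record["digest"]:
        return False
    r = dict(record["request"])
    r["attributes"] = frozenset(r["attributes"])
    again = evaluate(Request(**r), registry)
    return again.allowed == record["allowed"] and again.reasons == record["reasons"]
```

Note the design choice in `evaluate`: a request for an attribute outside the allow list fails the whole transaction instead of being quietly narrowed, which keeps "no" a normal outcome and makes over-collection attempts visible in the evidence bundle. A production deployment would also check the environmental conditions the registry entry states (validity windows, source availability) and would write the replay record to the log bundle named by the evidence handle.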
Role allocation prevents plumbing from becoming accidental authority
Mandate gating depends on stable functional roles, even when labels vary by jurisdiction.
The source authority remains accountable for disclosure conditions and authoritative correction. The requesting authority remains accountable for the decision purpose and the consequences of using the data. The operator of exchange, wallet, or payments rails remains accountable for integrity, availability, onboarding discipline, incident response, and evidence of transmission, without inheriting sector mandates.
The failure mode is predictable. When an operator starts defining default attribute bundles, embedding matching logic that changes eligibility outcomes, or shaping retention behaviours that influence downstream decisions, the operator has drifted from courier into decision surface. Governance must treat that drift as a change in authority footprint, not as a minor technical enhancement.
This is the same boundary logic explored in Data Exchange Platform Legal Authority and reinforced by Digital Public Infrastructure: Guidance Without Enforcement Is Not Governance.
How SLM locates access control in the governance stack
The Seven Layer Model for Digital Public Infrastructure: A Governance Architecture for Lawful Digital Public Authority provides a sequencing discipline for keeping authority and accountability intact as systems scale. In SLM terms, mandate gating is not a Layer Five optimisation. It is a cross-layer control that prevents downstream execution from substituting for upstream authority.
Layer One constrains what may exist as lawful authority. Layer Two assigns institutional mandate and compellability. Layer Three establishes canonical records and correction at source. Layer Four defines governed service logic. Layer Six makes access and receipting inspectable at the interface. Layer Seven ensures oversight and remedy remain operable under reliance.
When any one of these is missing, access becomes a technical fact rather than a lawful public act.
For readers who want the terminology boundary between infrastructure, governance, and service delivery made explicit, Digital public infrastructure is not DPG, DPF, or DPS provides a useful frame.
A concrete scenario that exposes entitlement drift
Consider an eligibility check that relies on multiple registries.
If the requesting institution cannot name the authorised use case, justify why each data point is necessary, and point to a remedy path that can change outcomes, then the transaction is not governance-grade even if it is secure. If the exchange can answer the request without constraining the schema to the authorised allow list, then the interface is too wide. If the authoritative registry can correct the record but the programme cannot reverse downstream effects, then remedy has failed where legal effect is applied.
The larger and more donor-driven the ecosystem becomes, the more this discipline matters. Without narrow interfaces and attributable decisions, the ecosystem will quietly reclassify participation as access.
This is also why consent withdrawal and downstream correction must be treated as system behaviour rather than policy text, as discussed in Data Exchange Safeguards: Consent Withdrawal.
Change control is where ecosystems drift unless it is contained
Defaults behave like policy.
Any change that alters what can be requested, what can be disclosed, how matching is performed, what gets retained, or what analytics run on payloads changes the effective authority footprint of the ecosystem. Those changes must be treated as mandate-bound governance acts with named ownership, documented scope, regression evidence, and a remedy pathway that still works after release.
The inspection question donors and governments should keep asking
When an institution claims access because it joined the ecosystem, the correct response is not a technical one. It is a set of questions:
Which mandate covers this purpose? Which minimum data points are necessary? Who is accountable for the decision effect? Which oversight mechanism can compel correction at source and reversal where legal effect is applied?
Until the system can answer those questions per transaction, interoperability remains a connectivity story rather than a governance architecture.