The DPI trap: when governance guidance becomes a platform launch
- Ott Sarv
- Sep 29, 2025
- 6 min read
In many capitals, the first artefact of a national Digital Public Infrastructure (DPI) is not a legal inventory, a mandate instrument, or an operable remedy pathway. It is a demo. A dashboard. A procurement plan. The system works, the integration looks clean, the timeline ends with a launch, and the story is easy to repeat.
Then the harder question arrives: who is accountable for the legal effect produced when a public institution executes a digital act, and what happens when that act is wrong.
A major multilateral development agency has helped popularise DPI as foundational digital systems enabling secure, seamless interactions across society, and it has paired that narrative with practical playbooks and safeguards. The tension is that country programmes can still experience the posture as technology-first, not because the doctrine is build-first, but because delivery incentives often reward visible technical outputs sooner than they reward inspection readiness.
The boundary problem most programmes skip
Category mistakes are the most expensive DPI mistakes because they harden early and become difficult to reverse under reliance expansion. The fastest route to clarity is to keep the following terms distinct, and to treat the boundary between them as a governance control rather than a semantic debate.
Term | What it is | Boundary that matters under reliance |
Shared, cross-domain capability foundations and trust mechanisms, defined by reuse and governance scope | DPI is not a sector platform and does not carry legal effect by default | |
A public-facing outcome in a specific domain delivered under lawful authority and an authorised procedure | A DPS consumes DPI but remains anchored in accountable outcome delivery, not in the platform | |
A procedure-bound public act such as eligibility determination, registration update, certification issuance, enforcement action, or validation decision | A DPF must remain attributable to a competent institution with decision rights and evidentiary duties | |
A reusable artefact such as software, specifications, or reference implementations | A DPG does not provide lawful authority, institutional mandate, or remedy operability by default |
The institutional guidance that defines DPI as foundational systems is useful for mobilisation, but it is not procurement-grade by itself because it does not resolve who is authorised to act, who is compellable to correct, what evidence must exist, and how remedy reaches every relying party.
Two drifts that create the technology-first feeling
When programmes blur DPI, DPS, DPF, and DPG, two drifts appear. One drift turns governance into a retrospective overlay. The other turns domain solutions into pseudo-infrastructure.
Drift | What it looks like on the ground | What breaks first | Why it becomes hard to reverse |
Governance drift | Procurement defaults, interface flows, or vendor workflow begin to substitute for lawful authority, institutional mandate, and authorised procedure | Decision rights become ambiguous, evidence quality becomes non-admissible under dispute, and remedy becomes discretionary | Once multiple agencies rely on outcomes, suspension and correction propagation become politically costly and operationally fragile |
Boundary drift | Domain entitlements and decision logic are embedded into shared rails, turning reuse into cross-government coupling | Canonical record semantics and service logic become sector-shaped, reducing modular replaceability | Sector rules harden into infrastructure, making policy change dependent on changing shared capability rather than changing the domain service |
The Universal DPI safeguards work takes a lifecycle view and explicitly treats risk as spanning governance, design, deployment, and use, not as a post-launch checklist. That lifecycle framing aligns closely with what drift looks like in practice: drift is an event, not a theory.
Why governance-forward doctrine can still drive build-first sequencing
The same institution that promotes DPI as foundational systems also publishes a DPI playbook positioned as a practical resource for inclusive, rights-based adoption. It also frames digital governance risk in terms of fast-moving technologies outpacing legal safeguards and oversight.
So why do some programmes still feel like a platform rollout?
A plausible explanation is measurement asymmetry. A programme can demonstrate a wallet, an exchange, a login service, or an API gateway in weeks. It often cannot demonstrate, with the same immediacy, that oversight can compel evidence, order corrective intervention, and make remedy operable across every dependency surface. Safeguards exist on paper, but operability tests are not treated as sequencing gates.
This is not an argument against delivery acceleration. It is an argument about legal sequence: legality must be a prerequisite, not a retrospective check.
The use case temptation
The SDG-facing DPI narrative is deliberately broad, mapping DPI to cross-sector impacts and showcasing domain use cases to mobilise support and funding. That breadth is politically useful. It also creates a boundary hazard: when an inspiration compendium becomes a procurement template, domain use cases can become infrastructure requirements, and the easiest technical artefact to ship becomes the thing everyone calls DPI.
Use case move | When it stays within DPI boundaries | When it steps outside DPI boundaries | A simple classification test |
Sector onboarding through a wallet or exchange | The sector service consumes DPI capabilities through governed interfaces while retaining domain decision rights | Sector eligibility and exceptions are encoded into shared rails | Can the sector service be replaced without changing the shared rail’s rules, logs, and custodianship |
Consent-based access | Consent is treated as a legally recognised act with withdrawal handling, scope proof, and admissible disclosure trails | Consent becomes a toggle that substitutes for authorised procedure | Does withdrawal propagate across dependent systems with inspection-ready evidence |
Unified portals | Interface provides procedurally governed access, receipting, and timelines linked to an authorised procedure | Portal experience substitutes for lawful access logic and becomes implied authority | Can a user obtain a contestation-ready receipt and initiate procedural remedy through the interface |
A separate governance assessment framework for data exchange systems exists precisely to keep policy, regulatory, and institutional arrangements central, which reinforces that the doctrine is not purely technical. The recurring gap is not the absence of governance language; it is whether governance artefacts block reliance expansion when they are not operable.
A governance-first sequence that still moves fast
A practical way to make governance real is to anchor delivery in the Seven Layer Model for Digital Public Infrastructure (SLM), which sequences legal authority, institutional mandate, canonical records, governed rule execution, binding issuance, public interfaces, and independent oversight so that digital acts remain attributable and contestable under pressure.
The table below expresses that sequence as gates that can be tested at first reliance.
SLM layer | Sequencing gate and minimum artefact | Operability test at first reliance | Evidence expectation |
L1: legal authority | Legal origin is inspection-ready through a maintained legal inventory linking each Digital Public Function to lawful authority and legal effect boundaries | A competent authority can demonstrate the competence chain for each binding act and the authorised procedure that makes the act valid | Decision provenance includes authority reference, procedure reference, and effect boundary traceability |
L2: institutional mandate | Mandate and decision rights are enforceable through a mandate instrument allocating custodianship, supervision, and correction duties to a named institution | The named institution can compel compliant operation, order correction propagation, and execute lawful suspension without discretionary cooperation | Accountability chain is reconstructable across institutions and dependency surfaces |
L3: canonical records | Canonical records are governable through registry governance, correction procedure, and retention rules | A lawful correction propagates downstream without shadow registries becoming de facto truth | Record state history and linkage are reconstructable over time with evidence-grade integrity |
L4: service logic | Service logic is attributable through versioned decision logic mapped to procedure states, exceptions, and change control | Rule change, rollback, and test replay can be demonstrated without vendor negotiation and without redefining the procedure in code | Rule versions and exception paths link to outcomes with auditable traceability |
L5: execution layer | Binding execution is controlled through a governed execution environment and finalisation controls for binding acts | The system can prove which workflow ran, when, under which rule version, and with complete logging | Execution traces are complete, attributable, reviewable, and suitable for independent inspection |
L6; public interface | Procedural access is contestable through receipting, timelines, inclusive access channels, and transparency controls | A user can obtain a contestation-ready receipt and initiate procedural remedy through a defined pathway | Interface events correlate reliably to the decision record and disclosure trail |
L7: oversight and remedy | Oversight and remedy are operable through supervisory powers and operational redress procedures | Oversight can compel evidence, require corrective action, and verify correction propagation in practice | Inspection readiness is continuous and does not rely on ad hoc reconstruction after incidents |
This is the difference between guidance and enforceability: safeguards become effective only when they change what can happen under dispute, not when they exist as principles.
The core critique...
The strongest critique is rarely that the major multilateral development agency is publishing a build-first doctrine. Its DPI definition, its playbook, its safeguards framing, and its broader digital governance positioning all emphasise governance, institutional responsibility, and risk management across the lifecycle.
The sharper critique is that its DPI narrative operates across two audiences at once. One audience needs mobilisation and visible results, so the story is told through rails and use cases. Another audience needs enforceable sequencing discipline, so the same story must be read through legal sequence, decision rights, evidentiary duties, and remedy operability. When delivery incentives privilege the first audience’s signals over the second, governance drift and boundary drift become indistinguishable from a technology-first approach.
