
Donor Wallet, No Cross-Match: Why Policy-Agnostic GovStack Wallets Fail in Government

  • Writer: Ott Sarv
  • Sep 10, 2025
  • 5 min read

Updated: Mar 1

Two surgeons in masks prepare for an operation in a brightly lit operating room.
The rejection, when it happens, is rarely technical. It is a governance failure that surfaces later as verifier drift, unreviewable denials, recovery roulette, and brittle trust.

The organ cross-match problem

A wallet can be technically functional and still be institutionally incompatible. In a living government system, a wallet is not merely software. It is a mechanism that mediates binding acts, evidence pathways, and contestation pathways across multiple institutions.

When a programme deploys a wallet before it has constituted lawful authority, accountable mandate, canonical records, enforceable service logic, and operable oversight with remedy, the wallet’s defaults begin to substitute for decisions that must remain attributable and enforceable. The Seven Layer Model (SLM) treats this as upstream substitution: downstream artefacts displacing upstream authority.

The sequencing discipline for avoiding upstream substitution is developed in Digital Public Infrastructure: The Law Before the Code.


The SLM cross-match gate

SLM turns critique into a gate. A wallet becomes deployable public infrastructure only when each layer is inspection-ready and the system remains suspendable, correctable, and reversible under domestic compellability.

The gate is a three-column check per layer: the SLM layer, the cross-match question it must answer, and the minimum evidence of readiness.

Layer 1, Legal authority
  Cross-match question: Which legal instrument authorises the function, defines scope limits, and permits legal effect where applicable?
  Minimum evidence of readiness: A current legal basis that defines what the wallet can do, what it cannot do, and how decisions can be reviewed.

Layer 2, Institutional mandate
  Cross-match question: Which institution is accountable, compellable, and empowered to order suspension and correction propagation?
  Minimum evidence of readiness: A named authority with delegation limits, escalation routes, and liability attribution that survives supplier and staff changes.

Layer 3, Canonical records
  Cross-match question: Which registry is authoritative for each legally relevant fact, and who is the custodian with correction duties?
  Minimum evidence of readiness: Declared authoritative records, stewardship rules, correction propagation procedures, and integrity controls.

Layer 4, Service logic
  Cross-match question: Which authorised procedure is being executed, and how is decision logic kept attributable and inspectable?
  Minimum evidence of readiness: Workflow logic tied to an authorised procedure, with traceable rule changes and inspection access.

Layer 5, Execution layer
  Cross-match question: Who issues binding acts, how are decision records completed, and how do suspension, correction, and reversal operate?
  Minimum evidence of readiness: Evidence-grade decision records, auditable event sequencing, and operable suspension and reversal mechanisms.

Layer 6, Public interface
  Cross-match question: How do people submit requests, receive evidence-grade receipts, and access contestation pathways?
  Minimum evidence of readiness: Traceable submissions, evidence-grade receipting, and predictable user routes for contestation.

Layer 7, Oversight and remedy
  Cross-match question: Which oversight bodies can compel access and order suspension, correction, and effective redress?
  Minimum evidence of readiness: Operable remedy pathways, enforceable oversight access, and the ability to compel correction without discretionary cooperation.

Where a programme treats any of these as optional, it is expanding reliance before legality is complete.


How rejection looks outside the demo

Most pilots prove that credentials can be issued and presented. Adoption fails when the ecosystem must rely on the wallet under stress, dispute, and audit.

Each operational moment below is read in four columns: what breaks first, the SLM diagnosis, and what must exist before reliance expands.

Cross-agency verification
  What breaks first: Verifiers invent acceptance rules.
  SLM diagnosis: Institutional mandate and oversight are under-specified, so each verifier optimises for local liability.
  What must exist before reliance expands: A compellable authority for trust governance, plus enforceable acceptance rules shared across relying parties.

Incident containment
  What breaks first: Revocation and status semantics become contested.
  SLM diagnosis: Service logic and execution controls are not anchored to an authorised procedure.
  What must exist before reliance expands: A status vocabulary, suspension and revocation authority, propagation rules, and evidence-grade timestamps.

Device loss and re-establishment
  What breaks first: Recovery becomes discretionary.
  SLM diagnosis: Decision rights and evidence duties are unclear, so recovery becomes a liability negotiation.
  What must exist before reliance expands: A safe re-establishment procedure, accountable decision rights, key rotation and re-issuance rules, and complete records.

Appeal or review
  What breaks first: Evidence collapses into screenshots.
  SLM diagnosis: Canonical records and evidence bundles were not engineered as first-class outputs.
  What must exist before reliance expands: Canonical record designation, verification receipts, decision provenance, and an operable remedy pathway.

The practical implication is that policy-agnostic posture does not create neutrality in production. It creates variance in the deeper layers where governments cannot tolerate variance.
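The four operational moments above can be made concrete in code. The following is an added example, written for this edit and not part of the original article or of any GovStack building block. It assumes a single canonical status registry that every relying party consults (no local status caches), a fixed status vocabulary, mandate gating on who may change status, and an append-only hash-chained evidence log of status events and verification receipts; the institution names, credential identifiers, acceptance profile and deterministic clock are constructed for illustration. The `reconstruct` function plays the role of the independent reviewer who must rebuild a disputed outcome from records rather than screenshots.

```python
"""Added example: mandate-gated canonical status, shared acceptance profile,
and hash-chained evidence that an independent reviewer can reconstruct."""
import hashlib
import json
from itertools import count

STATUS_VOCAB = ("active", "suspended", "revoked")  # fixed, shared status vocabulary


class MandateError(PermissionError):
    """Raised when an actor without the mandate tries to change a status."""


def _make_clock():
    # Constructed deterministic clock for the example; production would use an
    # evidence-grade, attributable time source.
    n = count(1)
    return lambda: f"2025-09-10T12:00:{next(n):02d}Z"


class EvidenceLog:
    """Append-only, hash-chained record of status decisions and receipts."""

    def __init__(self, clock):
        self.clock = clock
        self.records = []

    def append(self, record):
        record = dict(record)
        record["at"] = self.clock()
        record["prev_hash"] = self.records[-1]["hash"] if self.records else "0" * 64
        body = json.dumps(record, sort_keys=True).encode()
        record["hash"] = hashlib.sha256(body).hexdigest()
        self.records.append(record)
        return record["hash"]

    def verify_chain(self):
        """True only if every record's hash and back-link still check out."""
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if rec["prev_hash"] != prev or digest != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def find(self, record_hash):
        return next(r for r in self.records if r["hash"] == record_hash)


class CanonicalStatusRegistry:
    """The single authoritative source of credential status (a Layer 3 record)."""

    def __init__(self, log, status_authority):
        self.log = log
        self.status_authority = status_authority  # the institution mandated to change status
        self._latest = {}  # credential_id -> hash of the status event currently in force

    def issue(self, credential_id, issuer):
        self._latest[credential_id] = self.log.append(
            {"type": "status", "credential": credential_id, "status": "active",
             "actor": issuer, "reason": "issued"})

    def set_status(self, credential_id, status, actor, reason):
        if status not in STATUS_VOCAB:
            raise ValueError(f"status outside vocabulary: {status}")
        if actor != self.status_authority:
            # Mandate gating: the attempt is recorded as evidence but takes no effect.
            self.log.append({"type": "status_denied", "credential": credential_id,
                             "status": status, "actor": actor, "reason": reason})
            raise MandateError(f"{actor} holds no mandate to set status")
        self._latest[credential_id] = self.log.append(
            {"type": "status", "credential": credential_id, "status": status,
             "actor": actor, "reason": reason})

    def current(self, credential_id):
        """Return (status, hash of the status event being relied upon)."""
        h = self._latest[credential_id]
        return self.log.find(h)["status"], h


class RelyingParty:
    """A verifier bound to the shared acceptance profile; it keeps no private rules or cache."""

    def __init__(self, name, registry, profile):
        self.name, self.registry, self.profile = name, registry, profile

    def verify(self, credential_id, credential_type):
        status, status_hash = self.registry.current(credential_id)
        accepted = (status in self.profile["accepted_statuses"]
                    and credential_type in self.profile["accepted_types"])
        # The receipt cites the exact status event relied upon: decision provenance.
        return self.registry.log.append(
            {"type": "receipt", "verifier": self.name, "credential": credential_id,
             "credential_type": credential_type, "status_seen": status,
             "status_event": status_hash, "profile": self.profile["id"], "accepted": accepted})


def reconstruct(log, receipt_hash):
    """Independent review: rebuild a disputed outcome from the records alone."""
    if not log.verify_chain():
        raise ValueError("evidence log altered or truncated")
    receipt = log.find(receipt_hash)
    basis = log.find(receipt["status_event"])
    return {"accepted": receipt["accepted"], "verifier": receipt["verifier"],
            "status_seen": receipt["status_seen"], "status_set_by": basis["actor"],
            "status_reason": basis["reason"], "status_at": basis["at"],
            "receipt_at": receipt["at"]}


def demo():
    """Constructed scenario: two agencies, one mandate holder, one suspension."""
    log = EvidenceLog(_make_clock())
    registry = CanonicalStatusRegistry(log, status_authority="Identity Authority")
    profile = {"id": "national-profile-v1", "accepted_statuses": {"active"},
               "accepted_types": {"driving-licence"}}
    tax, health = RelyingParty("Tax Office", registry, profile), RelyingParty("Health Service", registry, profile)
    registry.issue("cred-001", issuer="Identity Authority")
    receipt_before = tax.verify("cred-001", "driving-licence")
    try:  # a verifier cannot quietly revoke on its own local judgement
        registry.set_status("cred-001", "revoked", actor="Tax Office", reason="local suspicion")
    except MandateError:
        pass
    registry.set_status("cred-001", "suspended", actor="Identity Authority", reason="device reported lost")
    receipt_after = health.verify("cred-001", "driving-licence")
    return log, receipt_before, receipt_after
```

Two things are worth noticing. The Tax Office's attempted revocation leaves a `status_denied` record but changes nothing, so the Health Service's later denial traces to a suspension ordered by the mandated authority, with its reason and timestamp, not to a verifier's private rule. And the hash chain only proves that the log was not altered after the fact; whether the suspension itself was lawful is a Layer 1 and Layer 2 question that no amount of logging answers.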


Mandate gating is the difference between plumbing and authority

Wallets sit at the junction of identity, eligibility, authorisation, and data exchange. At that junction, trust is not a purely technical property. It is a mandate property.


The mandate gating discipline is developed in Access Control Model: Data Exchange Mandate Gating. The legal authority framing for data exchange ecosystems is developed in Data Exchange Platform Legal Authority.


In wallet deployments, mandate gating is the practical control that stops the ecosystem from drifting into de facto authority based on convenience, integration speed, or donor reporting milestones.

GovStack safeguards that cannot be enforced are not safeguards

Compatibility checks happen before the first incision, not after go-live

A governance document can be beautifully written and still be operationally irrelevant if the system cannot enforce it and produce evidence that enforcement occurred.


A common failure mode is interface-only safeguards, especially around consent. A toggle is not withdrawal if the stop condition cannot propagate across relying parties and cannot be reconstructed as evidence under review. This is treated as a testable failure mode in Data Exchange Safeguards: Consent Withdrawal.


A jurisdiction-neutral floor is better than policy-agnostic theatre

A workable neutrality posture is not a blank space. It is a jurisdiction-neutral floor that forces completeness conditions, then allows jurisdiction annexes. The floor is not technology. It is inspection-ready governance content: lawful authority, enforceable mandate, canonical record stewardship, evidence duties, and operable oversight with remedy.


This is also the practical meaning of sovereignty in public digital systems: not hosting choices, but the ability to suspend, correct, and reverse under domestic compellability. That sequencing is developed in Achieving Digital Sovereignty: The Critical Sequence for DPI.


Procurement and donor decisions that prevent predictable failure

If governance cannot be procured and tested, it will be postponed. If it is postponed, the programme will drift into irreversibility.

For each decision domain, the table sets the non-waivable question and the minimum acceptance condition aligned to SLM.

Authority
  Non-waivable question: What is the legal perimeter of the wallet’s effects, including limits and reviewability?
  Minimum acceptance condition: A current legal basis and a living inventory of authorised functions and limits.

Mandate
  Non-waivable question: Who is compellable for trust governance, status operations, and incident response?
  Minimum acceptance condition: A named accountable authority with delegation limits and escalation routes.

Canonical records
  Non-waivable question: Which records are authoritative for each claimed fact?
  Minimum acceptance condition: Declared authoritative registries with correction propagation and stewardship duties.

Evidence
  Non-waivable question: Can an independent body reconstruct a disputed outcome from records, not screenshots?
  Minimum acceptance condition: An evidence bundle baseline, provenance requirements, and audit access.

Conformance
  Non-waivable question: How do we prove verifier behaviour is consistent across relying parties?
  Minimum acceptance condition: A mandatory profile and repeatable test evidence before any reliance expansion.

Remedy
  Non-waivable question: Can affected people obtain correction, suspension, or reversal within predictable service levels?
  Minimum acceptance condition: Operable complaint and appeal pathways with receipting and deadlines.

Exit and sovereignty
  Non-waivable question: Can the state suspend, correct, and reverse without negotiating with suppliers?
  Minimum acceptance condition: Rehearsed takeover, migration, and reconstruction under domestic control.

The category errors that cause procurement to fund assets when it needed governed capabilities are clarified in DPI vs DPG vs DPF vs Digital Public Infrastructure.



GovStack-style wallet building blocks can be useful as delivery accelerators only when they are treated as execution and interface material that must conform to upstream legal authority, institutional mandate, canonical records, evidence duties, and enforceable oversight with remedy.


The cross-match is not a philosophical preference. It is the minimum condition for a binding act to remain attributable, reviewable, and correctable under real government scrutiny.


If a programme cannot name the legal basis, the accountable institution, the canonical records, the evidence bundle, and the operable remedy route, it is still in demo mode, even if the QR scans perfectly.



Meet the author of the Seven Layer Model for Digital Public Infrastructure

Ott Sarv, author of the Seven Layer Model for Digital Public Infrastructure

  • LinkedIn

Senior advisor in Digital Identity and Digital Public Infrastructure. Ott Sarv helps institutions align lawful authority, institutional mandate, canonical records, and machine-readable rules with verifiable execution, enabling enforceable outcomes. Engagements combine policy, architecture, and delivery support.
