Donor (GovStack) Organ, No Cross-Match
- Ott Sarv
- Sep 10

The Root of GovStack Failure: 'Policy-Agnostic' Design
The GovStack theatre is bright and cold. A gleaming GovStack Wallet lies on a tray, connected to cables and promise. Teams gather, confident that this donor organ will save time, money, maybe even a nation’s patience. GovStack arrives with vendors in tow. The pitch is familiar. It will fit anywhere. It will work with everyone. It is policy-agnostic, the word that calms committees and opens budgets.
Then the cutting starts. And the body rejects it.
Symptoms of GovStack Failure in Practice

In this story the donor is not a person. It is GovStack and the technology bundle that travels with it, the wallet most of all. It comes with formats and SDKs and quick-start guides. It rarely comes with something more basic: a binding legal floor that grants authority, a conformance regime that can be tested, or worked answers for trust, revocation, recovery and audit. Even the one strong anchor that was on the table, a reference to a living regulatory regime, was taken out in the name of neutrality. The organ arrives with no blood type on the label.
The patient is a living body, not a demo
States are organisms. They have DNA, organs, blood and an immune system. The Seven-Layer Model gives that anatomy names. Legal Authority is the genetic code of public power. Institutional Mandate is the set of organs that own decisions and answer for them. Core Infrastructure is circulation and custody, the systems that keep a country’s digital life moving and must remain under sovereign control. Canonical Registries and Trust Services are the blood and the immune system, the authoritative records and accredited trust anchors that allow anyone to tell a real cell from a pathogen. Regulated Digital Services are the legally recognised actions that issue outcomes and can be appealed. Sectoral Orchestration is the wiring that connects ministries to lawful process without letting a platform rewrite the rules. Public Interfaces are the certified portals and counters where people exercise rights, object, and recover.
Sequence matters. DNA before organs. Blood before movement. Immunity before exposure. When a donor wallet arrives without a match to these layers, the body does what bodies do. It defends itself.
How rejection looks outside the lab
At first the numbers seem fine. A pilot issues credentials. QR codes flash and scanners beep. But trust begins to drift. Verifiers start writing their own acceptance rules because no one ever defined a prescriptive trust model or signed trust lists that others must respect. A driver’s licence issued in one place is silently refused in another. No one can explain why in a way that stands up in court.
Then a breach forces a question that should have been answered on day one. What is revocation? Who can suspend, who can reinstate, how fresh must a status check be, and how do you do it without turning every presentation into a phone-home that lets an issuer follow a life around? The spec had promised flexibility. The adversary takes what is flexible and bends it.
Recovery becomes a coin toss. Someone loses a phone and with it the keys that hold their life. Help desks improvise. A senior official asks for a back door. Developers call it a recovery flow. Lawyers call it liability. Citizens call it fear.
And then there is the room where decisions are challenged. A person presents a receipt and asks a judge to review a denial. The receipt is a screenshot. The registry is a copy. The workflow is a diagram. None of it carries the weight of an act done under law, by a named custodian, with evidence that can be examined. What looked like a transplant becomes a foreign body.
GovStack Neutrality is not care, it is abdication
Proponents of policy-agnostic wallets describe neutrality as inclusion. Do not force European rules, they say. Do not enshrine any regime at all. Let each country decide. On paper that sounds respectful. In practice it moves the burden from a well-resourced standards group to the least resourced team downstream. Every implementer must now invent a legal mapping, define accreditation and liability, sketch revocation, and guess at recovery. Interoperability becomes branding. Conformance becomes a slide.
There is a better version of neutrality and it looks nothing like a blank page. It looks like a jurisdiction-neutral baseline that makes a few hard, non-negotiable choices and then allows annexes for local law. It chooses a mandatory proof profile for the first release and lists the others as optional. It defines status freshness, nonce rules, holder binding and unlinkability targets in plain language and test vectors. It describes recovery that is humane and safe. It tells a regulator exactly what to look for and how to tell if someone is pretending.
How to Prevent GovStack Failure: A Sequential Approach
Transplants succeed because surgeons check compatibility before they cut. Public wallets need the same discipline. Start where law lives. Enact the basis for purpose, power, limits and remedy. Say how digital evidence works. Refuse to run pilots that create real effects without a lawful foundation, even temporarily. People are not test data.
Name the organs. Stand up a trust and conformance authority with real powers and public accountability. Give it the job of accrediting issuers and verifiers and the courage to revoke when needed. Put a remedy office in the light and measure it on how quickly it answers ordinary people, not insiders.

Secure the bloodstream. Declare which registries are authoritative in law. Publish who stewards them and how changes are made. Treat audit logs as part of the record, not as developer exhaust. If a registry is not canonical, a wallet will circulate stale blood.
Write the immune protocol. Ship a baseline profile that covers accreditation and signed trust lists, clear status semantics for suspend and revoke, presentation freshness and nonces, privacy targets that fight correlation, and recovery that does not rely on escrow or shadow databases. Do not call anything interoperable until it passes a test suite that anyone can run and no one can bluff.
Reconnect the nerves. Describe issuance and presentation as legal acts that can be assisted and done offline. Build a standard route for appeal with deadlines and receipts that hold up under review. Protect people who are at risk. Write the interface copy as if it were a right, not a product tour.
Then, and only then, choose the implant. Technology belongs to the sixth layer for a reason. It should fit the body, not the other way around. Pick one proof and crypto profile as the floor and let others ride as options later. Publish reference verifiers, trust-list resolvers and status responders with exact error codes, not just examples. Let continuous integration run the conformance tests in public.
After the operation comes aftercare. Put the regulator behind the glass with live telemetry. Publish revocation latency and appeal times in a dashboard people can read. Recertify issuers and verifiers on a schedule and make the results public. When you trip, write the post-mortem where citizens can see it. A body stays healthy when those who care for it refuse secrecy.
What success feels like to a person
The measure is simple. A person presents once and discloses the minimum. A decision arrives in seconds. The receipt is real and usable in appeal. A lost phone is an inconvenience, not an erasure. Crossing a border or an agency boundary is ordinary because trust lists and status checks are consistent, signed and fresh. Accountability is visible. Names are on doors. Complaints have clocks.
None of this requires importing someone else’s law. It requires writing your own and insisting that software respect it.
The choice on the table
We can keep treating GovStack plus vendor code as a universal donor and learn about incompatibility in production. Or we can adopt the Seven-Layer cross-match and operate with discipline. Legal Authority first. Institutional Mandate next. Core Infrastructure under control. Canonical Registries and Trust Services defined and accredited. Regulated Digital Services that create real outcomes and allow real appeals. Sectoral Orchestration that follows the law rather than rewrites it. Public Interfaces that preserve legal effect and show people where to object.
Sovereign systems are not imported. They are enacted, assigned and supervised. Do that, and the donor organ stops being foreign. It becomes part of the body.
GovStack, Vendors, and Sovereignty. The Questions That Matter
If a spec is written in a hurry it serves the seller, not the state. GovStack can help only when law, mandate, trust, and conformance come first. The questions below test those claims without euphemism.
What is the vendor marketplace (GovStack) problem?
A small circle of donors funds “reference” solutions and invites vendors to supply the specs, code, and demos. The result is a marketplace where the offer is fixed before the public authority defines its needs. Countries end up selecting from prebuilt kits rather than designing for law, mandate, and service outcomes.
Why do vendor-written specs look attractive but fail later?
They optimize for short sales cycles. That means fast pilots, broad claims of interoperability, and vague governance. Missing pieces like revocation, recovery, audit, and legal remedy are deferred. The gaps show up in production, when the project team is gone and the vendor is already selling the next module.
What are the red flags that a spec is vendor-led?
It uses words like policy-agnostic and globally reusable while avoiding a conformance floor. It lists many “supported standards” but chooses none as mandatory. It defers trust, revocation, and recovery to a future version. It measures success by pilots and workshops rather than appeal rates, revocation latency, and inclusion.
How do donors contribute to the problem?
Funding windows are short and tied to visible launches. That encourages shipping demos, not institutions. When donors ask for deployments rather than legal baselines and accreditation, vendors follow the money.
What harm does a policy-agnostic spec cause in a real state?
It shifts risk to the weakest actor. Local teams must improvise law, accreditation, and evidence rules. Verifiers drift. Courts struggle to review digital decisions. Citizens face recovery roulette when devices are lost. Costs rise as each agency patches the same gaps.
How do we force a proper cross-match before deployment?
Set gates that no vendor or donor can skip. Law in force. Institution named and accountable. Canonical registries declared. Trust model, revocation, and recovery defined and testable. Only then talk about pilots.
What must a contract require from any GovStack or wallet vendor?
One mandatory baseline profile with test vectors. Signed trust list handling. Status freshness and nonce rules. Holder binding and privacy targets. Escrowless recovery and key rotation. Public conformance results before go-live. Failure to pass means no payment.
How do we prevent vendor lock-in disguised as open source?
Demand reproducible builds, independent test suites, and full documentation of trust lists, status responders, and recovery flows. Require that another implementer can pass the same tests on a different stack within a fixed time. If not, it is open code but closed control.
What should procurement measure beyond price and features?
Measure enforceability. Can a judge rely on the receipts? Can the regulator see live telemetry? How fast does revocation propagate? How many appeals succeed? How many recoveries complete safely? If these metrics are missing, the system is not public infrastructure.
How can a country keep sovereignty when donors pay for hosting and ops?
Write location, custody, and control into law and contract. Keep keys, logs, and trust lists under domestic jurisdiction. Ban shadow registries. Require regulator access. If an external host is used, define exit and takeover within a fixed notice period and rehearse it.
What does a country do if a donor insists on “framework agnostic”?
Accept the donation only with a binding baseline attached. Replace generic neutrality with a jurisdiction-neutral floor: a legal basis, an accreditation body, signed trust lists, revocation and recovery rules, a mandatory proof profile, and a public conformance suite. No floor, no fit.
What outcomes prove the system serves the country, not the vendor?
Decisions that stand up in review. Recovery that is safe and routine. Verifications that work across agencies without phone-home tracking. Transparent metrics that improve over time. The ability to switch implementers without losing legal effect or public memory.
What is the single best safeguard against the donor marketplace?
Sequence. Law before code. Institutions before integrations. Trust before tokens. Recovery before release. When that order is enforced, sales cycles cannot override the needs of the state or the rights of its people.




