Growing Stronger, Building Trust Dear Supporter, Kantara continues to grow, and I'm excited about where we are heading. The release of Version 4 of the NIST Digital Identity Guidelines marks a pivotal moment for our industry, and I'm proud to report that Kantara is already advancing certification criteria to match it — so our community can move forward with confidence. Our Work Groups have never been more active. Since late 2025, five new Groups have formally launched, each tackling a critical frontier: Trusted Transaction Assurance, Shadow AI in the Workplace, Biometric Data, Blinding Identity Taxonomy, and Digital Identity Risk Universe. The energy and expertise our Members bring to these Groups is extraordinary. Interested in shaping the future of digital identity? Kantara Membership gives you the opportunity to charter and lead a Group, influence emerging standards, and connect with a global community of practitioners. Learn more about Membership benefits [here](https://kantarainitiative.org/memberships/). I'm also thrilled that Kantara will be present at several key industry events this summer and autumn — including Identity Week Europe in Amsterdam, Identity Week America in Washington, and our co-sponsorship of The DeepFake Summit. I look forward to seeing many of you at these events. Regards, Kay Chopard Executive Director What the Kantara Initiative accomplished in 2025 Kantara Advances NIST SP 800-63-4 Certification Program Kantara Initiative has published assessment criteria aligned to NIST SP 800-63 Revision 4 — the latest update to the NIST Digital Identity Guidelines. Criteria are now available for: - NIST SP 800-63A-4 — Identity Proofing - NIST SP 800-63B-4 — Authentication and Authenticator Management Revision 4 brings important updates, including stronger requirements for phishing-resistant authentication, expanded support for modern authenticators such as passkeys, and updated expectations for identity proofing and lifecycle management. Organizations can now pursue assessments against these Version 4 criteria, enabling early adoption while demonstrating their commitment to security, privacy, and user trust. In addition, the SP 800-63-4 Base Volume SAC and SoCA have now been published, establishing the foundational organizational criteria that apply across all Revision 4 assessments. The Base Volume incorporates common Kantara Initiative requirements and is intended to be used alongside the applicable functional [c](https://kantarainitiative.org/download-category/service-assessment-criteria-sets/)[riteria sets](https://kantarainitiative.org/download-category/service-assessment-criteria-...). The Common Organizational Service Assessment Criteria (CO_SAC) remains applicable for SP 800-63 Revision 3 assessments, and both Revision 3 and Revision 4 certification suites continue to be available to service providers. Existing Revision 3 Trust Mark holders remain validly certified for the duration of their current certification period and may transition to Revision 4 upon renewal if desired. Organizations seeking certification are required to engage directly with Kantara Initiative, with assessor assignments managed through the program to ensure consistency and impartiality. Additionally, work continues on the development of the NIST SP 800-63C-4 Federation and Assertions criteria. Internal drafting activities are underway, and the criteria are expected to enter public review following completion of the current review cycle. Notices and Documentation Updates Strengthen Program Consistency Several[notices](https://kantarainitiative.org/notices/) were issued during the year to support the consistent operation of the program: - Notice KI#2026-01 formally incorporated passkey requirements into the SP 800-63B-3 criteria, retiring the previous accommodation notice and ensuring support for phishing-resistant authentication technologies. - Notice KI#2026-02 introduced the Assessor Assignment Policy, providing additional transparency and consistency around the engagement and assignment of accredited assessors. - Notice KI#2026-03 provided clarification regarding confirmed address requirements and their interpretation, supporting more consistent application of the criteria by applicants and assessors. Together, these updates continue to strengthen the integrity, transparency, and consistency of the certification process. Updated Documentation and Resources Throughout the year, [several supporting documents and templates](https://kantarainitiative.org/download-category/supporting-templates-service...) were refreshed to improve usability and streamline the assessment lifecycle. These new templates are effective as of their date of publication, and older versions will no longer be available or accepted. Updates included revised: - Application Forms; - Service Description (S3A) templates; - Assessor Report templates; and - Trademark Licence Agreements (TMLA). The website was also enhanced with dedicated publication pages, updated criteria request pages, and a new Notices section, making it easier for organizations, assessors, and stakeholders to access current information and remain informed of program developments. UK Digital Verification Services (DVS) Update The UK’s Digital Verification Services framework is starting to progress at pace. The government published the pre‑release of Version 1.0 on 6 March 2026. This is the first revised statutory trust framework under the Data (Use & Access) Act, and it replaces the earlier “UK Digital Identity & Attributes Trust Framework” (DIATF). On 9 June 2026, the Department of Science, Industry and Technology (DSIT) published the full statutory release of Version 1.0 and stated that it is expected to come into force on 1 September 2026, which will open the door for certification to begin. Kantara is well placed to meet this timeline, with the processes, expertise, and assessor capacity ready to support providers as soon as the framework becomes formally available for certification. How Version 1.0 Relates to the Data (Use & Access) Act 2025 The Data (Use & Access) Act 2025 is the legislation that brought DVS onto a statutory footing. Part 2 of the Act came into force on 1 December 2025, formally moving the DVS pilot into a legally regulated environment. Key links between the Act and Version 1.0: - The Act establishes the statutory role of the DVS Trust Framework — Version 1.0 is the first publication written explicitly to align with this legal basis. - The Act enabled the creation of a statutory register of certified DVS providers. - The Act underpins the governance, oversight, and enforcement mechanisms that Version 1.0 now builds upon. What is to be introduced in Version 1.0: - A fully aligned statutory name — now formally the UK Digital Verification Services Trust Framework, matching the terminology in the Act. - New rules for Orchestration and Holder Service Providers, including requirements to share metadata about identity confidence, authentication methods, and provenance. - Support for modern authentication, including guidance on passkeys and syncable authenticators. - The new UK CertifID Trust Mark, which providers certified to Version 1 will be able to display. What Does This All Mean? Certification is already mandatory for DBS digital identity checks. Looking ahead, it’s widely expected that certification for Digital Right to Work checks, Holder Service Providers (wallets), Attribute Service Providers, and Orchestration Service Providers may also become mandatory, possibly followed by requirements in areas such as Age Assurance, Smart Data schemes, and for identity providers accessing certain government services. Regardless of these future changes, only certified providers will be eligible to appear on the statutory register — a major trust signal for the market. As of this point in time, ONLY Kantara can add providers to the register. For organisations already certified under Gamma (0.4), this is the moment to begin preparing for the uplift to Version 1.0. For organisations not yet certified, this is the moment to get in touch for us to guide you through the certification process. Five New Work & Discussion Groups: Already Delivering Following approval in late 2025, five new Groups officially launched between January and March 2026. Each addresses a priority area within digital identity: Trusted Transaction Assurance Work Group (Trusted Transaction) Bridging the gap between identity proofing and authorization, this group is developing frameworks that bind verified digital identities to legally significant actions — such as signing a mortgage, granting durable consent for care, or approving a wire transfer. It also aims to reduce market confusion around certifications and ease component integration for Credential Service Providers. The group is currently meeting regularly to develop its preliminary work plan. Digital Identity Risk Universe Discussion Group (DIRU) Already delivering: the DIRU DG has published a major community resource — the Digital Identity Risk Universe – 2026 and an accompanying methodology report, both freely available to the public. See the Publication section below for details. (Note: John is also exploring a video walkthrough of the Risk Universe as a marketing asset.) Shadow AI in the Workplace Discussion Group (Shadow AI) The rapid adoption of generative AI tools — ChatGPT, GitHub Copilot, and others — without IT approval creates real enterprise risk. Chartered in November 2025, this group has moved quickly: it has developed a preliminary outline and is now actively drafting its report, which will map causes, implications, and practical countermeasures, with a particular focus on identity-rooted detection and response. Blinding Identity Taxonomy Discussion Group (BIT) The BIT DG evolves and maintains a taxonomy for identifying and managing PII and quasi-identifiable information (QII) — supporting privacy-preserving data handling and enabling use cases such as filtering data unsuitable for AI training. The group is well into active development: a draft BIT Report 2.0 is already under review, with regular meetings focused on expanding and refining the taxonomy. Biometric Data Discussion Group (Biometrics/BDDG) Addressing the management, security, and privacy of biometric data from collection to destruction, this group will produce practical recommendations and best practices that translate complex existing standards into accessible, real-world guidance — with a focus on GDPR compliance. The group has developed a preliminary outline and is actively expanding its work plan. To participate in any of Kantara’s Groups, complete Kantara's [Group Participation Agreement (GPA)](https://kantarainitiative.org/gpa-signup/). https://kantarainitiative.org/work-groups/ancr/ New Publication: The Digital Identity Risk Universe – 2026 The Digital Identity Risk Universe Discussion Group (DIRU DG) has formally published a major new community resource: - The Digital Identity Risk Universe – 2026 (DIRU): A comprehensive spreadsheet mapping risks across the full credential lifecycle — from creation and enrollment through holder management and verification. It introduces a specialized taxonomy for emerging AI Agent/Agentic Identity risks. - The Accompanying Report: Explains the methodology behind the framework and serves as a practical guide for risk management teams building their own internal Risk Registers. Both files are published under Kantara's Non-Assertion Covenant IPR and are freely available to the public. [Download both files here.](https://kantarainitiative.org/reports-recommendations/) Editor: John Fiske https://kantarainitiative.org/work-groups/ancr/ Transparency Performance Indicators Published in IEEE — and Recognized Across the Global Stage The Anchored Notice and Consent Receipts (ANCR) Work Group's Transparency Performance Indicators (TPIs) — a Kantara Recommendation developed under the leadership of Work Group Chair and Kantara Member Salvatore D'Agostino of IDmachines — have been [published in IEEE Xplore](https://ieeexplore.ieee.org/document/11486335) following their presentation at the 2025 IEEE Symposium on Privacy Expectations (ISoPE). The paper proposes a methodology for measuring PII Controller compliance using consent record structures mapped to both technical and legal frameworks (ISO/IEC 27560:2023, GDPR, Council of Europe 108+, and others). But the TPIs haven't stopped at publication — they're already being put to work, and recognized at the highest levels. At CPDP 2026 (Computers, Privacy and Data Protection), one of the most significant annual gatherings in the global privacy community, Kantara Member and ANCR Work Group Editor Mark Lizar joined a distinguished panel — including the UN Special Rapporteur on the Right to Privacy — to present Transparency by Default: An Internet Transparency Code of Practice. The panel highlighted the urgent need for operational transparency frameworks that make accountability inspectable before identification is demanded and data begins to flow. Lizar's presentation drew directly on the Kantara TPI Recommendation as the foundation for exactly this kind of internet-scale transparency infrastructure — grounded in Council of Europe Convention 108+, a framework covering 2.5 billion people. It was a powerful call to action: the work Kantara's community has been quietly building is now being named as the solution the world needs. Meanwhile, the TPIs are also finding their way into award-winning commercial products. IDmachines, in partnership with Ones Technology (Ankara, Turkey) and Intel RealSense, applied the TPI framework to add a notice and consent layer to a real-world biometric credentialing and access control deployment. The result — [the BioAffix Vision Platform](https://www.youtube.com/watch?v=Vmiwu1M_TLQ) — earned an [Honorable Mention in the Biometrics category at the 2026 SIA New Products and Solutions Awards](https://www.securityindustry.org/2026/03/25/security-industry-association-an...) at ISC West in Las Vegas. Publication. Standards recognition. A UN-level call to action. Commercial deployment. This is what it looks like when Kantara Work Group outputs reach deeply into the world. DOI: 10.1109/ISoPE67098.2025.00019 | Publisher: IEEE https://kantarainitiative.org Meet Kantara at Upcoming Conferences Kantara will be represented at three approaching significant events this year. We'd love to connect with you at any of them: The DeepFake Summit 2026 — Washington, D.C. September 1, 2026 · Kantara is a co-sponsor. An executive forum on deepfakes, synthetic identity, and agentic AI threats. Identity Week America 2026 — Washington, D.C. September 2–3, 2026 · 3,000+ professionals across biometrics, digital ID, AI, and authentication. 2026 Federal Identity Forum & Exposition (FedID) — Chantilly, VA September 15–16, 2026 · A two-day immersive forum uniting identity professionals from the federal government, private sector, and academia for strategic planning, information sharing, and collaboration. Find us at all three events. To get in touch, contact us [here](https://kantarainitiative.org/contact-us/). JOIN US! Sign up for membership of Kantara Initiative at www.kantarainitiative.org/membership