A Business Guide to Riley Hughes’ STA Summit 2026 Keynote
Introduction
At the STA Summit 2026 in Houston, Trinsic CEO and Co-Founder Riley Hughes made a pointed argument that cuts against conventional wisdom in the digital identity industry: the greatest risk to privacy isn’t deploying digital IDs, it’s failing to deploy them fast enough.
The talk, titled Privacy by Deployment, introduced a framework for understanding why well-intentioned caution about digital ID adoption is actively making things worse, and why acceleration, not deliberation, is the path to both safety and privacy for the people these systems are meant to protect.
This guide unpacks the four core arguments of that talk and translates each into a practical lens for businesses, policymakers, and practitioners navigating digital identity today.
Part 1: We Live in an Era of Default Disbelief
A startup founder, Steve, hired an engineer after an interview process that appeared thoroughly legitimate. The candidate had a credible LinkedIn profile, gave coherent technical answers, and passed several rounds of screening. The engineer turned out to be a deepfake: an AI-generated persona built to impersonate a real person, designed to gain access to sensitive company systems.
This kind of story is no longer a thought experiment. It is happening at scale.
The reason is a fundamental shift in what artificial intelligence actually does. AI does not stand for artificial intelligence in the meaningful sense. Functionally, it stands for astounding impersonation. Large language models and multimodal AI systems are, at their core, simulation engines: conditioned by a prompt, they produce an extraordinarily convincing imitation of whatever they are asked to generate. This applies to text, images, voices, video, and personas.
The statistical picture reinforces the urgency. According to Experian, fraud losses in the United States reached $12.5 billion last year. In a separate survey, 72% of business leaders expect AI-driven impersonation fraud to be a major challenge in 2026. These figures are not projections; they reflect harm that is already occurring, at scale, to real people and real businesses.
If you are not already operating under a default assumption that digital content could be fabricated (any image, any voice, any identity presented online), you are behind the threat curve. The era of default disbelief is not coming. It is here.
What this means for businesses: Organizations that continue to rely on legacy identity verification methods, such as knowledge-based authentication, password-based access, and informal trust signals, are not navigating a known risk. They are operating with tools designed for a world that no longer exists. The question is not whether to modernize identity verification. It is whether to do so before or after a significant incident.
Part 2: Proof of Authenticity Must Scale and Only Digital IDs Can Do It
The response to industrialized impersonation is scalable proof of authenticity: a mechanism by which a person can demonstrate, with high confidence, that they are who they claim to be. Consider how proof of authenticity currently works across three common scenarios, and why each is inadequate for the environment we’re entering.
In-person identity verification relies on physical documents as evidence and the human face-matching algorithm as authentication. This works, as it is difficult to fake in person, but it is inherently unscalable. The financial institutions, marketplaces, and service providers that need to onboard hundreds of millions of users online cannot put every interaction through an in-person branch visit.
Online credit and financial applications have historically relied on knowledge-based authentication: a Social Security Number, a date of birth, a prior address. After a decade and a half of large-scale data breaches, the secret is the secret no longer. Knowledge that was once proprietary is now widely compromised. This model is not only weak; it also actively disadvantages legitimate users, who struggle to verify themselves through a system that bad actors have already mapped.
Document upload flows with liveness detection — the current industry standard — are a probabilistic improvement over pure knowledge-based methods. They raise the bar for fraud. But because they rely on image capture and real-time biometric matching, they remain vulnerable to sufficiently sophisticated deepfakes, and they impose significant friction on legitimate users. They are also fundamentally reactive: they attempt to detect impersonation after the fact rather than prevent it by design.
Digital IDs represent a qualitatively different architecture. Rather than asking a user to prove who they are by presenting evidence that could be fabricated, digital IDs deliver cryptographically signed credentials directly from the issuing authority, such as a government, a bank, or a verified institution. The credential is bound to the holder through device and biometric authentication. The result is scalable proof of authenticity: verification that is deterministic rather than probabilistic, faster rather than slower, and privacy-preserving rather than data-exfiltrating.
| Method | Evidence Quality | Authentication | Scalability | Privacy |
|---|---|---|---|---|
| In-Person ID | High | High (biometric) | Low | Moderate |
| Knowledge-Based | Low (breached) | Very Low | High | Poor |
| Document Upload + Liveness | Moderate | Moderate (probabilistic) | Moderate | Poor (data copies) |
| Digital ID (mDL / eID) | Very High (cryptographic) | Very High (device + biometric) | Very High | High (selective disclosure) |
The comparison is not close. In every dimension that matters for the threat environment we are entering, digital IDs are superior.
Part 3: Good Intentions Are the Bottleneck – The Anakin Skywalker Effect
For those unfamiliar with the Star Wars narrative: Anakin Skywalker’s path to becoming the most destructive force in the galaxy was paved entirely with good intentions. His single-minded pursuit to protect his wife from harm led directly to her destruction. The lesson we can learn from this is that optimizing for the wrong objective in good faith can produce outcomes that are worse than the problem you set out to solve.
In the digital identity world, this dynamic plays out repeatedly across three distinct settings.
Platform Gatekeeping. One example of this is a major mobile platform deciding to support mDL access. The platform cares about privacy. It wants to ensure that apps requesting access to a user’s digital ID are legitimate, responsible, and not extracting data in harmful ways. So it introduces Know Your Business requirements, legal substantiation processes, data use questionnaires, restricted-use-case lists, and subprocessor data-sharing controls. Each requirement is individually defensible. Collectively, they create a compliance burden that most legitimate businesses find prohibitive, which means they abandon the digital ID path and continue asking users to photograph their physical documents instead. The outcome is more data exfiltration, not less.
Standards Bodies. The same dynamic plays out in technical standards work. Trinsic founder Riley Hughes observed it firsthand as the first employee of the Sovrin Foundation, a privacy-maximalist digital identity initiative that prioritized solving every edge case before deployment. Meanwhile, simpler, less idealistic approaches gained adoption.
Government Governance. Utah has an mDL wallet that is technically capable of supporting ISO 18013-7 for remote verification. A well-meaning government official made the decision to disable this capability, to protect citizens from potentially sharing their mDL data with unauthorized parties. The result: when Riley Hughes found himself in Colorado without his physical wallet, he was unable to use his mDL. The airport required a physical ID. He was saved by a car rental company that eventually helped him and made a photocopy of his ID that will sit in a filing cabinet somewhere indefinitely. The protective intervention produced a worse privacy outcome than the capability it blocked.
What this means for decision-makers: The relevant question when evaluating a digital ID governance policy, platform requirement, or implementation standard is not “could this cause harm in some scenario?” It is “does this reduce harm relative to the alternative that will persist if we don’t deploy?” Absolute risk analysis, applied to digital identity, will always find reasons to wait. Relative risk analysis, comparing the harms of the status quo to the harms of deployment, points firmly toward acceleration.
Part 4: Privacy by Deployment: The Case for Accelerating Safely
When someone is considering marriage, the relevant question is not: what is the probability that this ends in divorce? That question, assessed in isolation, might counsel against marriage altogether. The relevant question is: compared to my current situation, with its known costs and risks, does this relationship offer enough upside to justify the risk of its potential downsides? Almost everyone who gets married concludes that it does, not because the downside risk is zero, but because the comparison to the alternative is favorable.
We can apply the same logic to digital ID:
| Digital IDs | Status Quo |
|---|---|
| Possibility that issuers could institute surveillance, exclusion, or coercion | Guarantee that, every day, tens of millions upload high-resolution photos of their most sensitive identity documents and biometrics to uncontrolled third parties |
The risks of digital ID adoption exist on a potential, contingent basis. They require specific actors to behave badly and specific safeguards to fail. The risks of the status quo are not potential; they are actual. They are happening now, at scale, to real people. The harm is not only high in absolute terms; it is accelerating as the tools of deepfake-based fraud become cheaper, faster, and more accessible.
With this framing in place, we outline a three-step path forward.
Step 1: Deploy Digital IDs Now.
Digital IDs already offer transformative improvements over the status quo on the dimensions that matter most:
- Selective disclosure: A digital ID can share only the specific information required for a transaction (an age confirmation, a residency status, an employment verification) without exposing an entire document full of unrelated personal data.
- Deterministic validation: Cryptographic proofs from the issuing authority mean that verification is certain, not probabilistic. There is no “this might be a deepfake”; the credential is either cryptographically valid or it is not.
- 10x faster experience: Users complete verification dramatically faster, which reduces abandonment, increases conversion, and makes the system genuinely useful rather than merely compliant.
These advantages are not hypothetical. They are live. Digital IDs are ready. The technology has been ready. What has been missing is the organizational will to deploy.
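The selective disclosure and deterministic validation properties listed above can be sketched with salted digests, the general approach mDL-style credentials take. This is an added example, not code from the talk or from Trinsic: the claim names and demo key are constructed, and HMAC stands in for the issuer's asymmetric signature so the block runs on the Python standard library alone.

```python
import hashlib, hmac, json, secrets

# Constructed demo key. A real issuer signs with a private key and the
# verifier holds only the public key; HMAC is a stdlib stand-in here.
ISSUER_KEY = secrets.token_bytes(32)

# Constructed sample claims (hypothetical holder data).
SAMPLE_CLAIMS = {"family_name": "Doe", "birth_date": "1990-01-01",
                 "age_over_21": True, "address": "123 Example St"}

def digest(name, value, salt):
    # The per-claim random salt stops a verifier from guessing hidden values.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def sign_digests(digests):
    msg = json.dumps(sorted(digests)).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def issue(claims):
    """Issuer: salt and hash every claim, then sign only the digest list."""
    salts = {k: secrets.token_hex(16) for k in claims}
    digests = [digest(k, v, salts[k]) for k, v in claims.items()]
    return {"claims": claims, "salts": salts,
            "digests": digests, "sig": sign_digests(digests)}

def present(credential, requested):
    """Holder: reveal only the requested claims, each with its salt."""
    disclosed = [(k, credential["claims"][k], credential["salts"][k])
                 for k in requested]
    return {"disclosed": disclosed,
            "digests": credential["digests"], "sig": credential["sig"]}

def verify(presentation):
    """Verifier: return the disclosed claims, or None if any check fails."""
    expected = sign_digests(presentation["digests"])
    if not hmac.compare_digest(expected, presentation["sig"]):
        return None  # digest list was not signed by the issuer
    result = {}
    for name, value, salt in presentation["disclosed"]:
        if digest(name, value, salt) not in presentation["digests"]:
            return None  # disclosed value does not match a signed digest
        result[name] = value
    return result

if __name__ == "__main__":
    cred = issue(SAMPLE_CLAIMS)
    print(verify(present(cred, ["age_over_21"])))
```

The sketch leaves out holder binding (the device and biometric authentication the page describes), so it shows only that a disclosed value is issuer-signed, not that the presenter is the rightful holder.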
Step 2: Improve Continuously.
Deployment is not the same as declaring victory. We can point to the world’s most successful digital ID ecosystems, India’s Aadhaar and Singapore’s Singpass, as evidence that the path to quality runs through real-world use, not through pre-deployment deliberation. Aadhaar has grown from a basic identity number into a multi-dimensional financial and social services platform through iteration, measurement, and response to real problems that only became visible at scale. Singpass has evolved from a login credential into a multi-purpose national identity toolkit. Neither system was perfect at launch. Both became significantly better by being deployed.
The alternative, holding deployment until every potential risk is resolved, produces systems that never ship, or that ship so late and so burdened with complexity that adoption remains chronically low.
Step 3: Expand Access and Acceptance.
Nothing matters if digital IDs are too hard to accept. Gatekeeping acceptance behind bespoke permissions, slow approval workflows, or overly restrictive use-case lists penalizes the legitimate businesses and individuals who want to use digital IDs for real, beneficial purposes, without meaningfully deterring bad actors who will route around them anyway.
The call to action is direct: open up. Let people use their digital IDs. Design governance that is minimum-viable and expandable, not maximum-protective and contractionary. The default assumption should be that a business wanting to accept a government-issued digital ID is a good actor, and that the burden of proof required to change that assumption should be evidence of harm, not theoretical risk.
The synthesis: Acceleration and safety are not opposites. They are complements. Digital ID systems become more secure through real-world deployment, adversarial testing, measurement, and iteration, the same way every critical infrastructure matures. The potential risks of deploying now are dwarfed by the actual, ongoing, compounding harms of not deploying. Maximum safety requires maximum acceleration.
What This Means for Your Business
The argument Hughes made at STA 2026 has direct implications for any organization operating in an environment where identity verification matters, which is to say, almost every business engaged in digital commerce, financial services, employment, or regulated activities.
If you accept digital identities today: You are ahead of the threat curve and better positioned for the identity landscape as it develops. The next step is expanding acceptance: integrating with additional credential types, lowering friction for users, and investing in the governance frameworks that will allow you to move fast as the ecosystem matures.
If you are in the process of building digital ID acceptance: The case for accelerating your timeline is now more urgent than it was a year ago. Every quarter that passes is a quarter in which the tools of impersonation advance and the gap between threat and defense widens.
If you have not yet begun: The cost of delay is not zero. It shows up in fraud losses, verification failures, abandoned onboarding flows, and the compounding data-privacy liability of document capture systems that create copies of sensitive information across multiple third parties. The question is not whether to move. It is how to move efficiently.
Trinsic’s Identity Acceptance Platform is built for exactly this transition. A single integration provides access to government-issued mobile driver’s licenses, including California’s DMV Wallet, LA Wallet, and Samsung Wallet, alongside European eIDs and BankIDs, and private-sector global networks, without requiring bespoke integrations for each. Businesses can start accepting digital IDs in the markets where adoption is highest today and expand as the ecosystem grows.
Summary: The Privacy by Deployment Framework
The core argument of this talk can be distilled into a single framework:
- We are in an era of default disbelief. AI-powered impersonation tools are industrializing fraud at a pace that legacy verification systems cannot match. The harm is real, ongoing, and accelerating.
- Digital IDs are the only scalable response. Cryptographic credentials from trusted issuers, bound to holders through biometric and device authentication, offer verification quality that no probabilistic approach can match.
- Good intentions are causing the bottleneck. Platform gatekeeping, standards maximalism, and over-cautious governance are making the status quo persist by making the better alternative too difficult to deploy and accept.
- Privacy is best served by deployment. The relative risk comparison is not close: the potential harms of deploying digital IDs now are vastly smaller than the ongoing, actual harms of the document-capture status quo. Deploy, measure, improve, expand.
- Acceleration is a moral imperative. The era of default disbelief is upon us. Every delay in expanding access to high-quality digital identification is a decision to allow preventable harm to continue.
This guide is based on the keynote address “Privacy by Deployment” delivered by Riley Hughes, CEO & Co-Founder of Trinsic, at the STA Summit 2026 in Houston, TX. For more on Trinsic’s Identity Acceptance Platform, visit trinsic.id. For technical documentation and integration guides, visit docs.trinsic.id.