Executive Summary - Identification Management

Executive Summary: Identification Standards Consolidation Project

What Was Done

Over three days in November 2025, the New Zealand Identification Management Standards were restructured from 30 separate documents into a single consolidated resource. The work used AI-assisted analysis and content creation, with human oversight and review throughout.

Why It Was Needed

The identification standards are used by government agencies and service providers who must demonstrate conformance when implementing digital identity solutions. However, the existing 30-document structure created barriers:

  • Conformance information was hard to find: The core purpose of the standards—helping organisations conform—was spread across multiple documents and often buried in collapsible sections
  • Navigation was difficult: Users had to move between separate documents for standards, guidance, and checklists
  • Language was indirect: Passive voice made it unclear who should do what
  • New legal requirements were not reflected: The Biometric Information Privacy Code (effective November 2025) was not incorporated

How It Was Approached

The project proceeded in three phases:

Phase 1: Analysis

AI tools searched across the 30 documents to identify patterns and issues. This analysis was informed by 81 specific observations from a prior manual review. The analysis resulted in 8 recommendations for improvement and a proposed 9-section structure.

Phase 2: Content Creation

AI agents retrieved relevant content from each source document and synthesised it into the new structure. Four key constraints were observed:

  • Text of the four core standards could not be changed
  • All content must be traceable to source documents
  • Required external content (Biometric Privacy Code, cybersecurity standards) must be incorporated
  • Hidden "detail expander" content must be made visible

Phase 3: Manual Review

The project lead reviewed the output section by section, using AI tools to verify statements against source documents, and corrected any inaccuracies found.

What Was Produced

A single consolidated document of approximately 7,000 lines organised into 9 sections:

  1. Understanding Conformance (entry point)
  2. Assessing Identification Risk
  3. Selecting Assurance Levels
  4. Federation Assurance Standard & Implementation
  5. Information Assurance Standard & Implementation
  6. Authentication Assurance Standard & Implementation
  7. Binding Assurance Standard & Implementation
  8. Demonstrating Conformance (largest section)
  9. Reference Materials

Key Constraints Observed

The four core standards (Federation, Information, Authentication, Binding) contain 109 specific controls. These controls are referenced by downstream compliance materials. All 109 controls were preserved exactly as written—word-for-word verification confirmed no changes to the normative text.

Changes were limited to:

  • Structure and organisation
  • Heading hierarchy and navigation aids
  • Guidance material (rewritten in active voice)
  • Integration of standards and guidance together
  • Addition of external requirements (Biometric Privacy Code, NCSC cybersecurity standards)

External Requirements Incorporated

Biometric Privacy Code

The Privacy Commissioner's Biometric Information Privacy Code became mandatory on 3 November 2025. This was identified as a gap—the identification standards had technical controls for biometrics but no privacy requirements. Six pages of privacy code requirements were integrated into the Authentication Assurance section.

NCSC Cybersecurity Standards

The National Cyber Security Centre's 10 Minimum Cybersecurity Standards were referenced in the original documents but without specifics. Two pages of specific mappings between cybersecurity standards and identification controls were added to the Information Assurance section.

Electronic Identity Verification Act

This legislation was evaluated and determined to be a separate framework with no conformance relationship to the identification standards. It receives brief mention only.

Time Invested

  • Active work time: Approximately 11 hours across 6 work sessions
  • Calendar duration: 3 days (November 19-21, 2025)
  • Work distribution: Analysis (3 hours), Content creation (4 hours), Manual review (4 hours)

Verification

The consolidated document was verified across multiple dimensions:

  • All 109 core standard controls preserved unchanged
  • Over 400 citations to source documents maintained
  • All hidden content now visible
  • Guidance converted to active voice (303 instances of direct address)
  • Structure aligned with government content design guidance

Next Steps

The consolidated document requires stakeholder review before deployment:

  1. Usability testing: Verify the new structure works for different user types
  2. Conformance review: Validate technical accuracy and terminology
  3. Technical review: Subject matter experts review implementation guidance

This transparency package provides full documentation of the process, source materials, and outputs to support informed review.

Project Lead: Tom Barraclough Coordination: Government Chief Digital Officer (GCDO) office Date: November 2025