
# Stage 6: Final Recommendations (Part 1 - Recommendations)

## Date and Agent
- Date: 2025-11-19
- Agent: general-purpose (opus)
- Scope: Recommendations only (Structure proposal is Part 2)

## Executive Summary

The identification standards review revealed a fundamental misalignment between user goals and content organization. Users come to these standards seeking conformance guidance - "the whole point" according to Tom's observation - yet conformance processes are semantically isolated, hidden in detail expanders, and treated as peripheral. Simultaneously, guidance materials suffer from passive voice that obscures agency ("very vague, very passive"), essential information is buried in collapsible sections, and the separation of standards from implementation guidance creates unnecessary navigation burden.

Our analysis identified eight critical recommendations that will transform these materials from reference documentation into implementation assets. The top priority is reorganizing the entire resource around the conformance workflow, followed by systematic active voice conversion, elimination of content hiding, and integration of standards with guidance. Additionally, we must address critical legal gaps by augmenting biometric authentication guidance with mandatory Privacy Code requirements and adding specific cybersecurity cross-references.

These recommendations are grounded in extensive evidence: 282KB of analysis across five stages, 40+ Tom observations, 23 annotation sets, semantic analysis of 9,374 nodes, and validation against government AI guidance principles. Implementation is feasible within the constraint that core standards text cannot be modified - all recommendations focus on structure, guidance materials, and presentation improvements that respect this limitation while dramatically improving usability.

## Key Findings Synthesis

**Root Cause Identified (Stage 4)**: The identification standards are structured for **conceptual explanation** of identification management as a discipline, rather than **operational implementation** to achieve conformance. This manifests in three critical ways:

1. **Conformance Invisibility**: The conformance process, identified as users' primary goal, has 0 semantic neighbors above the 0.75 threshold and is "tucked away" in a separate document with only 8.2 connections per node.

2. **Guidance Superiority Paradox**: Implementation guides score higher in semantic searches than standards (0.911 vs 0.871) and contain more practical content, yet are separated into parallel documents requiring constant navigation.

3. **Content Obscurity**: Passive voice pervades (15+ Tom annotations), detail expanders hide essential threshold information (12+ instances), and the structure assumes linear reading rather than task-oriented workflows.

**Validation from Stage 5**: Government AI guidance strongly validates our approach through modeling - it consistently uses active voice, integrates privacy with technical requirements, keeps all content visible, and emphasizes transparency about processes. This demonstrates that government technical guidance can and should follow these practices.

## Recommended Actions

### Recommendation 1: Conformance-Centered Reorganization

- **Statement**: Transform the entire identification standards resource from topic-based organization to conformance workflow organization, making the conformance process the primary navigation and structural framework.
- **Rationale**: Tom definitively states conformance is "the whole point of even reading the standards." Data confirms this with conformance semantically isolated (0 neighbors) despite being users' primary goal. Users are "coming to the standards to try and conform with them, or to understand others' conformance" (Stage 4, lines 85-86, 509-515).
- **Impact**: High - Aligns structure with primary user goal
- **Effort**: Moderate (3-4 weeks) - Requires comprehensive restructuring but no content rewriting of core standards
- **Feasibility**: High - Does not violate core standards text constraint; reorganization only
- **Evidence**: Stage 4 synthesis shows conformance has 0 semantic neighbors above 0.75 threshold (line 95), only 1,690 semantic connections vs 3,160 for Federation Standard (lines 88-91), and Tom's 12+ annotations about conformance being "tucked away" when it should be central.

### Recommendation 2: Systematic Active Voice Conversion

- **Statement**: Convert all guidance materials (not core standards) from passive to active voice using digital.govt.nz Tone and Voice methodology, directly addressing readers with "you" and clear actor-action constructions.
- **Rationale**: Passive voice makes content "confusing," "very vague," and harder to understand (15+ Tom annotations). Active voice sections are consistently praised as "much clearer." Government AI guidance models active voice throughout, demonstrating this is government standard practice (Stage 5, lines 158-187).
- **Impact**: High - Significantly improves clarity and comprehension
- **Effort**: Easy to Moderate (2-3 weeks) - Systematic rewriting with established methodology
- **Feasibility**: High - Guidance materials can be fully rewritten; core standards text remains unchanged
- **Evidence**: Stage 4 documents that passive voice in guidance creates confusion about who does what (lines 118-143), while Stage 5 shows that AI guidance consistently uses active voice as the government standard (lines 514-519).

### Recommendation 3: Eliminate All Detail Expanders

- **Statement**: Remove all detail expander syntax (`+++` markers) throughout the documentation, surfacing all content with clear heading hierarchy so nothing is hidden from users or screen readers.
- **Rationale**: Tom's explicit directive: "Get rid of all detail expanders." Essential information is "buried away" (12+ annotations), creating accessibility barriers and causing users to miss critical threshold considerations needed for decision-making (Stage 4, lines 161-203).
- **Impact**: High - Makes critical information visible and scannable
- **Effort**: Easy (1 week) - Find-and-replace plus heading restructuring
- **Feasibility**: High - Straightforward structural change
- **Evidence**: Stage 4 shows detail expanders hide "the main point of the content" (line 164), "essential information" (line 166), and "important threshold considerations" (lines 171-178). Stage 5 confirms this violates accessibility requirements (lines 203-229).

### Recommendation 4: Integrate Standards and Guidance

- **Statement**: Combine each standard with its implementation guide into single cohesive documents, using clear visual distinction (formatting, headings, callout boxes) to differentiate normative requirements from explanatory guidance.
- **Rationale**: Separation creates navigation burden across 2,179 nodes in 8 documents for 4 topics. Implementation guides score higher in semantic searches than standards (0.911 vs 0.871) and are more accessible, yet treated as secondary. Tom asks: "Does having separate pages really help? It's not for reading, it's for working through" (Stage 4, lines 206-270).
- **Impact**: High - Eliminates navigation burden, improves workflow
- **Effort**: Moderate (2-3 weeks) - Requires careful integration and markdown styling
- **Feasibility**: Moderate - Must maintain clear distinction between normative and explanatory content
- **Evidence**: Stage 4 shows guides have more semantic connections (2,568 vs 2,073) and practical content, yet forced separation creates friction (lines 210-223). Stage 5 shows AI guidance models integrated structure (lines 243-268).

### Recommendation 5: Augment Biometric Authentication with Privacy Requirements

- **Statement**: Add a comprehensive section, "Privacy Requirements for Biometric Authentication", to the Authentication Assurance guidance, incorporating key provisions from the Privacy Commissioner's Biometric Processing Privacy Code 2025 (mandatory law from 3 November 2025).
- **Rationale**: Critical legal gap - the standards have technical controls (AA9.04, AA10.01, AA10.02) but no privacy requirements. Users implementing biometric authentication per the standards could violate the mandatory Privacy Code. Tom flagged the importance of biometrics twice in annotations (Stage 4, lines 575-596).
- **Impact**: High - Ensures legal compliance for biometric implementations
- **Effort**: Moderate (1-2 weeks) - Extract and summarize 5-6 key Privacy Code rules
- **Feasibility**: High - Augments guidance without changing core standards
- **Evidence**: Stage 3 identified the Privacy Code as mandatory law with 13 comprehensive rules. Stage 4 confirms the gap between technical controls and privacy requirements (lines 577-596). Stage 5 shows privacy-technical integration is government standard (lines 364-392).

### Recommendation 6: Add Specific NCSC Cybersecurity Cross-References

- **Statement**: Create a section, "Cybersecurity Requirements for Authentication Systems", in the Information Assurance guidance with specific NCSC standards cross-references, explaining which standards apply and why they complement identification requirements.
- **Rationale**: Tom's concern: "Linking out to privacy and security standards without specificity is not helpful." NCSC standards specify operational security while identification standards specify assurance levels - both required for complete implementation in public service (Stage 4, lines 597-612).
- **Impact**: Medium - Clarifies security requirements for public service implementers
- **Effort**: Easy (3-4 days) - Research and write 1-page cross-reference section
- **Feasibility**: High - Addition to guidance materials only
- **Evidence**: Stage 3 analysis shows identification standards specify WHAT assurance/controls are required while NCSC specifies HOW to implement them securely - complementary domains (Stage 3 findings). Stage 4 confirms the current vague linking is unhelpful (lines 599-600).

### Recommendation 7: Clarify DISTF Relationship Upfront

- **Statement**: Prominently acknowledge DISTF as the primary mandatory use case for these standards in opening sections, while noting broader applicability to other identification scenarios, resolving the current self-defeating ambiguity.
- **Rationale**: Tom observes the paradox: standards "distinguish themselves from DISTF" yet "the only mandatory use of the standards is the DISTF." This creates confusion about relevance and applicability. Federation Standard has highest DISTF connectivity (7,960 Act connections, 2,970 Rules connections) (Stage 4, lines 271-320).
- **Impact**: Medium-High - Clarifies relevance and applicability
- **Effort**: Easy (2-3 days) - Clarifying language and positioning
- **Feasibility**: High - Text additions to guidance sections
- **Evidence**: Stage 4 shows DISTF is the only cited mandatory use case (line 283) and most users are likely coming from a DISTF context (line 295), yet the relationship is downplayed, creating confusion (lines 271-320).

### Recommendation 8: Create User Journey Entry Points

- **Statement**: Develop a "Start Here" section with role-based pathways for different user types (credential providers seeking conformance, assessors performing assessment, relying parties, policy makers, technical implementers).
- **Rationale**: No clear entry points across 30 documents. Tom: "When all pages are split... you lose control over how people are approaching the information." Different user types need different pathways through the material (Stage 4, lines 444-508).
- **Impact**: Medium-High - Reduces navigation confusion, improves efficiency
- **Effort**: Moderate (1-2 weeks) - Requires audience analysis and pathway design
- **Feasibility**: High - Addition of navigation aids only
- **Evidence**: Stage 4 identifies 5 distinct user types with different needs (lines 466-473) but no explicit pathways. "About Identification Management" has 74,870 connections, suggesting users struggle to find entry points (lines 451-453).

## Priority Matrix

### Critical Recommendations (Must Do)

**1. Conformance-Centered Reorganization** (Recommendation 1)
- Foundation for all other improvements
- Addresses fundamental misalignment
- Tom's top priority: "the whole point"
- Without this, the core problem persists

**2. Systematic Active Voice Conversion** (Recommendation 2)
- Legal requirement (Plain Language Act 2022)
- Government standard practice per AI guidance
- Addresses pervasive clarity issues
- Tom's most frequent critique (15+ annotations)

**3. Eliminate All Detail Expanders** (Recommendation 3)
- Accessibility legal requirement
- Tom's explicit directive
- Quick win with high impact
- Unlocks hidden critical information

**4. Augment Biometric Privacy Requirements** (Recommendation 5)
- Mandatory law compliance (Privacy Code 2025)
- Critical gap creating legal risk
- Time-sensitive (law already in force)

### Important Recommendations (Should Do)

**5. Integrate Standards and Guidance** (Recommendation 4)
- Significant usability improvement
- Addresses navigation burden
- More complex integration effort
- Requires careful visual distinction

**6. Add NCSC Cybersecurity Cross-References** (Recommendation 6)
- Addresses Tom's specificity concern
- Important for public service agencies
- Relatively quick to implement

### Beneficial Recommendations (Could Do)

**7. Clarify DISTF Relationship** (Recommendation 7)
- Resolves conceptual confusion
- Easy to implement
- Medium impact on usability

**8. Create User Journey Entry Points** (Recommendation 8)
- Helpful navigation improvement
- Requires more analysis
- Can be refined iteratively

## Essential Content Additions

### Biometric Privacy Code Integration

- **Where**: Authentication Assurance Standard implementation guidance, new section after AA9/AA10 controls
- **Content**:
  - Overview: Legal obligations under Privacy Code 2025
  - 5-6 key rules: Necessity and proportionality, explicit consent requirements, biometric template security, retention limitations, purpose specification
  - Compliance checklist linking technical controls to privacy requirements
  - Reference to full Privacy Commissioner guidance
- **Size**: 2-3 pages estimated
- **Rationale**: Stage 3 identified this as mandatory law effective 3 November 2025. Stage 4 confirmed that technical controls exist without privacy requirements. Non-compliance creates legal liability for organizations following the standards.

### NCSC Cybersecurity Standards Reference

- **Where**: Information Assurance Standard implementation guidance, new section on operational security
- **Content**:
  - Relationship overview: How NCSC standards complement identification standards
  - Specific cross-references: Which of the 10 Minimum Standards apply to identification systems
  - Implementation notes: When to apply NCSC requirements vs identification requirements
  - Example scenarios showing both frameworks in practice
- **Size**: 1 page estimated
- **Rationale**: Stage 3 found NCSC standards address operational security while identification standards address assurance levels - both are needed for complete implementation. The current vague linking is unhelpful per Tom's feedback.

### EIVA Brief Mention

- **Where**: Overview/introduction section discussing legal frameworks
- **Content**: Brief note that "The Electronic Identity Verification Act 2012 (EIVA) establishes the EIVA Service as one specific government implementation. These identification standards are technology and implementation neutral, applying regardless of whether organizations use the EIVA Service."
- **Size**: 1 paragraph (3-4 sentences)
- **Rationale**: Stage 3 found EIVA is a separate system with narrow scope, not essential for identification management practice. The DISTF Act explicitly separates the frameworks. A brief mention is sufficient to acknowledge it without overemphasizing.

## Implementation Considerations

### Constraints

**Immutable Core Standards Text**: The four core standards (Federation, Information Assurance, Authentication Assurance, Binding Assurance) cannot have their normative text, requirements, controls, or in-text reference numbers modified. This is absolute - these are linked to downstream controls and assessments.

**Structural Changes Only for Core Standards**: We can reorganize, improve hierarchy, add navigation aids, enhance markdown formatting, and integrate with guidance - but the actual requirements text must remain unchanged.

**Guidance Materials Fully Modifiable**: All implementation guides, process guidance (Conforming, Assessing Risk), and supporting materials can be completely rewritten, restructured, and enhanced.

### Dependencies

**1. Conformance reorganization must precede other structural changes** - It defines the overall architecture

**2. Markdown style guide (Stage 8) must be complete before content integration** - Need visual distinction conventions for standards vs guidance

**3. Active voice conversion can proceed independently** - No dependencies on other changes

**4. Privacy Code integration should be prioritized** - Legal compliance issue

**5. User pathways depend on conformance structure** - Create after main reorganization

### Risks

**Risk 1: Stakeholder Resistance to Conformance-Centered Approach**
- Mitigation: Demonstrate with pilot section showing improved usability
- Validation: Test with Adele (usability) and Joanne (conformance assessment)

**Risk 2: Visual Distinction Between Standards and Guidance**
- Mitigation: Develop clear markdown conventions in Stage 8
- Validation: User testing to ensure distinction is clear

**Risk 3: Privacy Code Summary Accuracy**
- Mitigation: Coordinate with Privacy Commissioner for review
- Validation: Legal review of privacy requirements section

**Risk 4: Scope Creep in Content Additions**
- Mitigation: Strict page limits (2-3 pages privacy, 1 page NCSC)
- Validation: Focus on essential requirements only

## Success Criteria

Phase 2 implementation will be successful when:

1. **Conformance Process Centrality**: Conformance workflow is immediately visible as primary organizing framework, with assessment checklists as navigation tools

2. **Active Voice Prevalence**: 80%+ of guidance material uses active voice with direct address to readers

3. **Complete Content Visibility**: Zero detail expanders remain; all information accessible via clear heading hierarchy

4. **Integrated User Experience**: Users can access standards requirements and implementation guidance without document switching

5. **Legal Compliance**: Biometric privacy requirements clearly integrated; Plain Language Act requirements met

6. **Clear Entry Points**: New users can identify their role and find appropriate pathway within 30 seconds

7. **Verified Traceability**: All content maintains DocRef citations to source materials

8. **Stakeholder Validation**: Positive usability testing with Adele; conformance process validation with Joanne

## Next Steps

Part 2 of Stage 6 will provide a detailed structure proposal for the reorganized identification standards resource, including:

- Specific document architecture with section hierarchy
- Integration approach for standards and guidance
- Visual distinction conventions using markdown
- Detailed conformance workflow structure
- Navigation strategy and cross-linking approach
- Content retrieval plan for Phase 2 Stage 10

The structure proposal will demonstrate how these eight recommendations translate into a concrete, implementable documentation architecture that can be systematically executed in Phase 2.