AI 底层逻辑 / 经典论文

AI Digital Identity Wallet：可验证凭证信任架构

本文是学习、架构训练和作品集材料, 不构成法律意见、监管意见、KYC/KYB 合规结论、身份核验合格结论、隐私影响评估结论、模型验证报告、认证方案认证、消费者通知建议或 vendor endorsement。

721 行ai-foundations/papers/134-ai-digital-identity-wallet-verifiable-credentials-trust-architecture.md

AI Digital Identity Wallet / Verifiable Credentials / Trust Architecture 解读

面向对象: Advanced AI PM / Senior BA / Product Architect / Identity Architect / Fraud Risk Architect / Enterprise Architect / AI Governance / Privacy / Compliance / KYC-KYB Operations / Customer Onboarding Lead。核心问题: AI 系统如何安全使用 digital identity wallet、verifiable credentials、DID、passkeys、proofing assurance、relying-party policy、selective disclosure、revocation/status、fraud controls 和 evidence, 同时避免把 AI-inferred attributes 当成 verified identity claims? 学习目标: 建立 AI identity trust architecture、wallet-mediated onboarding、credential verification pipeline、trust framework governance、RP policy decisioning、agent delegation、privacy-preserving disclosure、KYC/KYB evidence chain、fraud/risk monitoring 和 senior PM/architect decision framework。

0. Disclaimer

正式项目必须由 Legal、Compliance、Privacy、Identity and Access Management、Fraud Risk、Financial Crime、Model Risk、Information Security、Data Governance、Customer Experience、Operations、Accessibility、Product Owner、Architecture、Vendor Management、Internal Audit 和必要的外部顾问共同判断。身份核验、KYC、KYB、证明等级、记录保留、客户通知、拒绝/申诉、制裁/AML、消费者保护、跨境数据和可接受凭证要求, 都取决于 institution、product、jurisdiction、customer segment、channel、risk appetite、policy、vendor contract 和 legal/compliance interpretation。

本文不假设 verifiable credentials 必须使用 blockchain。DID / VC / wallet 可以落在多种 registry、resolver、PKI、federated、web、ledger 或 consortium pattern 上。架构判断应基于 trust framework、interoperability、privacy、operability、revocation、evidence 和 customer outcome, 而不是基于某种底层技术叙事。

Source Anchors

Source	Link	用途
NIST SP 800-63-4 Digital Identity Guidelines	https://pages.nist.gov/800-63-4/	用 IAL / AAL / FAL、risk management、fraud controls、subscriber-controlled wallets、passkeys、customer experience 和 continuous evaluation 组织 identity assurance architecture
NIST Digital Identity Guidelines	https://www.nist.gov/identity-access-management/digital-identity-guidelines	用 NIST digital identity guidance 作为 identity proofing、authentication、federation、安全、隐私和 customer experience 的官方锚点
NIST Digital Identity Guidelines project page	https://www.nist.gov/identity-access-management/projects/nist-special-publication-800-63-digital-identity-guidelines	用 NIST 对 SP 800-63 Revision 4 的项目说明连接 identity proofing、authentication、federation、安全、隐私和客户体验
W3C Verifiable Credentials Data Model 2.0	https://www.w3.org/TR/vc-data-model-2.0/	用 issuer / holder / verifier、claim、presentation、status、terms of use、evidence、privacy considerations 和 verifier policy 设计 VC verification pipeline
W3C Decentralized Identifiers DID Core	https://www.w3.org/TR/did-core/	用 DID controller、DID document、verification methods、DID resolution、key rotation、revocation 和 correlation risks 设计 identifier layer
W3C Web Authentication Level 3	https://www.w3.org/TR/webauthn-3/	用 public-key credentials、RP-scoped credentials、authenticator consent、attestation 和 passkey signals 设计 authentication and holder-binding controls
NIST AI RMF	https://www.nist.gov/itl/ai-risk-management-framework	用 Govern / Map / Measure / Manage 组织 AI 使用身份 claims 的风险治理、eval、monitoring、human oversight 和 evidence
ISO/IEC 42001 overview	https://www.iso.org/standard/42001	用 AI management system、policy、roles、operation、performance evaluation、internal audit 和 continual improvement 建立 operating model

一句话:

AI identity wallet architecture is not "let the model ask for ID". It is a trust decision system that separates verified claims, authenticator signals, issuer trust, relying-party policy, inferred attributes, fraud context, consent and evidence.

1. Thesis

AI 系统使用数字身份钱包和 verifiable credentials 的核心价值, 不是把 onboarding 表单换成更酷的钱包弹窗。真正的架构变化是:

from: customer says / uploads / AI infers
to: issuer-attested claim + holder-mediated disclosure + verifier policy decision + evidence replay

成熟架构必须同时回答八个问题:

谁签发了 claim, 签发机构是否在本产品的 trust framework 内?
claim 指向哪个 subject, holder 是否有权展示它?
credential 是否未过期、未撤销、schema 可理解、proof 可验证?
relying party 是否只请求完成业务目的所需的最小 claim?
passkey / WebAuthn / session / device signals 证明了什么, 不能证明什么?
AI 推断出的属性是否被清楚标记为 inference, 并禁止当成 verified identity claim?
高风险 onboarding、KYC、KYB、account recovery、agent delegation 和 fraud review 是否有 human/accountability boundary?
事后能否重放 consent、presentation、verification、policy、AI run、risk score、人工决定和客户最终看到的内容?

关键原则:

Verifiable does not mean acceptable.
Authenticated does not mean proofed.
Wallet-held does not mean legally sufficient.
AI-inferred does not mean verified.
Blockchain-based does not mean trusted.

VC 可以让 claim 更 machine-verifiable, 但是否可以依赖, 取决于 verifier policy、issuer trust、assurance mapping、claim freshness、business purpose、risk tier、status check、fraud context 和合规解释。

2. Why It Matters

金融零售 AI 的 identity problem 正从“表单 + KYC vendor + 登录 MFA”升级为多方 trust architecture:

Pressure	表现	架构含义
Customer onboarding friction	客户重复上传 ID、地址、收入、企业文件、资格证书	Wallet 和 VC 可复用可信 claims, 但必须控制 issuer trust、freshness、status 和 consent
Fraud industrialization	synthetic identity、deepfake proofing、account takeover、credential replay	VC 不能替代 fraud controls; 需要 proofing、authentication、device、behavior、graph 和 human review
AI personalization	模型想使用年龄、职业、收入、资产、资格、企业角色	必须区分 issuer-attested claim 与 AI-inferred segmentation
Agentic workflows	AI agent 代表客户或员工提交资料、申请、交易、KYC package	需要 delegated authorization、purpose-bound disclosure、agent identity 和 revocation
Privacy and minimization	传统 KYC 要求大量字段, 但 AI 系统容易过度收集	需要 selective disclosure、claim minimization、retention separation 和 consent receipts
Cross-ecosystem trust	政府、银行、雇主、学校、平台、企业 registry 都可能是 issuer	需要 trust framework, 不只是技术 verification
Relying-party accountability	出错时客户问“为什么你相信/拒绝这个凭证?”	需要 RP policy、reason code、evidence bundle、appeal/exception path

AI 放大了身份系统的两类错误:

False reliance: 模型看到 credential proof valid, 就把 claim 当成产品可接受、合规充分、风险低。
False inference: 模型从行为、语言、设备、地址、购买记录或公开资料推断身份属性, 并把推断当成 verified fact。

高级 PM / Architect 的目标不是让 AI “识别用户是谁”。更成熟的问题是:

What claims can the institution rely on for this purpose,
under which assurance and trust policy,
with which customer-mediated disclosure,
and what evidence proves the decision was proportionate, private and auditable?

3. Claim Taxonomy for AI Systems

AI 系统中的 identity-related information 至少分成六类。混用这些类别是身份架构的高风险根源。

Information class	Example	Trust status	AI use boundary
Issuer-attested verified claim	government-issued age-over-18, bank account ownership, professional license, business registration	可验证签名、issuer、status、schema, 仍需 RP policy 接受	可作为 policy engine 输入, 但要检查 purpose、freshness、status、issuer trust
Relying-party observed fact	customer logged in with passkey, device bound, transaction initiated, account tenure	本机构系统事实	可用于 risk/context, 不能自动证明真实世界身份属性
Customer-declared attribute	job title, expected income, beneficial owner statement, address	自述, 可作为申请资料	需要 evidence/proofing policy 判断是否可依赖
AI-inferred attribute	likely student, affluent segment, vulnerable, business owner, age band, nationality proxy	推断, 有误差和偏差	只能作为 low-stakes UX/support signal; 不得当成 verified identity claim
Third-party risk signal	device risk, sanctions screening hit, fraud consortium signal, document risk score	风险信号, 取决于来源和模型	用于 review/routing; 高影响动作需要 policy and human boundary
Authentication signal	WebAuthn assertion, MFA method, session age, authenticator assurance, device attestation	证明控制某个 authenticator/session	不等同 identity proofing; 可作为 AAL/context 输入

设计上建议每个 identity input 都有以下 metadata:

source_type
issuer_or_observer
assurance_level
verification_method
status_checked_at
freshness_window
business_purpose
allowed_decision_uses
prohibited_decision_uses
ai_inference_flag
human_review_requirement
evidence_reference

字段命名要避免暗示模型推断等同事实:

Use	Avoid
`verified_age_over_18_claim`	`user_is_adult_from_ai`
`issuer_attested_business_role`	`looks_like_owner`
`wallet_presentation_status`	`identity_verified`
`authenticator_control_signal`	`real_person_confirmed`
`ai_inferred_support_need`	`verified_vulnerable_customer`
`rp_policy_acceptance_result`	`credential_truth`

4. Trust Architecture Model

参考架构:

issuer / authority / enterprise registry
  -> credential issuance and lifecycle controls
  -> holder wallet / credential repository
  -> wallet UX: purpose, consent, selective disclosure
  -> verifier / relying party presentation request
  -> credential verification service
  -> issuer trust and assurance mapping
  -> status / revocation / freshness check
  -> holder binding and authentication context
  -> relying-party policy engine
  -> fraud and risk orchestration
  -> AI product workflow / agent workflow
  -> human review / exception / appeal
  -> evidence ledger and governance monitoring

关键组件:

Component	Responsibility	Senior design question
Issuer governance	谁可签发哪些 credential, assurance 与 liability/operations 如何定义	issuer trust 是 contract / law / consortium / internal policy / market reputation 哪一种?
Credential profile	schema、claim semantics、proof suite、status method、terms of use、evidence fields	RP 是否能机器理解 claim, 还是只能验证一段签名 JSON?
Wallet / holder repository	保存、展示、选择披露、恢复、备份、撤销授权	客户是否理解自己披露给谁、为什么、保留多久?
Presentation protocol	RP 请求哪些 claims, holder 如何授权, 是否支持 selective disclosure	是否避免 over-collection and bundled consent?
Verification service	验证 proof、issuer、subject、schema、status、expiration、holder binding	是否把 cryptographic verification 与 business acceptance 分开?
RP policy engine	判断该凭证在该产品/地区/风险等级是否可接受	是否有 versioned policy、reason code、exception route?
Authentication layer	passkeys/WebAuthn、session、device、step-up、AAL context	是否清楚 authentication != proofing != authorization?
Fraud/risk layer	synthetic identity、credential replay、presentation velocity、device graph、behavior risk	VC 是否被纳入 fraud threat model, 而非 bypass fraud controls?
AI orchestration	缺口解释、文档预检、风险总结、下一步建议、agent action	AI 是否只消费 grounded claims, 不扩展为 unsupported identity conclusions?
Evidence ledger	保存 consent、VP、verification result、status check、policy decision、AI trace、human decision	事后是否可重放并解释为何依赖或拒绝凭证?

这套架构的关键是把 trust 分层:

cryptographic validity
  != issuer trust
  != subject binding
  != claim freshness
  != business acceptability
  != legal sufficiency
  != fraud risk acceptability

5. DID / VC / Wallet Patterns Without Blockchain Assumption

Verifiable credentials 是一种 claim expression and verification pattern, 不是 blockchain 产品类别。DID 也是 identifier and verification-method pattern, 不是必须上链。

Pattern	适合场景	风险/取舍
DID:web / web-origin anchored issuer	企业、学校、银行、政府可通过 HTTPS domain trust 发布 DID material	依赖域名和 web PKI, operationally familiar, 但要管理域名、key rotation、resolver trust
DID:peer / pairwise identifiers	高隐私 bilateral relationship, agent-to-agent, wallet-to-RP	有利于降低 correlation, 但恢复、备份和跨设备体验复杂
Consortium / trust registry	多机构互认 issuer、schemas、assurance、status endpoints	需要 governance、membership、audit、liability 和 change management
Ledger-anchored DID method	公共可解析、不可变 registry 或 ecosystem 需要	可能带来 correlation、成本、治理、可删除性和 operational dependency
Non-DID signed credentials	JWT / SD-JWT / mdoc / X.509-like patterns	可更易集成现有 IAM, 但 interoperability and holder-control 模型不同

架构原则:

先定义 trust framework, 再选择 DID method 或 credential format。
先定义 RP policy 和 evidence needs, 再选择 wallet UX。
先定义 privacy/correlation threat model, 再决定 identifier persistence。
先定义 revocation/status model, 再决定 issuer operations。
先定义 recovery and accessibility paths, 再决定 mobile-only wallet。

判断底层技术时, 问题不是“去中心化程度够不够”, 而是:

Can the relying party verify the issuer, credential, subject binding and status;
can the holder disclose the minimum necessary;
can the ecosystem rotate keys and recover wallets;
can fraud teams detect abuse;
can governance teams audit decisions;
and can customers understand and contest outcomes?

6. Proofing Levels, Authentication Signals and Relying-Party Policy

NIST SP 800-63 的 IAL / AAL / FAL 对 AI wallet architecture 的价值在于拆开三个常被混淆的问题。

Dimension	It answers	It does not answer
IAL / proofing	申请人与真实世界身份/属性之间的绑定强度	当前 session 是否被本人控制, 该 claim 是否适用于具体产品
AAL / authentication	当前 claimant 对 authenticator 的控制强度	真实世界身份属性是否已经核验, 客户是否未受胁迫
FAL / federation/assertion	federation assertion 的保护强度和信任交互	issuer 的业务可信度、claim 业务含义、fraud risk

Passkeys / WebAuthn 的关键价值:

使用 RP-scoped public key credentials 降低 phishing and credential stuffing 风险。
通过 authenticator 提供用户同意、本地验证、attestation/context signals。
给 wallet access、credential presentation、high-risk disclosure 和 agent delegation 提供 step-up authentication signal。

但 passkey 信号不能回答:

客户是否就是证件上的人。
企业实控人是否真实。
年龄、收入、居住地、许可证是否仍然有效。
客户是否被诈骗或受胁迫。
AI agent 是否被授权执行某个业务动作。

Relying-party policy 必须把 proofing/authentication/federation 分开建模:

required_claims
acceptable_issuers
minimum_assurance
acceptable_credential_formats
freshness_window
status_check_required
holder_binding_required
authentication_context_required
fraud_review_threshold
manual_exception_path
retention_and_evidence_rule
customer_explanation_rule

弱设计:

if credential_signature_valid then approve onboarding

强设计:

if signature valid
and issuer in accepted trust framework
and schema matches product policy
and claim status is current
and proofing assurance meets journey risk
and holder binding/auth context is sufficient
and fraud signals are within appetite
then accept claim for this purpose
else route to exception/review/fallback

7. Credential Verification Pipeline

Credential verification 不应由 LLM 自己完成。它应该是 deterministic verification service + policy engine + AI assist。

Step	Control question	Evidence
Parse and normalize	是否识别 credential format、schema、claim names、language、version?	parser version, schema id
Verify cryptographic proof	proof suite、signature、key material、DID resolution 是否有效?	proof result, verification method, resolver response
Verify issuer trust	issuer 是否在产品/地区/claim-type 的 accepted list or trust registry?	issuer policy id, trust registry snapshot
Verify subject/holder binding	presentation holder 是否有权展示该 credential?	VP proof, nonce/challenge, auth context
Check status	credential 是否 revoked, suspended, expired, refreshed, superseded?	status endpoint/list version, checked_at
Check freshness	claim 是否在业务要求的时效内?	issuance date, effective date, last verified date
Check terms/evidence	terms of use、evidence、assurance、proofing method 是否满足用途?	terms id, evidence refs
Apply RP policy	对该产品、风险、jurisdiction、channel 是否可接受?	policy decision, reason code
Run fraud/risk checks	是否存在 replay、velocity、issuer compromise、device/session anomaly?	risk score, fraud reason
Produce decision artifact	接受、请求补充、人工复核、拒绝使用该 claim	decision record, customer-facing explanation

AI 可以参与:

向客户解释缺少哪些 claim。
把 issuer status code 翻译成内部可读原因。
总结 credential package for reviewer。
比对 customer-declared data 与 verified claims 的差异。
生成 exception queue 的 case summary。
识别 presentation pattern anomalies for review。

AI 不应单独:

判断 credential 是否 cryptographically valid。
决定 issuer 是否在 trust framework 内。
把 invalid / stale / revoked credential 改写为可接受。
生成 KYC/KYB 合规结论。
伪造或补全缺失 claim。
给客户暴露内部 fraud rules。

8. Verified Claims vs AI-Inferred Attributes

这一节是 AI identity architecture 的核心。AI 系统必须把 verified claims 和 inferred attributes 做成不同 data class、不同 UI、不同 policy path。

Scenario	Verified claim	AI-inferred attribute	Control
Age-gated product	issuer-attested `age_over_18`	从头像、购物、语言推断年龄	只接受 verified claim 或 institution-approved proofing; inference 不可用于资格判断
Student discount	university credential / enrollment status	邮箱域名、行为像学生	inference 可提示客户上传/展示凭证, 不可直接给/拒绝资格
Accredited/investor-like status	institution-approved evidence or verified credential	AI 从资产、职业、收入推断	inference 不可替代 suitability/eligibility evidence
KYB authorized representative	business registry / board authorization credential	AI 从 LinkedIn 或邮件签名推断 officer	inference 只做 prefill/review suggestion
Sanctions/PEP/fraud risk	screened identity attributes under policy	AI 从名字相似或新闻摘要推断	高影响动作需 screening policy and human review
Vulnerability/accessibility support	customer-stated preference/accommodation	AI 从停顿、年龄、语气推断	只触发 soft support; 不当成身份或能力事实

建议数据治理:

verified_claim_store: 保存可验证 claim metadata and evidence references。
inference_feature_store: 保存 AI/risk feature, 明确 model/source/uncertainty。
decision_policy_store: 规定哪些 use case 可以用哪类输入。
customer_explanation_store: 保存客户可理解的原因, 避免暴露 fraud secret。
appeal_exception_store: 保存客户补充证明、人工复核和纠正路径。

推断属性进入 AI 模型前应带上限制:

inferred_attribute = true
not_for_identity_proofing = true
not_for_eligibility_decision = true unless policy-approved
requires_human_review_for_high_impact_use = true
source_and_uncertainty_required = true

钱包 UX 不是一个“Connect Wallet”按钮。它是客户授权、最小披露、信任理解和证据生成的关键控制点。

UX moment	Good design	Risk if weak
Presentation request	明确 verifier、purpose、requested claims、optional claims、retention、next step	客户不知道披露给谁, 形成 bundled consent
Selective disclosure	默认最小字段, 支持 age-over-X / status / role 等 abstract claims	RP 过度收集全证件、全地址、生日、证书编号
Authentication step-up	高风险披露前用 passkey / platform authenticator / session check	被盗设备或恶意 agent 展示 credential
Claim preview	客户能看见将披露的 claim, 不暴露内部 cryptographic noise	客户误以为披露更多会提高通过率
Consent receipt	保存 disclosure receipt: who, what, why, when, retention, revocation route	投诉/审计无法证明授权与最小化
Recovery / backup	清晰处理换机、丢失设备、passkey sync、wallet provider failure	客户被排除或 credentials 丢失
Accessibility	screen reader、keyboard、large text、language、assisted channel	高风险身份流程排除残障或低数字能力客户
Fallback	提供 institution-approved non-wallet path	wallet outage 或无智能手机客户无法服务

客户文案应避免:

"AI will verify your identity."
"Sharing this credential guarantees approval."
"We only need your wallet."

更好的文案:

We will request only the claims needed for this application.
Your wallet will show what is being shared and with whom.
We will verify the credential and apply our product policy.
Some products may require additional review or evidence.

Consent 要与 authorization 区分:

Consent: 客户允许展示或使用某些 claims for a purpose。
Authentication: 客户证明当前 session / authenticator control。
Authorization: 客户或员工允许某个 action 发生。
RP acceptance: 机构决定 claim 是否满足该业务政策。

10. Revocation / Status / Refresh

Revocation 和 status 是 VC 生产架构中最容易被低估的部分。签名有效只说明 credential 没被篡改, 不说明 credential 仍可接受。

Concept	Meaning	Architecture control
Expiration	credential 到期或 claim freshness 过期	RP policy 检查有效期和 freshness window
Revocation	issuer 宣布 credential 不再有效	status check, cached status rules, incident handling
Suspension	临时不可用, 可能恢复	decision state 区分 suspended vs revoked
Refresh	credential 可被更新或重新签发	wallet and issuer refresh UX
Supersession	新 credential 替代旧 credential	duplicate and version handling
Status privacy	status check 可能向 issuer 暴露使用场景	privacy-preserving status mechanisms, proxy/caching policy

设计问题:

status endpoint unavailable 时, 是否 fail closed、fail open、manual review、grace window?
status check 是否会产生 verifier-customer correlation?
revocation reason 是否可对 RP 或客户可见?
credential 被撤销后, 已完成 onboarding 的账户如何做 lifecycle review?
issuer key compromise 时, RP 如何批量识别受影响 cases?
wallet 丢失、设备被盗、holder key rotation 如何处理?

Evidence 需要记录:

credential_id_or_hash
issuer_id
status_method
status_list_version
status_checked_at
status_result
cache_policy
freshness_policy
policy_decision
exception_reason

11. Fraud and Risk Architecture

Wallet + VC 不会自动消灭欺诈。攻击面会改变:

Threat	Attack pattern	Control
Credential replay	截获 presentation 或复用旧 VP	nonce/challenge, audience binding, single-use presentation
Wallet takeover	攻击者控制客户设备/wallet/passkey	device risk, authenticator step-up, recovery hardening, transaction monitoring
Issuer compromise	issuer key 泄露或错误签发	trust registry monitoring, issuer incident feed, key rotation, bulk re-check
Fake issuer	攻击者创建相似 issuer DID / domain	issuer allowlist, trust registry, domain verification, UI warning
Subject mismatch	holder 展示他人 credential	holder binding, biometric/proofing where policy requires, fraud review
Synthetic credential package	多个 credentials 看似一致但主体是 synthetic	identity graph, source diversity, lifecycle behavior, financial crime review
Over-disclosure phishing	恶意 RP 请求全量 PII	wallet trust cues, RP registration, purpose display, customer education
AI prompt injection	客户或恶意文档让 AI 忽略 verification failure	deterministic verification service, policy enforcement, tool guardrails
Agent overreach	AI agent 代表客户展示 credentials 或提交申请超过授权	delegated authorization, user-mediated consent, action-bound approval

Fraud monitoring 指标:

presentation velocity by wallet / issuer / device / RP。
issuer error or revocation spike。
credential package inconsistency rate。
stale credential acceptance attempts。
wallet recovery followed by high-risk action。
manual review overturn rate。
synthetic identity escape rate among wallet-onboarded customers。
high-risk RP request abandoned after over-disclosure warning。

12. Agent Delegation and AI Wallet Use

Agentic AI 会让身份边界更复杂:

customer
  -> wallet
  -> customer-facing agent
  -> relying party
  -> verification service
  -> downstream onboarding / KYC / KYB system

设计原则:

Agent 不应直接持有客户长期 wallet private keys 或完整 credential vault。
Agent 可以准备 presentation request、解释缺口、组织申请材料, 但 disclosure 应由 holder-mediated consent 完成。
高风险提交需要 action-bound approval: what, to whom, for what purpose, using which claims。
Agent identity 与 human identity 必须同时进入 trace。
Agent 只能消费 verification result and accepted claims, 不应自行决定 cryptographic validity。
撤销 customer consent、agent capability、workflow run 或 RP session 时, 后续 presentation and tool calls 必须停止。

Agent delegation claim set:

Field	Purpose
`human_subject`	客户或员工主体
`agent_id`	AI agent 身份
`workflow_run_id`	本次申请/操作
`purpose`	onboarding、KYC refresh、KYB update、benefit eligibility
`requested_claims`	需要展示的 claim set
`disclosure_approval_id`	客户/员工批准记录
`rp_id`	relying party
`time_bound`	授权有效期
`action_hash`	防止批准后参数被替换
`revocation_reference`	撤销入口

弱模式:

Agent asks user to upload all documents and "handles identity verification".

强模式:

Agent explains required claims,
wallet mediates selective disclosure,
verification service validates credentials,
RP policy accepts or routes exceptions,
agent drafts next-step communication,
human/customer approves high-impact actions.

13. KYC / KYB and Customer Onboarding

Wallet-based onboarding 可以显著减少重复输入, 但不能把 VC 技术结果直接翻译成 KYC/KYB 合规结论。具体要求取决于机构、产品、jurisdiction、客户类型、风险等级、政策和法律/合规解释。

13.1 Individual Onboarding

Need	Wallet/VC contribution	Remaining control
Identity attributes	name, DOB, address, government ID status, age-over-X claim	proofing assurance, source acceptability, freshness, sanctions/AML screening policy
Address/residency	utility, government, bank, postal credential	jurisdiction-specific acceptability and update rules
Income/employment	payroll, employer, tax, bank income credential	product policy, affordability/suitability review where applicable
Account ownership	bank account ownership credential	account verification, payment risk, account age
Authentication	passkey-bound login and wallet access	recovery, device risk, AAL context, step-up
Consent/evidence	presentation receipt and claim minimization	retention, customer notices, complaint/appeal

13.2 Business Onboarding / KYB

Need	Wallet/VC contribution	Remaining control
Legal entity existence	business registry credential	jurisdiction and registry acceptance
Authorized representative	officer/director/signatory credential	authority scope, freshness, beneficial ownership policy
Beneficial ownership	verified owner claims or registry package	institution policy, legal interpretation, risk review
License/permit	professional or operating license credential	status, jurisdiction, product relevance
Bank account control	business account ownership credential	transaction risk and fraud review
Delegated agent	employee/agent authorized to submit KYB package	scope, role, expiration, corporate authorization evidence

AI 的角色:

prefill application from accepted claims。
identify missing or inconsistent evidence。
summarize KYB package for operations。
explain why additional proof is needed。
route higher-risk cases to review。
maintain evidence pack across refresh cycles。

AI 不应:

宣称 KYC/KYB “已合规完成”。
自行接受 AI-inferred beneficial owner。
因 claim 缺失自动做不可申诉拒绝。
使用客户未授权的 credential for cross-sell or unrelated profiling。

14. Product / Architecture Decisions

Decision	Weak answer	Strong architecture answer
What claims to request?	“Ask for full ID credential”	Request minimal purpose-specific claims, e.g. age-over-X, residency state, authorized role
Which issuers to trust?	“Any W3C VC issuer”	Product-specific issuer allowlist/trust registry with assurance mapping and monitoring
Blockchain required?	“VC means on-chain identity”	Choose DID/registry method based on trust, privacy, status, interoperability and operations
How to use AI?	“AI validates wallet credentials”	Verification service validates; AI explains, summarizes, detects gaps and routes review
How to handle inferred attributes?	“Model can enrich identity profile”	Inferences are separate low-assurance signals with prohibited uses and uncertainty
How to authenticate holder?	“Wallet connected means user approved”	Use session, passkey/WebAuthn, nonce, holder binding and step-up for sensitive disclosure
How to handle revocation?	“Check signature only”	Status/freshness checks, cache policy, issuer incident runbook and lifecycle recheck
What if wallet fails?	“Manual upload fallback”	Approved alternate proofing with accessibility, evidence and fraud controls
How to measure success?	“Lower onboarding time”	Balance completion, fraud loss, privacy minimization, review accuracy, complaints and evidence completeness

15. Control Matrix

Control objective	Control activity	Evidence
Accept only trusted issuers	Maintain issuer allowlist/trust registry by claim type, product, jurisdiction and assurance	trust registry snapshot, approval record
Verify credentials deterministically	Use verification service for proof, DID resolution, schema, status, holder binding	verification result, resolver log, schema id
Separate verification from acceptance	RP policy engine decides whether verified claim fits business purpose	policy decision id, reason code
Minimize disclosure	Request abstract/selective claims where possible	presentation request, disclosed claim set
Preserve consent	Show verifier, purpose, claims, retention and fallback before presentation	consent receipt, UI text version
Control AI inference	Label inferred attributes, restrict decision use, require human review for high impact	data dictionary, policy rule, eval evidence
Prevent credential replay	nonce, audience binding, challenge, single-use presentation	challenge id, VP proof
Manage status/revocation	Check status and freshness; define outage and cache rules	status checked_at, cache policy
Bind authentication context	Use passkey/WebAuthn/session/device signals proportionate to risk	auth event, AAL/context
Detect fraud patterns	Monitor velocity, issuer anomalies, wallet recovery, synthetic packages	fraud dashboard, case evidence
Govern agent delegation	Use purpose-bound, time-bound, action-bound agent approvals	approval id, run id, agent id
Preserve audit replay	Store credential, AI, policy, human and final customer communication evidence	evidence bundle, complaint link

16. Metrics

Metric family	Examples
Onboarding outcome	completion rate, time to onboard, drop-off at wallet prompt, fallback completion
Trust and assurance	accepted issuer coverage, status-check success, expired/revoked credential attempts, issuer incident rate
Privacy minimization	average claims requested, full-document request rate, selective disclosure rate, over-collection defects
Fraud/risk	synthetic identity escape, credential replay attempts, wallet takeover after recovery, manual review overturn
AI governance	hallucinated identity conclusion rate, inferred-attribute misuse rate, unsupported KYC/KYB conclusion defects
Authentication	passkey adoption, step-up success, failed holder binding, high-risk disclosure with weak session
Operations	exception queue SLA, review productivity, evidence completeness, issuer outage impact
Customer trust	complaints about consent, unclear request, wrong identity decision, accessibility failure, appeal outcomes
Evidence	consent receipt completeness, VP verification trace completeness, status check capture, final-channel capture

Balanced executive dashboard:

Friction: customers disclose less and finish faster.
Trust: accepted claims come from governed issuers with current status.
Risk: fraud and synthetic identity do not bypass controls.
Privacy: RP requests only what is needed.
AI safety: inferences are not treated as verified facts.
Evidence: every reliance decision is replayable.

17. Failure Modes

Failure mode	Why dangerous	Better control
Signature-valid = business-accepted	Accepts credentials from untrusted issuers or wrong assurance	issuer trust + RP policy
Wallet-connected = identity-proofed	Confuses session control with real-world identity proofing	proofing assurance and claim acceptance checks
AI-inferred age/role used for eligibility	Bias, unfairness, unsupported decision	verified claims only for eligibility; inference as prompt to request evidence
Full credential over-collection	Privacy harm and breach blast radius	selective disclosure and abstract claims
No revocation/status check	Stale or revoked claims accepted	status/freshness policy
Blockchain immutability assumption	Correlation and deletion/privacy issues ignored	technology-neutral registry threat model
Mobile-only wallet path	Excludes customers without devices or with accessibility needs	assisted and alternative proofing
LLM parses credentials directly	Prompt injection, hallucinated verification	deterministic verifier + grounded AI output
Agent holds wallet secrets	Unauthorized disclosure, hard revocation	holder-mediated presentation and delegated authorization
Complaint lacks AI/credential trace	Unable to explain or remediate	evidence bundle links consent, VP, policy and final message

18. Interview-Ready Takeaways

Q1: VC 签名有效是否等于身份可信?

不等于。签名有效只证明 credential 没被篡改且可由某个 issuer key 验证。是否能依赖, 还要看 issuer 是否在 trust framework 内、proofing assurance、claim freshness、status/revocation、holder binding、product policy、fraud context 和合规解释。

Q2: AI 系统如何使用钱包凭证才专业?

AI 不应该自己验证凭证或做身份结论。架构上由 verification service 验 proof/status/schema, 由 RP policy engine 判断可接受性, AI 负责解释缺口、总结证据、识别不一致、辅助人工复核和生成客户沟通草稿。所有 inferred attributes 必须和 verified claims 分开。

Q3: Passkeys 在身份钱包里解决什么问题?

Passkeys / WebAuthn 主要证明当前用户控制某个 RP-scoped authenticator, 降低 phishing 和密码风险, 可用于钱包访问、presentation step-up 和 holder binding。它不证明真实世界身份属性, 也不证明客户未被诈骗或 credential 业务上可接受。

Q4: 如何避免 VC 钱包变成过度收集 PII 的新入口?

用 purpose-bound presentation request、selective disclosure、abstract claims、claim minimization、consent receipt、retention rules 和 fallback path。默认不请求完整证件, 只请求当前业务需要的最小 claim。

Q5: KYC/KYB 能否直接用 wallet credential 自动完成?

技术上可以减少采集和验证摩擦, 但不能直接得出合规结论。KYC/KYB 要求取决于机构、产品、jurisdiction、客户类型、风险等级、政策和 legal/compliance interpretation。钱包凭证是 evidence input, 不是最终合规判断。

19. Practical Templates

19.1 Credential Acceptance Card

Field	Example
claim_purpose	age-gated account feature
required_claim	age_over_18
accepted_issuers	government ID issuer trust registry v2026-06
minimum_assurance	IAL mapping per product policy
acceptable_formats	VC 2.0 / SD-JWT profile / mdoc profile approved
status_required	yes, checked within session
holder_binding	VP nonce + wallet auth + passkey step-up
freshness_window	issued or refreshed within policy-defined period
prohibited_inputs	AI age inference, profile photo estimate, marketing segment
exception_path	manual review or alternate proofing
evidence	presentation id, verification result, policy decision, final message

19.2 AI Identity Input Classification

Field	Design rule
input_name	`verified_business_registration_status`
source_type	issuer-attested / RP-observed / customer-declared / AI-inferred / third-party risk
assurance	cryptographic proof + issuer trust + freshness
allowed_uses	onboarding prefill, RP policy decision
prohibited_uses	unrelated marketing, unsupported eligibility, model training without approval
human_review	required when claim conflict or high-risk decision
customer_visibility	explainable in customer language
retention	evidence retention per policy

19.3 Wallet Presentation Request

Verifier:
Business purpose:
Requested claims:
Optional claims:
Why each claim is needed:
How long evidence is retained:
Whether data is used for AI model training:
Fallback path:
Customer review/withdrawal route:
Credential status check required:
Authentication step-up required:

19.4 Relying-Party Policy Decision Record

Decision ID:
Customer / business case reference:
Credential presentation ID:
Issuer:
Credential schema and version:
Claims accepted:
Claims rejected:
Verification result:
Status result:
Authentication context:
Fraud/risk result:
AI assistance used:
Human reviewer:
Decision reason:
Customer-facing explanation:
Retention/evidence reference:

20. Final Operating Principle

成熟的 AI digital identity wallet architecture 可以用一个问题检验:

Can the institution accept only the minimum verified claims it needs,
from issuers it has decided to trust,
under policy it can explain,
with authentication and fraud controls proportionate to risk,
while keeping AI inferences separate,
preserving customer consent and privacy,
and replaying the evidence behind every reliance decision?

如果答案不清楚, 企业不是缺一个 wallet integration。它缺的是 issuer trust、credential verification、relying-party policy、AI governance、fraud controls、privacy minimization、agent delegation 和 evidence replay 组成的 trust architecture。