Utah's SEDI Summit gathered state leaders, technologists, and policymakers to shape a rights-first framework for digital identity — one that returns individual control while reducing fraud and strengthening public trust.
Lehi, Utah — April 21, 2026
For two days this week at Utah Valley University's Thanksgiving Point campus in Lehi, state leaders, tech and healthcare executives, civil liberties advocates, and local government officials gathered for the SEDI Summit 2026 — a working forum built around a deceptively simple premise: the United States has not yet decided what digital identity should look like, and that window is closing fast.
SEDI, or State-Endorsed Digital Identity, is Utah's answer to that question. The framework places individuals — not governments, not corporations — at the center of their own identity. Using cryptographic proof rather than centralized databases, SEDI allows a person to verify who they are, share only what's necessary, and remain in control of their own data. The summit brought together more than 25 states exploring whether to adopt similar frameworks, alongside industry leaders and policy experts who spent two days pressure-testing the idea from every direction.
What emerged was less a technology conference and more a policy reckoning — one that touched on healthcare infrastructure, child safety, rural government services, civil liberties, and the question of whether America's fragmented identity systems can actually be fixed.
Setting the Stage
Utah Chief Technology Officer Joe Jackson opened the SEDI Summit with a story most people in the room already knew — Hans Christian Andersen's Emperor's New Clothes. The vain emperor, the con artists with their invisible fabric, the courtiers too afraid of looking foolish to say what they could plainly see. The spell broken, finally, by a child with no reputation to protect.
The parallel was deliberate. "Identity is broken," Jackson told the audience. "It's not irreparably broken, but it is broken, and it's going to take all of us together to fix it." The summit, he suggested, exists partly to be that child — to say plainly what the digital identity industry has been reluctant to admit: that the systems currently in place are not working, that fraud is accelerating beyond anyone's ability to accurately measure, and that the window for states to shape what comes next is narrowing.
Jackson made the stakes personal. In the fifteen days before the summit, he had received a breach notification from Columbia University — a school he never attended — informing him that his name and Social Security number had been exposed in a cyber incident the previous May. The letter arrived at an address he hadn't lived at for nearly thirty years. His parents thought it was junk mail. The deadline to activate the credit monitoring services Columbia was offering as compensation had already passed by the time he saw it. That same week, his accountant sent him a link to verify his identity for his tax return using publicly available records — the same records that anyone who had purchased his data from the Columbia breach could have used to answer. And a close friend discovered that someone had fraudulently claimed their child — a child with physical and intellectual disabilities — as a tax dependent, stealing the family's refundable benefits. "There are really sick people out there that don't care who they're hurting," Jackson said. "This is just me, one random average Joe, over the last fifteen days."
The numbers behind those personal stories are staggering. During the pandemic, more than $100 billion in unemployment insurance payments were fraudulently issued. In 2025, the FTC identified identity theft and imposter scams as the two highest categories of reported fraud — and Pew Research found that 74% of online scam victims never report the incident at all, meaning the true scale is almost certainly larger. "We don't really know how big the problem is," Jackson acknowledged. "But it's significant."
Chris Bramwell, Utah's Chief Privacy Officer and the architect of the SEDI framework and this conference, framed the summit's ambition without apology: for SEDI to become "the official United States framework for trusted, privacy and democracy-preserving digital identity — and a model for global standards." That goal, he acknowledged, is large. But he argued that the absence of any competing American vision makes it necessary. And he pressed on a point that rarely surfaces in technical discussions about digital identity: the democratic stakes. As more aspects of civic life move online, the moment will come when Americans are asked to verify their identity digitally in order to vote. "If you build digital identity wrong," Bramwell said, "nothing would be worse than for that system to be compromised and you cannot be able to trust that election process." How identity gets built now — whose principles it encodes, whose infrastructure it runs on — will determine whether that moment strengthens democracy or undermines it.
Senator Kirk Cullimore, Utah's Senate Majority Leader and sponsor of two consecutive unanimous SEDI bills, put the urgency simply: government usually benefits from moving slowly, he said, but digital identity is one area where falling behind would be catastrophic. "This technology is coming, and one day it's going to be implemented, and it's going to be too late if we don't take the lead on this." The private sector, he warned, will not wait for government to catch up — and once commercial systems are entrenched, the principles embedded in them will be nearly impossible to dislodge.
Why Digital Identity, Why Now
Alan Fuller, Utah's Chief Information Officer, framed the core problem: fraud is accelerating, impersonation online is becoming trivially easy, and the credentials most Americans rely on — largely state-issued driver's licenses — were never designed to serve as foundational identity infrastructure. They were designed to confirm someone knows the rules of the road.
Alan Fuller, Utah's Chief Information Officer, expanded on that history. The driver's license became America's de facto identity credential largely by accident, he argued — not by design. States built massive infrastructure to issue and verify those licenses, and that infrastructure quietly became the identity layer for everything from hotel check-ins to TSA screenings. The problem is that a driver's license is a revocable credential; your right to drive can be taken away. Identity, Fuller argued, should not work the same way.
"The internet was built IP address to IP address," Fuller told the audience, quoting Microsoft's former identity architect Kim Cameron. "It did not have a human trust layer." SEDI, he said, is an attempt to build that layer — to change the way trust works online at a fundamental level.
Fuller drew an analogy to Utah's road system, a $36 billion asset that costs over a billion dollars annually to maintain. Nobody drives on I-15 and thinks about the infrastructure beneath them — they just drive. Digital identity, he argued, needs to become the same kind of invisible, reliable public infrastructure. The state's role isn't to own or surveil that identity. It's to establish foundational trust, the way a notary public certifies a document without becoming party to the transaction itself.
Healthcare: The $6 Trillion Test Case
Day 2 opened with perhaps the summit's most technically dense session: a panel on digital identity in healthcare, moderated by Ryan Howells of the CARIN Alliance.
The panel traced a decade-long arc: the 2009 HITECH Act pushed healthcare into electronic records, spending roughly $35 billion to get patient files off paper and into databases. What it didn't build was a secure infrastructure for moving that data between systems. The 2016 21st Century Cures Act tried to fix that gap by mandating APIs and prohibiting "information blocking" — but the regulation was largely unenforceable because Congress never funded the agencies responsible for enforcement. That changed under the current administration, which has begun using CMS funding to actively penalize organizations that block data access. Enforcement actions are expected later this year.
Scott Stuewe of DirectTrust described what the current trust model in healthcare actually looks like in practice: organizations connect to each other the way a hotel concierge connects a guest to their room. The concierge knows who sent the guest. The room doesn't know who the guest is, or whether the concierge vouched for them correctly. That model, replicated across billions of monthly healthcare transactions, is what passes for security.
Karla McKenna of the Global Legal Entity Identifier Foundation (GLEIF) described how her organization has spent more than a decade solving organizational identity in financial services — making it possible to definitively identify which "St. Mary's Hospital" is which, across a global network. The same infrastructure, she argued, can be extended to healthcare and layered with individual identity credentials using the same cryptographic standards underlying SEDI.
Jared Jeffery, CEO of healthKERI and a brain cancer survivor who has spent years on both sides of the healthcare data problem, made the stakes concrete. He described an alleged case in which a mass tort lawyer accessed a nationwide patient data network by presenting fraudulent clinical credentials. The network had no way to verify that the person was who they claimed to be, or that their stated purpose — clinical care — was genuine. Billions of transactions, monitored by a handful of people. The result, he said, is a system where the question is no longer "can we connect?" but "can we trust that connection?"
The CARIN Alliance's Ryan Howells closed with an optimistic frame: the administration's "Kill the Clipboard" initiative, launched last year, is pushing Medicare and Medicaid toward biometric identity proofing at scale. Utah's SEDI framework, he suggested, represents version two of that effort — the moment where state-level credentials and federal healthcare infrastructure start to converge.
A Commissioner, a Birth Certificate, and Balsa Wood
The summit's most memorable moment may have come from Amelia Powers Gardner, a Utah County Commissioner who arrived in government from a 15-year career in automotive engineering at Caterpillar and has spent the years since applying an engineer's intolerance for broken processes to county government.
In 2019, Gardner launched the first completely online marriage license system in the world. Utah County went live in January 2020 — six weeks before COVID-19 made in-person government services impossible nationwide. The county made $1.3 million in its first year as counties across America had no alternative. It now generates about $2 million annually, suppresses property tax rates, and created, as a byproduct, the first verifiable digital credential ever issued for a vital record.
But the story that stopped the room happened last summer. A state legislator texted Gardner from Botswana. He was at a border crossing with his wife and two daughters, passports in hand, when officials informed him that children also needed birth certificates. He hadn't brought them. DHL shipping would take 13 days.
Gardner improvised. She called the county health department director to pull the children's birth certificate images. She called the IT director to run them through the verifiable credential system built for marriage licenses. She had the legislator authenticate his identity remotely through the marriage license portal's facial recognition system — stopping just before the payment screen, which wasn't necessary. Two and a half hours later, the family crossed the border.
"We were literally using balsa wood and duct tape and bailing wire," Gardner told the audience. "The only reason he was able to do that is because he happens to have the commissioner's cell phone number. Every one of my 780,000 constituents should have that ability."
That story — part triumph, part indictment — captures exactly what the SEDI summit is trying to solve. The technology to make verifiable digital identity work already exists. The infrastructure to make it universal does not.
Gardner was direct about what that means beyond convenience. She pointed to data showing that 24% of Americans aged 18–24 believe political violence is justified, a number she attributed in part to eroding institutional trust. "The ease of interaction with our government directly correlates to how much they trust our government," she said. "This is more than just convenience. This is more than just about money. It's literally stabilizing our society."
Andy Pierucci, a Riverton City Council member, echoed the theme with smaller-scale examples that nonetheless illustrated the same underlying friction: residents lining up in person every January 2 to reserve community center space for December events, because city staff have no secure way to verify residency remotely. Sports league registration fraud. Business licensing delays. The cumulative weight of interactions with government that could be frictionless but aren't.
Convenience Stores on the Front Lines
The summit's retail panel brought a different kind of urgency. Chad Kobayashi, Sr Director Retail & Logistics Technology at Maverik — which operates 800 stores across 20 states — and Matt Durand of the National Association of Convenience Stores painted a picture of an industry collectively representing 152,000 retail locations and $895 billion in annual sales, much of it involving age-restricted products, that is currently held together by the judgment calls of 16-year-old cashiers during the lunch rush.
In Texas, the consequences land directly on the individual employee, not the store. A first offense for selling to a minor carries a $1,500 fine — roughly 100 hours of work at a $15 hourly wage, paid out of pocket by the cashier. A second offense escalates to a misdemeanor, with the possibility of jail time. These are not hypothetical risks: they are the legal reality facing the teenager or young adult behind the counter trying to manage a lunch rush, keep shelves stocked, and monitor the gas pumps — all at once.
As Gray Taylor noted, no employer leads with that information in a job interview, because nobody would take the job. And yet society has effectively deputized convenience store clerks as the primary enforcement mechanism for age-restricted sales, with personal criminal liability attached, while giving them few reliable tools to do it accurately. The burden, panelists argued, is not just unfair — it's unsustainable.
Texas-based Gray Taylor, who helped launch the TruAge age verification initiative out of exactly this frustration, described how the convenience store industry arrived at distributed verifiable credentials as their preferred solution — a system built to preserve customer privacy while giving clerks a fast, reliable verification tool.
That approach has since gained broader validation: the World Wide Web Consortium recently incorporated TruAge's underlying technology into its Verifiable Credentials standard, a development that aligns squarely with SEDI's own commitment to open standards and interoperability. The problem, Kobayashi noted, is that without a framework like SEDI, retailers are still caught in an impossible bind: the only tool currently available to ensure compliance is scanning physical IDs, which raises its own privacy concerns. A broadly adopted, privacy-preserving digital identity standard, the panel agreed, would let retailers do the right thing on both sides of the counter simultaneously — protecting minors without building a surveillance apparatus around every gas station purchase.
The Civil Liberties Question
The summit didn't shy away from skepticism. A Monday afternoon panel brought together a California assemblymember, an ACLU senior policy analyst, and a director from the libertarian-leaning Libertas Institute to examine what concerns them about digital identity frameworks — including SEDI.
Utah's legislative record on SEDI is unusually bipartisan: the framework passed with unanimous support in two consecutive legislative sessions, with backing from organizations as ideologically distant as the ACLU and Eagle Forum. Senator Kirk Cullimore and Representatives Paul Cutler and Kristen Chevrier described a process of sustained stakeholder engagement that built consensus around rights-first principles before moving to votes.
The SEDI framework itself includes several structural protections designed to address civil liberties concerns: cryptographic verification without centralized transaction databases, a "Duty of Loyalty" requiring entities that accept SEDI credentials to use personal data only for disclosed purposes, and an explicit Digital Identity Bill of Rights. The framework does not require adoption — individuals retain the choice of whether to obtain or present a SEDI credential.
Whether those safeguards are sufficient is a live debate. The civil liberties panel pushed on questions of scope creep, government access to verification data, and what happens when voluntary systems become practically mandatory for participation in digital life. Those questions didn't resolve — which seemed to be the point. The summit's organizers structured the discussion to surface disagreement, not paper over it.
The Road Ahead
The summit's Tuesday sessions focused on what comes next: model legislation, shared governance frameworks, technical guidance for states considering adoption, and a multi-state consortium coordinated through the Kantara Initiative, a global nonprofit membership organization focused on making digital identity systems trustworthy, interoperable, and accountable. It sits between governments, technology vendors, and the public — certifying that identity services actually do what they claim to do.
The summit named Kantara as the organizational home for the multi-state SEDI consortium going forward. That's a significant choice — it means states adopting SEDI won't be relying on Utah alone to govern the framework. Kantara provides a neutral, established, internationally recognized governance structure that already has relationships with both the US and UK governments. For states wary of one state setting the rules for everyone, routing the consortium through Kantara offers a credible answer to the question of who's in charge.
The summit's implicit argument, running beneath two days of sector-specific panels, is that the United States is at an inflection point. Healthcare, financial services, retail, local government, child safety — every sector represented in Lehi this week is wrestling with the same foundational problem. Identity online is broken. The question is who fixes it, and on whose terms.
Utah is making a bet that states, acting together and grounded in constitutional principles, can answer that question before centralized platforms or foreign models answer it for them. Whether 20-plus states can align around a shared framework is an open question. But the conversations at UVU's Lehi campus this week suggested that the appetite for an American alternative — one built on individual control, open standards, and public trust — is real, and growing.
The SEDI Summit was hosted at Utah Valley University's Thanksgiving Point Campus in Lehi, Utah, on April 20–21, 2026.
Learn more at sedi.utah.gov