Equity by Design: Lessons from Modernizing Consumer IAM in Washington State
A case study in balancing privacy, inclusion, and UX to deliver equity by design.
When I prepared a briefing for the CTO of Washington State on the modernization of our Consumer Identity and Access Management (CIAM) program, one principle rose above all others: digital equity wasn’t a side benefit — it was the driver.
In my recent piece, “Identity is Moving Faster Than Your Roadmap”, I argued that technology outpaces governance if equity and transparency aren’t engineered in. This post builds on that experience by sharing how we approached digital equity as the driver of Washington State’s CIAM modernization.

Identity modernization is often pitched as a technology upgrade: stronger authentication, smoother login, lower fraud. But for us, it was about something deeper: making sure every resident, regardless of income, ability, or access to technology, could interact with the state on equal footing. That meant designing for the blind and disabled, the elderly, the unbanked, and the digitally underserved. It meant not just doing no harm, but actively lowering barriers that had excluded people for years.
Today, many vendors are talking about bias in AI and digital equity. It’s become the language of the moment. But unless a company can show independent test results and demonstrate a commitment to equity by design — from the product spec to the demo to the customer references — talk and philosophy alone are not enough.
This is the story of how we set the bar, how we evaluated vendors, and the lessons others can draw as AI and biometrics rush into the identity ecosystem.
Why Digital Equity Had to Lead
Washington State’s services touch millions of people — renewing a driver’s license, applying for unemployment, accessing healthcare. Yet for too many, access had become a barrier in itself.
45 million Americans lack credit histories, and they are disproportionately young, low-income, and members of minority groups. Traditional knowledge-based authentication excluded them before they even started.
Multi-factor authentication, often lauded as secure, was inaccessible to the visually impaired or those without multiple devices.
Biometric systems introduced risks of racial and gender bias, not to mention concerns about surveillance creep.
The reality was simple: if modernization didn’t expand equity, it wasn’t modernization at all.
So from day one, equity wasn’t a requirement buried in an RFP — it was the lens through which every option would be judged.

Setting the Evaluation Criteria
The first step was translating values into hard criteria. We built a transparent, data-driven evaluation framework that measured vendors across bias, privacy, and transparency:
Bias & Inclusion
Independent third-party bias testing across gender, race, and age groups.
Usability for visually and cognitively impaired populations.
Support for residents without smartphones or broadband.
Explainable AI — no black boxes making automated access decisions.
Privacy & Consent
Explicit proof of consent for biometric use.
User control to view how their data is used and revoke consent at any time.
Permanent deletion of stored data, including selfies used for verification.
No tolerance for vendors selling data or contracting with federal enforcement agencies.
Compliance & Governance
Teams supporting engineering, operations, and customer support had to be U.S.-based.
Full adherence to RCW 40.26.020 (biometric identifiers) and RCW 43.386 (facial recognition accountability).
Documented incident response and breach notification plans.
Every vendor knew the rules upfront. Equity, privacy, and transparency were not philosophical aspirations — they were measurable requirements.
Beyond Pedestrian Commitments
Here’s where most vendors stumble.
It’s one thing to mention bias or accessibility in a presentation. It’s another to show enterprise-wide commitment. The vendors who passed evaluation didn’t just tack on fairness as a feature. They could demonstrate that equity shaped decisions in engineering, legal, operations, and customer-facing design.
In other words: privacy and equity by design, not as an afterthought.
One vendor, for example, was disqualified outright because of its use of 1:many biometric face matching and the controversy that followed around transparency and user rights.* This was more than a red flag — it was a reminder that identity systems live and die on trust. The lesson was clear: without a stellar track record, you cannot credibly claim to serve all residents.

The Nash Equilibrium of Stakeholders
The deeper lesson is that equity in identity isn’t one-dimensional. It’s a balancing act across multiple stakeholders:
Residents who need access without barriers.
Agencies that must meet service delivery mandates.
Regulators demanding compliance.
Vendors seeking to grow responsibly.
I often described this as finding a Nash Equilibrium — a state where no single stakeholder’s needs could be met by disadvantaging another. Achieving this balance came at real cost. Some vendors simply weren’t able to bear it. Those who did earned credibility that philosophy alone could never buy.

My Approach as an Advisor: The Playbook
When people hear “vendor evaluation,” they picture an RFP, a demo, and a scoring sheet. In practice, what I led was closer to an archaeological and sociological excavation.
We weren’t just comparing features. We were interrogating culture, governance, and commitment to equity under pressure.
Here’s how I structured the process:
1. Market Analysis
We began by mapping the CIAM, IDM, and IDV landscape. It wasn’t about who was trending in analyst quadrants, but who had demonstrated credibility in public-sector contexts — without scandal, without hidden tradeoffs. Doing no harm and preserving trust was non-negotiable.
2. Workshops with Agencies
Each administrative agency had its own reality. Some served urban populations with smartphones; others reached rural communities with limited broadband. We convened workshops to capture these needs directly. Equity wasn’t abstract — it was grounded in personas and barriers that residents faced daily.
3. A Data-Driven Evaluation Framework
I developed a transparent, weighted model that scored vendors across functionality, privacy, transparency, and usability. Everyone saw the rules. No vendor could hide behind glossy decks or vague assurances.
4. Privacy Reviews with Counsel
We put attorneys from both sides in the room. That meant parsing terms of service, breach obligations, and data residency policies line by line. Privacy wasn’t allowed to be a compliance afterthought.
5. Deep Dives and UX Assessments
Beyond demos, vendors faced scenario testing and independent accessibility reviews. Could a visually impaired resident reset their password without calling a help desk? Could someone without a smartphone verify their identity? These weren’t edge cases — they were essential.
6. Customer References
We validated with customers — not just curated references, but independent sources who could speak candidly. Did commitments hold up in production? Did the vendor respond to real-world challenges with transparency and speed?
This was more than evaluation. It was a playbook for exposing culture and intent. Vendors who treated equity as marketing didn’t survive the process. Those who embedded it into their DNA did.
Lessons Learned
Several insights stand out from this experience:
Independent validation is everything. Vendors’ claims mean little without third-party testing and references.
Equity is measurable. It can be designed into evaluation frameworks and scored — not just spoken about.
Privacy and equity by design separate leaders from laggards. Bolted-on fairness is not fairness at all.
Compliance is table stakes. The differentiator is whether equity and transparency are core to the business model.
Call to Action
For CIOs, CISOs, and policymakers evaluating identity platforms today, the lesson is simple: don’t settle for vendor philosophy. Demand proof.
Ask for independent bias testing. Ask to see how consent is captured and revoked. Ask where operations teams are located, and whether customer references validate the promises.
Digital equity in identity is not a philosophy — it’s engineered, tested, and proven. Anything less is just noise.
* Footnote: One vendor (ID.me) was disqualified from consideration in Washington State due to use of 1:many biometric face matching and subsequent controversy. Their case underscored the importance of transparency, consent, and trustworthiness as non-negotiable prerequisites for public identity systems.