In enterprise environments, identity effectively became the control plane once network perimeters broke down (e.g. zero trust, et cetera).

I’m seeing a similar pattern emerging on the public internet via age verification and safety regulation, but with identity moving closer to the access layer itself.

Not just: “Are you over 18?”

But: identity assertions are becoming part of how access is granted at the OS/device/app store level.

From a security perspective, this seems to introduce some new attack surfaces:

• high-value identity tokens at the OS/device level
• new trust boundaries between apps, OS, and third-party verifiers
• incentives to target device compromise or token reuse rather than account-level bypass
• potential centralisation of identity providers as enforcement points

Questions I’m trying to think through:

• Does this effectively make identity providers the new perimeter/control plane?
• How would you model this system (closer to DRM, identity federation, or something else?)
• What are the likely failure modes if this layer becomes centralised?
• Are decentralised / on-device credentials actually viable from a security standpoint, or do they just shift the attack surface?

Curious how people here would threat model this or where the obvious breakpoints are.

I’ve written a long-form analysis on how age-verification laws are pushing identity into internet infrastructure (OS layers, app stores, identity credentials), rather than staying at the application/content layer.

It looks at how enforcement is moving “down the stack”, with governments increasingly targeting platform chokepoints like Apple/Google and device-level controls.

The piece draws on UK identity history, US telecoms, and current global regulation.

Curious how people here think this holds up technically, especially around enforcement, bypass (VPNs, forks, sideloading), and where this creates new attack surfaces.