Digital identity in Australia has spent the better part of a decade in policy documents and limited pilots. In 2026, that is changing. The national digital identity framework, anchored by the myID system (formerly myGovID) and the broader Trusted Digital Identity Framework, is moving from experimentation to mainstream government infrastructure. For IT teams in agencies, this shift carries real architectural and operational consequences.
What the national framework actually covers
The Australian digital identity ecosystem sits across several moving parts. The Digital Transformation Agency (DTA) sets the policy architecture and accreditation rules. Services Australia operates the myID credential used by individuals to access government services. The Australian Taxation Office runs the authentication backbone for the ATO's own portals. And a growing number of accredited third-party identity providers are now admitted into the federation under the government's trust framework.
The Trusted Digital Identity Framework (TDIF) is the rulebook binding all of these together. It defines identity proofing levels, fraud controls, privacy obligations, and the technical standards that accredited providers must meet. The framework allows a credential issued by one provider to be accepted by another participating service, which is what makes it a genuine federation rather than a collection of siloed logins.
For government IT teams already navigating Services Australia's digital transformation agenda, the identity framework is not a separate workstream. It is the enabling layer beneath nearly every citizen-facing service being rebuilt right now.
The myID rollout and what has changed
The rebrand from myGovID to myID in 2024 was not purely cosmetic. It accompanied a deliberate effort to extend digital identity beyond tax and welfare into more service domains, including state government portals, Medicare, aged care, and eventually private sector use cases such as banking and utilities. The underlying credential, linked to the Australian Government Digital Wallet, is designed to support verifiable credentials as the standard matures.
Uptake has grown steadily. Millions of Australians now hold a myID credential at the Standard or Strong identity strength level. The Strong level, which requires document verification against authoritative sources, is the threshold most agencies require for high-value transactions. Driving licence integration and biometric verification options have expanded the number of documents accepted, reducing friction for applicants who previously fell through the gap.
The ATO remains the highest-volume consumer of the credential, but Services Australia has progressively extended myID acceptance across Centrelink, Medicare, and the Child Support agency. The myGov and ATO digital experience depends heavily on this identity plumbing sitting reliably underneath it.
The federation question: private sector inclusion
One of the more consequential policy decisions embedded in the framework is to allow accredited private sector identity providers to participate alongside government-issued credentials. This means a credential established through, say, an accredited bank could theoretically be used to access a government service, and vice versa.
The logic is sound. Australians already carry high-assurance identity credentials issued by banks and telcos. Requiring them to establish a separate government credential for every digital service creates friction and duplicates effort. The federated model lets existing trusted relationships carry weight across the ecosystem.
In practice, the private sector onboarding process is proving slower than anticipated. TDIF accreditation is rigorous, and the liability and privacy obligations attached to participation have given some prospective providers pause. As of mid-2026, the list of fully accredited non-government identity providers remains short, though several financial institutions are at advanced stages of assessment.
What this means for agency IT teams
For agencies building or upgrading citizen-facing services, the framework creates both a mandate and a set of practical constraints. New services procured through DTA channels are expected to integrate with the national identity system rather than build bespoke authentication. That means adopting the OIDC-based integration protocols that the myID platform supports, aligning identity assurance levels to service risk profiles, and ensuring attribute release practices comply with TDIF privacy rules.
Agencies that have historically managed their own identity infrastructure face a harder transition. Legacy directory services, in-house credential systems, and department-specific smart card programs all need a migration path. The DTA has published integration guidance, but the effort involved in retiring legacy identity systems while maintaining service continuity is non-trivial. Workforce identity (staff credentials, privileged access) is largely outside the citizen-facing framework, but agencies are increasingly being asked to demonstrate that their internal identity controls align with the ACSC's identity-related hardening guidance, particularly around phishing-resistant MFA and conditional access policies.
Privacy Act reform and identity data obligations
The Privacy Act reforms moving through the legislative process in 2026 add another layer of complexity. The framework already imposes strict controls on how identity attributes can be collected, retained, and shared. Reformed privacy law tightens those obligations further, particularly around biometric data used in identity proofing and the handling of identity event logs.
Agencies need to ensure that their integration architectures do not inadvertently create centralised stores of identity transaction data that would fall foul of the new data minimisation requirements. The preferred pattern, where identity assertions are validated at point of transaction without the relying party retaining the underlying credential data, is technically achievable but requires deliberate architecture decisions rather than default configurations.
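The relying-party pattern described above, together with the assurance-level alignment mentioned earlier, can be sketched as follows. This is an added example, not DTA or myID code: the `acr` identifiers, issuer URL and client ID are hypothetical placeholders, and signature validation of the ID token is assumed to have been done already by an OIDC library.

```python
import time

# Hypothetical acr values standing in for the Standard and Strong levels;
# real identifiers come from the identity provider's integration guidance.
ACR_RANK = {"urn:example:ip:standard": 1, "urn:example:ip:strong": 2}
# Only these claims are kept after the decision; attributes are discarded.
RETAINED = ("iss", "sub", "acr")

# Constructed sample claims (signature assumed verified upstream).
SAMPLE = {
    "iss": "https://idp.example", "aud": "agency-service",
    "sub": "pairwise-7f3a", "acr": "urn:example:ip:strong", "exp": 2000,
    "given_name": "Alex", "family_name": "Citizen", "birthdate": "1980-01-01",
}


class AssuranceError(Exception):
    """The assertion is misaddressed, stale, or below the required strength."""


def authorise(claims, *, issuer, client_id, required_acr, now=None):
    """Validate claims at the point of transaction and return a minimal
    audit record that carries no personal attributes."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise AssuranceError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise AssuranceError("assertion not issued to this service")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AssuranceError("assertion expired")
    if not claims.get("sub"):
        raise AssuranceError("missing subject")
    have = ACR_RANK.get(claims.get("acr"))  # unknown or absent acr fails closed
    if have is None or have < ACR_RANK[required_acr]:
        raise AssuranceError("identity strength below service requirement")
    record = {k: claims[k] for k in RETAINED}
    record["checked_at"] = int(now)
    return record
```

The service makes its decision from the validated claims in memory and persists only the returned record, so no store of names, birth dates or document details accumulates on the relying-party side.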
What to watch in the second half of 2026
Several developments are worth tracking over the remainder of the year. The federal government's response to the joint parliamentary committee review of the digital identity legislation will clarify several outstanding questions about liability allocation between identity providers and relying parties. State government integration is also accelerating, with New South Wales, Victoria, and Queensland all at various stages of connecting their service platforms to the federal federation.
The verifiable credentials standard is the longer-horizon item. Pilot programs are underway, but broad adoption of credential-in-wallet architectures for documents like driver licences and professional certifications is likely to take until 2027 or beyond to reach meaningful scale. For now, the most pressing task for most agency IT teams is completing myID integration for existing services, meeting TDIF obligations, and ensuring their internal identity hygiene can withstand the scrutiny that comes with participating in a national trust framework.
Digital identity is infrastructure, not a feature. The teams that treat it that way early will have a much easier time as the framework expands in scope and in scrutiny.
