Identity fragmentation and the maturity model, explained

Written by Kenneth | Jun 17, 2026

 

Think about the last time you became someone's customer. You proved who you were to sign up. Then you proved it again to log in, again to change a detail, again when you called support. Same you, same company, starting from scratch every time. On the business side, that has a name: identity fragmentation. Each part of a business verifies a customer separately, and none of those checks is reused. For the customer it is repetitive and annoying. For the business it is a running cost, and a reason people give up before they finish. This piece explains what identity fragmentation is, how a company's handling of identity matures through five stages, and how the two ideas fit together.

What identity fragmentation is

Start with what a regulated business actually does with identity. Every time a customer interacts with your business, there is a moment where they have to prove who they are and you have to decide whether to trust it. Opening an account. Logging in. Confirming a payment. Signing a contract. Resetting access. Calling support.

In most companies today these checks are not connected to each other. A customer opens an account. They photograph their ID, record a short video of their face, set a password, confirm a code sent by text. A few months later they log in on a laptop and confirm another code. They call support and give a date of birth, an address, and the answer to a security question they set up earlier and have forgotten. They sign a document through a separate link with its own login. Same customer, same company, verified from scratch each time.

That is identity fragmentation: several separate identity systems running side by side, none of them reusing the result of the others. Each of those checks was added for a good reason, usually fraud or a regulation.

The problem is their compounding effect. Being asked to prove themselves repeatedly is one of the most common reasons customers abandon a process before the business earns anything from them. In our April 2026 study of 4,000 people across Belgium and the Netherlands, 64% said that being asked to record a video of themselves with their ID during sign-up would be enough to make them stop. Not the price. Not the product. The verification step itself.

The maturity model

So, how can we measure how well a company handles identity? The concept of identity fragmentation already makes clear that this doesn’t depend on the strength of any individual verification method. A company can have excellent face recognition in its app and still verify the same customer five separate times across its other channels. What decides maturity is how close the company is to verifying a customer once and reusing that everywhere.

The Identity Maturity Model sets this out in five stages, from identity rebuilt at every step to identity verified once and accepted everywhere. The fragmentation does not simply vanish as a company moves up. At each stage it takes a different form.

  1. Legacy. Identity is verified in a mix of physical and digital ways that are not connected. The customer might open an account online but still bring their ID card into a branch, or sign a contract on paper while logging in with a password. The in-person checks and the digital checks each happen on their own, with no link between them. The fragmentation at this stage is the split between physical and digital.
  2. Conservative. The in-person step is gone and verification is digital throughout, but the digital checks are still separate from one another. A password to log in, a code by text, a document upload to onboard, sometimes a card reader. Each was added on its own and none builds on the rest. The fragmentation here is the number of separate digital credentials a customer has to keep proving, one after another.
  3. Standard. Identity is finally reused, but only in one place, usually the mobile app. Inside the app the customer is recognised and logs in at once. On the website, on the phone line, or with a partner, they are verified again, because those channels do not reuse what the app already established.
  4. Progressive. The company offers several strong ways to prove identity at the same time. Its own app, an outside identity app, a passwordless link… For the customer this is genuinely good. They pick whichever they prefer and it works. The company is now running and paying for several identity systems at once, each needing its own maintenance, monitoring, and security review.
  5. Stellar. One verification is accepted everywhere. The same proof works across the company's own channels, across other companies, and across borders, without anyone being verified again. No single business reaches this stage alone, because it depends on an identity that many organisations agree to accept and reuse.

Companies move to the next stage when the current way of proving identity stops working. It usually shows up first as a cost or as customers complaining, and only later as a security and complexity problem. Each new check is added to fix the immediate issue, which is exactly how a company ends up with several systems running in parallel.

How the two ideas connect

You might expect that as a company matures, fragmentation goes away. It does not. What changes is who does the repeated work, and what it costs.

At Legacy, the company does the work by hand. It is slow and expensive, and everyone can see it. At Conservative and Standard, it is the customer who repeats the work, and experiences friction each time they are asked to prove themselves again. At Progressive, the customer's experience is excellent, and they no longer notice the repetition. For the company, however, there are still several identity systems to maintain, monitor, and secure, plus support and fraud handling.

This is the tricky part: because customers stop complaining, the company decides identity is handled. Only at Stellar does the repetition actually end completely.

The year of the Wallet

Every EU member state has to make a wallet available to citizens by the end of 2026, giving people a government-backed way to prove who they are. The duty to accept it arrives later and unevenly. Banks are clearly covered, because they already have to use strong authentication under existing payment rules. For other sectors the duty only applies where strong authentication is already required by law or contract, which is why many of them, insurers included, are in no hurry.

Either way, the European Identity Wallet does not move a company up the maturity model by itself. It gives you one more reusable method to accept. Reaching the higher stages is about reusing a single verification across everything a customer does with you, and that is still a choice each company makes. You can add the wallet as one more login option and stay where you are, or use it to stop verifying the same person again and again.

What reusable identity looks like in practice

This is not a future idea. In Belgium it already runs at national scale. Around 8 million people, close to the entire adult population, use itsme to prove who they are to their bank, their insurer, their telecom and energy providers, and the government. It is one verified identity, reused at each of those moments instead of rebuilt every time. itsme verifies people to a legal standard that holds up in court, and it is aligned with the European Digital Identity Wallet.

That makes itsme the clearest working example of the reuse the maturity model describes. For a regulated business it is also the practical way to do it. Rather than adding the wallet as one more method and maintaining yet another identity system, you connect once to an identity your customers already have and already use. The same verification works across onboarding, login, signing, and support.