Before Trust Travels
The Politics of Building Inter-Institutional Trust
In a companion essay, How Trust Travels Between Institutions, I described what has to be true for a decision made inside one institution to be relied upon inside another.
The answer came in four layers. The receiving institution has to establish that the record is authentic. That it was issued by an authority entitled to issue it. That it is admissible - that it may properly be relied upon for the decision at hand. And that there is some account to be had if the reliance turns out to be misplaced.
Where those four layers are complete across an institutional boundary, a credential, a registration, or an approval can cross it on its own. Trust travels.
That essay was diagnostic. It offered a way to examine any institutional boundary and ask which of the four layers is incomplete.
This essay asks the deeper question underneath it. The layers do not complete themselves. They have to be negotiated, institutionalised, and governed. And that work is slow, conflictual, and deeply political in ways the clean language of “interoperability” often conceals.
Before trust can travel, institutions have to become the kind of institutions between which it can. It is worth being concrete about why this matters, because citizens experience the absence of this work directly.
Consider someone buying a flat in an ordinary Indian city. To complete the purchase and live in it lawfully, she will deal with the registration department, the revenue department, the municipal body, a bank, utility providers, and the tax authority.
Each institution keeps its own records, in its own formats, verified in its own way. And because those institutions have not, for the most part, built the trust required to rely directly on one another’s records, she becomes the connective tissue between them.
She carries the registered sale deed to the revenue office so the property can be mutated into her name. She carries proof of mutation to the municipal body. She carries municipal and bank documents to utility providers.
When two records disagree - a name spelled differently, an extent that does not match, an old owner not yet removed - she is the one who notices. She is the only party with both an interest in the discrepancy and a reason to resolve it. She proves, repeatedly, the same facts about who she is and what she owns to institutions that could, in principle, establish those facts from one another but, in practice, do not.
She is doing unpaid, unacknowledged institutional work. She is the integration layer. The state’s fragmentation is operationally repaired by the citizen. Every document she carries from one office to another represents a missing layer of inter-institutional trust. Where institutions fail to coordinate, they do not absorb the cost of that failure. They externalise it onto her.
This essay is about what it would take for institutions to absorb that cost instead. Not primarily as a matter of technology - the rails for moving records between a revenue office and a municipal body are not difficult to build - but as a matter of institutions agreeing to rely on one another. That is the difficult part, and it is the real subject of everything that follows.
Four Layers, Unevenly Built
Trust between institutions is not one thing. When a decision made inside one institution must be relied upon inside another, that reliance breaks into four separate layers, and they fail separately.
Take the land record behind our flat buyer and watch each layer fail in turn.
The first is authenticity. The municipal body, handed a revenue record, must know it is genuine - that it actually came from the revenue department and has not been forged or altered. When authenticity cannot be established cheaply, verification collapses back onto the citizen: bring an attested copy, produce the original, obtain a seal.
The second is authority. Even a genuine record only matters if the office issuing it was empowered to issue it. Nobody doubts the revenue department is a real authority. The harder question is whether its mandate actually extends to everything its records now contain - whether some authority, somewhere, was ever granted to certify a building’s floor count or its built-up area, or whether those fields simply accumulated over time without anyone being empowered to vouch for them.
The third is admissibility - whether the receiving institution may properly rely on the record for the decision now being made. Authority asks whether anyone was empowered to certify an attribute. Admissibility asks the municipality’s version of the same question, from the other side: of the attributes in front of me, which may I actually act on? At a broad level this is rarely a problem - the municipality already knows the revenue department is the institution that certifies land ownership. The difficulty is granular. Ownership, perhaps. But extent? Built-up area? Number of floors? Land use? The municipality cannot safely act on the record until it knows which attributes carry institutional authority and which are merely descriptive - and it is the municipality, at the moment of reliance, that discovers where that authority runs out.
The fourth is accountability. If the municipality relies on the record and it later proves wrong, who answers for that error? Is there a correction path, a liability framework, a place to escalate? Where there is none, the citizen again becomes the only party with an incentive to resolve the discrepancy.
Where all four layers hold across an institutional boundary, a record crosses it on its own. Where any one is incomplete, the gap does not disappear. It is handed to the citizen, who closes it with her own time, travel, and persistence.
Why Paper Hid the Problem
These gaps are surfacing now not because institutions are newly fragmented, but because paper systems concealed ambiguities digital systems cannot tolerate.
Paper systems depended on human intermediaries exercising contextual judgment. Officials interpreted records socially rather than formally, carrying implicit assumptions about what a document did and did not certify.
The record never had to specify precisely what “land” meant, what “ownership” covered, or which attributes carried the department’s authority and which were merely recorded in passing - because human interpretation absorbed the ambiguity.
Electronic transmission removes that intermediary.
A system receiving a record cannot exercise contextual judgment about what the record means. Every attribute must be defined. Every authority relationship must be explicit. What constitutes land? What constitutes ownership? Which office certifies built-up area? Which certifies land use?
These questions often remained unresolved in the paper era because institutions could function despite the ambiguity. Digitisation does not merely place institutional trust on faster rails. It forces tacit institutional knowledge to become explicit institutional ontology.
That is why the deeper layers are difficult.
Authenticity and authority, in the broad sense, are largely problems of capacity: stronger registries, wider verification, legal recognition, operational reach.
Admissibility and accountability are different. They are problems of definition and allocation. They raise questions not about whether something can be verified, but about who gets to define what a record means, whose version of reality prevails, and who bears risk when reliance fails.
This is why fragmentation should not be mistaken for institutional mistrust or corruption. Institutions are often trustworthy already. What is missing is not virtue. It is precise definition, clear allocation of authority, and a credible path for recourse.
The challenge is not making institutions trust each other more. It is making reliance cheap and accountability real.
Why the Hard Layers Redistribute Power
If admissibility and accountability are fundamentally problems of definition and allocation, a natural question follows: why are they so difficult to settle? Definitions, after all, can be written down.
The answer is that the first two layers describe institutional facts. The second two allocate institutional power. Authenticity establishes provenance. Authority establishes entitlement. Neither necessarily changes who depends on whom.
Admissibility and accountability are different in kind. To establish admissibility is to decide that one institution’s outputs will count as authoritative for another’s decisions. To establish accountability is to decide who bears liability when those outputs are wrong.
These are not descriptive choices. They are allocations of authority, dependency, and risk. Shared infrastructure is never neutral. A registry determines which institution becomes authoritative and which becomes derivative. An identity layer determines who mediates access and who is dis-intermediated. These arrangements reshape institutional relationships.
This is why the deeper layers cannot be standardised in a room. Schemas can often be negotiated because they are descriptive. Allocations of authority and liability cannot, because they create winners, dependencies, and constraints. The conflict often surfaces first in seemingly technical questions.
Start with something already true. Revenue records and municipal records are, in most of India, separate systems - which is why a buyer who completes mutation at the revenue office must then apply again at the municipal body to have the same ownership reflected in property-tax records. The two institutions hold overlapping facts and do not propagate between them. The citizen does.
Now imagine that, as apartment ownership becomes the norm, a revenue department begins to record more about the building itself - floors, subdivision, built-up area - inside its property record. On the surface this looks administrative: merely deciding which fields belong in a schema. But the urban local body that issues building permits would have reason to read it differently. If the revenue record becomes the authoritative representation of the building’s form, the permitting authority - the institution actually empowered to certify that form - quietly becomes derivative.
The disagreement, were it to surface, would not really be about schema design. It would be about institutional jurisdiction. Paper systems deferred these conflicts because ambiguity allowed multiple institutions to coexist without resolving the underlying allocation of authority. Digital systems force precision. Precision, however, is diagnostic rather than curative. It exposes unresolved institutional allocations. It does not resolve them.
This is why institutions resist integration arrangements that appear, superficially, to be technical. They are not resisting interoperability itself. They are resisting ungoverned dependency.
A finance ministry worried about fiscal leakage, a regulator worried about concentration of power, a state government wary of central overreach - these are not institutions behaving irrationally. They are institutions responding to real risks.
The achievement of a mature state is not the elimination of this caution. It is the construction of governance arrangements that allow institutions to cooperate despite it. Large governance systems do not operate on blind trust. They operate on managed mistrust: governance structures that make institutional dependence safe without requiring unconditional confidence in the other party.
The real work of interoperability is therefore not technical integration. It is institutional settlement. The pipes matter, but only after institutions have agreed on authority, dependency, liability, and recourse.
Before trust can travel, governance has to.
And until it does, someone still carries the gap by hand - across the city, from counter to counter, proving the same facts over and over. The seamless digital state, when it finally arrives, will not be a triumph of technology. It will be the moment institutions finally stopped asking her to do their coordination for them.
Insightful