Summary
- Identity verification is where ARIN account access becomes recognised authority: weak checks invite captured channels and unauthorised signers, while excessive delay taxes succession, mergers, compliance screening and live-service continuity for legitimate.
The recovery request that changes the economics
The trouble begins with a person who is not trying to buy or sell anything. A regional wireless provider has used the same IPv4 block for years. Its towers still pass traffic. Customers still pay. Reverse DNS has not failed, and the abuse mailbox still reaches a support queue. Then the founder dies, and the company discovers that the old ARIN Online authority was tied to an individual account, an old administrative contact and a corporate habit that nobody had written down because, for a long time, nothing needed to change.
The surviving company can prove that the network exists. It can show invoices, tower leases, customer routes, bank statements and state filings. Its new network manager can maintain BGP sessions and keep customers online. Its bookkeeper can pay bills. Its general manager can talk to vendors. Yet none of those facts alone answers the registry question: who may speak for the holder now?
A different operator meets the same problem without a death. It has merged two subsidiaries and centralised network administration. The signer whose email still works was an officer of a predecessor, not the surviving entity. A university has moved an old engineering network into a central technology office, but the public record still points to a department name and a retired employee. A municipal network has changed its legal authority after a charter reform. A hosting company has replaced a founder-led team with professional management, while the old contacts remain visible because no one wanted to disturb a system that worked. A transfer counterparty, lender or compliance team then asks whether the person in the ticket can bind the organisation whose resources are at stake.
This is where identity verification becomes economic infrastructure. It is not merely a login check. It is not merely a file request. It is the moment at which operational use, corporate authority, registry recognition and market reliance converge. If ARIN accepts a weak claim to authority, an impostor, former employee, compromised mailbox or revived shell company can move valuable resources or alter account control. If ARIN demands too much proof for every authority question, a legitimate holder can lose time, money and continuity because it cannot quickly translate ordinary organisational change into the exact form the registry recognises.
ARIN is a useful case precisely because the North American registry is mature. The issue is not the visible disorder of a collapsing institution. It is the quieter problem of a post-exhaustion registry whose account and authority decisions sit inside an asset-grade IPv4 economy. ARIN maintains Organisation Identifiers, resource records, Points of Contact, ARIN Online accounts, transfer recognition, legacy-resource distinctions, public registration data and service relationships. Its transfer materials require account links to authorised Admin or Tech contacts; specified-recipient transfers require the source to be the current registered holder and to provide officer acknowledgement; merger and reorganisation paths require evidence of acquired assets or legal continuity; Org ID recovery exists when old Admin or Tech contacts have left, but may require evidence that the new requester is authorised to recover the organisation.
Those mechanics are not the thesis. They are exhibits. They show why the authority question has many layers. A holder is not the same as a login. A login is not the same as a Point of Contact. A contact is not the same as a signer. A signer is not necessarily the beneficial controller. A technical manager may be the person who can preserve service, while a corporate officer may be the person who can bind the holder. A sanctions or compliance review may need to know who stands behind an instruction without turning that inquiry into punishment. The economic task is to verify authority narrowly enough to protect the ledger, and quickly enough to avoid making identity friction the hidden price of holding scarce number resources.
Identity friction is the cost of proving present authority
Identity-verification friction should be defined narrowly. It is the cost and delay of proving who may act for the holder now. The word "now" matters. Historical evidence can explain how a resource reached the present holder. Public records can identify the organisation that ARIN currently publishes. Account credentials can show who can enter a portal. Points of Contact can show who is associated with administrative, technical, abuse, routing, DNS or other functions. None of those facts is identical to present authority for a particular action.
The same organisation may need different authority for different decisions. A routine contact update may require one threshold. A transfer request may require a stronger threshold. Org ID recovery after the departure of old contacts may require a different threshold again. A billing correction should not demand the same evidence as a transfer signature. A technical update that preserves current service should not require the same proof as a change in recognised holder. Identity friction becomes economically dangerous when these thresholds collapse into one undifferentiated demand for "proof".
The cost has several components. There is search cost: finding the right officer, secretary, counsel, trustee, estate representative, municipal official or parent-company authority. There is evidence cost: obtaining filings, resolutions, letters, certificates, court papers or other records that show the person has capacity to act. There is translation cost: converting a real organisational structure into registry terms such as Org ID, Admin POC, Tech POC, officer acknowledgement, account link or transfer source. There is timing cost: waiting while the registry reviews the claim, asks follow-up questions or classifies the request. There is continuity cost: deciding which services and account functions remain available while authority is checked.
This is close to documentation burden, but it is not the same problem. Documentation burden is the cost of producing acceptable evidence. Identity friction is the point at which the evidence must answer a narrower question: who has capacity to bind the holder for the requested act? A thick file can still fail if the signatory is not authorised. A leaner file may be sufficient if the current authority chain is clear and the requested act is low risk. The economic hinge is not the volume of paper. It is recognition of agency.
Nor is this an abuse-contact problem. A working abuse mailbox lowers the cost of routing allegations and operational notices. It does not prove who can approve a transfer, recover an Org ID, sign an agreement, appoint a voting contact, certify beneficial control or answer a sanctions inquiry on behalf of the legal holder. Contactability is useful, but it is not authority. A reachable engineer may know the network better than anyone else and still lack power to bind the company. A role account may be monitored and still not be a transfer signatory. A billing contact may pay invoices and still have no authority to change the public record.
Identity friction is therefore a settlement cost. The registry is not settling a court case, but it is deciding whose instruction the shared number-resource ledger will recognise. That decision affects transfer finality, account recovery, routine service continuity, merger cleanup, lender confidence, sanctions diligence and customer assurance. When the answer is clear, the market treats the resource as easier to rely upon. When the answer is unclear, counterparties buy protection: longer escrow, wider warranties, legal opinions, special indemnities, delayed closings, service contingencies or discounts. The cost of proving authority appears outside the registry ticket.
The right question is not whether ARIN should verify authority. It must. The question is whether it can treat identity verification as a precise test rather than a broad institutional option. For this action, who is acting? What role is claimed? What evidence proves the role? What risk would weak verification create? What harm would delay create? Which unrelated services should continue? What review path exists if the answer is no? That is the difference between a registry protecting the ledger and a registry letting identity friction become a gate over scarce capital.
ARIN mechanics separate holder, login, contact and signer
ARIN's account structure makes the separation visible. An Org ID represents a business, nonprofit corporation, government entity or qualifying individual in the ARIN database. It is defined by a legal name, postal address and Points of Contact. Directly issued IP addresses and ASNs are associated with an Org ID. Points of Contact can represent a specific person or a role and can serve different functions, including administrative, technical, abuse, network-operations, routing or DNS contact. ARIN Online accounts are individual accounts used to manage records, resource requests, correspondence and certain security functions, and they link to POC records rather than replacing them.
Those distinctions are practical rather than decorative. ARIN says individual ARIN Online accounts should use individual email addresses, not role or group email addresses, while POC records may represent roles. That design recognises a basic security fact: the person who logs in should be identifiable, but the public contact role may need to survive staff turnover. It also recognises a basic authority fact: portal access, public contactability and legal capacity are not the same thing.
A login can submit. A POC can be associated with an Org ID and, depending on role, manage records or receive communications. An Admin or Tech POC can have power to request or modify certain registry records. A billing contact can resolve payment matters. A voting contact can participate in member governance where applicable. A transfer signatory or officer acknowledgement carries a higher authority claim. A legal holder is the organisation whose resources and service relationship are at stake. A beneficial owner or controller may create compliance exposure even when day-to-day account authority appears ordinary.
In a small operator, one person may fill all of these roles. That does not make the distinctions unnecessary. It makes the operator fragile when that person leaves, dies, sells shares, loses email access or becomes disputed. In a larger company, the roles may be distributed across legal, network, compliance, billing and corporate-secretary teams. That reduces single-person risk, but it creates signer mismatch, because the person who knows the registry file may not be the person who can bind the holder.
ARIN's public materials also show how authority escalates with consequence. Org ID creation requires an authorised contact representing an entity ARIN can validate. Modifying an Org ID requires an ARIN Online user account linked to an Admin or Tech POC associated with that Org ID. If the old Admin or Tech contacts have left and a user cannot link to them, the organisation may need Org ID recovery, and ARIN may ask for documentation showing that the requester is authorised to recover the Org ID. Transfer requests require an ARIN Online account linked to an Admin or Tech POC with authority for a valid Org ID. Specified-recipient transfers require the source to be the current registered holder, not in dispute over the resources, and able to provide signed and notarised officer acknowledgement. Merger, acquisition and reorganisation paths require evidence that relevant assets, customers, equipment, networks or legal entities moved.
These rules have a common economic purpose: they keep one channel from becoming total control. A user account should not be enough to sell a block. A public contact should not be enough to alter corporate authority. A signer letter should not make the technical team disappear. A legacy holder without a current agreement may still need to maintain public data and reverse DNS, while different services such as hosted routing security or routing-registry support may depend on agreement coverage. The registry has to know which authority is needed for which act.
Friction arises when the categories are not visible to the holder. A new network manager may think the problem is an account password. ARIN may see an Org ID recovery. Counsel may see a corporate-authority issue. A buyer may see transfer risk. A compliance team may see control uncertainty. A customer may see nothing until a service change is delayed. The same facts are being sorted through different lenses. A mature registry lowers friction by naming the lens: account access, POC validation, Org ID recovery, officer authority, merger continuity, disputed authority, suspected compromise, compliance hold or service-specific eligibility.
When those labels are precise, ARIN can be strict without being expansive. It can say that a person may update a technical contact but not sign a transfer; that an old contact can receive notice but not bind the holder; that a founder's estate can preserve routine service while corporate succession is verified; that a merger file needs a surviving-entity signatory rather than the predecessor's old email; that a compliance review pauses one requested change rather than all account life. The separation of holder, login, contact and signer is not bureaucracy. It is the economic control that keeps verification from becoming arbitrary.
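The separation described in this section can be written as an action-scoped authorisation check. The following Python example is added here for illustration and is not ARIN's software or rule set: the action names, fact labels and hold scopes are hypothetical simplifications of the requirements described above, and the reverse-DNS row is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Facts that can be established for a request (hypothetical labels for the
# roles and evidence the text describes).
LINKED_POC = "account_linked_to_admin_or_tech_poc"
BILLING = "billing_contact"
REGISTERED_HOLDER = "source_is_current_registered_holder"
NO_DISPUTE = "resources_not_in_dispute"
OFFICER_ACK = "signed_notarised_officer_acknowledgement"
RECOVERY_DOCS = "documentation_authorising_org_id_recovery"

# Evidence each act needs. Simplified model of the text; the reverse-DNS
# row is an assumption added for the continuity case.
REQUIRED = {
    "resolve_billing": {BILLING},
    "update_reverse_dns": {LINKED_POC},
    "modify_org_id": {LINKED_POC},
    "recover_org_id": {RECOVERY_DOCS},
    "specified_recipient_transfer": {
        LINKED_POC, REGISTERED_HOLDER, NO_DISPUTE, OFFICER_ACK,
    },
}

# A hold pauses only the acts it names, never the whole account.
# Scopes are illustrative assumptions.
HOLD_SCOPE = {
    "signer_mismatch": {"specified_recipient_transfer"},
    "suspected_compromise": {"modify_org_id", "specified_recipient_transfer"},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    missing: frozenset       # named facts still unproven for this act
    blocked_by: tuple        # holds whose scope covers this act
    reroute: Optional[str]   # different request category, if one applies


def evaluate(action, proven, holds=()):
    """Decide one act from the facts proven for it and the holds in force."""
    if action not in REQUIRED:
        raise ValueError(f"unknown action: {action}")
    unscoped = [h for h in holds if h not in HOLD_SCOPE]
    if unscoped:
        # A hold with no named scope would act as a blanket freeze.
        raise ValueError(f"hold without a defined scope: {unscoped}")

    blocked_by = tuple(sorted(h for h in holds if action in HOLD_SCOPE[h]))
    missing = frozenset(REQUIRED[action] - set(proven))

    # No usable Admin/Tech link: this is a recovery case, not a password case.
    reroute = None
    if action == "modify_org_id" and LINKED_POC in missing:
        reroute = "recover_org_id"

    return Decision(not missing and not blocked_by, missing, blocked_by, reroute)


if __name__ == "__main__":
    signer = {LINKED_POC, REGISTERED_HOLDER, NO_DISPUTE, OFFICER_ACK}
    for action, proven, holds in [
        ("modify_org_id", {LINKED_POC}, []),
        ("specified_recipient_transfer", {LINKED_POC}, []),
        ("specified_recipient_transfer", signer, ["signer_mismatch"]),
        ("update_reverse_dns", signer, ["signer_mismatch"]),
        ("modify_org_id", {BILLING}, []),
    ]:
        print(action, holds, evaluate(action, proven, holds))
```

The denial carries the named missing facts and the specific hold, so the requester learns which fact to cure and which act is paused.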
Weak checks turn scarce resources into capture targets
The case for strong identity checks is straightforward. IPv4 scarcity has made old registry lines valuable. Valuable lines attract people who try to control them without legitimate authority. A registry that accepts weak authority signals invites account capture, false transfers, stale-contact hijacking, forged officer claims, shell-company revival and unauthorised instructions. In such a market, loose verification does not make commerce freer. It makes honest commerce harder to trust.
The most obvious risk is the departed employee. A network engineer who once managed ARIN records may retain access to an old POC, domain, mailbox or institutional memory after leaving the company. The person may have no bad intent; the mere existence of the stale authority is a defect. But in a stressed transaction, a hostile departure or a commercial dispute, the same defect can become leverage. If the registry treats old access as current authority, the recognised holder's control can be altered by someone whose relationship to the holder has ended.
Compromised mailboxes create a similar problem. Many older records began with ordinary email habits rather than modern account hygiene. A domain lapses. A personal address is reused. A password is stolen. A support alias forwards to a vendor. If email receipt alone can support account recovery or contact change, a criminal does not need to break the network. It only needs to break the channel that the registry treats as enough.
Fake officers and revived entities are more sophisticated. An attacker may present a letter from a person claiming to be an officer of a holder whose corporate status is old, ambiguous or dissolved. A shell entity may have a name close to a legacy registrant. A predecessor's name may still appear in public records even though the operating business moved. A broker or intermediary may believe the seller's story without verifying the chain. If ARIN accepts the claim too quickly, registry recognition can launder a weak private claim into public state.
Unauthorised transfer instructions are the highest-value case. A buyer wants ARIN recognition because private contract is not enough. It wants the public record to identify the recipient and wants associated services to align with the deal. If ARIN accepts a source instruction from the wrong person, the buyer may acquire a dispute rather than a resource. If ARIN accepts a forged authority file, the legitimate holder may lose public recognition or spend heavily to reverse the harm. If ARIN ignores a rival authority claim, a quick transfer can create apparent finality before the underlying dispute is resolved.
Weak checks also harm small legitimate operators. A weak registry discounts everyone. A rural ISP needs confidence that its record cannot be stolen by an old consultant. A university needs old departmental space protected from opportunists. A family business needs succession recognised through real authority, not through whoever controls an ancient email. Fraud control is a public good for holders who cannot afford litigation.
Sanctions and compliance exposure strengthen the point, but they should not be confused with enforcement. A registry may need to know whether the person giving instructions is the actual holder, a nominee, a sanctioned counterparty, an intermediary acting for someone else or a person lacking authority. That is an identity and control question. It does not mean the registry should become a general sanctions court, publish insinuating public labels or police every commercial relationship. It means weak identity controls can let a prohibited or hidden controller use registry recognition through a clean-looking channel.
The healthy lesson is falsifiability. A strong check asks for facts that can be tested: current legal existence, role in the holder, authority for the requested act, link between old and current entities, authenticity of a signer letter, verified channels, rival-claim scope and legal restraint. A credible system says no to capture without treating every messy history as bad faith.
Heavy checks tax the operators least able to wait
The opposite risk is not imaginary. Identity verification can become too heavy. A registry may avoid capture by making every authority question feel like a closing room, every account recovery feel like a corporate investigation and every role update feel like a high-value transfer. That approach protects the institution from some mistakes, but it pushes delay, legal cost and continuity risk onto holders, counterparties and customers.
Large operators can absorb more authority friction. A cloud platform, national carrier or acquisitive enterprise may have corporate-secretarial staff, in-house counsel, formal delegations, registry specialists, current POCs and contract systems. If ARIN asks who can bind the company, the answer may arrive through a trained legal office.
Small operators face a different cost curve. A rural ISP may have one founder, one engineer and a bookkeeper. A family business may pass control through inheritance before anyone notices that the old registry account still points to the founder. A small hosting company may have grown out of a consultancy and never built formal corporate records around every early address request. A municipal network may have public-authority documents that do not look like private-company resolutions. A university may have legacy space tied to old departments, labs or grant-funded projects. The legitimate story may be real, but the evidence path may be slow.
That slowness has a price. A successor company may need to update contacts so it can maintain services safely. A newly appointed network manager may need access to correct reverse DNS or public contact data. A small transfer may wait while the seller proves signer authority, making legal fees consume a large share of the deal. A lender may postpone funding because the person controlling the account is not clearly the person who can bind the holder. A customer migration may depend on registry-linked service changes that cannot be made until authority is recognised.
Heavy checks are regressive when the evidentiary cost is fixed. The work required to prove who can recover an Org ID or sign for a small block may be similar to the work required for a larger resource. If the smaller holder must hire counsel, pay recovery fees, obtain notarised letters, reconstruct old corporate records and wait weeks for review, the cost per address is far higher. The result is not better fairness. It is a market in which clean files and specialist counsel become sources of bargaining power.
Founder death is the hardest human example. The founder may have been the public face, technical brain, billing contact and ARIN account user. After death, the surviving company may be fully legitimate, but the registry sees a risky request: a new person wants access to an Org ID controlled by someone no longer able to confirm. The wrong answer could let an impostor capture resources. The overcautious answer could leave a live network unable to update records, respond to account issues or prepare a succession transaction. The right answer must be structured, not merely strict.
Heavy checks also create defensive behaviour. Holders may avoid updating contacts because they fear opening a broad review. They may keep a stale but working account because recovery looks risky. They may delay succession planning because the first step appears to invite questions beyond authority. They may prefer intermediaries who know how to manage ARIN rather than counterparties who offer better economic value. A verification system that makes honest repair frightening will produce the very stale authority it later treats as suspicion.
The solution is not lighter checks everywhere. It is proportional checks tied to action and risk. A routine technical update, billing correction, POC replacement, Org ID recovery, transfer signature, merger recognition, suspected compromise and compliance hold should not all have the same burden or consequence. Strictness should rise with the danger of weak verification. Support and timing discipline should rise with the danger of delay.
Account recovery is a continuity test
Account recovery is the moment when identity friction becomes most visible. The holder is asking the registry to restore legitimate control over an account or Org ID whose current authority path is broken. That request is dangerous because it is exactly what an attacker would ask for. It is also essential because real organisations lose access. People leave. Founders die. Domains expire. POCs go unvalidated. A business acquires another business and inherits records nobody has touched in years. A legacy holder discovers that the only person who could approve a link is gone.
A recovery process should begin with a preservation principle. The last verified operational state should remain stable while the authority question is reviewed, unless there is evidence of compromise, fraud, legal restraint or customer risk that requires narrower action. Existing public records should not be casually rewritten. Existing reverse-DNS and security-related state should not be disturbed merely because account access is uncertain. A transfer can wait. A high-risk role change can wait. Ordinary customer continuity should not become collateral.
That preservation principle protects both sides. It prevents an impostor from using recovery to move resources. It prevents a legitimate holder from being punished for a broken authority path. It tells customers and counterparties that the registry is isolating the uncertainty rather than turning it into a general cloud. It also protects ARIN from the accusation that recovery is a lever for unrelated concessions.
The evidence path should be structured. A recovery request may require current legal existence, proof that the requester has authority inside the holder, evidence that old Admin or Tech POCs are unavailable or no longer authorised, notices to existing contacts where safe, payment history, corporate filings, officer certification, court or estate documentation where relevant, and technical continuity evidence where it helps connect the organisation to the live network. Each piece should answer a named fact. The registry does not need every private business detail to decide whether the requester can recover authority.
The process should also distinguish recovery from transfer. Recovering an Org ID or account link is not the same as recognising a new holder. ARIN's own legacy guidance makes a related distinction: legacy resource holders can update Org ID records without signing a Registration Services Agreement unless resources have moved to a new organisation because of merger or acquisition, in which case a transfer path is needed. That distinction is economically important. A holder that lost account control should not be forced into a transfer theory if the legal holder has not changed. A successor created by a real merger may need the transfer path because the recognised holder has changed. The label decides the proof.
Compromise suspicion needs its own category. If ARIN sees an anomaly suggesting that an account or mailbox has been captured, it should be able to lock vulnerable changes, require re-authentication and notify verified channels. But a suspected compromise should not imply that the holder's entire resource position is illegitimate. The remedy should fit the risk: block actions that would alter recognised authority or services vulnerable to misuse; preserve safe communications; maintain public continuity where facts permit; review the lock on a schedule.
Recovery also needs timing transparency. A holder facing founder death, staff turnover or emergency maintenance cannot plan around silence. It may need to tell customers why a contact cannot be updated, tell a lender whether account access is curable, tell an acquirer whether a closing condition can be met, or tell a court what the registry requires. ARIN need not promise approval before evidence is reviewed. It should be able to say what category the recovery falls into, what fact remains unproven, what evidence could cure it, what functions remain available and when the case will be escalated if it does not move.
The worst recovery design is suspicion by default. It turns an honest succession problem into an adversarial file, encourages over-disclosure and makes small operators fear repair. The second-worst design is trust by default. It lets the person who found the broken channel become the new authority. A mature post-exhaustion registry needs a third design: continuity-preserving, evidence-specific and action-limited recovery. It should restore legitimate control without opening the door to capture or freezing unrelated live services.
Signer mismatch is normal after mergers and officer changes
Signer mismatch is not automatically a red flag. In a mature economy it is normal. Companies merge, spin off business lines, change officers, rename subsidiaries, consolidate technology teams, replace founders, move assets into holding companies and reorganise after acquisitions. Public records, registry records and corporate titles rarely change in perfect sequence. The person whose email remains attached to a POC may no longer be an officer. The person who can sign for the surviving company may not know the registry history. The entity named in the old record may be a predecessor whose business continues inside a new structure.
ARIN's transfer categories reflect part of this complexity. A merger, acquisition or reorganisation path asks whether assets, customers, equipment, networks or the organisation as a whole were acquired. A specified-recipient path asks whether the current registered holder is releasing unused resources to a qualified recipient. Inter-registry transfers add reciprocal policy and receiving-registry validation. These are not merely administrative boxes. They decide which authority question is being answered.
In a merger cleanup, the key question is continuity. Did the resources follow the business, network, customers, equipment or legal entity whose successor is now asking for recognition? The signer for the surviving entity may have a title that did not exist at the predecessor. The predecessor's old officer may no longer have authority. The purchase agreement may refer to "network assets" without listing every prefix in a way that satisfies a registry reviewer. ARIN needs enough evidence to avoid recognising a false successor. But it should not treat mismatch itself as proof of bad faith.
Officer changes create a narrower version. A company may have a new president, general counsel or authorised signatory. Public corporate registries may update slowly. The company's internal delegations may use titles unfamiliar to ARIN staff. A parent company may centralise signing authority while the Org ID remains under a subsidiary's legal name. A registry request may therefore appear to come from someone whose title does not match the old file. The question should be whether the person can bind the holder for the action, not whether the file looks historically tidy.
The economic risk of mishandling signer mismatch is high. If ARIN accepts any plausible title, a false officer can move resources. If it treats mismatch as near-fatal, legitimate reorganisations are delayed and resources become less liquid. In acquisitions, delay can affect closing conditions, escrow release, customer integration and lender comfort. In internal restructurings, delay can leave public records misaligned with real authority, creating new risk for future transactions. The registry's caution and the holder's need for continuity are both rational.
A good signer-mismatch review should name the missing link. Is the uncertainty about the legal identity of the current holder? The survival of a predecessor? The authority of a new officer? The scope of a board delegation? The inclusion of resources in acquired assets? The difference between a mere name change and a merger or acquisition? The existence of a rival claimant? Each uncertainty asks for different evidence. A public filing may prove a name change. A merger filing may prove entity continuity. A board resolution may prove signer authority. An asset agreement may prove that resources moved. A court order may define who can act during insolvency. A blanket request for more authority material raises cost without improving trust.
The review should also keep services ordered. A signer mismatch may justify pausing a transfer or a change of recognised holder. It does not automatically justify disrupting existing reverse-DNS maintenance, public contact correction or customer-facing continuity. If the mismatch affects only a high-consequence act, the hold should affect that act. If it suggests account compromise, the registry can lock vulnerable functions. If it reveals that the public record is stale but not disputed, the registry can preserve the last verified state while the holder supplies proof.
Merger and restructuring authority also affects lenders and buyers. A lender financing an address-dependent business wants to know whether the signer can bind the borrower or seller. A buyer wants assurance that a predecessor's resources will not later be claimed by another successor. Clear signer-mismatch categories turn a messy file into a solvable authority problem rather than a general market cloud.
Compliance exposure should identify the speaker, not punish the holder
Identity verification also appears in sanctions and compliance diligence. The issue can be sensitive because compliance language easily becomes enforcement language. A registry may need to know whether the person instructing it is acting for the recognised holder, for a sanctioned party, for a hidden beneficial controller, for a nominee, for an unauthorised broker or for an entity whose legal status has changed. That is a legitimate authority question. It is not the same as punishing conduct, judging a business model or turning a registry file into a public risk narrative.
The boundary matters because compliance checks have economic value and reputational force. A buyer does not want to close a transfer that later proves to involve a prohibited controller, and a lender does not want collateral whose registry recognition depends on a nominee arrangement it cannot understand. But the registry's authority checkpoint should still ask who is speaking, what role is claimed, what legal or control fact is uncertain and which action is affected. It should not become a general review of whether the holder's commercial strategy is attractive, whether leasing is morally approved, whether a transaction is politically popular or whether a customer chain makes the registry uncomfortable absent a defined rule or legal bar. Compliance exposure justifies careful identification. It does not justify open-ended discretion.
Beneficial-control questions should therefore be trigger-based. Routine maintenance does not need the same beneficial-ownership inquiry as a high-value transfer, account recovery after suspicious activity, court-related dispute, sanctions match or unusual representative arrangement. Even when deeper inquiry is justified, the request should identify the control fact being examined. Is ARIN asking whether the named officer can bind the holder? Whether a transfer recipient is legally eligible? Whether a sanctioned person controls the instruction? Whether a power of attorney is valid? Whether a court order restricts changes? Without that precision, compliance becomes a word that can expand to fit any hesitation.
Public status language should be careful. A private compliance hold may need to exist. A transfer may need to pause. A status may need to signal that a court order or legal restriction affects changes. But a vague public label can do severe damage. Counterparties price it, customers worry about it, lenders discount it and competitors may exploit it. "Authority review pending" is different from "fraud suspected". "Legal restraint affects transfer" is different from "holder risky". "Sanctions screening in progress" is different from a finding. The words should describe the state and its practical effect, not imply more than the evidence supports.
Confidentiality is part of the same discipline. Compliance files may include passports, officer data, ownership charts, legal opinions, bank information, law-firm letters and private transaction material. The registry may need selected facts to protect the record. It does not need to turn private evidence into public insinuation. It should limit access, record purpose, accept redactions where they do not impair proof, and avoid using material supplied for one authority question as a general source for unrelated inquiry.
The continuity rule should remain in place. A sanctions or compliance concern about a transfer may justify pausing that transfer, but it should not automatically disrupt routine service, public-record maintenance, billing or technical updates unless the same concern affects those functions. If law or court order requires broader restraint, the restraint should be named and scoped.
Least-privilege authority lowers fraud and delay
The constructive design principle is least privilege. Not every registry-facing role should carry the same power, and not every role should require the same evidence. Technical, billing, abuse, voting, transfer, legal and account-administration functions are different. Separating them reduces fraud because a captured channel cannot do everything. It also reduces delay because a low-risk action does not need high-consequence proof.
Technical authority should be enough for narrow maintenance that preserves current service, but not enough to sell resources. Abuse authority should make complaint routing real, but it should not become proof that the desk can approve a merger or certify control. Billing authority should resolve invoices and fee questions without becoming transfer authority. Voting authority should represent the member in institutional decisions without altering resource control. Legal or compliance authority should be scoped to the question: counsel may submit a file, a power of attorney may cover one transaction, and a compliance officer may answer control questions without becoming the holder.
For transfer roles, the proof should be stronger. Transfer recognition changes market state. The source must be the current registered holder or be connected through an appropriate merger or succession path. A signatory must be able to bind the source for the transfer. The recipient must satisfy applicable requirements. Dispute status matters. Officer acknowledgement matters because the action is economically final in a way that routine maintenance is not. Strong proof here is not overreach; it is the condition of trustworthy settlement.
External representatives should be recorded with scope, expiry and a confirmation channel. A broker or lawyer can help the holder navigate a transaction without becoming the holder. A delegate can carry authority for one act without receiving general account power.
Account-administration roles sit between these categories. Someone must be able to add or remove POCs, recover an Org ID, link accounts and manage access. That role is powerful because it can change who controls the channels. It should therefore require stronger authentication than ordinary contactability, but it should be structured enough that honest succession is possible. Secondary contacts, verified organisational channels, periodic authority review and recovery receipts can reduce single-person risk.
Least privilege also improves status design. If a transfer signatory is unverified, pause the transfer. If a billing contact is outdated, repair billing access. If an abuse mailbox fails validation, fix the contact path. If a technical contact leaves, replace the role. If an account compromise is suspected, lock vulnerable changes while preserving safe service. If an Org ID recovery is pending, preserve last verified state. Each action gets the remedy that fits its authority risk.
The economic benefit is predictability. A buyer can know which authority must be verified before closing. A holder can maintain operations while a higher-risk act is reviewed. A small operator can update routine records without fear that every correction will open a full transfer file. A lender can distinguish account hygiene from legal capacity. ARIN can defend strict transfer verification because it has not made every role equally onerous. Least privilege keeps the cost of authority proportional to the risk of the act.
Status categories are cheaper than a general hold
The most expensive status is ambiguity. "Under review" may be accurate inside a support queue, but it tells the market too little. A buyer does not know whether a transfer is delayed by a missing officer acknowledgement, a disputed holder, an unpaid fee, a sanctions screen, an account compromise, a court order, a stale POC, a merger-document gap or staff backlog. A lender does not know whether the risk is curable. A holder does not know which evidence would solve the problem. Customers do not know whether service continuity is implicated. Everyone prices the worst plausible explanation.
A mature registry should use authority status categories because categories lower uncertainty without requiring disclosure of private files. Routine confirmation should mean a low-risk role or information check with easy cure. Enhanced authority review should mean a higher-consequence act, such as transfer signature, Org ID recovery, merger recognition or external-representative scope, where a named fact remains unproven. Disputed authority should mean competing claims or evidence that a predecessor, successor, estate, court representative or rival officer may contest control; the last verified state should be preserved while the disputed act is isolated. Compromised account should mean possible unauthorised access, with vulnerable changes locked, verified channels notified and the status reviewed on a timetable. Sanctions or compliance hold should identify the relevant action and the control concern without public insinuation. Cured status should say when authority, contactability, recovery or a false positive has been resolved, so old doubts do not remain as market residue.
Categories should also include timing expectations. Routine confirmation, POC validation, Org ID recovery, transfer authority review, merger authority review, disputed authority and compromise recovery should not be reported under one average. They differ in evidence, consequence and urgency. Aggregate timing data for each category would help the market distinguish a normal queue from a structural bottleneck.
Status categories are not a demand for public exposure. Many details must remain private: identity documents, officer data, ownership charts, account logs, legal correspondence, transaction terms and fraud signals. The public and the counterparty often need only the bounded meaning: which action is affected, whether the last verified state continues, whether cure is available, whether the status is temporary, and whether review exists. Precision can coexist with confidentiality.
The cost saving is real. A small operator can tell a lender that account recovery is pending but services continue. A buyer can distinguish a missing signer letter from a rival claim. A customer can know that public records remain stable while a transfer is reviewed. ARIN can avoid the market damage of vague adverse labels. A registry that classifies uncertainty makes uncertainty cheaper.
Appealability turns verification into infrastructure
Identity verification should be appealable because mistakes are inevitable. A registry may reject a signer whose title is unfamiliar but valid. It may misread a public-sector authority. It may receive a false claim from a former employee. It may treat a power of attorney as too broad when it is actually transaction-specific. It may suspect compromise because an account changed after a long silence, when the real cause is founder succession. It may miss a hidden controller. Review does not weaken verification. It makes verification defensible.
Appealability begins before a formal appeal. The first notice should explain the record or action at issue, the role claimed, the fact not yet proven, the evidence that would cure the concern, the consequence of non-response, the status of unrelated services and the path for escalation. A notice that merely asks for more proof forces the holder to guess. Guessing produces over-disclosure, delay and resentment.
The review path should be proportionate to consequence. A routine POC validation problem may need only ordinary support review. Org ID recovery after the departure of old contacts may need senior review if the evidence is rejected. A transfer hold, suspected compromise, disputed authority, compliance hold or refusal to recognise a signer should have a clearer escalation path, because the economic cost can be large. The reviewer should be able to see the evidence, the risk of weak verification, the harm of delay and the reason lesser remedies were or were not sufficient.
Independence matters, but it need not mean a courtroom for every case. Internal separation between the staff member who raised the concern and the person who reviews a high-consequence decision may be enough for many files. More severe cases may need a defined appeal panel, arbitration mechanism, court recognition or other external forum depending on the nature of the dispute. The key is that the holder can contest the decision without relying on informal persuasion or institutional goodwill.
Auditability matters as much as appeal. ARIN should have a decision record for high-consequence authority actions. What was requested? Who acted? What role was claimed? What evidence was offered? What fact remained uncertain? What risk would acceptance have created? What harm would delay create? What unrelated services were preserved? What cure path was given? What review occurred? Such records protect holders, but they also protect ARIN. They let the registry show that it rejected an impostor for specific reasons, paused a transfer because authority was unproven, or restored an account because evidence met the standard.
Appealability should also include preservation. If a holder appeals a transfer-authority refusal, the transfer may remain paused. That does not mean ordinary maintenance must stop. If a holder appeals an account-recovery denial, the last verified public state can remain stable. If a compliance false positive is under review, the affected transaction can be held without public insinuation. The appeal process should not itself become a continuity shock.
An appealable identity system makes strong verification cheaper. Holders are more likely to accept demanding evidence when they understand the fact in dispute and can contest mistakes. Buyers and lenders are more likely to price a pause as curable when categories and review exist. Staff are more likely to resist real fraud when their decisions are recorded and reviewable. Fraudsters face a clearer wall because the wall is built from facts, not from unspoken unease.
A practical authority test
A constructive identity-verification test should begin with the action. What is ARIN being asked to do? Update a POC, replace account authority, recover an Org ID, approve a transfer, recognise a merger, process a name change, enable a service, alter billing access, accept an external representative, respond to a compliance concern or preserve a disputed state? The action sets the consequence. The consequence sets the proof.
The second question is who is acting. Is the person a current officer, employee, technical manager, Admin POC, Tech POC, billing contact, voting contact, counsel, broker, estate representative, trustee, parent-company officer, successor-entity representative or outside representative? The registry should not infer authority from familiarity, email access or technical knowledge. It should identify the role claimed.
The third question is what role is required. A technical manager may be sufficient for technical maintenance. A billing contact may be sufficient for payment matters. An Admin or Tech POC may be sufficient for some record management. An officer or legally authorised signer may be required for transfer acknowledgement. A court-appointed representative may be required during insolvency or estate matters. A compliance officer may provide control information without being the transfer signer. The required role should be named before evidence is demanded.
The fourth question is what evidence proves the role. Evidence may include current corporate filings, officer certificates, board resolutions, public-sector authority records, court orders, estate documents, notarial materials, payment history, verified organisational channels, existing account links, notices to old contacts, technical continuity, merger filings, asset-transfer language or a limited power of attorney. The evidence should match the fact. If the fact is officer authority, ask for officer authority. If the fact is successor continuity, ask for successor continuity. If the fact is account compromise, use account and channel evidence.
The fifth question is what harm weak verification would create. Could an impostor move resources? Could a former employee capture account control? Could a compromised mailbox change services? Could a false officer sell a block? Could a hidden controller bypass legal restraint? Could a rival claimant be deprived of review? Could public records become misleading? The stronger the harm, the stronger the proof.
The sixth question is what harm delay would create. Would delay freeze escrow, postpone financing, interrupt customer migration, prevent contact repair, expose a rural network after a founder's death, leave public records stale, stop reverse-DNS maintenance, block account security cleanup, extend legal fees or damage lender confidence? Delay cannot force ARIN to accept weak evidence. But it should affect priority, communication, interim status and preservation of services.
The seventh question is which unrelated services should continue. If the dispute concerns a transfer signature, ordinary public records and existing services should usually remain stable. If the issue is a compromised account, vulnerable changes may be locked while safe communications continue. If the issue is Org ID recovery, the last verified operational state should remain. If law or court order requires more, the scope should be stated. Preservation prevents verification from becoming leverage.
The eighth question is what review path exists. Can the holder ask for senior review? Can it submit substitute evidence? Can it know why evidence failed? Is there a deadline? Does a transfer counterparty receive only the necessary status without private details? Is there a record that a later reviewer, court or board can inspect? High-consequence identity decisions should not depend on guesswork.
The ninth question is how cure is recorded. If authority is verified, for what role and for how long? If a signer is accepted, does that acceptance apply only to one transaction or to a class of acts? If a POC is repaired, is validation complete? If a false compliance match is cleared, is the hold removed? If account recovery succeeds, are old contacts retired safely? A system that never records cure leaves friction in place.
This test is not soft on fraud. It is harder for fraudsters because each claim must map to a role, action and evidence standard. It is also fairer to legitimate holders because the registry cannot expand a narrow uncertainty into a general inquiry. It gives small operators a checklist they can understand, large counterparties a way to price risk, and ARIN a defensible basis for strict decisions.
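The least-privilege role separation and the authority test described above can be modelled as a small decision function. The sketch below is an added illustration, not ARIN's system or policy: the policy table, evidence labels, the "verified" status and every class and function name are assumptions built from the roles, acts and status categories the essay names.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed policy table: action -> (roles allowed, evidence required, consequence tier).
# Role and action names follow the essay; evidence labels are illustrative assumptions.
POLICY = {
    "update_reverse_dns":   ({"technical", "account_admin"}, set(), "routine"),
    "resolve_invoice":      ({"billing", "account_admin"}, set(), "routine"),
    "update_abuse_contact": ({"abuse", "account_admin"}, set(), "routine"),
    "recover_org_id":       ({"officer"}, {"officer_authority", "entity_continuity"}, "high"),
    "approve_transfer":     ({"officer", "delegate"},
                             {"officer_authority", "officer_acknowledgement"}, "high"),
}

@dataclass
class Delegation:              # external representative: scope plus expiry
    actions: frozenset
    expires: date

@dataclass
class Hold:                    # a hold names the acts it affects and the unproven fact
    category: str              # e.g. "disputed_authority", "compromised_account"
    actions: frozenset
    unproven_fact: str

@dataclass
class Request:
    action: str
    role: str
    evidence: set = field(default_factory=set)
    delegation: Optional[Delegation] = None

@dataclass
class Decision:
    allowed: bool
    status: str
    missing: list              # what would cure the refusal
    paused: list               # only the act under review
    continuing: list           # unrelated acts that stay available

def evaluate(req, holds, today):
    roles, needed, tier = POLICY[req.action]
    continuing = sorted(a for a in POLICY if a != req.action
                        and not any(a in h.actions for h in holds))

    def deny(status, missing):
        return Decision(False, status, missing, [req.action], continuing)

    for h in holds:            # a hold blocks only the acts it names
        if req.action in h.actions:
            return deny(h.category, [h.unproven_fact])

    missing = []
    if req.role not in roles:
        missing.append("role:" + "|".join(sorted(roles)))
    elif req.role == "delegate":
        d = req.delegation
        if d is None or req.action not in d.actions or today > d.expires:
            missing.append("delegation covering this act and date")
    missing += sorted(needed - req.evidence)
    if missing:
        status = "enhanced_authority_review" if tier == "high" else "routine_confirmation"
        return deny(status, missing)
    return Decision(True, "verified", [], [], continuing)

if __name__ == "__main__":
    today = date(2025, 1, 15)  # constructed date
    hold = Hold("disputed_authority", frozenset({"approve_transfer"}), "rival claimant")
    print(evaluate(Request("approve_transfer", "technical"), [], today))
    print(evaluate(Request("update_reverse_dns", "technical"), [hold], today))
```

Each refusal names the act paused and the fact still unproven, while acts outside the hold remain available to the roles that already cover them.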
The authority question
The mature post-exhaustion registry has to live with a difficult truth. It is still a bookkeeper for number resources, but the book is now read by markets, lenders, customers, security systems, courts, acquirers and compliance teams. A small authority decision can change whether a block is transferable, whether a merger cleanup is routine, whether an account can be recovered, whether a customer promise looks safe and whether a lender treats address-backed revenue as reliable.
That does not mean ARIN should become larger than the ledger. It means the ledger function must become more disciplined. The registry should protect uniqueness, accurate records, authorised changes, transfer recognition, account security, service continuity and legal restraint. It should reject impostors, false officers, captured accounts and forged instructions. It should not use the identity checkpoint to decide which business models deserve liquidity, which holders deserve suspicion, or which transactions should be slowed for reasons not tied to a defined registry duty.
The difference is easiest to see in the small-operator case. A founder dies. The network continues. Customers still need service. The surviving company needs account authority restored. The registry must not hand the account to the first person who appears with an email and a story. It must also not make the surviving company prove every aspect of its business before it can repair the authority map. The right question is narrower: who can speak for the holder for this act, how do we know, what is protected while we check, and how can an error be reviewed?
The same question applies to a merger. A predecessor name may remain in the public record while the successor holds the business. A signer title may not match the old file. A transfer may depend on officer acknowledgement from the current holder. ARIN should insist on the missing authority link. It should not treat normal corporate change as suspicion by default. It should pause the act that depends on the link, not the entire life of the network.
It applies to compliance. A sanctions or beneficial-control concern may justify deeper identity review. The registry should know whether a hidden or prohibited controller is using a clean channel. It should not publish vague risk language or widen a transaction-specific concern into a general judgement unless law, court order or defined rule requires that scope.
It applies to role design. Technical, billing, abuse, voting, transfer, legal and account-administration roles should be distinct. A captured mailbox should not be enough to move resources. A technical manager should not need transfer-level proof for routine maintenance. A billing contact should not become the signer. An external representative should have scope and expiry. A strong registry recognises roles because roles are cheaper than suspicion.
It applies to status. Routine confirmation, enhanced authority review, disputed authority, compromised account, compliance hold and cured status are different states. Each should have a meaning, timing expectation, evidence target and preservation rule. The market can price a named status. It fears an unbounded hold.
ARIN's strongest identity role is therefore strict and modest. Strict, because scarce IPv4 resources cannot be protected if authority can be stolen through stale contacts, old emails, forged officer claims or shell entities. Modest, because the registry's legitimacy comes from knowing who may act for the holder, not from turning every identity check into discretionary power over the holder's capital.
If identity checks are too weak, the ledger becomes unsafe. If they are too heavy, the ledger becomes a toll gate. The durable middle is an authority system that names the act, verifies the role, accepts fit-for-purpose evidence, preserves unrelated services, records status, allows review and recognises cure. In that system, identity verification becomes infrastructure. It lets buyers rely, lenders discount less, small operators survive succession, reorganised entities clean up records, compliance teams screen without public theatre and customers remain insulated from disputes that do not affect their service.
The final authority question is simple. Does ARIN verify who can speak for the holder, or does identity friction become the quiet price of holding scarce number resources?

