Every concept in the Agentic Legibility Stack, defined for three audiences: executive leaders, product and service teams, and technical architects.
This glossary describes the target operating model for how UK government services could work through AI agents. Interface examples are drawn from working prototypes that illustrate these concepts in action.
Permanent SecretariesProduct & Service TeamsTechnical Architects
Badges on each entry show which audiences it is most relevant to. All entries are accessible to everyone.
The core ideas that underpin the entire model. If you read nothing else, read these five definitions.
Legibility
ExecutiveProductTechnical
Making a government service machine-readable so an AI agent can understand it, assess eligibility, and act on it for a citizen.
Why it matters: Today, government services are designed for humans reading web pages. When AI agents act on behalf of citizens, they need structured, machine-readable descriptions of what each service does, who is eligible, what data is required, and what consent is needed. Without legibility, agents guess — and guessing about eligibility, entitlements, or legal obligations is unacceptable.
A service is "legible" when it publishes four structured artefacts (see Service Artefact) that tell any authorised agent everything it needs to know to act on that service. Legibility is the supply-side of the agentic equation: departments publish, agents consume.
A fully legible government would mean that a citizen experiencing bereavement, starting a business, or leaving prison could have an agent identify every relevant service, check eligibility for each, and begin acting — across departmental boundaries — in a single conversation.
Service Artefact
ExecutiveProductTechnical
A structured machine-readable file that describes one aspect of a government service to an AI agent.
Why it matters: Artefacts are the unit of work for making services legible. Each department publishes four artefacts per service. Together, they form a complete contract between the department and any agent acting for a citizen.
The four artefact types are:
Manifest — What the service does, which department runs it, input/output schemas, fees, SLAs, and redress routes
Policy Ruleset — Eligibility rules expressed as evaluable conditions, with failure reasons, edge cases, and alternative services
State Model — The valid states a service interaction passes through (e.g. identity verified → eligibility checked → consent given → submitted), with guards on each transition
Consent Model — What data the service needs, from which source, for what purpose, and whether each data-sharing grant is required or optional
What a service artefact contains (manifest example)
Field
Purpose
Example
Service name
Human-readable title the agent presents to citizens
Renew Driving Licence
Department
Which department owns and operates the service
DVLA
Description
What the service does, for agent understanding
Renew a photocard driving licence online
Eligibility summary
High-level conditions the citizen must meet
UK resident, aged 16+, valid licence to renew
Required data fields
What the agent needs to collect or verify
Full name, date of birth, NI number, address, photo
Processing time
Expected service level for completion
10 working days
Redress route
How to challenge the outcome if needed
Contact DVLA; escalate to PHSO
In the target model, departments publish this information through APIs conforming to a standard schema.
Service Graph
ProductTechnical
A connected map of all government services showing which services require, enable, or relate to each other.
Why it matters: Citizens don't experience government as isolated transactions — they experience life events that touch multiple departments. The service graph lets an agent reason about sequences ("you need a National Insurance number before you can apply for Universal Credit") and proactively suggest services the citizen may not know they are entitled to.
The graph contains service nodes with metadata (department, type, eligibility factors) and typed edges:
REQUIRES — Service A must be completed before Service B can begin (prerequisite)
ENABLES — Completing Service A opens up eligibility for Service B (opportunity)
Each service is classified by interaction type: benefit, obligation, registration, application, legal process, document, or grant.
The graph data model used in this architecture builds on the work of Maxwell Riess, whose UK Government Service Graph proof of concept mapped the relationships between government services and demonstrated that a connected, navigable graph of public services is both feasible and powerful. His research provided the foundational graph structure for this prototype.
Life Event
ExecutiveProduct
A significant moment in a citizen's life that triggers interaction with multiple government services across departments.
Why it matters: Citizens don't think in terms of departments or service names. They think "my mother died" or "I'm starting my first job." Life events are the entry points through which an agent discovers relevant services, rather than expecting citizens to know which department to approach.
The model maps 16 life events — including bereavement, having a baby, moving house, starting a business, leaving prison, retiring, and arriving in the UK — to the services each triggers. An agent uses a citizen's situation to identify the relevant life event and proactively surface all connected services.
Identity and Authentication
ExecutiveProductTechnical
How citizens prove who they are before an AI agent can access government services on their behalf — built on GOV.UK One Login.
Why it matters: Trust is the foundation of agentic government services. Without verified identity, the agent cannot access any service, share any data, or take any action. Identity and authentication ensure that only the right person (or their authorised delegate) can instruct the agent, and that departments can trust the identity claims the agent presents. This protects citizens from fraud and misuse, and gives departments the assurance they need to accept agent-mediated interactions.
Citizens authenticate through GOV.UK One Login, which provides a verified identity at the level required by each service. The agent cannot bypass or substitute this step. Once authenticated, the citizen's verified identity flows through to every service interaction, consent grant, and evidence record — creating an unbroken chain of accountability from person to action.
2 Citizen Experience
The citizen experience follows a natural arc: a conversation starts, tasks are identified, data is collected to fulfil them, journeys complete, and plans coordinate multiple services across a life event.
Chat
ExecutiveProduct
The conversational interface through which citizens interact with government services — describing their situation, answering questions, reviewing tasks, and giving consent.
Why it matters: Chat is the primary interface between the citizen and the system. Through a single conversational thread, citizens describe their situation, review what the agent proposes, answer questions, give consent, and confirm actions. Triage — identifying needs, matching services, and proposing a plan — is one of its key capabilities, not its name. The chat also hosts focused service journeys, inline cards, task confirmations, and consent panels.
Chat encompasses two primary modes: triage mode, an open-ended conversation where the agent listens to the citizen's situation, identifies their life event, and proposes relevant services; and journey mode, a focused single-service interaction where the agent collects data, obtains consent, and advances through a service's state model. Cards, tasks, and consent panels all appear inline within the chat — making it the single surface through which the entire citizen experience is delivered.
Citizen app — Service plan proposed in chat
1
Register the death
General Register Office
Agent will complete~15 min
Delegate
2
Tell Us Once
DWP
Agent will notify 9 departments~5 min
Delegate
Apply for probate
HMCTS
Requires: Register the death
Delegate all to agent
Task
ProductTechnical
A discrete unit of delegated work within a journey — something the agent will do or something the citizen must confirm — with a tracked status and an owner.
Why it matters: Tasks are how the citizen stays in control of what the agent does on their behalf. Before the agent submits anything to government, the citizen sees a clear list of tasks: what the agent will do, what choices the citizen has made, and a final confirmation step. Tasks are not forms (that's what cards are for) — they are commitments to action.
Each task has an owner (agent or citizen), a status (accepted, in progress, completed), optional due dates, and may require specific data. Agent tasks describe actions like "submit your UC claim" or "renew your driving licence." Citizen tasks ask for decisions: "which child is this for?" or "do you want to add your partner?"
Before any submission, the citizen reviews all tasks in a confirmation summary — with the ability to change any choice before proceeding.
Citizen app — Task confirmation before submission
Confirm before submitting
By continuing, the agent will submit information on your behalf.
Review what will happen next. You can change your choices before confirming.
A structured data-collection interface embedded within the conversation, replacing traditional government web forms.
Why it matters: Cards allow the agent to collect verified, structured data from citizens within a conversational flow. Fields pre-fill from verified sources (e.g. GOV.UK Wallet credentials), are marked as verified when government-sourced, and only ask for what's genuinely needed.
Card types include generic forms, payment collection, document uploads, and bank details. Each card is defined by a schema specifying field types, validation rules, required/optional status, and conditional visibility (some fields only appear based on answers to others).
Citizen app — Data collection card with verified pre-fill
Full name Verified
Date of birth Verified
Relationship to deceased *
Date of death *
Confirm details
Journey
ProductTechnical
A focused, single-service interaction where the agent collects data, obtains consent, and advances through the service's state model to completion.
Why it matters: Journeys replace traditional government web forms with a conversational, guided experience. The agent knows what data is needed, what has already been verified, and what state the interaction is in — so the citizen never fills in the same information twice.
A journey progresses through defined states (identity → eligibility → consent → data collection → submission → outcome). The agent can only advance through valid transitions — it cannot skip eligibility checks or bypass consent. Progress is shown to the citizen in real time.
Citizen app — Journey progress indicator
UC Application ProgressHousing details
✓
✓
✓
4
5
6
IdentityEligibilityConsentDetailsSubmitActive
Outcome
ExecutiveProduct
The formal result of a completed service journey, presented as a department-branded confirmation with a reference number and next steps.
Why it matters: Outcomes give citizens tangible proof that something happened. They carry department branding, official reference numbers, and clear next steps — so citizens know exactly where they stand and can follow up if needed.
Outcome types include payments (scheduled to bank), credentials (added to wallet), registrations (confirmed), documents (issued), and notifications (departments informed). Each carries a unique reference, the issuing department's identity, and a timestamp.
Citizen app — Completed journey outcome
General Register Office
Death certificate — registered
RefGOV-A3F2-81D4
Certificate numberDC-2026-004821
Copies ordered3 certified copies
Fee charged£33.00
✓Registration confirmed
Issued 22 March 2026
Service Proposal
Product
The agent's suggestion of which government services are relevant to a citizen's situation, with a recommended order of action.
Why it matters: Proactive service discovery is one of the most powerful capabilities of the agentic model. Rather than citizens searching for services, the agent proposes them — including services from other departments the citizen may never have heard of.
Two discovery strategies exist to balance caution with comprehensiveness:
Conservative discovery — Surfaces only high-confidence matches where eligibility is clear from the data available. Avoids false positives.
Expansive discovery — Surfaces all potentially relevant services, including edge cases where eligibility is uncertain. Maximises awareness.
The citizen always decides which proposals to pursue. Services are sorted by prerequisite order — foundational services (like getting a National Insurance number) appear first.
Proactivity
ExecutiveProductTechnical
The system's ability to surface services a citizen is likely entitled to or obligated by — before they ask, and sometimes before they know they exist.
Why it matters: Billions of pounds in benefits go unclaimed each year because citizens don't know they're eligible. Obligations are missed because people don't know about deadlines. Proactivity flips government from "find it yourself" to "we'll tell you what you need to know." When a citizen mentions they're having a baby, the agent doesn't just help with maternity pay — it surfaces Child Benefit, Tax-Free Childcare, Sure Start, and the HICBC risk, ordered by priority and urgency.
Each service in the graph carries proactivity metadata:
Mode — suggest (proactively recommend), warn (alert to an obligation or risk), or inform (make available but don't push)
Priority — a numeric ordering that controls which services appear first in plans and proposals (urgent obligations before optional entitlements)
Framing — how the service is presented to the citizen (e.g. "You may be entitled to..." vs "You are required to..." vs "You should be aware that...")
Timing — when the service becomes relevant relative to the life event (immediately, within days, within weeks)
Proactivity also drives auto-skip in plans: when the citizen's verified information shows a service is clearly irrelevant (e.g. provisional driving licence for someone who already drives), the system removes it with a human-readable reason and a "start anyway" override.
Plan
ExecutiveProductTechnical
A personalised, ordered sequence of government services for a life event — derived from the service graph, filtered by the citizen's circumstances, and tracked to completion.
Why it matters: A plan is the bridge between "I need help" and "here's everything you need to do, in the right order." It takes the abstract service graph and materialises it for a specific citizen: removing services they're not eligible for, ordering the rest by dependency (register the death before applying for probate), and tracking progress as services complete. Plans make the cross-departmental nature of government visible and manageable.
Plans are organised by dependency depth — foundational services at the top, dependent services below. Each service in the plan shows:
Its current status: available, in progress, completed, skipped, or locked (waiting on a prerequisite)
Whether it was auto-skipped based on citizen data, with a human-readable reason and the option to override
Personalised hints (e.g. "You left TechCo on 15 January — your employer must issue a P45 within 14 days")
Whether the citizen or the agent will handle it
Citizens can start plans from the Services section of their dashboard, which shows life events as browsable cards. Expanding one reveals the plan's services. Once started, the plan tracks progress with a percentage bar and "X of Y services" count.
Citizen app — Active plan for a life event
Having a Baby
3 of 8 services complete · 38%
Foundations
✓
Register with a GP
NHS
Done
✓
Maternity pay entitlement
HMRC
Done
Entitlements
3
Child Benefit
HMRC · benefit
In progress
4
Tax-Free Childcare
HMRC · entitlement
Start
−
Free School Meals
Auto-skipped: baby is under school age
Household
ExecutiveProductTechnical
A group of related citizens who share a home and whose government entitlements may depend on each other — making the family unit a first-class concept in the system.
Why it matters: Government services rarely affect just one person. Universal Credit is assessed at the household level. Child Benefit depends on the highest earner's income. Tax-Free Childcare involves both parents. School admissions depend on address and siblings. The household model lets the agent reason about entitlements, obligations, and risks across family members — not just for individuals in isolation.
A household has members (each with a role: primary, partner, child, dependant), a shared address, and relationship links between members. This enables:
Cross-member risk detection — e.g. alerting a family when one earner approaches the £50,000 High Income Child Benefit Charge threshold
Shared service plans — a bereavement plan that coordinates actions across executor, spouse, and children
The "acting for" pattern — a parent sees their children's services alongside their own on the dashboard
Delegation
ExecutiveProductTechnical
The ability for one citizen to act on behalf of another — a parent for a child, an executor for a deceased person, a carer for a vulnerable adult, or an attorney for someone who lacks capacity.
Why it matters: Government services are rarely used by individuals in isolation. Parents manage services for children, families coordinate shared entitlements, executors handle the affairs of the deceased, and attorneys make decisions for those who cannot. The delegation model makes these real-world relationships a first-class concept, with scoped permissions and a full audit trail of every action taken on someone else's behalf.
Delegation is built on formal relationship types — each carrying default permissions that reflect the legal reality:
Parent / Guardian — full authority over a minor child's services
Executor — can view data, submit forms, make payments, and correspond on behalf of a deceased person's estate
Attorney (LPA) — can view data, submit, manage consent, make payments, and correspond — reflecting Lasting Power of Attorney
Carer — can view status and receive alerts, but not submit or make decisions without explicit additional grants
Spouse / Partner — view status and receive alerts by mutual agreement; further permissions require explicit consent
Representative — can view status, view data, and correspond — suitable for advice workers and support organisations
Every delegated action is logged with who acted, on whose behalf, what they did, and when. This creates an auditable trail for safeguarding and legal accountability.
Relationship Permissions
ProductTechnical
Scoped, granular permissions that control exactly what one person can do on behalf of another — from view-only access to full authority.
Why it matters: "Acting on behalf of" is not binary. A spouse viewing your benefit status is different from an executor submitting a probate application is different from a carer appealing a PIP decision. Relationship permissions ensure that delegation is precise, auditable, and matches the legal authority the person actually holds.
Permission scopes include:
view_status — see the current state of a service journey
view_data — see personal data held about the subject
submit_on_behalf — submit forms and applications
receive_alerts — get notifications about status changes
manage_consent — grant or revoke data-sharing consent
make_payments — authorise fees and payments
appeal_decisions — challenge outcomes on the subject's behalf
correspond — communicate with departments
full_authority — all of the above (expands automatically)
Permissions can be time-limited (e.g. an executor's authority expires when probate completes) and service-filtered (e.g. a carer can only view health-related services).
Citizen app — Task card with family member selection
Who is this Free School Meals application for?
Select the child you are applying for.
3 Data Architecture
How citizen data is structured, sourced, trusted, and controlled throughout the system.
Citizen Data Model
ProductTechnical
A unified, citizen-owned data structure that holds personal information, entitlements, and relationships — drawn from multiple departments but controlled by the citizen.
Why it matters: Today, every department holds a fragment of a citizen's data. The citizen data model brings these fragments together from the citizen's perspective — so the agent can pre-fill forms, check eligibility across departments, and avoid asking for information the government already holds.
The model includes a base profile (identity, address, employment, finances, vehicles, children, benefits, health) and life-situation extensions (bereavement details, immigration status, criminal justice status, childcare needs, etc.). Every field carries metadata about its source department and trust tier.
Data Tiers
ExecutiveProductTechnical
A three-level trust classification for citizen data: verified (government-sourced), submitted (citizen-entered), and inferred (agent-derived).
Why it matters: Not all data is equally trustworthy. A National Insurance number from HMRC's systems is more reliable than one typed by a citizen, which is more reliable than one inferred by an agent. Data tiers let the system and the citizen see exactly how confident each piece of information is.
Tier 1 — Verified: Government-issued credentials from a department's systems (via GOV.UK Wallet or direct API). Displayed as read-only in forms. Cannot be edited by the citizen or agent.
Tier 2 — Submitted: Data the citizen entered during previous interactions. Used for pre-fill suggestions. Citizen can correct it.
Tier 3 — Inferred: Conclusions drawn by the agent from available data (e.g. "likely eligible for Carer's Allowance based on caring responsibilities"). Always flagged as inferred. Never submitted to departments without citizen confirmation.
Citizen app — Personal data dashboard showing tiers
Every data field in the citizen model carries metadata about which department originally holds or issued it.
Why it matters: Citizens have a right to know who holds their data. Source attribution enables "this comes from HMRC" explanations, supports GDPR right-of-access requests, and lets the agent explain where pre-filled data originates — building trust and transparency.
Each field records its source department (e.g. "HMRC", "DVLA", "Home Office"), its topic classification (e.g. "identity", "financial", "immigration"), and its trust tier. When data is shared with a new service, the consent panel shows where each field comes from.
Wallet Credentials
ExecutiveProduct
Government-issued verifiable credentials held in the citizen's GOV.UK Wallet — digital equivalents of physical documents like driving licences, passports, and veteran status.
Why it matters: Wallet credentials are the highest-trust data source in the system. When a citizen presents a driving licence credential from their wallet, the agent and the receiving department know it's genuine — no manual verification needed. This eliminates the need to post physical documents or visit offices to prove identity.
GOV.UK Wallet
ExecutiveProductTechnical
The citizen's portable store of verified credentials — digital equivalents of documents like driving licences, passports, and benefit entitlements — issued by departments and held by the citizen.
Why it matters: The GOV.UK Wallet puts citizens in control of their own verified information. Departments issue credentials into the wallet; the citizen decides when and with whom to share them. The agent draws on wallet data to pre-fill forms and prove eligibility, eliminating redundant data entry and the need to post physical documents. Because credentials are department-issued and cryptographically verifiable, they carry the highest level of trust in the system.
The wallet holds credentials such as driving licences, passports, National Insurance numbers, benefit entitlement letters, veteran status, and professional qualifications. Each credential is issued by its owning department, carries an expiry date and verification status, and can be selectively shared with other services. The citizen can view, manage, and revoke access to their wallet contents at any time.
4 Consent & Control
How citizens maintain control over their data when an AI agent acts on their behalf.
Consent Grant
ExecutiveProductTechnical
A specific, informed permission from a citizen for the agent to share named data fields with a named department for a stated purpose.
Why it matters: Nothing happens without consent. Every time the agent needs to share citizen data with a government service, it presents a consent grant explaining exactly what data will be shared, where it comes from, why it's needed, and how long the sharing lasts. The citizen explicitly agrees or declines each grant. This is not a blanket "I agree to terms and conditions" — it is granular, informed, revocable consent.
Each grant specifies: a description (what the citizen is agreeing to), the data fields being shared, the source of that data, the purpose, the duration, and whether it's required or optional for the service to proceed.
Consent is always revocable. A citizen can withdraw any previously granted consent at any time. When they do, the system clearly explains the consequences — for example, "revoking this consent will cancel your application" — so the decision is informed. Consent that cannot be withdrawn is not real consent. The full lifecycle of every grant (given, declined, revoked) is recorded in the Consent Audit.
Citizen app — Consent panel for driving licence renewal
Data sharing consent
DVLA needs access to the following to process your renewal.
Verify your identity using GOV.UK One Login
Required
To confirm you are who you say you are
Data to be shared:
full namedate of birthNI number
Source: One Login · Duration: session
✓ I agreeNo thanks
Share your passport photo with DVLA
Required
DVLA will use your most recent passport photo for the new licence
Data to be shared:
passport photo
Source: HM Passport Office · Duration: session
I agreeNo thanks
Consent Audit
ExecutiveProductTechnical
A chronological record of every consent decision a citizen has made — what they agreed to, what they declined, and what they later revoked.
Why it matters: For regulatory compliance and citizen trust. The consent audit gives citizens a complete picture of who has access to their data and why, and gives departments an auditable trail for data protection purposes.
Citizen app — Consent history timeline
Consent History
✓
Consent given22/03/2026, 10:31
Identity verification for DVLA
full namedate of birthNI number
✗
Consent denied22/03/2026, 10:32
Optional marketing data for HMRC
↩
Consent revoked22/03/2026, 14:15
Address sharing for DVLA
5 Accountability
How the system records what happened, why, and for whom — creating an auditable evidence trail for every agent action.
Evidence Plane
ExecutiveProductTechnical
A separate, append-only audit layer that records every action the system takes — independent of the control logic that makes decisions.
Why it matters: When an AI agent acts on behalf of a citizen with government services, there must be an unimpeachable record of what happened. The evidence plane is the system's answer to "prove it." It is separate from the logic that drives decisions, so it cannot be retroactively altered by the same system that made the decision.
The evidence plane records trace events, generates citizen-facing receipts, maintains a case store for in-flight journeys, and supports full replay of any past interaction. It is the foundation for accountability, complaints, appeals, and regulatory compliance.
Trace Event
ProductTechnical
A single, timestamped record of something the system did — invoked a capability, evaluated a policy, transitioned state, granted consent, or called the language model.
Why it matters: Trace events are the atoms of accountability. Each one says what happened, when, in which session, and with which context. Together, they reconstruct the complete story of any interaction — essential for auditing, debugging, and responding to complaints or appeals.
The standard event taxonomy includes: capability invoked/result, state transition, consent granted/denied/revoked, policy evaluated, LLM request/response, credential presented, receipt issued, error raised, handoff initiated, and field extracted. Each event carries trace, span, and session identifiers for correlation across the full interaction.
Receipt
ExecutiveProduct
A citizen-facing record of an action taken by the agent, showing what was done, the outcome, and what data was shared.
Why it matters: Receipts are the citizen's proof. They translate the technical trace into human-readable confirmation: "Applied for Universal Credit on your behalf. Status: submitted. Data shared: name, NI number, address, bank details." Citizens can review, download, and use receipts as evidence.
Citizen app — Receipt for a service action
Your Receipts
Submitted UC claim to DWP
Universal Credit application
success
22/03/2026, 11:42:18
Data shared: full nameNI numberaddressbank details
Receipt reference: GOV-UC-2026-04821
Case Store
ProductTechnical
A ledger of in-flight service cases, continuously updated from trace events, showing current state, history, and progress for every active journey.
Why it matters: Citizens and departments need to see where a case stands at any moment. The case store enables the dashboard to show "your UC claim is at step 4 of 6" and allows a human call centre agent to pick up exactly where the AI agent left off.
Replay
Technical
The ability to step through a past interaction event by event, reconstructing the exact state of the conversation, data, and decisions at each point.
Why it matters: When a citizen complains, an ombudsman investigates, or a department audits decisions, replay shows precisely what happened and why. It transforms accountability from "trust us" to "see for yourself."
Agent Reasoning
ExecutiveProduct
A transparent view of the agent's internal thinking process — why it chose a particular service, how it evaluated eligibility, and what it plans to do next.
Why it matters: Citizens and auditors should be able to understand not just what the agent did, but why. The reasoning panel exposes the agent's thought process in plain language, building trust and enabling scrutiny. If the agent is wrong, the reasoning makes it clear where the error lies.
Citizen app — Agent reasoning panel
Agent Reasoning
Sarah mentioned her mother passed away on 2 January. She is named executor in the will.
I will propose the bereavement life event services. The death must be registered within 5 days, so that is the first priority. Tell Us Once can run in parallel. Probate requires the death certificate, so it comes after.
Sarah's mother's estate value (~£380,000) is below the IHT threshold (£325,000 + £175,000 residence nil-rate band = £500,000), so no IHT liability. I will confirm this with the policy evaluation before telling Sarah.
6 Orchestration
How the system coordinates between the AI language model and deterministic government logic — ensuring the agent follows the rules.
Deterministic Boundary
ExecutiveProductTechnical
The strict separation between what the AI language model decides and what code decides — the model generates natural language; code enforces rules.
Why it matters: This is the architectural guarantee that the agent cannot hallucinate eligibility, skip consent, or invent entitlements. The language model handles citizen-facing conversation (explaining, clarifying, summarising). All consequential decisions — "is this person eligible?", "has consent been given?", "is this state transition valid?" — are made by deterministic code that evaluates the published policy and state model. The model cannot override this boundary.
In practice: the language model proposes a state transition; the orchestrator checks it against the state model and rejects it if invalid. The model suggests a citizen is eligible; the policy evaluator runs the actual rules and may disagree. This separation is what makes the system trustworthy enough for government use.
State Machine
ProductTechnical
A formal model of the valid states a service interaction can be in, and the valid transitions between them — preventing the agent from skipping steps.
Why it matters: Government processes have mandatory sequences. You cannot submit a benefits claim before verifying identity. You cannot make a payment before confirming the amount. The state machine enforces this at the system level, making it impossible for the agent to skip, reorder, or shortcut steps — no matter what the citizen asks or the language model suggests.
Policy Evaluation
ProductTechnical
Running a citizen's data against the published eligibility rules for a service, returning a definitive pass/fail with reasons.
Why it matters: Eligibility is not a matter of opinion — it is a matter of rules. Policy evaluation means the agent does not guess whether someone qualifies. It evaluates conditions (age ≥ 18, income ≤ threshold, residency = UK) and returns a clear answer with specific failure reasons if ineligible. When eligibility is uncertain, it identifies which data is missing rather than speculating.
Policies also define: edge cases (recent bereavement, name discrepancy, overseas applicant), alternative services if ineligible, and triggers for human handoff when a case falls outside automated rules.
Field Collection
ProductTechnical
Tracking which data fields a service requires versus which have already been collected or verified — so the agent only asks for what is genuinely missing.
Why it matters: Citizens are frustrated by forms that ask for information the government already holds. Field collection cross-references the service's requirements against verified credentials, previously submitted data, and facts already gathered in the conversation — then only asks for the gap.
Capability Invocation
Technical
A single gateway through which every service action passes — ensuring that every invocation is policy-checked, consent-verified, and trace-recorded.
Why it matters: Without a single integration point, individual components might skip consent checks, bypass policy evaluation, or fail to record actions. The capability invoker acts as a unified service gateway, guaranteeing that nothing reaches a government service without passing through the full accountability pipeline.
Model Context Protocol (MCP)
Technical
The open standard for connecting AI agents to external tools and data sources, providing a uniform interface for service discovery and invocation.
Why it matters: Without a standard protocol, every department would need to build bespoke integrations with every agent. MCP provides a common language: each department's services are exposed as MCP tools, allowing the agent to discover available services, understand their inputs and outputs, and invoke them through a single standard interface. This means a new department can become agent-accessible by publishing MCP-compliant tool definitions, without requiring changes to the agent itself.
In this architecture, the MCP server exposes each legible service as a tool with a typed schema describing its inputs (required data fields), outputs (expected results), and metadata (department, service type, prerequisites). The agent's MCP client discovers these tools at runtime and invokes them through the capability invocation gateway, which enforces policy, consent, and evidence recording regardless of which protocol carries the request.
7 Safety & Escalation
How the system protects citizens by knowing when to stop and hand over to a human.
Handoff
ExecutiveProductTechnical
The structured escalation of a citizen's case from the AI agent to a human, with full context about what has already been done.
Why it matters: AI agents will not be able to handle every case. Complex situations, edge cases, distressed citizens, and safeguarding concerns all require human judgement. Handoff ensures that when the agent reaches its limits, it transfers to a human with everything they need to continue — the citizen never has to start over.
The handoff package includes: the citizen's identity, the urgency level, the reason for escalation, steps completed so far, what is blocked, data collected, all trace events and receipts, and suggested next actions for the human agent. Urgency levels range from routine to safeguarding-level immediate response.
Citizen app — Handoff to human with context
Priority handoff
This application has an edge case that requires specialist review — the estate value is close to the Inheritance Tax threshold and involves overseas property.
HMCTS Probate
Phone: 0300 303 0648
Mon–Fri 8am–6pm
Your case reference and everything the agent has collected will be available to the specialist. You will not need to repeat any information.
Safeguarding
ExecutiveProduct
Automatic detection of distress, self-harm indicators, or vulnerability in a citizen's messages, triggering immediate escalation to human support.
Why it matters: Citizens interacting with government services are sometimes in crisis — facing eviction, fleeing domestic violence, experiencing mental health emergencies. The system monitors for safeguarding triggers and immediately routes to appropriate human support when detected, overriding any service journey in progress.
Edge Case Detection
ProductTechnical
Identifying when a citizen's situation falls outside the standard path defined by a service's policy — and knowing what to do about it.
Why it matters: Real-world cases are messy. Policies define named edge cases (missing documents, name discrepancies, overseas complications, very recent events) with specific handling instructions: extend a timeline, add a fee, request additional evidence, or hand off to a specialist.
8 Administration
How departments publish, manage, and monitor the legibility of their services.
Gap Analysis
ExecutiveProduct
A department-level view showing how many services have been made legible versus how many remain to be done.
Why it matters: Gap analysis turns the legibility programme from an abstract goal into a measurable one. Departments can see exactly where they stand: "12 of your 201 services have full artefacts. 189 are catalogued but not yet legible." This drives prioritisation and resource allocation.
Legibility Studio — Department coverage dashboard
1,544
Total Services
28
Full Artefacts
2%
Coverage
1,516
Need Artefacts
Coverage by Department
HM Revenue & Customs201 services
8 full / 193 catalogue4%
DWP115 services
6 full / 109 catalogue5%
Home Office178 services
4 full / 174 catalogue2%
Service Coverage
ExecutiveProduct
A per-service assessment of which of the four artefacts (manifest, policy, state model, consent) have been published, and which are missing.
Why it matters: Coverage answers "what does my department still need to do?" at the individual service level. A service with a manifest but no policy can be described but not triaged for eligibility. A service with no consent model cannot share citizen data. Coverage drives the work plan for making services fully legible.
Services are classified by source: Full (all artefacts published, ready for agent use), or Catalogue (known to exist on GOV.UK but not yet legible). They are prioritised as demo-critical, transactional, or reference.
Legibility Studio
ExecutiveProduct
A department-facing platform where service owners author, publish, and monitor the legibility artefacts for their services.
Why it matters: Making services legible must be as straightforward as possible for departments. The Legibility Studio provides tools for authoring manifests, defining policy rules, mapping state models, and specifying consent requirements — alongside gap analysis, evidence audit, and the ability to test how agents will experience a service before it goes live.
The studio also gives departments visibility into how their services are actually being used: which personas access which services, how often journeys complete versus hand off, and where the evidence trail shows friction. This closes the loop between publishing and operating legible services.
Persona
ExecutiveProduct
A richly modelled citizen profile representing a real-world life situation — with verified credentials, family relationships, employment history, health conditions, and a specific life event triggering their interaction with government.
Why it matters: Personas are how the system is tested and demonstrated. Each persona exercises a different cross-section of government services, relationships, and edge cases. They prove that the architecture works not just for simple transactions but for the complex, messy reality of citizens' lives — bereavement with overseas property, immigration with language barriers, prison release with housing deadlines.
Eight personas represent the breadth of government interaction:
Sarah Okafor — Bereavement. Executor dealing with death registration, probate, IHT, and notifying multiple departments.
Amina Hassan — Refugee arriving in the UK. Needs NI number, right to work, Universal Credit, GP registration.
Marcus Taylor — Prison leaver. Universal Credit, approved premises deadline, DBS disclosure, driving licence.
James Whitfield — Child with special needs. EHCP appeals, PIP, tribunal, legal aid.
Daniel Obi — Self-employed. Making Tax Digital, Self Assessment, VAT registration, tax refunds.
Zara Begum — First-time government user. Student finance, first passport, NINO, provisional licence. Low institutional literacy.
Fatima & Tomasz Nowak — Household with multiple children. EU licence exchange, secondary school transfer, HICBC risk, household UC.
Each persona carries full data across all tiers (verified credentials, submitted data, inferred facts), family relationships, and field source attribution — making them realistic enough to exercise the entire system end-to-end.
Using this glossary
This document defines the target operating model, not a specific technology implementation. The concepts described here represent what government services could look like when they are designed to be consumed by AI agents acting on behalf of citizens.
Interface examples are drawn from working prototypes that illustrate each concept in practice. They demonstrate the citizen experience and administrative tools that emerge from these concepts.
Agentic Legibility Stack · Concept Glossary · March 2026