A practical guide for product managers and service owners — from understanding the citizen journey to authoring the artefacts that make your services work through AI agents.
For concept definitions, see the Concept Glossary. For the executive overview, see the Executive Briefing. This document describes the target operating model — how government services should be structured for agent consumption.
The four structured documents that make a service machine-readable. This is the core of what your department will author.
Every transactional government service publishes four artefacts. Together, they form a complete contract between your department and any authorised agent. The agent reads these artefacts, not web pages. It evaluates eligibility from your policy, follows transitions from your state model, requests consent as specified in your consent model, and presents your service to the citizen using metadata from your manifest.
The service's identity card. Who runs it, what it does, what it costs, how long it takes, and where to complain.
"This service exists, here is what it needs, here is what it returns, here is who to contact if something goes wrong."
Machine-evaluable eligibility rules. Each rule is a condition on a data field with a pass/fail outcome and a human-readable reason.
"You are eligible because you meet all conditions. Or: you are not eligible because your licence has been revoked."
The valid sequence of states and transitions. Defines the happy path and all branches: rejection, edge cases, handoff.
"You are at step 4 of 8. Next: consent. If consent is denied, the journey ends here."
Named data-sharing grants with purpose, source, duration, and required/optional status. The citizen sees exactly what they are agreeing to.
"DVLA wants to use your passport photo. Source: HMPO. Purpose: new licence photo. Duration: session only."
The manifest is where you start. It is the simplest artefact to author because it describes information your department already knows: the service name (as citizens should see it), the responsible department, the jurisdictions it applies to, what it costs, how long it takes, and the complaint and appeal routes.
What it tells the agent: "This service exists. It belongs to DVLA. It costs £14. It takes 10 working days. It is available in England, Wales, and Scotland. If the citizen wants to complain, here is the URL. If they want to appeal, here is the process. The data controller is DVLA and the lawful basis is public task."
What product teams decide:
{
"name": "Renew Driving Licence",
"department": "DVLA",
"jurisdiction": "England, Wales, Scotland",
"constraints": {
"sla": "10 working days",
"fee": { "amount": 14, "currency": "GBP" },
"availability": "24/7 online"
},
"redress": {
"complaint_url": "https://www.gov.uk/complain-about-dvla",
"appeal_process": "Contact DVLA directly",
"ombudsman": "Parliamentary and Health Service Ombudsman"
},
"audit_requirements": {
"retention_period": "7 years",
"data_controller": "DVLA",
"lawful_basis": "Public task"
}
}
The policy ruleset is a list of conditions that must all pass for a citizen to be eligible. Each rule operates on a single data field using a simple operator: >=, <=, ==, !=, exists, or in. If a rule fails, the agent shows the citizen the reason_if_failed message — in plain English, written by your team.
What it tells the agent: "Evaluate these rules against the citizen's data. If all pass, proceed. If one fails, explain why and, where possible, redirect to an alternative service."
Two powerful fields make policies more than just gatekeepers:
alternative_service — When a rule fails, point the citizen to the right place. "You need an existing licence to renew" becomes actionable: "Would you like to apply for a provisional licence instead?"triggers_handoff — Some failures are too complex for automated handling. A revoked licence requires human review. The handoff flag routes the citizen to a caseworker with full context.Edge cases are named situations that do not fit the standard flow. They have detection criteria and defined actions. Your team decides what counts as an edge case. A common pattern: "If the applicant is over 70, the renewal is free but requires a medical self-declaration." This is not a rejection — it is an alternative path.
{
"rules": [
{
"id": "age-minimum",
"description": "Applicant must be at least 16",
"condition": { "field": "age", "operator": ">=", "value": 16 },
"reason_if_failed": "You must be at least 16 to hold a driving licence"
},
{
"id": "has-licence",
"condition": { "field": "driving_licence_number", "operator": "exists" },
"reason_if_failed": "You need an existing licence to renew.",
"alternative_service": "dvla.apply-provisional-licence"
},
{
"id": "not-revoked",
"condition": { "field": "licence_status", "operator": "!=", "value": "revoked" },
"reason_if_failed": "Your licence has been revoked.",
"triggers_handoff": true
}
],
"edge_cases": [
{
"id": "medical-condition",
"detection": "medical_conditions",
"action": "Route to medical assessment. DVLA form C1 required."
},
{
"id": "over-70",
"detection": "over_70",
"action": "Over-70 renewal is free but requires medical self-declaration."
}
]
}
alternative_service and triggers_handoff fields. Policies do not just say no — they redirect the citizen to the right place. A good policy ruleset means no citizen ever hits a dead end. They either proceed, get redirected to an appropriate service, or are connected to a human who can help.
The state model defines the valid sequence of states and transitions for a service interaction. It is a directed graph with a single entry point (not-started) and one or more terminal states (completed, rejected, handed-off). Every state has a type: initial, intermediate, or terminal. Every transition has a from state, a to state, a trigger, and an optional condition.
What it tells the agent: "The citizen is currently at state X. The valid next states are Y and Z. To reach Y, the trigger 'consent granted' must fire. To reach Z, the trigger 'consent denied' must fire. There are no other options."
What product teams decide: The states, the order, and the branching logic. Start with the happy path. Then ask: what if they are not eligible? What if there is a medical complication? What if they refuse consent? Each of these becomes a branch in the state model.
The state model is enforced deterministically. The agent cannot advance to "payment-made" unless "photo-submitted" has been reached. It cannot reach "completed" without "application-submitted". This is the guarantee that the system is auditable: every journey follows the published state model, and every transition is logged as a trace event.
The consent model defines every data-sharing grant the service requires. Each grant has: an ID, a description (shown to the citizen), the specific fields being shared, the source of those fields, the purpose of the sharing, the duration, and whether it is required or optional.
What it tells the agent: "Before proceeding, you must obtain consent for these specific data-sharing grants. Show each grant to the citizen with its purpose and source. Required grants cannot be skipped. Optional grants can be declined without blocking the journey."
What product teams decide:
{
"grants": [
{
"id": "identity-verification",
"description": "Verify your identity using GOV.UK One Login",
"data_shared": ["full_name", "date_of_birth", "national_insurance_number"],
"source": "one-login",
"purpose": "To confirm you are who you say you are",
"duration": "session",
"required": true
},
{
"id": "photo-sharing",
"description": "Share your passport photo with DVLA",
"data_shared": ["passport_photo"],
"source": "hmpo-passport-office",
"purpose": "DVLA will use your most recent passport photo for the new licence",
"required": true
}
],
"revocation": {
"mechanism": "Contact DVLA or revoke through your GOV.UK account",
"effect": "Application will be cancelled if consent is revoked before completion"
}
}
How the four artefacts work together for one complete service, step by step. Each step shows which artefact is active and whether the action is deterministic, requires citizen interaction, or calls a department API.
The worked example above is the happy path. Here is what happens when things deviate:
Scenario: licence is revoked. At step 3, the policy evaluation fails on the "not-revoked" rule. The triggers_handoff flag is set. The agent explains: "I cannot process a renewal because your licence has been revoked. I am connecting you to DVLA's licensing team who can explain your options." The state machine transitions directly to handed-off. The handoff package includes all data collected so far.
Scenario: citizen is over 70. At step 3, the edge case "over-70" is detected. The agent explains: "Because you are over 70, your renewal is free but you will need to complete a medical self-declaration." The journey continues with a modified flow: the payment step is skipped (fee is £0) and an additional state is inserted for the medical declaration form.
Scenario: citizen refuses consent. At step 5, the citizen declines the identity verification consent grant. Because it is marked as required: true, the journey cannot continue. The agent explains: "I understand. Unfortunately, DVLA requires identity verification to process a renewal. Without it, I cannot proceed with this application. Would you prefer to renew by post instead?" The state machine transitions to withdrawn.
Scenario: DVLA API is unavailable. At step 9, the submission to DVLA fails due to a system outage. The agent explains: "DVLA's systems are currently unavailable. Your application has been saved and I will attempt to submit it again automatically. You do not need to re-enter any information." The case is held in application-pending state and retried.
Each of these scenarios is handled by the artefacts you publish. The policy catches the revocation. The edge case handles the over-70 rule. The consent model defines what is required. The manifest specifies retry and fallback behaviour. The better your artefacts, the fewer citizens end up in unexpected situations.
The single most important architectural idea in the system. The language model generates conversation; deterministic code makes every decision that matters.
Using a language model in government creates an obvious question: how do you prevent it from making mistakes that affect people's lives? The answer is the deterministic boundary — a strict separation between what the language model does and what code does.
Every interaction follows a pipeline where the language model and deterministic code have clearly separated responsibilities.
The orange boxes are where the language model operates: understanding what the citizen said, and composing a natural-language response. The green boxes are where deterministic code operates: checking eligibility, moving through the state model, enforcing consent, and submitting data. The language model is sandboxed — it can generate conversational text, but all actions (state changes, data sharing, API calls) are mediated by the deterministic runtime.
If the model suggests something that contradicts the artefacts, the runtime blocks it. If the model tries to skip a state, the state machine rejects the transition. If it tries to submit data without consent, the consent manager blocks it. If it generates an eligibility assessment that differs from the policy evaluation, the deterministic result takes precedence. The model is a communicator, not a decision-maker.
How citizen data is structured, sourced, and trusted. The three-tier model ensures every field carries provenance and every form is as short as possible.
Data from authoritative sources: GOV.UK One Login, HMPO, DVLA, HMRC. Read-only in forms. Displayed with a green checkmark and "Verified" badge. The citizen can see the value but cannot change it. The department receiving the data can trust it completely.
Data the citizen has entered in previous interactions. Pre-filled as suggestions in new forms. Editable — the citizen can update it. Examples: phone number, email, employer details, bank account. Reliable but not verified by a government source.
Information the agent has derived from conversation context. Flagged clearly: "Based on what you have told me, I believe you are self-employed." Never submitted to a department without explicit citizen confirmation. Lowest trust level.
Every data field carries metadata: which department or system it came from, which topic it belongs to (identity, financial, medical, legal), and which tier it falls into. This enables transparency statements like "Your National Insurance number comes from HMRC" and audit trails that show exactly where each piece of data in a submission originated.
When a card is shown, the system follows a strict precedence order:
The result: most forms arrive with the majority of fields already completed. The citizen reviews and confirms rather than typing everything from scratch. For a bereavement scenario where the citizen is completing six services across four departments, this pre-fill logic can reduce total data entry by 80% or more.
Wallet credentials are government-issued digital documents held in the citizen's GOV.UK Wallet: driving licence, passport, veteran status card, disability badge. These are the highest-trust data source. When a service needs to verify that someone holds a driving licence, the wallet credential provides cryptographic proof without exposing unnecessary personal data. The credential confirms the fact ("this person has a valid driving licence") without necessarily sharing all the associated data.
For service designers, wallet credentials simplify the data model. Instead of asking citizens to type in their driving licence number and then verifying it against DVLA systems, the agent can request a credential presentation. The citizen approves the share, the credential is verified, and the relevant fields are populated automatically.
How services relate to each other, how citizens discover them, and how the agent builds cross-departmental plans.
Citizens do not think in terms of departments or service names. They think in terms of life events: "my mother has died", "I am having a baby", "I am leaving the army." The service graph maps 16 life events to the government services relevant to each. When the agent identifies a life event during triage, it looks up all associated services and builds a plan.
The mapped life events include: bereavement, having a baby, moving house, starting a business, retiring, becoming a carer, leaving prison, arriving in the UK, becoming disabled, divorce, starting university, redundancy, turning 16, turning 18, leaving the armed forces, and adopting a child.
Each life event is mapped to between 3 and 15 government services across multiple departments. Bereavement, for example, connects to death registration (GRO), probate (HMCTS), bereavement support payment (DWP), estate notification (HMRC), pension cessation (DWP), council tax adjustment (local authority), and more. The power of the service graph is that a single conversation can identify and sequence all of these, rather than the citizen having to know about each one independently.
For your department: When you publish artefacts for a service, you also specify which life events it belongs to. This is how the graph is built. If your service is relevant to bereavement but you have not tagged it, the agent will not include it in bereavement plans — and citizens will miss it. Life event mapping is as important as the artefacts themselves.
Service A must complete before Service B can start. Example: you need a National Insurance number before you can apply for Universal Credit. The agent enforces this ordering automatically — it will not attempt UC until the NI number is confirmed.
Completing Service A opens eligibility for Service B. Example: once Universal Credit is active, the citizen may be eligible for Carer's Allowance. The agent proactively suggests enabled services when the triggering service completes.
Each service in the graph carries proactivity metadata that tells the agent how to present it:
suggest (optional, citizen might benefit), warn (important, citizen should know), inform (for awareness, no action needed).When persona data shows a service is clearly irrelevant, it is removed from the plan with a human-readable reason. Example: "Council Tax Reduction has been removed from your plan because you do not pay Council Tax (your property is in a council-tax-exempt category)." The citizen can see what was skipped and why. Nothing is hidden.
The system supports both conservative and expansive approaches to service discovery. A conservative strategy includes only services where the citizen clearly meets the eligibility criteria based on known data. An expansive strategy includes services where the citizen might be eligible, prompting them with questions to determine relevance. Departments can specify which approach suits their service: benefits that citizens commonly miss may warrant an expansive strategy, while services with strict prerequisites may work better with a conservative approach.
Services are classified by type, which affects how the agent presents them and what artefact complexity to expect:
The evidence plane. Every action is recorded. Every decision is traceable. Every citizen gets a receipt.
Every action the system takes is recorded as a structured trace event. This is not logging in the traditional IT sense — it is a formal evidence record designed for audit, complaint investigation, and ombudsman review. Trace event types include:
Each event carries: traceId (the overall journey), spanId (this specific action), sessionId (the conversation), userId (the citizen), a timestamp, and structured metadata specific to the event type. Events are append-only — they cannot be modified or deleted.
Receipts are the citizen-facing layer of the evidence plane. After every significant action, the citizen receives a receipt showing: what was done, the outcome, what data was shared, the timestamp, and a unique receipt ID. Receipts are permanent and accessible from the citizen's GOV.UK account at any time.
Every in-flight service interaction is tracked as a case. The case records the current state, the full state history, the data collected so far, and the progress percentage. This enables statements like "Your Universal Credit claim is at step 4 of 6" and allows the citizen to return to a partially completed journey later.
The trace event history enables full replay of any past interaction, event by event. An investigator can reconstruct the exact state of the system at any point: what data was available, what the policy evaluation returned, what the agent said, and what the citizen chose. This is designed for complaints, ombudsman investigations, and departmental audits. It answers the question: "What happened, why, and on whose authority?"
Replay is not just a technical debugging tool. It is the primary accountability mechanism for the entire system. Consider a scenario: a citizen applies for Universal Credit, is assessed as ineligible, and complains. With replay, the investigating officer can:
This level of auditability is not possible with today's government services, where decisions are often made by caseworkers following guidance documents with no structured record of the reasoning process. The evidence plane makes every interaction reproducible.
When the agent stops and hands to a human. Designed to ensure no citizen is left stranded and no vulnerable person falls through the cracks.
The agent escalates to a human when any of the following conditions are met:
triggers_handoff: true.When the agent escalates, it does not simply transfer the citizen to a phone queue. It sends a structured handoff package containing everything the human agent needs:
The human agent can pick up exactly where the automated agent left off. The citizen does not have to repeat their story or re-enter their data.
Your state model should include handed-off as a terminal state, reachable from any state where automated processing might fail. For each transition to handed-off, specify the trigger condition in plain language. Examples:
The handoff destination (phone number, email, team name, opening hours) is specified in the manifest under the handoff field. Ensure this information is kept current. A handoff to a phone line that has been decommissioned is worse than no handoff at all.
For your department: Review your current phone and email escalation paths. Which ones should the agent be able to route citizens to? Ensure each has a clear name, contact details, and hours of operation in your manifest. If your department has specialist teams (medical assessments, complex cases, fraud), these should be separate handoff destinations with appropriate routing conditions.
The three interaction primitives. Everything the citizen sees is built from these.
The conversational surface. Everything happens here. The citizen types (or speaks), the agent responds. Cards and tasks appear inline within the conversation — they are not separate screens or modals. This means the citizen never loses context. They can see the conversation that led to each card, and they can ask questions about what they are being shown.
The agent's conversational ability comes from a language model, but it is constrained by the service artefacts. The agent can rephrase, explain, and empathise, but it cannot make policy decisions or alter the data requirements. Chat is the how; artefacts are the what.
A task is a unit of delegated work. It represents something that needs to happen for a service journey to advance. There are two types:
Agent tasks are actions the agent will take on the citizen's behalf, with their explicit consent. Examples: "Submit your Universal Credit claim to DWP", "Share your passport photo with DVLA", "Notify HMRC of the death". The citizen sees what the agent will do and approves it before it happens.
Citizen tasks are decisions only the citizen can make. Examples: "Which bank account should we use for payments?", "Which child is this claim for?", "Do you want to use your existing passport photo or upload a new one?". The agent cannot answer these — it must ask.
Tasks have lifecycle states: proposed (agent suggests), accepted (citizen agrees), in progress (being executed), completed (done, with receipt), and blocked (dependency not met). Before any submission, all tasks are displayed in a confirmation summary so the citizen can review everything at once.
A card is a structured data surface that appears inline in the chat. It replaces the traditional form page. Cards are how the system collects information, displays verification status, and handles payments. There are several card types:
Generic form card — Labelled fields with validation rules. Supports text, select, date, and number inputs. Fields can be pre-filled from persona data and marked as verified (read-only) or editable.
Payment card — Sort code, account number, amount, and payee. Used for both fees (citizen pays) and benefits (citizen receives).
Document upload card — For evidence that cannot be sourced from credentials. Medical certificates, tenancy agreements, court orders.
Bank selector card — Choose from connected accounts. Displays partial account numbers for identification.
Key feature: verified fields. When a field value comes from a Tier 1 source (see section 4), it is displayed as read-only with a "Verified" badge. The citizen can see the value but cannot change it. This prevents accidental errors and provides assurance to the department receiving the data. The source of every field is traceable.
Conditional fields: Cards support conditional visibility rules. A field like "Expected due date" only appears if the citizen has indicated they are pregnant. This keeps forms short and relevant, just as a good caseworker would only ask questions that apply to the situation.
Card resolution: The system decides which card type to show based on the current state in the service's state model and the data requirements defined in the consent model. Service designers do not need to build cards — they define the data fields and the system renders the appropriate card.
How citizens experience government through an AI agent. Two modes, one continuous conversation.
When a citizen opens the GOV.UK app and speaks to their agent, the conversation operates in one of two modes. Understanding these modes is useful context for designing services that work within the agentic model.
An open-ended conversation where the citizen describes their situation in their own words. The agent identifies the life event (bereavement, having a baby, starting a business), proposes relevant services across all departments, and builds an ordered plan with dependencies. No single service context — the whole of government is in scope.
Focused on completing one service. The agent collects data using structured cards, obtains consent with named grants, advances through the service's state model with deterministic progression, and delivers a concrete outcome with a receipt. Every step is auditable.
The two modes switch naturally. Triage proposes a plan; the citizen accepts it; journey mode begins for the first service. When that journey completes, the agent returns to the plan and moves to the next service. If the citizen mentions something unexpected mid-journey ("actually, I also need to update my address"), the agent can briefly re-enter triage mode before resuming.
Why this matters for service design: Your service does not control when or how a citizen arrives. They may come via a life-event triage ("my mother has died") or directly ("I need to renew my driving licence"). Your artefacts must support both paths. The manifest tells the agent what your service does; the policy tells it who is eligible; the state model tells it what steps to follow. The agent handles the conversation around these structures.
How the system handles one person acting on behalf of another. A large proportion of government interactions involve someone acting for someone else — this is not an edge case, it is the norm.
A parent applying for Child Benefit for their newborn. An adult child helping their elderly mother with Attendance Allowance. An executor notifying HMRC about a deceased person's estate. A carer managing a disabled person's PIP renewal. A solicitor submitting a probate application on behalf of beneficiaries. These are not unusual situations — they represent a significant proportion of all government service interactions. The system must be multi-player from the start.
The delegation model recognises several relationship types, each with different default permissions and verification requirements:
Full authority over the child's government interactions. Can submit applications, manage consent, make payments, and receive notifications. The child cannot override until they turn 16, at which point permissions transition gradually.
Legal authority over a deceased person's affairs. Can view data, submit applications (probate, estate notification), make payments, and correspond with departments. Permissions are fixed by the grant of probate or letters of administration.
Limited delegated authority over a cared-for person's services. Default permissions are view-only with notifications. The cared-for person controls which additional permissions to grant, such as submitting forms or managing consent.
Specific legal delegation defined by the LPA document. Permissions match the scope of the attorney — a property and financial affairs LPA grants different access than a health and welfare LPA. Verified through the Office of the Public Guardian.
Additional relationship types include: spouse or civil partner (mutual visibility by default, each partner controls independently), cohabiting partner (no default permissions, explicit grant only), guardian (legal guardian of a child who is not their biological parent), adult child of elderly parent (no default permissions, parent controls what to delegate), and professional representative (solicitor or advice worker acting under formal instruction).
Each delegation relationship carries a set of permission scopes that control what the related person can do:
If your service accepts applications from people acting on behalf of others (and most do), your artefacts should account for delegation. This means:
Eight personas that exercise different cross-sections of services, relationships, and edge cases. Use them to test your artefacts.
Each persona represents a real pattern of need. They are designed to stress-test the system across departmental boundaries, surface edge cases, and ensure no common citizen journey is broken. When you author artefacts for your department, pick the personas whose life events touch your services and walk through the journey end to end.
| Persona | Life Event | Key Services | Edge Cases |
|---|---|---|---|
| Sarah Okafor | Bereavement | GRO death registration, HMCTS probate, DWP bereavement benefits, HMRC estate notification | IHT threshold, executor duties, joint accounts |
| Amina Hassan | Refugee / immigration | NI number application, UC, GP registration, ESOL enrolment | Language barriers, right to work verification, biometric residence permit |
| Marcus Taylor | Prison leaver | UC, approved premises, DBS check, bank account opening | Housing deadline (28 days), disclosure requirements, licence conditions |
| Priya Anand | Growing family | Childcare (Tax-Free), free school meals, child benefit, maternity allowance | Maternity pay vs allowance, UC childcare element, partner income |
| James Whitfield | Special needs child | EHCP application, PIP (child), tribunal appeal, Disability Living Allowance | Appeals process, legal aid eligibility, multiple assessments |
| Daniel Obi | Self-employed | Making Tax Digital, Self Assessment, VAT registration, state pension forecast | Tax refund claims, invoice requirements, MTD-compatible software |
| Zara Begum | First-time adult | Student finance, NI number, first passport, voter registration | Low institutional literacy, no prior interaction history, guardianship transition |
| Fatima & Tomasz Nowak | Family household | EU licence exchange, school transfer, UC, child benefit (HICBC) | High Income Child Benefit Charge, multi-child claims, cross-country transitions |
Sarah Okafor exercises the most complex cross-departmental journey: bereavement. Four departments, strict sequencing (death must be registered before probate can begin), and the emotional sensitivity of a citizen dealing with loss while navigating bureaucracy. Tests: multi-department plans, REQUIRES edges, handoff for IHT complexity, delegation (executor acting on behalf of the deceased's estate).
Amina Hassan exercises the immigration and settlement pathway. Tests: language accessibility, right-to-work verification, the NI number as a prerequisite for everything else, and how the system handles a citizen with very little existing data (no Tier 1 credentials initially).
Marcus Taylor exercises time-critical services with legal constraints. Tests: the 28-day housing deadline after release, DBS disclosure complexity, how the system handles a citizen who may have limited digital access and needs frequent handoffs.
Priya Anand exercises the parenting services cluster. Tests: ENABLES edges (child benefit enables tax-free childcare), the maternity pay/allowance distinction (edge case in DWP policy), and UC interactions with other benefits.
James Whitfield exercises the special educational needs and disability pathway. Tests: the EHCP tribunal process (legal_process service type), appeals, PIP assessment edge cases, and how the system handles services where outcomes are uncertain and timescales are long.
Daniel Obi exercises HMRC self-employment services. Tests: Making Tax Digital obligations, quarterly reporting cycles, VAT threshold edge cases, and how the system presents obligations (things you must do) differently from benefits (things you can claim).
Zara Begum exercises first-time interactions. Tests: how the system handles a citizen with no existing government data, no prior service history, and potentially low confidence in dealing with official processes. Everything must be clear, nothing assumed.
Fatima & Tomasz Nowak exercise the household model. Tests: delegation between family members, EU licence exchange (DVLA), the High Income Child Benefit Charge (a cross between HMRC and DWP), and how the system handles multiple children with different service needs.
You should create personas specific to your department's services. A good persona includes:
The practical "what to do" section. Eight steps from identifying your services to publishing artefacts.
Start with the GOV.UK service register. How many transactional services does your department run? Which are citizen-facing? Which have the highest volume? List them. You likely have between 10 and 200. Not all need artefacts immediately — but you need the complete list to prioritise.
Start with services that appear in the most life events. A service like "Apply for a National Insurance Number" touches immigration, turning 16, bereavement, and more. Use the Legibility Studio's gap analysis dashboard to see which of your services are most requested and least covered.
Start here. Name, department, jurisdiction, input/output schemas, fees, SLA, redress routes. This is information you already have — it is in your service standard documentation, your performance dashboards, and your complaints procedure. It takes an afternoon.
Write eligibility rules as conditions. For each rule, think about: what data field does it check? What operator? What value? What should the citizen see if they fail? Where should they be redirected? Your policy team already knows these rules — they are in your guidance documents.
Draw the happy path first: what sequence of states does a successful application pass through? Then add branches: what if they are not eligible? What if there is a medical issue? What if they need to be handed off? Each branch needs a terminal state (rejected, handed-off, or withdrawn).
For each data field the service needs: where does it come from? Why do you need it? Is it required or optional? How long do you hold it? Your data protection team already knows the answers — this is often the quickest artefact to author because the DPIA has already been done.
Pick 2–3 personas whose life events touch your service. Walk through the journey step by step. Does the policy catch the edge cases? Does the state model allow the right transitions? Does the consent model cover all the data fields? Where are the gaps?
Submit your artefacts to the Legibility Studio. Review them in the gap analysis dashboard. Test them with agents. Iterate. Artefacts are versioned — you can update them as your service evolves, as edge cases are discovered, and as policy changes.
The Legibility Studio is the administrative dashboard where departments author, review, and publish their artefacts. It provides:
Authoring artefacts is a cross-functional activity. Here is who typically owns each piece:
The first service typically takes the longest as the team learns the artefact format. The second service is significantly faster. By the third, most teams have established a pattern and can author a complete set of artefacts in under a week.
"What if our service has different rules in Scotland?" Create separate artefacts. A single manifest can specify jurisdiction, but if the policy rules or state model differ materially between jurisdictions, separate artefact sets are clearer and less error-prone. The service graph handles routing citizens to the correct jurisdiction automatically based on their address.
"What if our eligibility rules change frequently?" Artefacts are versioned. When your policy changes, publish a new version of the policy ruleset. The system handles the transition: in-flight journeys complete under the rules they started with; new journeys use the updated rules. The version history is visible in the Legibility Studio.
"What about services that require third-party verification?" If your service needs to verify information with an external party (e.g. employer confirmation for statutory sick pay), model this as a state in the state model with an appropriate waiting state. The agent can explain to the citizen: "Your employer needs to confirm your employment dates. This usually takes 2–3 working days."
"How do we handle services that are partly automated and partly manual?" The state model can include states where the department processes something offline. The citizen sees "Application submitted — awaiting department review" and receives a notification when the next transition happens. The agent does not need to automate every step internally; it needs to know the citizen-facing sequence.
Every service you make legible is one less phone call for a citizen in crisis. One less form filled in for the twelfth time. One less deadline missed because nobody told them it existed.