If all control keys are lost:

1. User (or guardian) triggers recovery flow using the recovery scheme:
   • guardian signatures
   • hardware fallback device
   • multi-party recovery protocol
2. A new control key (or set of keys) is issued.
3. Policies are updated to reflect new control + possibly new recovery scheme.
4. A new state_commitment is computed and published.

At no point is a new identity created; we simply move to a new state.