Maybe what you want is that any user can generate a fresh seed (that derives privkey/pubkey pairs so that only the user knows the privkeys), where the master pubkey and master chaincode (that are derived from the seed that he generated) must be signed by this organization before this "user account" becomes valid on this network? This implies that new users are at the mercy of this organization, e.g., this organization may refuse to sign a new account unless it receives a bribe on the side. Also, if the signing key of this organization is compromised then all bets are off.
Agree with your initial observvation. You idea sounds fantastic. If I understand correctly, the governing organization would just know the master PUBLIC key and link that to the identify. Perfect.
Perhaps you could explain a bit how the signing by the governing org of the pubkey and chaincode would validate it and the lack of the signing would prohibit use? is this just something that the protocol would need to be coded to support? and can I have more than one of the govening orgs?