Workflow friction is the operational resistance created when security controls interrupt normal work. In identity programmes, it often appears as repeated prompts, logout failures, password resets, or exception requests, and it can drive users toward insecure shortcuts if the design is not practical.
Expanded Definition
Workflow friction is the operational resistance created when security controls interrupt normal work. In identity and access programmes, it sits at the boundary between protection and usability: too little friction can normalise unsafe behaviour, while too much friction drives users to bypass controls, delay tasks, or request exceptions.
In NHI and agentic AI environments, workflow friction can appear when service accounts fail during automation, when a pipeline requires repeated approval for routine secret rotation, or when operators face cumbersome recovery steps after a token expires. The concept is related to user experience, but it is not simply about convenience. It is about whether security controls are aligned with how work actually happens. That distinction matters in standards-oriented governance such as the NIST Cybersecurity Framework 2.0, where protection outcomes depend on practical adoption as much as policy design.
Vendors define the term inconsistently, sometimes using it to justify stronger controls and sometimes lighter ones, so NHI Management Group treats it as an operational signal rather than a reason to weaken security by default. The most common misapplication is assuming that all friction is harmful, which happens when teams overlook the security value of deliberate checkpoints in high-risk identity workflows.
Examples and Use Cases
Implementing security controls rigorously often introduces latency and exception handling, requiring organisations to weigh stronger assurance against the cost of interrupted execution.
- A deployment pipeline blocks release because a workload secret has expired and the rotation process requires manual approval at each environment boundary.
- An AI agent loses access mid-task because token lifetimes are shorter than the job duration, causing retries, failed jobs, and informal workarounds.
- A service account owner must file repeated exceptions because access reviews are not aligned to the actual cadence of the application lifecycle.
- Operators copy credentials into temporary files during incident response because the approved recovery path is slower than the operational deadline.
- Security teams reduce login prompts for humans without considering NHI workflows, then discover that overly rigid controls on machine identities are causing shadow automation.
These patterns are visible in broader NHI governance discussions in the Ultimate Guide to NHIs, which emphasises lifecycle control, visibility, and rotation as practical security measures rather than abstract policy goals. They also align with the NIST view that controls should support reliable, measurable security outcomes, not merely add process steps. For implementation guidance, the issue often shows up in systems that use OAuth, API keys, or service tokens where operational timing and policy timing are not the same.
Why It Matters in NHI Security
Workflow friction becomes a security issue when users and operators start optimising around the control instead of through it. In NHI security, that often means secrets are copied into code, rotation is postponed, or exception requests become a standing operating model. NHI Management Group notes that 79% of organisations have experienced secrets leaks, and 77% of those incidents caused tangible damage, which shows how quickly convenience-driven workarounds can become real exposure. The same research also reports that only 20% of organisations have formal processes for offboarding and revoking API keys, a gap that is often widened when the authorised path feels too slow for day-to-day operations.
For governance teams, the key question is not whether friction exists, but whether it is intentional, proportionate, and tied to risk. The Ultimate Guide to NHIs frames that balance around lifecycle discipline, while the NIST Cybersecurity Framework 2.0 reinforces that security must be operationally achievable to be effective. Organisational failures around workflow friction often become visible only after a pipeline outage, an access review backlog, or a secrets incident, at which point the friction itself has become part of the incident response problem.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA | Identity access controls must be usable enough to be consistently followed. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Poor NHI workflow design often causes unsafe secret handling and privilege workarounds. |
| NIST AI RMF | | AI risk management includes human factors and operational usability in control design. |
Tune identity controls so authorised workflows remain secure, reliable, and repeatable under normal operations.