Subscribe to the Non-Human & AI Identity Journal

Why do customer identities need different controls from workforce identities?

Customer identities behave at much larger scale and under far less organisational context than workforce identities. That changes recovery, assurance, privacy, and user-experience requirements. A control that works for an employee can create abandonment or compliance issues for a customer, so the design must reflect the identity subject and the business outcome.

Why This Matters for Security Teams

Customer identities need a different control model because the identity subject, risk tolerance, and operational context are not the same as for employees. Workforce controls can assume device management, SSO enforcement, HR-driven lifecycle events, and mandatory recovery paths. Customer access, by contrast, must support self-service recovery, lower-friction assurance, and privacy-by-design without creating abandonment. NIST Cybersecurity Framework 2.0 frames this as governance and identity assurance being tied to business outcomes, not one-size-fits-all controls.

For customer-facing systems, a strict workforce-style step-up flow can suppress conversion, while a weak recovery flow can become the easiest takeover path. The control set also has to account for scale: NHI Mgmt Group notes that NHIs outnumber human identities by 25x to 50x in modern enterprises, which is a reminder that identity programs fail when they are designed around the smallest, most managed user group. In practice, many security teams discover this only after account recovery abuse, support overload, or fraud losses have already exposed the mismatch.

How It Works in Practice

A practical customer identity design starts by separating assurance policy, recovery policy, and session policy from the controls used for staff. Workforce identities are typically anchored in managed endpoints, directory joins, and role assignment. Customer identities are usually anchored in email, phone, passkeys, federation, or progressive profiling, with assurance based on the transaction being attempted rather than a fixed job role.

That means the control stack should be intent-aware. For low-risk actions, the system may allow lightweight authentication and short sessions. For high-risk actions such as changing payout details, exporting data, or resetting MFA, the system can require stronger proof, step-up verification, or delayed approval. This is consistent with the direction of the NIST Cybersecurity Framework 2.0, which emphasizes adaptive governance and risk-based protection.

Customer identities also need recovery paths that are safe at scale. That usually means:

  • Self-service account recovery with strong anti-enumeration controls
  • Short-lived verification codes or magic links with strict replay resistance
  • Passkeys or phishing-resistant options where the user base can support them
  • Risk-based throttling, fraud checks, and device or session binding for sensitive events
  • Privacy-minimised logging and retention so assurance does not become surveillance

NHIMG guidance on Ultimate Guide to NHIs is relevant here because the same lifecycle discipline applies: define issuance, review, revocation, and visibility for every identity class, even when the control implementation differs. Teams also need to watch for abuse patterns that resemble secrets exposure, as seen in incidents such as the JetBrains GitHub plugin token exposure and the ASP.NET machine keys RCE attack, where overly durable or broadly usable credentials created outsized blast radius. These controls tend to break down when customer recovery is forced through workforce-style help desk processes because the volume, fraud pressure, and privacy requirements are fundamentally different.

Common Variations and Edge Cases

Tighter customer identity controls often increase support cost and friction, so organisations have to balance fraud resistance against conversion, accessibility, and privacy obligations. There is no universal standard for this yet, and best practice is evolving around risk-based orchestration rather than fixed recipes.

Some customer journeys justify stronger controls than others. Banking, health, and payments often need more assurance than media or retail account access. Likewise, a B2B customer portal may sit between workforce and consumer patterns, which can create ambiguity about whether the account should follow customer rules, enterprise federation rules, or a hybrid model. That distinction matters because the wrong recovery path can turn a legitimate user into a fraud case or a compliance issue.

The most common edge case is shared identity behavior across channels. If the same customer can authenticate through web, mobile, and support-assisted flows, the policy has to stay consistent even when the user experience changes. NHIMG research shows that secrets and identity weaknesses often persist because organisations treat each access path as a separate problem instead of one lifecycle. For identity programmes that span customers and partners, the operational answer is to define the subject first, then choose the assurance and recovery controls that fit that subject, not the internal directory model.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AA Customer identity assurance must match business risk and user context.
OWASP Non-Human Identity Top 10 NHI-05 Different identity classes need separate lifecycle and access governance.
NIST SP 800-63 Digital identity guidance supports tailoring assurance to subject and transaction risk.

Map customer flows to the right assurance level and recovery method instead of reusing workforce controls.