Subscribe to the Non-Human & AI Identity Journal

How should organisations improve employee adoption of security controls without creating more friction?

Start by reducing the number of steps employees must remember and the number of tools they must switch between. Identity controls work better when secure actions are embedded in normal workflows, supported by clear prompts, and available through tools people already use. Adoption improves when the secure path is also the easiest path.

Why This Matters for Security Teams

Employee adoption fails when security asks people to slow down, remember extra steps, or leave the tools they already use. That creates workarounds, shadow processes, and inconsistent control use. Security teams need controls that fit the task flow, not controls that interrupt it. NIST SP 800-53 Rev. 5 Security and Privacy Controls emphasizes usable, repeatable safeguards, and NHIMG’s Ultimate Guide to NHIs — Standards shows how governance improves when control design matches operational reality.

For identity-heavy environments, friction is especially dangerous because users will bypass a cumbersome path even when they understand the risk. That is true for employees, and it is even more pronounced when access decisions depend on service accounts, API keys, or delegated workflows. NHIMG research has found that 97% of NHIs carry excessive privileges, which means weak adoption can quickly become a privilege problem, not just a usability problem.

In practice, many security teams encounter control bypass only after productivity pressure has already turned the policy into an exception.

How It Works in Practice

The most effective approach is to make the secure path the default path. That usually means embedding controls into existing business tools, reducing the number of decisions a user must make, and automating low-risk approvals. Instead of sending employees to a separate portal for every check, teams should use conditional access, SSO, phishing-resistant MFA, and workflow-integrated approvals where the task begins.

Operationally, this works best when controls are designed around the user journey:

  • Place prompts at the moment of risk, not after the action is already underway.
  • Use policy-based decisions so employees are not forced to interpret security rules manually.
  • Minimise repeated authentication for low-risk actions, while stepping up verification when context changes.
  • Provide clear feedback so users understand why a control appeared and what to do next.
  • Measure adoption, override rates, and helpdesk volume as control health signals.

From an implementation standpoint, NIST SP 800-53 Rev. 5 supports this by linking access enforcement, auditability, and configuration management to measurable outcomes. For identity and access workflows, that means aligning approval paths, session controls, and logging with real user tasks rather than layering security on top as a separate process. NHIMG’s Ultimate Guide to NHIs — Standards is also relevant here because the same design principle applies to non-human access: fewer secrets, fewer handoffs, and fewer manual exceptions.

Teams should treat adoption as a control objective, not a communications problem. If a safeguard only works when users remember to comply, it will fail under workload pressure, during incident response, or when staff change roles. These controls tend to break down when organisations bolt them onto legacy systems that cannot pass context cleanly between identity, endpoint, and workflow platforms because the user is forced into duplicate authentication and manual copy-paste steps.

Common Variations and Edge Cases

Tighter control design often increases implementation effort at first, requiring organisations to balance user convenience against governance, auditability, and risk reduction. That tradeoff is real, especially where regulated workflows, privileged actions, or cross-domain approvals are involved.

Current guidance suggests there is no universal standard for how much friction is acceptable. High-risk operations may justify step-up verification, while routine low-risk work should remain as frictionless as possible. The right balance also varies by workforce type: frontline staff, contractors, developers, and administrators have different tolerance for interruptions and different exposure levels.

Edge cases often appear in environments with legacy applications, shared workstations, or fragmented identity stacks. In those settings, the practical answer is not more reminders, but better integration. Where possible, use policy engines, centralized logging, and consistent identity signals so the same control logic applies across SaaS, on-premises systems, and privileged workflows. For broader governance alignment, NIST SP 800-53 Rev. 5 remains the baseline reference for mapping usability-aware controls to audit requirements, while NHIMG research on NHIs is a reminder that every extra manual step tends to create another place for secrets, exceptions, or over-privilege to accumulate.

For security leaders, the lesson is simple: if the secure option feels like the hard option, adoption will stay low no matter how well the policy is written.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AA-1 Identity proofing and access flow design affect whether users can adopt controls smoothly.
NIST AI RMF Risk governance principles apply to human and agentic workflows that need low-friction controls.

Design access paths so authentication and authorization fit the workflow instead of interrupting it.