Friction becomes a problem when it is applied without context, repeated after a user has already proven trust, or triggered by static thresholds that attackers can learn. At that point it starts blocking legitimate users while still missing adaptive fraud. Teams should judge controls by both fraud reduction and customer drop-off.
Why This Matters for Security Teams
Friction is supposed to slow abuse, not punish normal behaviour. When a control creates repeated interruptions, users learn the path around it, support teams absorb the cost, and security loses signal because every challenge starts to look routine. That is especially true when access decisions are based on static thresholds rather than risk context, device posture, or transaction sensitivity. Current guidance in NIST Cybersecurity Framework 2.0 treats governance, identity, and continuous improvement as linked outcomes, not separate problems.
This matters just as much in identity-heavy environments. NHI Management Group has shown that service accounts and other NHIs are often over-privileged and poorly governed, which means teams frequently add friction in the wrong place while leaving high-value pathways weakly protected. The result is a poor tradeoff: more resistance for legitimate users, less resistance for attackers who know how to work around static controls. In practice, many security teams encounter control fatigue only after users have already adopted workarounds or attackers have already mapped the thresholds.
How It Works in Practice
The difference between useful friction and harmful friction is whether the control adapts to context. A login challenge, step-up verification, or transaction review is usually defensible when risk increases, but the same intervention becomes a problem when it is repeated after trust has already been established or when it fires on every low-risk action. That is why teams should measure both fraud reduction and operational drop-off, not just the raw number of blocks or prompts.
For identity and access flows, effective design usually combines policy, telemetry, and exception handling. For example, a high-risk API key action may justify stronger approval than a routine read-only request. In NHI environments, the control emphasis should move toward rotation, scoping, and provenance rather than user-style challenges that machines cannot satisfy. NHI Management Group’s Ultimate Guide to NHIs — Standards is useful here because it frames lifecycle governance as a control objective, not an afterthought.
- Use contextual signals such as device trust, geo-risk, session age, and transaction value.
- Escalate only when the change in risk justifies the interruption.
- Track abandonment, help-desk load, and fraud outcomes together.
- Prefer durable controls, such as least privilege and secret rotation, over repeated human checkpoints.
For broader control design, align the operating model with NIST CSF 2.0 and use feedback from detection and response to tune the threshold. This is where many programmes struggle: they hard-code friction into authentication, but do not continuously adjust it as attacker behaviour, user populations, and business processes change. These controls tend to break down when machine identities, legacy workflows, and customer journeys all share the same approval path because one-size-fits-all friction blocks legitimate automation while attackers shift to the least resistant channel.
Common Variations and Edge Cases
Tighter friction often increases operational overhead, requiring organisations to balance fraud suppression against conversion, productivity, and support cost. There is no universal standard for this yet, especially in mixed human and non-human environments where the same workflow serves staff, partners, and automations.
One common edge case is “security theatre” friction: controls that feel strict but are easy to predict or bypass. Another is over-rotation into convenience, where teams remove too much friction and leave high-risk actions under-protected. Best practice is evolving toward risk-based journeys that preserve user experience for low-risk activity while concentrating resistance around sensitive actions, credential changes, and anomalous behaviour. That approach is more defensible than blanket prompts and more effective than static thresholds.
For NHI and agentic workflows, the answer is not to add more human friction. The better pattern is to secure the identity itself by narrowing privileges, isolating secrets, and validating provenance. NHIs are disproportionately exposed in real environments, and NHI Management Group’s research on TruffleNet BEC Attack — Stolen AWS Credentials illustrates how stolen credentials can bypass controls that were designed for human behaviour. In other words, friction becomes a security problem when it is used as a substitute for trust architecture.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Control outcomes should be tied to business context and user impact. |
| NIST SP 800-63 | AAL | Assurance levels determine when step-up friction is justified. |
| NIST Zero Trust (SP 800-207) | SC-2 | Zero trust reduces reliance on static friction by re-evaluating access continuously. |
| OWASP Non-Human Identity Top 10 | Poorly tuned friction often hides weak NHI lifecycle governance. | |
| OWASP Agentic AI Top 10 | Agentic workflows need context-aware guardrails, not blanket prompts. |
Define acceptable friction by business risk and measure security value against operational cost.
Related resources from NHI Mgmt Group
- When does authentication friction become a security problem?
- Why does scraping become a governance problem instead of just a web security issue?
- When does biometric authentication become a governance problem instead of just an access control choice?
- When do AI-assisted automation mistakes become an access control problem?