By NHI Mgmt Group Editorial Team
Published 2025-10-28
Domain: Governance & Risk
Source: Imprivata

TL;DR: Security and usability can be aligned by making identity the control plane, extending zero trust to vendors, adopting passwordless authentication, tightening shared-device access, and using access analytics and training to reduce workarounds, according to Imprivata. The practical lesson is that identity controls fail when they create friction that users route around.


At a glance

What this is: This is an identity-first security perspective on balancing protection and usability, with identity positioned as the control plane for access, shared devices, vendor access, and workforce workflows.

Why it matters: It matters because IAM, NHI, and human identity programmes all fail when security policy is easy to bypass, hard to use, or inconsistent across users, devices, and third parties.

👉 Read Imprivata's guidance on identity, usability, and Cybersecurity Awareness Month


Context

Identity becomes the control plane when access decisions, device trust, and application permissions are enforced through one policy layer instead of scattered checks. The article argues that organisations can improve security without adding user friction if the secure workflow is also the easy workflow, especially where vendors, shared devices, and frontline access are involved.

This is a human IAM and lifecycle governance topic first, but it has clear spillover into NHI and third-party access because the same governance weakness appears whenever identity controls are allowed to drift from daily operations. In practice, teams are not only managing authentication methods; they are deciding whether users will comply with policy or work around it.


Key questions

Q: How should organisations balance security and usability in identity controls?

A: They should design identity controls so the secure path is also the easiest path to complete work. That means centralising policy, reducing unnecessary authentication friction, and using risk-based checks only where they change the decision. When users can complete tasks quickly and safely, compliance improves and workarounds decline.

Q: Why do passwordless and zero trust programmes fail in practice?

A: They fail when they are introduced as extra steps rather than integrated into existing workflows. If passwordless sign-in, device trust, and access policy do not fit frontline operations, users create exceptions, reuse sessions, or rely on informal shortcuts. The programme then protects the policy document more than the business process.

Q: How do security teams know if identity friction is becoming a risk?

A: They should watch login duration, failed authentication, device utilisation, and the volume of manual exceptions. Rising friction metrics often indicate that users are working around controls or abandoning secure workflows. That is an early signal that the access design is misaligned with how people actually work.

Q: Who is accountable for securing vendor and contractor access?

A: The owning identity and access team is accountable for making third-party access follow the same policy, monitoring, and lifecycle discipline as employee access. Security, operations, and business owners all share execution responsibility, but accountability cannot be delegated away when vendors or contractors touch critical systems.


Technical breakdown

Identity as the access control plane

Treating identity as the control plane means every login, device, and application access decision is evaluated against a consistent policy model. That model combines authentication strength, role context, device state, and risk signals so access can be granted, stepped up, or denied without forcing users into separate, manual approval paths. In mature environments, the control plane is what makes zero trust operational rather than aspirational. The important technical point is that policy is not just a gate at sign-in; it is the orchestration layer for ongoing access decisions across sessions and workflows.

Practical implication: consolidate access policy so identity, device trust, and application entitlement are governed through the same control layer.
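The following is an added example, not Imprivata's or any product's code, of what a single policy layer looks like when it is written down as one decision function. It combines the signals the passage names (authentication assurance, role and application context, device state, and a risk score from access analytics) into one allow / step-up / deny result. The same checks run for employees, contractors, and vendors; only the threshold changes for third parties on high-sensitivity systems. The field names, assurance levels mapped to NIST SP 800-63 AALs, thresholds, and the session-age rule for shared devices are all constructed for illustration.

```python
"""Added example: one policy function acting as the identity control plane.
Hypothetical model; field names and thresholds are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # grant only after a stronger or fresher authentication
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    subject: str           # account name
    subject_type: str      # "employee" | "contractor" | "vendor"
    aal: int               # NIST SP 800-63 authenticator assurance level reached (1..3)
    device_managed: bool   # enrolled and compliant
    device_shared: bool    # shared workstation / kiosk
    session_age_s: int     # seconds since the subject last authenticated on this device
    app_sensitivity: str   # "low" | "medium" | "high"
    risk_score: float      # 0.0 normal .. 1.0 anomalous, from ITDR / access analytics


# Constructed policy: minimum AAL per application sensitivity.
REQUIRED_AAL = {"low": 1, "medium": 2, "high": 2}
SHARED_DEVICE_MAX_SESSION_AGE_S = 300   # re-verify on shared devices after 5 minutes
RISK_DENY, RISK_STEP_UP = 0.9, 0.6


def evaluate(req: AccessRequest) -> Tuple[Decision, str]:
    """Single decision path for every identity type; third parties differ only
    in the threshold applied, never in which checks run. Returns (decision, reason)."""
    required = REQUIRED_AAL[req.app_sensitivity]
    if req.subject_type != "employee" and req.app_sensitivity == "high":
        required = 3   # third parties on critical systems: phishing-resistant authentication
    if req.risk_score >= RISK_DENY:
        return Decision.DENY, "risk score above deny threshold"
    if req.app_sensitivity == "high" and not req.device_managed:
        return Decision.DENY, "high-sensitivity application from an unmanaged device"
    if req.aal < required:
        return Decision.STEP_UP, f"AAL{req.aal} below required AAL{required}"
    if req.risk_score >= RISK_STEP_UP:
        return Decision.STEP_UP, "elevated risk score: re-verify"
    # Ongoing decision, not just a sign-in gate: a stale session on a shared
    # device must re-verify before touching anything beyond low sensitivity.
    if (req.device_shared and req.app_sensitivity != "low"
            and req.session_age_s > SHARED_DEVICE_MAX_SESSION_AGE_S):
        return Decision.STEP_UP, "stale session on shared device: re-verify"
    return Decision.ALLOW, "policy satisfied"


if __name__ == "__main__":
    vendor = AccessRequest("v.acme", "vendor", 2, True, False, 60, "high", 0.1)
    print(evaluate(vendor))   # vendor at AAL2 on a high-sensitivity app is stepped up, not denied
```

Because every branch returns a reason string, the same function doubles as the audit record of why an access was stepped up or refused, which is what policy tuning later needs.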

Passwordless authentication and shared workstation access

Passwordless access reduces the repetition, credential fatigue, and phishing exposure that make shared workstations and frontline devices hard to secure. Methods such as FIDO-based authentication, passkeys, badge tap, and facial recognition can reduce logon friction while still preserving assurance, but only if they are integrated with device handling and session cleanup. In shared environments, the technical challenge is not just authenticating the person; it is reliably ending one session before the next begins and clearing residual access artefacts between users.

Practical implication: pair passwordless sign-in with strict session reset and device checkout controls in shared environments.
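As an added example of the session-reset rule the passage describes (this is illustrative code, not Imprivata's or any product's implementation), the hypothetical Workstation below holds at most one active session. A new badge tap always ends the previous session and removes that user's artefacts from the device store before the next session starts, an idle session is locked and cleared on the next interaction, and residual_artefacts() reports anything left on the device that does not belong to the current user. The device id, timestamps, and idle timeout are constructed values.

```python
"""Added example: session hygiene on a shared workstation (hypothetical model)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IDLE_LOCK_SECONDS = 300  # constructed policy value: lock after 5 minutes idle


@dataclass
class Session:
    user: str
    started_at: int        # epoch seconds (constructed timestamps in demo())
    last_activity: int


@dataclass
class Workstation:
    device_id: str
    active: Optional[Session] = None
    # Device-wide store of access artefacts (tokens, cached credentials, mapped
    # drives, open application contexts) keyed by artefact id -> owning user.
    device_store: Dict[str, str] = field(default_factory=dict)
    audit: List[Tuple] = field(default_factory=list)

    def tap_in(self, user: str, now: int) -> Session:
        """Badge tap / passkey sign-in. Ends any existing session first so two
        users never overlap on the same device."""
        if self.active is not None:
            self._end(now, "superseded by next user")
        self.active = Session(user=user, started_at=now, last_activity=now)
        self.audit.append((now, "start", user, None, 0))
        return self.active

    def use(self, now: int, artefact: str) -> None:
        """Record application use; the idle lock is enforced before the session is touched."""
        if self.active is None:
            raise RuntimeError("no active session: authenticate first")
        if now - self.active.last_activity > IDLE_LOCK_SECONDS:
            self._end(now, "idle lock")
            raise RuntimeError("session locked for inactivity: re-authenticate")
        self.active.last_activity = now
        self.device_store[artefact] = self.active.user

    def tap_out(self, now: int) -> None:
        if self.active is not None:
            self._end(now, "user logout")

    def _end(self, now: int, reason: str) -> None:
        s = self.active
        leftover = [a for a, owner in self.device_store.items() if owner == s.user]
        for a in leftover:
            del self.device_store[a]          # clear residual access artefacts
        self.active = None
        self.audit.append((now, "end", s.user, reason, len(leftover)))

    def residual_artefacts(self) -> int:
        """Artefacts on the device not owned by the active user. Zero by
        construction; a non-zero value would be a hygiene failure to alert on."""
        owner = self.active.user if self.active else None
        return sum(1 for o in self.device_store.values() if o != owner)


def demo() -> Workstation:
    """Constructed scenario: first user never logs out, second user goes idle."""
    ws = Workstation("WS-ICU-03")
    ws.tap_in("u.alpha", now=1000)
    ws.use(1010, "token:u.alpha")
    ws.use(1020, "drive:H")
    ws.tap_in("u.bravo", now=1100)      # u.alpha's session is ended and cleared here
    ws.use(1110, "token:u.bravo")
    try:
        ws.use(1500, "ehr:chart-open")   # 390 s idle -> locked, artefact never created
    except RuntimeError:
        pass
    return ws


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The check worth keeping from this is residual_artefacts(): it is the device-side assertion that the "next user sees nothing of the previous one" property actually holds, and it is cheap to emit as telemetry.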

ITDR and access analytics for policy feedback

Identity threat detection and response turns access data into a feedback loop for policy tuning. By monitoring login duration, failed authentications, device utilisation, and anomalous behaviour, teams can distinguish normal workflow friction from risky deviations that warrant stronger controls. Access analytics also expose where policy is causing workarounds, which is often the hidden precursor to shadow IT or weak local exceptions. The technical value lies in using behavioural and operational telemetry to adapt controls without waiting for a major incident.

Practical implication: feed access telemetry into ITDR and policy tuning so friction points and anomalous behaviour are visible quickly.
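To make the feedback loop concrete, here is an added example (not Imprivata's or any product's code) that computes the three friction metrics the passage names, per device, from constructed login log lines, and flags where the numbers point at workaround pressure: slow logins, a high failure rate, or manual exceptions being granted. The log format, device names, users, thresholds, and the "exception" event type are all constructed for this example; a real deployment would map its own identity provider's events onto the same fields.

```python
"""Added example: access analytics over constructed login log lines."""
import re
import statistics
from collections import defaultdict
from typing import Dict, List

# Constructed sample log. WS-ICU-03 shows the pattern to look for: repeated
# failures, long logon times, then a manual exception granted to cope.
SAMPLE_LOG = """\
2025-10-28T07:01:12Z event=login device=WS-ICU-03 user=u.alpha result=success duration_ms=1800
2025-10-28T07:03:40Z event=login device=WS-ICU-03 user=u.bravo result=failure duration_ms=6200
2025-10-28T07:04:05Z event=login device=WS-ICU-03 user=u.bravo result=failure duration_ms=5900
2025-10-28T07:04:50Z event=login device=WS-ICU-03 user=u.bravo result=success duration_ms=7400
2025-10-28T07:05:30Z event=exception device=WS-ICU-03 user=u.bravo note="shared generic account enabled"
2025-10-28T07:10:02Z event=login device=WS-ICU-03 user=u.charlie result=success duration_ms=8100
2025-10-28T07:11:09Z event=login device=WS-ADM-01 user=u.delta result=success duration_ms=1500
2025-10-28T07:40:33Z event=login device=WS-ADM-01 user=u.delta result=success duration_ms=1400
2025-10-28T08:02:17Z event=login device=WS-ADM-01 user=u.echo result=success duration_ms=1700
"""

# Constructed thresholds; tune against a baseline of devices that work well.
FRICTION_THRESHOLDS = {"median_duration_ms": 5000, "failure_rate": 0.25, "exceptions": 1}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted


def parse_line(line: str) -> Dict[str, str]:
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = ts
    return fields


def friction_flags(m: Dict) -> List[str]:
    flags = []
    if m["median_duration_ms"] > FRICTION_THRESHOLDS["median_duration_ms"]:
        flags.append("slow_login")
    if m["failure_rate"] > FRICTION_THRESHOLDS["failure_rate"]:
        flags.append("high_failure")
    if m["exceptions"] >= FRICTION_THRESHOLDS["exceptions"]:
        flags.append("manual_exception")
    return flags


def device_metrics(lines: List[str]) -> Dict[str, Dict]:
    """Per-device login duration, failure rate, utilisation (logins and distinct
    users) and exception count, plus the friction flags derived from them."""
    acc = defaultdict(lambda: {"durations": [], "failures": 0, "logins": 0,
                               "users": set(), "exceptions": 0})
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        d = acc[ev["device"]]
        if ev["event"] == "login":
            d["logins"] += 1
            # Failed attempts count towards time spent logging on: that is the
            # friction the user experiences, not just the successful attempt.
            d["durations"].append(int(ev["duration_ms"]))
            d["users"].add(ev["user"])
            if ev["result"] != "success":
                d["failures"] += 1
        elif ev["event"] == "exception":
            d["exceptions"] += 1
    out = {}
    for dev, d in acc.items():
        m = {
            "logins": d["logins"],
            "distinct_users": len(d["users"]),
            "median_duration_ms": statistics.median(d["durations"]) if d["durations"] else 0,
            "failure_rate": d["failures"] / d["logins"] if d["logins"] else 0.0,
            "exceptions": d["exceptions"],
        }
        m["flags"] = friction_flags(m)
        out[dev] = m
    return out


if __name__ == "__main__":
    for dev, m in device_metrics(SAMPLE_LOG.splitlines()).items():
        print(dev, m)
```

The point of correlating the three metrics rather than alerting on any one of them is in the sample itself: a single slow login is noise, but a device where slow logins, failures, and a granted exception cluster together is the signature of users being pushed towards a workaround.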


NHI Mgmt Group analysis

Identity is the only viable control plane when organisations want both security and usability. The article is correct that access policy cannot be treated as a separate security layer from the user workflow. When identity is the coordination point for authentication, device trust, and application access, teams can reduce the gap between policy intent and actual behaviour. That matters because many control failures begin as usability failures, not technical ones.

Security that is harder than the work itself will be bypassed. That is the practical reality underlying the article’s focus on frictionless access and shared accountability. In IAM programmes, every extra step, exception, or manual fallback creates a shadow policy that users will follow instead of the formal one. Practitioners should read that as a governance problem, not a UX problem, because the system users actually follow is the one that governs risk.

Passwordless and zero trust only work when they are operationally invisible to the user. If they are introduced as separate projects, they often become bolt-ons that create new breakpoints in frontline workflows. The field lesson is that control strength and workflow fit must be designed together, or the organisation will preserve convenience by weakening enforcement elsewhere.

Shared device and vendor access deserve the same governance discipline as employee access. The article correctly points out that contractors, vendors, and shared endpoints are common paths for misuse and error. For identity teams, the implication is that access lifecycle, session hygiene, and accountability cannot stop at the employee boundary. Lifecycle governance has to extend across every identity that can touch production systems.

Access analytics are becoming a governance signal, not just an operations metric. When teams correlate login times, failed authentications, and device utilisation, they expose where controls are misaligned with real work. That is a stronger signal than policy documentation alone. Practitioners should treat those metrics as evidence of whether identity policy is being honoured in practice or merely approved on paper.

From our research:

What this signals

Identity control will keep expanding beyond employee login flows. As vendors, contractors, shared devices, and mobile endpoints become more operationally important, the same governance model has to span human access and machine-mediated access. With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, the structural issue is not authentication alone but access governance across the full identity surface.

Passwordless programmes should be judged by workflow adoption, not by cryptographic elegance. If frontline teams still need workarounds, the programme is not finished. The useful signal is whether access becomes easier to comply with than to evade, which is the real test of whether the control plane is functioning.

Shared-device environments are where policy becomes visible. Teams that rely on workstations, kiosks, or mobile endpoints should expect friction to surface there first, because those workflows expose whether session reset, role scoping, and access analytics are actually aligned. That is where identity governance either holds together or starts leaking.


For practitioners

  • Make identity the single control layer: Map login, device trust, and application entitlement decisions into one policy model so users are not forced through parallel approval paths. Use the same control layer to govern employees, vendors, and shared endpoints.
  • Deploy passwordless in high-friction workflows first: Start with roles that authenticate repeatedly on shared devices or frontline workstations, then add session reset, automatic credential clearing, and fast device checkout so the new method does not introduce residual access risk.
  • Extend Zero Trust to third-party access: Apply conditional access, monitoring, and lifecycle reviews to contractors and vendors with the same rigour used for employee access. Do not leave external users in a lighter governance lane because they are harder to manage.
  • Use access analytics to find workaround pressure: Track login duration, failed authentication, and device utilisation together, then investigate where users are compensating for friction with shadow processes or local exceptions.
  • Reinforce shared accountability with micro-training: Use short, recurring training on phishing, device locking, and logout discipline so secure behaviour becomes the normal workflow rather than an annual compliance event.

Key takeaways

  • Identity becomes the control plane when organisations want to align access policy, usability, and security across users, devices, and applications.
  • Passwordless authentication and shared-device controls reduce friction only when they are paired with session reset, lifecycle discipline, and telemetry.
  • Access analytics and recurring training matter because they reveal where users are bypassing controls and where governance is failing in practice.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                      Control / Reference   Relevance
NIST CSF 2.0                   PR.AC-1               Identity-centric access control underpins the article's control-plane argument.
NIST Zero Trust (SP 800-207)   PR.AC-4               Zero trust is directly referenced for continuous verification and least trust.
NIST SP 800-63                                       Passwordless and MFA discussion aligns with digital identity assurance and phishing resistance.

Apply continuous verification to users, devices, and vendor access instead of trusting network location.


Key terms

  • Identity control plane: The identity control plane is the policy layer that decides who or what can access a system, under what conditions, and for how long. It coordinates authentication, device trust, and entitlement decisions so security is enforced consistently across workflows instead of through isolated checks.
  • Passwordless authentication: Passwordless authentication verifies a user without requiring a reusable password. It typically relies on phishing-resistant methods such as passkeys, biometrics, badges, or device-bound credentials, which reduce friction and lower credential theft risk when integrated correctly into enterprise workflows.
  • Identity threat detection and response: Identity threat detection and response is the practice of spotting risky identity behaviour and responding before access abuse spreads. It combines identity telemetry, behavioural signals, and automated response actions to detect anomalies in logins, sessions, and entitlement use.
  • Shared workstation session hygiene: Shared workstation session hygiene is the set of controls that ensure one user’s access does not carry over to the next user on the same device. It includes logout enforcement, credential clearing, automatic lockout, and rapid re-authentication to prevent residual access and misuse.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Imprivata: Cybersecurity Awareness Month guidance on identity, usability, and secure workflows. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org