TL;DR: Organisations can strengthen cyber resilience by making identity the control plane, extending zero trust to third parties, adopting passwordless access, and using access analytics to reduce friction and risk during Cybersecurity Awareness Month, according to Imprivata. The underlying challenge is that security programmes still assume users will tolerate complexity, but control design only works when secure workflows are also the easiest workflows.
At a glance
What this is: This is a Cybersecurity Awareness Month view on how identity, passwordless access, shared-device controls, and access analytics can improve both security and usability.
Why it matters: It matters because IAM, NHI, and workforce identity teams all face the same adoption problem: controls that add friction often get bypassed, while controls that fit workflows are more likely to hold.
👉 Read Imprivata's Cybersecurity Awareness Month guidance on identity and usability
Context
Identity becomes the control plane when access decisions, verification steps, and monitoring follow the user, device, and application rather than living in separate security silos. For identity security programmes, that means security outcomes depend as much on workflow design as on policy strength, especially where shared devices, vendor access, and frontline users are involved.
The article's core point is not that organisations need more security controls. It is that security controls fail when they are harder to use than the risky behaviour they are meant to replace. That applies across human IAM, third-party access, and machine-mediated workflows where friction often drives workaround behaviour.
Key questions
Q: How should organisations reduce login friction without weakening identity security?
A: Use passwordless authentication, risk-based verification, and shared-device workflows that clear sessions automatically. The goal is not to remove controls, but to place them where users can complete work without resorting to shared credentials, reused sessions, or informal exceptions. Security improves when the secure path is also the fastest path.
Q: Why do vendor and contractor access paths need separate identity governance?
A: Because third-party access often expands trust beyond the internal workforce and is frequently reviewed less rigorously. Vendors and contractors should be governed with the same least-privilege, monitoring, and offboarding discipline as employees, but with tighter scope controls because their access is usually narrower and more episodic.
Q: What breaks when shared-workstation identity controls are too slow?
A: Users bypass them. If device checkout, logout, or reauthentication adds too much delay, people reuse sessions, leave credentials behind, or share access informally. That creates a gap between policy and practice, especially in frontline environments where speed matters and devices are shared across shifts.
Q: How do security teams know if access analytics is improving governance?
A: Look for sustained reductions in login time, failed authentications, and unresolved workflow anomalies after policy changes. If those measures do not improve, the issue is probably control design, not user behaviour. Access analytics should prove whether the secure workflow is actually becoming the easy workflow.
Technical breakdown
Identity as the control plane in zero trust environments
Treating identity as the control plane means access policy, authentication, device trust, and monitoring are enforced from a common decision layer rather than through disconnected tools. In practice, that is how zero trust becomes operational instead of aspirational. The model works best when verification is continuous but invisible to the user, so that approved workflows stay fast while risky deviations trigger stronger checks. The risk is fragmentation: if IAM, endpoint, and access monitoring do not share context, policy enforcement becomes inconsistent and users learn where the gaps are.
Practical implication: align identity, device, and monitoring signals so risk-based access decisions are enforced in one workflow.
Passwordless authentication and MFA in high-friction workforces
Passwordless access reduces both credential theft risk and the operational drag caused by repeated logins, especially in shared-workstation and frontline environments. FIDO-based authentication, device-bound passkeys, and proximity methods work because they reduce dependence on memorised secrets while preserving strong assurance. The key technical issue is interoperability: if passwordless controls do not fit existing systems, users fall back to weaker paths. That makes deployment design, exception handling, and auditability as important as the authentication factor itself.
Practical implication: prioritise passwordless rollout where login frequency and shared endpoints create the highest friction and risk.
Access analytics, ITDR, and shared-device hygiene
Access analytics turns authentication and session data into operational evidence. Login duration, failed authentications, device usage, and access anomalies can show where workflows are inefficient, where controls are being bypassed, and where risk concentrates. ITDR adds response capability by detecting deviations from normal behaviour and escalating when sessions or identities drift outside expected patterns. In shared-device environments, the technical requirement is fast session reset and clear accountability between users; otherwise residual credentials or stale sessions become easy attack paths.
Practical implication: instrument shared-device environments for session reset, anomaly detection, and continuous measurement of access behaviour.
NHI Mgmt Group analysis
Security only works at scale when it is easier than the workaround: That is the real governance test in this article. Identity controls that slow users down create shadow processes, shared secrets, and informal exceptions that expand risk rather than reduce it. For IAM teams, the practical conclusion is that adoption quality is a security control, not a communications problem.
Third-party access remains one of the most dangerous trust extensions in enterprise identity: The article correctly points to vendors and contractors as a breach vector because external access often receives weaker lifecycle discipline than employee access. The governance issue is not simply who gets in, but how quickly that access is reviewed, scoped, and withdrawn when the relationship changes. Practitioners should treat third-party access as a permanent governance surface, not a temporary exception.
Shared-device and frontline identity require controls built for context, not ceremony: Badge tap, facial recognition, SSO, and automatic session clearing are not convenience features when devices are shared across shifts; they are the mechanism that keeps policy usable. Where these workflows are absent, teams either reuse sessions or skip proper authentication steps, which undermines both accountability and data protection. The conclusion is simple: if the control does not fit the work pattern, it will not hold.
Access analytics changes IAM from static governance to measurable operations: Login duration, device utilisation, and authentication failure patterns show whether policy is working in practice or only on paper. That matters because most control drift appears first as friction, then as bypass behaviour, then as exposure. Security leaders should use these measures to identify where policy design is forcing unsafe user behaviour rather than preventing it.
Shared accountability is the missing layer between policy and behaviour: The article's strongest point is cultural, not technical. Training, simulation, and reinforcement matter because users are part of the control system in identity-centric environments. For practitioners, the implication is to manage identity programmes as operating models, where governance, workflow, and user behaviour have to reinforce one another.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- That confidence gap is a signal to re-evaluate third-party and workload identity governance through Top 10 NHI Issues and the access-review assumptions behind identity programmes.
What this signals
Friction is now a governance variable: when users cannot complete secure access quickly, they create bypasses that look operationally harmless until they become security debt. Identity programmes should be measured against adoption and handoff behaviour, not just policy completeness.
The governance gap is widening where human, third-party, and device access intersect. Teams that still manage those paths separately will miss the fact that the same workflow friction can create different risks across employee IAM, vendor access, and shared-device operations.
Access analytics can expose whether the secure path is actually becoming the normal path. If login duration and failed-authentication rates remain high after deployment, the control is not embedded well enough to be relied on as a core governance mechanism.
For practitioners
- Map friction hotspots before changing controls: Baseline login duration, failed authentication rates, and device handoff issues across shared workstations, vendor access paths, and frontline roles. Use those metrics to identify where users are most likely to work around security controls.
- Extend zero trust to non-employee access paths: Apply the same access review, monitoring, and least-privilege discipline to vendors and contractors that you use for employee identities. Recheck scope whenever support relationships, device access, or privileged workflows change.
- Prioritise passwordless rollout in high-frequency access workflows: Start where users authenticate repeatedly and where credential reuse is most likely, such as shared devices and shift-based environments. Pair deployment with audit capability, fallback design, and clear exception handling.
- Instrument shared devices for session reset and accountability: Automatically clear credentials, enforce reauthentication between users, and track device assignment from checkout to return. That reduces the chance that residual sessions or stale privileges survive a handoff.
- Use access analytics as a governance signal: Review utilisation, login failures, and workflow anomalies alongside operational output so you can spot controls that are technically sound but operationally failing. Treat repeated friction as evidence that policy needs redesign.
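As an added illustration of the access-analytics and shared-device points above (this is not code from the original post or from Imprivata), the following Python pass over constructed access events computes the baseline measures a practitioner would start with (mean login time, failed-authentication rate per endpoint) and flags a shift handoff where the previous user's session was never cleared. The event schema, device names, user names and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (assumed schema, not any product's log format): (timestamp, device, user, event).
EVENTS = [
    ("2025-10-28T07:30:00", "WS-01", "nurse_b", "login_start"),
    ("2025-10-28T07:30:02", "WS-01", "nurse_b", "login_success"),
    ("2025-10-28T15:00:00", "WS-01", "nurse_c", "login_start"),  # next shift; nurse_b never logged out
    ("2025-10-28T15:00:03", "WS-01", "nurse_c", "login_success"),
    ("2025-10-28T09:00:00", "WS-02", "vendor_x", "login_start"),
    ("2025-10-28T09:00:10", "WS-02", "vendor_x", "login_fail"),
    ("2025-10-28T09:00:20", "WS-02", "vendor_x", "login_start"),
    ("2025-10-28T09:01:05", "WS-02", "vendor_x", "login_success"),
    ("2025-10-28T09:40:00", "WS-02", "vendor_x", "logout"),
]

def analyse(events):
    # Per device: login durations, failed vs successful attempts, and handoffs where a new user authenticated over a live session.
    stats = defaultdict(lambda: {"durations": [], "fails": 0, "successes": 0, "residual": []})
    pending, active = {}, {}  # (device, user) -> login_start time; device -> user currently holding the session
    for ts, device, user, event in sorted(events, key=lambda e: e[0]):
        t, s = datetime.fromisoformat(ts), stats[device]
        if event == "login_start":
            pending[(device, user)] = t
        elif event == "login_fail":
            s["fails"] += 1
        elif event == "login_success":
            s["successes"] += 1
            if (device, user) in pending:
                s["durations"].append((t - pending.pop((device, user))).total_seconds())
            if active.get(device) not in (None, user):  # residual session survived the user handoff
                s["residual"].append((active[device], user, ts))
            active[device] = user
        elif event == "logout":
            active.pop(device, None)
    return {d: {"avg_login_s": sum(s["durations"]) / max(len(s["durations"]), 1),
                "fail_rate": s["fails"] / max(s["fails"] + s["successes"], 1),
                "residual_sessions": s["residual"]} for d, s in stats.items()}

def friction_hotspots(report, max_login_s=10.0, max_fail_rate=0.25):
    # Devices whose measurements suggest the secure path is not the easy path, with the reasons.
    flagged = {}
    for device, m in report.items():
        reasons = [label for hit, label in (
            (m["avg_login_s"] > max_login_s, "slow login"),
            (m["fail_rate"] > max_fail_rate, "high failure rate"),
            (bool(m["residual_sessions"]), "session survived user handoff")) if hit]
        if reasons:
            flagged[device] = reasons
    return flagged
```

Run on the constructed events, the vendor endpoint is flagged for slow and failing logins (a friction hotspot) while the shared workstation is flagged because a second user authenticated before the first session was cleared.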
Key takeaways
- Identity works as a control plane only when the secure workflow is also the operationally simplest workflow.
- Third-party access, shared devices, and repeated logins are the points where friction most often turns into governance failure.
- Access analytics should be used to prove whether identity controls are reducing risk in practice, not just satisfying policy design.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST Zero Trust (SP 800-207), NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | AC-1 | Zero trust is the article's core access-model theme. |
| NIST CSF 2.0 | PR.AA-01 | Identity proofing and authentication support the article's access model. |
| NIST SP 800-63 | AAL2 | Passwordless and MFA discussion maps to assurance level choices. |
Use identity-centric verification for every access request and remove implicit trust from user and device paths.
Key terms
- Identity as the control plane: An identity-centric operating model where authentication, authorisation, and monitoring are coordinated through the same access decision layer. It reduces inconsistency across apps, devices, and users by making identity the place where trust is established and continuously checked.
- Passwordless authentication: An authentication approach that removes memorised passwords and uses stronger factors such as passkeys, biometrics, or device-bound credentials. In practice, it reduces credential theft and login friction, but only if the deployment fits existing workflows and supports auditability.
- Shared-device access: A workforce access pattern where multiple users authenticate to the same workstation or mobile device across shifts or tasks. It needs fast session clearing, clear handoff controls, and strong identity assurance because residual access state creates both security and accountability risk.
- Access analytics: The analysis of login, session, and device-use data to identify control effectiveness, user friction, and abnormal behaviour. It turns access events into governance evidence, helping security teams see whether policy is actually working in day-to-day operations.
Deepen your knowledge
NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
This post draws on content published by Imprivata: Cybersecurity Awareness Month guidance on balancing security and usability. Read the original.
Published by the NHIMG editorial team on 2025-10-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org