By NHI Mgmt Group Editorial Team
Published 2025-12-09
Domain: Governance & Risk
Source: Imprivata

TL;DR: Critical industries are redesigning authentication, shared device workflows, and vendor access because legacy systems, password friction, and opaque third-party pathways are slowing work and widening risk, according to Imprivata. The central issue is not convenience versus security, but whether identity controls can support frontline operations without creating unsafe workarounds.


At a glance

What this is: This is an analysis of how healthcare, manufacturing, and public safety organizations are reworking identity controls to reduce friction while tightening access to shared devices and third-party users.

Why it matters: It matters because IAM teams must balance operational continuity, compliance, and accountability across human users, shared endpoints, and external access paths without driving staff toward risky workarounds.

By the numbers:

👉 Read Imprivata's analysis of identity, shared devices, and vendor access in critical industries


Context

Identity friction is what happens when security controls make frontline work slower, harder, or less predictable than the environment can tolerate. In critical industries, that friction often produces unsafe shortcuts such as shared credentials, unmanaged device access, and vendor pathways that are difficult to audit.

The article's real subject is how identity governance has to fit the operating model of healthcare, manufacturing, and public safety rather than forcing those environments into rigid access patterns. Identity is the central concern because the practical question is whether access can be both usable and accountable when work cannot pause for security ceremony.


Key questions

Q: How should security teams reduce credential sharing on shared devices?

A: Security teams should replace slow, user-specific login flows with fast authentication methods that preserve accountability on shared endpoints. The goal is not merely stronger login strength. It is to make the secure path easier than the workaround, while maintaining session attribution, auditability, and support for shift-based work.

Q: Why do third-party users create outsized identity risk in critical industries?

A: Third-party users create outsized identity risk because their access is often broader, less visible, and harder to lifecycle-manage than internal access. When vendors enter through shared credentials or VPNs, organisations lose clarity over who accessed what, whether the access was still needed, and when it should have been revoked.

Q: What breaks when shared mobile programmes are not tied to identity governance?

A: Shared mobile programmes break when provisioning, deprovisioning, and role assignment are handled inconsistently. Devices then need frequent reconfiguration, user access becomes hard to prove, and PHI or other sensitive data can be exposed through poor session handling. The programme becomes operationally brittle instead of efficient.

Q: Who is accountable for vendor access when a breach or misuse occurs?

A: Accountability should sit with the organisation that granted the access, because it controls the lifecycle, scope, and monitoring of the vendor identity. If access is not named, recorded, and time-bound, it is difficult to prove whether the vendor, the internal owner, or the process failure created the exposure.


Technical breakdown

Why shared device authentication breaks traditional IAM assumptions

Shared workstations and mobile devices do not behave like single-user endpoints. Identity state has to move with the device session, the user role, and the shift context, or else staff fall back to credential sharing and manual resets. That creates audit ambiguity because the person who authenticates is not always the person performing the work. In regulated environments, the control problem is not just authentication strength. It is preserving attribution, reducing reconfiguration, and ensuring that each session is tied to the correct operator without making the workflow unusable.

Practical implication: replace generic shared logins with session-aware access methods that preserve attribution on multi-user devices.

Vendor privileged access and the problem of opaque third-party identity

Third-party access becomes risky when vendors enter through shared credentials, broad VPN access, or accounts with unclear lifecycle ownership. That is not just an access-control issue. It is an identity governance problem because the organisation often cannot prove who had access, when they used it, or whether it was removed at the right time. Vendor privileged access management is designed to restore visibility and scope control by making external access time-bound, recorded, and reviewable. In critical industries, that matters because supplier relationships change faster than traditional entitlement reviews.

Practical implication: require named vendor identities, session recording, and time-bound access before external support is allowed into production systems.

Legacy OT and hybrid environments create persistent privilege drag

Older OT assets and hybrid systems make patching, segmentation, and access control harder because they were not designed for modern identity governance. Privileges tend to accumulate around workaround processes, emergency access, and systems that cannot support fine-grained controls. That creates privilege drag, where the organisation carries access it cannot easily rationalise or retire. The result is a larger attack surface and slower response when controls need to change. For manufacturing and similar environments, the issue is not whether identity exists, but whether it can be governed across systems with different technical generations and operational constraints.

Practical implication: map legacy and OT access paths separately so privileged accounts and exceptions can be reviewed without assuming modern control coverage.


NHI Mgmt Group analysis

Identity friction is a governance failure when staff are pushed toward unsafe workarounds. In critical industries, the organisation does not fail because workers prefer convenience over security. It fails when authentication, provisioning, and device workflows are slow enough that credential sharing becomes the practical escape path. The implication is that access policy has to be judged against how work is actually done, not how it is written in the control catalogue.

Third-party access without tight lifecycle control is still one of the clearest blind spots in identity governance. The article’s vendor-access examples show the same pattern we see repeatedly: external users arrive through broad, hard-to-audit pathways, and organisations struggle to prove whether access is still appropriate. That is a governance issue, not a tooling issue, and it remains especially dangerous in environments where vendors support production systems and operational technology.

Shared devices expose an attribution gap that traditional user-centric IAM does not fully close. When one workstation serves many users across shifts, identity assurance must follow the session, not just the account. Otherwise, audit trails become weak, accountability blurs, and compliance evidence turns into reconstruction work after the fact. Practitioners should treat shared-device governance as a distinct operating model, not a variation of desktop login policy.

Identity friction: the point at which security controls are technically compliant but operationally unusable. This concept matters because critical-industry users will route around controls that obstruct urgent work. Once that happens, the formal IAM design and the real access model diverge. Practitioners need to measure the gap between control intent and frontline behaviour, because that gap is where risk compounds.

Critical-industry IAM has to be evaluated through resilience, not just control completeness. The post’s strongest signal is that security controls are being adopted when they reduce time loss, improve accountability, and support continuous operations. That is the right frame for healthcare, manufacturing, and public safety. The lesson for the field is that identity governance that cannot survive operational pressure is not mature enough for critical work.

From our research:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why external access and machine identity governance converge in the same control gap.
  • If shared devices and vendor pathways are already stretching governance, the next step is to compare that risk with the 52 NHI Breaches Analysis and identify which failure mode is most common in your environment.

What this signals

Identity friction will keep surfacing as an operational risk, not just a user-experience issue. Organisations that cannot make secure access fast enough will continue to see workaround behaviour, especially on shared devices and in shift-based environments. The practical signal is simple: if users are bypassing controls to get work done, the governance model is misaligned with the work model.

With 92% of organisations exposing NHIs to third parties, per Ultimate Guide to NHIs, external access governance is now part of mainstream identity risk management rather than a niche control area. That same pattern is visible in critical industries where vendor support and internal operations overlap.

The most durable programmes will treat badge-based authentication, vendor PAM, and device lifecycle controls as one operating model. That is how identity teams reduce downtime pressure without pushing staff toward unmonitored access paths.


For practitioners

  • Redesign authentication for shared endpoints: Use badge tap, proximity sign-in, or equivalent fast authentication on shared workstations and mobile fleets so clinicians and frontline staff do not revert to shared passwords or manual resets.
  • Separate vendor access from generic support pathways: Require named vendor identities, session recording, and explicit approval before third parties reach production systems or operational technology, especially where VPN access is still common.
  • Measure friction as an identity risk indicator: Track time lost to logins, reconfiguration, and lockouts on shared devices, because repeated delays are usually a leading signal that users are bypassing intended controls.
  • Treat legacy OT access as a separate governance domain: Inventory old systems, emergency exceptions, and privileged accounts independently so access reviews do not assume the same control model applies across modern IT and older operational systems.

Key takeaways

  • The core risk is not simply weak authentication, but security friction that drives staff toward credential sharing and other unsafe workarounds.
  • The evidence shows that critical industries face both large operational costs and measurable third-party exposure, making identity governance a resilience issue as much as a security issue.
  • The practical response is to align authentication, shared-device management, and vendor access with the way frontline work actually happens.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Third-party access and unmanaged credentials map to NHI lifecycle and exposure risk.
NIST CSF 2.0 | PR.AC-4 | Shared devices and vendor access depend on access management and least privilege.
NIST Zero Trust (SP 800-207) | AC-4 | Continuous verification is relevant where vendors and frontline users access sensitive systems.

Inventory vendor-facing NHIs and enforce lifecycle ownership, review, and revocation before access persists.


Key terms

  • Shared Device Authentication: An access pattern where multiple people use the same workstation or mobile device across shifts, roles, or locations. The control challenge is preserving attribution and session integrity so the organisation can prove who did what without forcing users into slow, unsafe workarounds.
  • Vendor Privileged Access Management: A governance approach for granting external parties tightly scoped, monitored, and time-bound access to internal systems. It reduces the risk created by generic credentials, broad VPN routes, and unclear accountability by tying every support session to a named identity and a defined purpose.
  • Identity Friction: The operational drag created when access controls slow work enough that users look for shortcuts. In practice, it is a governance signal, because repeated friction usually produces credential sharing, informal exceptions, and weaker audit evidence even when the formal policy looks sound.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Imprivata: identity, shared mobile devices, and vendor access in critical industries. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org