By NHI Mgmt Group Editorial Team
Published 2025-11-18
Domain: Governance & Risk
Source: Imprivata

TL;DR: Ransomware attacks on U.S. critical infrastructure climbed 9% in 2024, while healthcare workers lose 13 minutes per shift to login friction and 47% of organisations reported a third-party breach last year, according to the FBI, Imprivata, and Ponemon Institute. Access design is now an operational security control, not just a usability concern.


At a glance

What this is: This analysis shows how access friction in critical industries is widening security exposure across frontline, hybrid, and third-party workflows.

Why it matters: It matters because IAM, PAM, and identity lifecycle teams must reduce shared access, over-privilege, and login fatigue without slowing mission-critical operations.



Context

Critical industry access is the point where usability and security collide. In healthcare, manufacturing, and energy, frontline workers still need fast access across shared workstations, mobile devices, and hybrid systems that were not built for current identity and threat conditions.

When login steps become slow, inconsistent, or overly manual, users work around them. That creates credential sharing, session persistence on shared devices, and broader exposure to third-party access paths, which turns identity governance into an operational risk issue for human IAM, PAM, and lifecycle teams.


Key questions

Q: How should security teams reduce login friction without weakening identity controls in critical industries?

A: Security teams should replace repetitive password and MFA steps with phishing-resistant authentication that works in shift-based, shared-device environments. The aim is to preserve fast access while removing the behaviours that cause credential sharing, unlocked sessions, and workarounds. Low-friction design is a security control when operational users cannot afford slow logins.

Q: Why do shared workstations create more identity risk than personal devices?

A: Shared workstations increase identity risk because the session often outlives the person who authenticated into it. That breaks accountability, weakens traceability, and makes session persistence as important as initial login strength. In frontline settings, the device becomes the trust boundary unless sign-out, binding, and handoff controls are enforced.

Q: What do organisations get wrong about third-party access in hybrid environments?

A: They often treat vendor access as a provisioning task instead of a lifecycle control. That leads to over-privileged accounts, unclear ownership, and delayed offboarding. The result is identity debt, where supplier access remains active long after the business need has changed, expanding the organisation’s attack surface.

Q: How can teams tell whether access controls are actually working for frontline users?

A: Look for reduced login time, fewer password-sharing behaviours, lower session reuse on shared devices, and clearer removal of dormant vendor access. If users are still bypassing controls to keep work moving, the programme is secure on paper but brittle in practice. Effectiveness is visible in behaviour, not policy text.


Technical breakdown

Why shared workstations create identity governance gaps

Shared workstations compress many users into the same device and session pattern, which weakens assurance about who is actually behind the keyboard. In critical industries, this makes authentication state, session timeout, and user traceability more important than the login event itself. If users can remain signed in between uses, the device becomes the trust boundary, not the person. That is especially problematic in regulated and shift-based environments where accountability must survive handoffs, break coverage, and emergency response.

Practical implication: enforce per-user session controls and device-aware sign-out rules on every shared endpoint.
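The per-user session and device-aware sign-out rules described above can be expressed as a small session controller. The following is an added example written for this page, not code from Imprivata or the NHI Mgmt Group; the class and method names are assumptions, and it assumes that each action arrives with a proof of presence (such as a badge tap) that identifies the person at the keyboard. It binds one session to one user on one device, ends the previous session on every handoff, expires idle sessions, and keeps an audit trail so accountability survives the handoff.

```python
"""Shared-workstation session controller (added example for this page, not
Imprivata's or NHIMG's code). Enforces the controls named in the text:
one user per session per device, forced sign-out at handoff, an inactivity
window, and an audit trail that records who owned the session when.
Names, timeouts and the presence model are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Session:
    user: str
    device: str
    started_at: float
    last_activity: float


@dataclass
class SharedWorkstation:
    device_id: str
    idle_timeout_s: float = 120.0       # short window, assumed for shift devices
    session: Optional[Session] = None
    audit: List[Tuple[float, str, str]] = field(default_factory=list)  # (time, event, user)

    def sign_in(self, user: str, now: float) -> Session:
        # Handoff rule: a new sign-in always ends the previous session, so the
        # outgoing user's access cannot silently continue into the next shift.
        if self.session is not None:
            self._end(now, "handoff_signout")
        self.session = Session(user, self.device_id, now, now)
        self.audit.append((now, "sign_in", user))
        return self.session

    def act(self, user: str, now: float, action: str) -> bool:
        """Attribute an action to the session owner, or refuse it.

        `user` is assumed to come from a proof-of-presence event (badge tap,
        biometric) rather than from the session itself. Returns True only if
        the session is live, belongs to `user`, and is inside the inactivity
        window; otherwise the session is ended and the attempt is logged."""
        s = self.session
        if s is None:
            self.audit.append((now, "denied_no_session", user))
            return False
        if now - s.last_activity > self.idle_timeout_s:
            self._end(now, "idle_timeout")
            self.audit.append((now, "denied_idle", user))
            return False
        if s.user != user:
            # Someone other than the authenticated user is at the keyboard:
            # end the session rather than let it be reused, and require a
            # fresh sign-in so the record shows who actually did the work.
            self._end(now, "identity_mismatch")
            self.audit.append((now, "denied_mismatch", user))
            return False
        s.last_activity = now
        self.audit.append((now, action, user))
        return True

    def owner(self) -> Optional[str]:
        """Who currently owns the session, or None if the device is signed out."""
        return self.session.user if self.session else None

    def _end(self, now: float, reason: str) -> None:
        self.audit.append((now, reason, self.session.user))
        self.session = None


if __name__ == "__main__":
    ws = SharedWorkstation("ws-icu-01")          # constructed device id
    ws.sign_in("nurse_a", 0.0)
    ws.act("nurse_a", 30.0, "open_chart")
    ws.sign_in("nurse_b", 60.0)                  # handoff ends nurse_a's session
    ws.act("nurse_b", 300.0, "open_chart")       # denied: idle window exceeded
    for entry in ws.audit:
        print(entry)
```

The design choice worth noting is that a mismatch between the presence event and the session owner ends the session outright instead of merely denying the action: on a shared endpoint the cheapest safe response to an unexpected person at the keyboard is to return the device to a signed-out state.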

How password fatigue turns into credential sharing

Complex passwords and repetitive MFA create friction that frontline users treat as operational overhead. When that friction repeats across shifts, users start sharing credentials, reusing sessions, or leaving devices unlocked to keep work moving. The security failure is not only weak authentication, but the behavioural bypass it induces. In practice, the organisation inherits an identity that is technically protected but functionally shared, which defeats accountability and makes audits less reliable.

Practical implication: replace repetitive login flows with phishing-resistant, low-friction authentication for frontline workflows.

Why third-party access needs lifecycle controls, not just provisioning

Vendor access becomes dangerous when it is easier to grant than to review, scope, and remove. The article’s third-party breach reference aligns with a familiar governance pattern: over-privileged access persists after the business need has changed, especially where manual provisioning and shared credentials are still common. In identity terms, the issue is lifecycle failure, not just access design. If offboarding and entitlement review are weak, vendor access outlives accountability.

Practical implication: tie every vendor account to a named owner, expiry date, and offboarding checkpoint.
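The lifecycle checks implied by that practical implication (named owner, expiry date, offboarding checkpoint) can be run as a periodic review over the vendor account inventory. The example below is added for this page and is not Imprivata's or the NHI Mgmt Group's code; the inventory is constructed sample data, and the field names, the 45-day dormancy threshold and the entitlement ceiling are assumptions. It flags the failure patterns the section names and separates accounts that merely need review from those that should be disabled now.

```python
"""Third-party access lifecycle review (added example, not from the article or
Imprivata). Walks a constructed vendor-account inventory and reports the
lifecycle failures the text names: no named owner, no expiry, expired but
still enabled, dormant or never-used access, and over-scoped entitlements.
Field names and thresholds are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class VendorAccount:
    account: str
    vendor: str
    owner: Optional[str]       # named business owner, or None if unassigned
    purpose: str
    expires: Optional[date]    # None means standing access with no end date
    last_used: Optional[date]  # None means the account has never been used
    enabled: bool
    entitlements: int          # number of system entitlements granted


DORMANT_AFTER = timedelta(days=45)   # assumed review threshold
MAX_ENTITLEMENTS = 3                 # assumed scope ceiling for vendor accounts


def review(accounts: List[VendorAccount], today: date) -> Dict[str, List[str]]:
    """Return {account: [finding, ...]} for every account that needs action."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        issues: List[str] = []
        if not a.owner:
            issues.append("no_named_owner")
        if a.expires is None:
            issues.append("no_expiry")
        elif a.enabled and a.expires < today:
            issues.append("expired_but_enabled")
        if a.enabled:
            # Usage checks only matter while the account can still be used.
            if a.last_used is None:
                issues.append("never_used")
            elif today - a.last_used > DORMANT_AFTER:
                issues.append("dormant")
        if a.entitlements > MAX_ENTITLEMENTS:
            issues.append("over_scoped")
        if issues:
            findings[a.account] = issues
    return findings


def offboarding_queue(findings: Dict[str, List[str]]) -> List[str]:
    """Accounts to disable now rather than merely re-review: access that has
    outlived its business need is the identity debt the text describes."""
    urgent = {"expired_but_enabled", "dormant", "never_used"}
    return sorted(acct for acct, issues in findings.items() if urgent & set(issues))


TODAY = date(2025, 11, 18)
SAMPLE_INVENTORY = [  # constructed sample data, not a real inventory
    VendorAccount("svc-hvac-vendor", "AcmeHVAC", "facilities.lead", "BMS maintenance",
                  date(2025, 12, 31), date(2025, 11, 10), True, 2),
    VendorAccount("svc-imaging-support", "RadCo", None, "PACS support",
                  None, date(2025, 6, 1), True, 5),
    VendorAccount("svc-lab-integration", "LabLink", "lab.manager", "HL7 feed",
                  date(2025, 9, 30), date(2025, 9, 20), True, 1),
    VendorAccount("svc-legacy-erp", "ErpCorp", "it.ops", "migration",
                  date(2026, 3, 1), None, False, 4),
]


if __name__ == "__main__":
    found = review(SAMPLE_INVENTORY, TODAY)
    for acct, issues in found.items():
        print(f"{acct}: {', '.join(issues)}")
    print("disable now:", offboarding_queue(found))
```

Running the review on the constructed inventory flags the unowned, never-expiring imaging account and the lab account whose expiry has passed while it is still enabled; the disabled ERP account is only reported for scope, because disabled access cannot be dormant.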


Threat narrative

Attacker objective: The objective is to reach sensitive operational systems with enough standing access to disrupt services, steal data, or deploy ransomware.

  1. Entry occurs through inefficient access processes that encourage shared credentials, reused sessions, and unsecured shared workstation states in frontline environments.
  2. Escalation follows when over-privileged third-party access or persistent sessions give an attacker or insider broader reach than intended.
  3. Impact lands as ransomware exposure, operational disruption, and degraded trust in identity controls across critical infrastructure workflows.



NHI Mgmt Group analysis

Access friction is not a convenience issue; it is a control failure. When clinicians, operators, and responders lose time to repetitive logins, the organisation is not merely inconvenienced. It is teaching users to work around identity controls, which increases shared credential use, unlocked devices, and weak session hygiene. The governance lesson is simple: if access takes too long, users will create a shadow access model that the security programme does not formally recognise. The practitioner conclusion is that authentication design is part of operational resilience.

Shared workstations create an identity accountability problem that conventional MFA does not solve. MFA can verify a login, but it does not guarantee that the right person still owns the session ten minutes later on a shared endpoint. That is why frontline environments need controls for session continuity, device binding, and rapid revocation on handoff. The failure mode is not missing authentication; it is over-trusting the authenticated session after the human context has changed. Practitioners should treat shared endpoints as high-risk identity surfaces.

Third-party access without lifecycle discipline becomes identity debt. The article’s vendor breach signal fits a broader pattern in which access is granted for speed and then left to drift. Manual provisioning, shared credentials, and weak offboarding allow access to outlive the business need that justified it. Identity blast radius: once vendor access is over-scoped, every additional system entitlement increases the reach of a single compromised account. The practitioner conclusion is that third-party access must be governed as a lifecycle, not an exception process.

Frontline IAM is now a Zero Trust and PAM problem as much as an authentication problem. The environment is hybrid, device-shared, and operationally time-sensitive, so least privilege must extend to session length, device trust, and vendor scope. NIST CSF, Zero Trust Architecture, and identity lifecycle controls all point to the same conclusion: access must be narrow, observable, and removable. The practitioner conclusion is that frontline identity design should be measured by how quickly privilege can be limited, not just how fast users can sign in.

From our research:

  • Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, according to The 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

What this signals

Identity friction is becoming an operations signal, not just a user-experience complaint. When frontline teams spend time fighting login flows, they compensate in ways that weaken governance. The programme risk is not only slower work. It is the normalisation of shared access, unlocked sessions, and informal credential reuse across critical workflows.

Frontline IAM needs to be designed around handoffs, not just authentication events. Shared endpoints, rotating shifts, and mixed device estates make access continuity the real control problem. Teams that focus only on login strength miss the bigger issue: whether the right person still owns the session after the work context changes.

With 70% of organisations already granting AI systems more access than human employees in similar roles, per the 2026 Infrastructure Identity Survey, the same over-privilege pattern is emerging across machine and human access models. That should push identity teams to treat access scope as a shared governance problem, not a separate silo for each actor type.


For practitioners

  • Replace repetitive login flows with phishing-resistant access methods: Use tap-and-go badges, biometrics, or device-bound passkeys for shift workers where shared devices and rapid handoffs are normal. The goal is to remove the incentive to share passwords or leave sessions open while preserving speed at point of use.
  • Apply session controls to every shared workstation: Bind sessions to the individual user, force sign-out at handoff, and shorten inactivity windows on devices used across shifts. Shared endpoints should never behave like persistent personal devices.
  • Re-scope third-party access to named owners and expiry dates: Map every vendor account to a business owner, a specific purpose, and a removal checkpoint. Manual provisioning without an expiration path creates standing access that is difficult to review and harder to remove.
  • Measure login friction as a security metric: Track time-to-access, failed login retries, and session re-use on frontline systems. If friction rises, users will bypass controls in ways that increase both operational delay and identity risk.
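The last recommendation, treating login friction as a security metric, is easiest to act on when the three signals are computed from authentication logs. The block below is an added example for this page, not Imprivata's or the NHI Mgmt Group's code; the log format is an assumption and the log lines are constructed. It parses login start, failure and success events and reports median and worst-case time-to-access, the share of logins that needed retries, and session identifiers that ended up associated with more than one user on a shared device, which is the session re-use the text warns about.

```python
"""Login-friction metrics from authentication logs (added example, not from
the article or Imprivata). Parses a constructed sample of auth events and
computes the signals the text suggests tracking: time-to-access, failed
retries before success, and session re-use across users on shared devices.
The log format is an assumption for illustration."""
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample events; one per line:
#   epoch_seconds device user event session_id ('-' when no session yet)
SAMPLE_LOG = """\
1000 ws-er-01 nurse_a login_start -
1004 ws-er-01 nurse_a login_fail -
1009 ws-er-01 nurse_a login_fail -
1015 ws-er-01 nurse_a login_ok s100
1300 ws-er-01 nurse_b login_start -
1302 ws-er-01 nurse_b login_ok s100
1500 ws-er-02 tech_c login_start -
1503 ws-er-02 tech_c login_ok s200
1700 ws-er-02 tech_c login_start -
1701 ws-er-02 tech_c login_fail -
1706 ws-er-02 tech_c login_ok s201
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (login_start|login_fail|login_ok) (\S+)$")

Event = Tuple[int, str, str, str, str]


def parse(log: str) -> List[Event]:
    """Turn log text into (time, device, user, event, session_id) tuples,
    silently skipping lines that do not match the assumed format."""
    events: List[Event] = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, device, user, event, sid = m.groups()
            events.append((int(t), device, user, event, sid))
    return events


def friction_metrics(events: List[Event]) -> Dict[str, object]:
    """Compute time-to-access per successful login, retries before each
    success, and session ids that were issued to more than one user."""
    pending: Dict[Tuple[str, str], List[int]] = {}   # (device, user) -> [start, fails]
    times: List[int] = []
    retries: List[int] = []
    session_users = defaultdict(set)
    for t, device, user, event, sid in events:
        key = (device, user)
        if event == "login_start":
            pending[key] = [t, 0]
        elif event == "login_fail":
            if key in pending:
                pending[key][1] += 1
        elif event == "login_ok":
            start, fails = pending.pop(key, [t, 0])
            times.append(t - start)
            retries.append(fails)
            session_users[sid].add(user)
    # A session id seen under two users on the same estate is re-use, not
    # a fresh authentication: exactly the condition the text calls out.
    reused = sorted(s for s, users in session_users.items() if len(users) > 1)
    return {
        "logins": len(times),
        "median_time_to_access_s": median(times) if times else 0,
        "max_time_to_access_s": max(times) if times else 0,
        "retry_rate": (sum(1 for r in retries if r) / len(retries)) if retries else 0.0,
        "reused_sessions": reused,
    }


if __name__ == "__main__":
    for k, v in friction_metrics(parse(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

Tracked per device and per shift, a rising median time-to-access or retry rate is the early warning that users are about to start compensating; a non-empty reused-session list is evidence that they already have.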

Key takeaways

  • Access friction in critical industries becomes a security issue when users compensate with shared credentials, persistent sessions, and informal workarounds.
  • Third-party access remains a high-risk gap because manual provisioning and weak offboarding let vendor entitlements outlive the business need.
  • Identity teams should measure success by reduced login friction, tighter session control, and faster removal of unused access, not by login policy complexity.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
NIST CSF 2.0                     | PR.AC-4             | Access scope and session control are central to the article's frontline IAM risks.
NIST Zero Trust (SP 800-207)     | SC-1                | The article depends on continuous verification across hybrid and shared environments.
OWASP Non-Human Identity Top 10  | NHI-03              | Third-party over-privilege and manual provisioning match NHI governance failure patterns.

Map shared-device and vendor access to PR.AC-4 and enforce least privilege with lifecycle review.


Key terms

  • Shared Workstation Session: A shared workstation session is a login state used by more than one person across a shift or handoff. It is risky because the authenticated session may outlive the user who opened it, so accountability depends on sign-out, device binding, and traceability rather than login strength alone.
  • Identity Friction: Identity friction is the operational burden created by repeated logins, complex passwords, and cumbersome MFA. In frontline environments, friction often triggers workarounds such as shared credentials or leaving devices unlocked, which turns usability failures into security exposure.
  • Third-Party Access Lifecycle: Third-party access lifecycle is the full path of vendor entitlements from approval through review, scope changes, and offboarding. It matters because access that is easy to grant but hard to remove creates standing privilege, unclear ownership, and unnecessary attack surface.
  • Session Handoff Control: Session handoff control is the governance that ensures one user’s access does not silently continue into another user’s shift or task. It is especially important on shared devices because the risk is not just initial authentication, but who retains control after the operational context changes.


This post draws on content published by Imprivata: The Impact of Inefficient Access for Critical Industries and Frontline Workers.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org