By NHI Mgmt Group Editorial TeamPublished 2026-01-27Domain: Governance & RiskSource: Descope

TL;DR: Insurance CIAM must now handle passkeys, federated login, delegated access, and AI agent permissions as insurers move toward mobile claims and embedded partnerships, according to Descope. The governance gap is no longer just customer friction, but whether identity controls can distinguish people, partners, and autonomous tools at runtime.


At a glance

What this is: This is a Descope guide arguing that insurance CIAM must evolve to support fast customer experiences, multi-party access, and AI agent governance at the same time.

Why it matters: It matters because insurers and their IAM teams have to secure customers, brokers, partners, and AI-driven workflows without breaking access, auditability, or regulatory alignment.

By the numbers:

👉 Read Descope's guide to insurance CIAM, delegated access, and AI agent risk


Context

Insurance identity is no longer just about logging customers in. The pressure now comes from mobile claims, embedded partnerships, delegated access, and AI agents that can touch customer data and internal systems, which means old CIAM assumptions about a single user, a single session, and a single portal no longer hold.

That matters for IAM teams because insurance environments mix human users, partner identities, and emerging machine-driven access paths in the same workflow. The governance question is whether the platform can keep authentication, authorization, and auditability aligned as those actors multiply.


Key questions

Q: How should insurers govern delegated access in customer-facing workflows?

A: Insurers should treat delegated access as a time-bound, relationship-specific entitlement, not as a permanent role. The important controls are clear scope, explicit expiry, and revocation when the relationship changes. That approach reduces over-provisioning while preserving the flexibility needed for brokers, caregivers, and other authorised third parties.

Q: Why do AI agents complicate insurance identity governance?

A: AI agents complicate governance because they can act through APIs, shared tokens, or backend workflows without behaving like a human user. That makes accountability, revocation, and session tracing harder. IAM teams need to govern the machine path as a distinct access class rather than assuming human-style login controls will cover it.

Q: How can security teams keep insurance login flows secure without hurting conversion?

A: Use adaptive authentication so low-risk sessions stay smooth and high-risk actions trigger stronger checks only when needed. Passkeys, step-up verification, and contextual risk signals let teams reduce password friction without lowering assurance for claims, payout, or account-change activity.

Q: Who should own auditability for third-party access in insurance CIAM?

A: Ownership should sit with the identity programme, not with application teams alone. Auditability needs to cover authentication, delegated authorisation, and the actions taken after access is granted. If logs cannot connect the actor, the relationship, and the transaction, the access model is not fully governable.


Technical breakdown

Adaptive authentication in insurance CIAM

Adaptive authentication adjusts the verification step to the risk context rather than forcing the same challenge on every login. In insurance, that means a known broker device may be allowed to proceed with minimal friction, while an unfamiliar session from a different region can trigger step-up checks. The value is not just user convenience. It is that the authentication decision becomes sensitive to session anomalies, device signals, and transaction type, which is essential when claims, beneficiary changes, and payouts carry different risk levels.

Practical implication: tie step-up policies to action risk, not just login risk, so sensitive insurance transactions receive stronger proof than routine portal access.

Scoped delegation and relationship-based access

Insurance access is often delegated, not direct. Parents act for children, brokers act for clients, and partner firms may need limited visibility into policy or claims data. RBAC gives the broad role, ABAC adds attributes such as geography or license level, and ReBAC ties access to a specific relationship. That combination matters because insurance workflows are dynamic and contextual. Without scoped delegation, organisations end up over-provisioning access or forcing manual exceptions that create both risk and operational drag.

Practical implication: model delegated access as a time-bound, relationship-specific entitlement rather than as a permanent role assignment.

AI agent access in customer identity workflows

The article treats AI agents as a new class of actor that may access APIs, retrieve customer data, or assist in backend tasks. The core issue is not whether the system is automated, but whether the agent has bounded permissions, traceable activity, and revocable access. Shared credentials and hardcoded tokens blur accountability because the organisation cannot easily tell what the agent did or whether it stayed within scope. That turns CIAM into a control plane for both human and non-human access paths.

Practical implication: use scoped tokens, short-lived credentials, and audit logging for AI-driven workflows so agent activity remains attributable and revocable.



NHI Mgmt Group analysis

Insurance CIAM is becoming a governance layer for mixed identity populations, not just customers. The article is really describing a control environment where policyholders, brokers, third parties, and AI-driven workflows all share the same access fabric. That changes CIAM from a login problem into an entitlement and accountability problem. The practitioner takeaway is that insurance programmes now need to classify who or what is acting before deciding how access should be granted.

Scoped delegation is the named concept insurance teams should focus on here. The article shows that insurance access is frequently indirect, relationship-based, and temporary, which makes permanent roles too blunt for the job. ReBAC and time-bounded delegation are not conveniences in this context, they are the only way to avoid over-provisioning in multi-party claims and servicing flows. The practitioner takeaway is to treat delegated insurance access as a governed entitlement lifecycle.

AI agents turn CIAM into a control point for machine identity as well as human identity. Once an agent can call APIs, handle customer data, or move through backend workflows, the old assumption that CIAM only governs people stops being useful. This is an NHI-style access problem even when the frontend still looks like customer identity. The practitioner takeaway is to align CIAM, secrets handling, and audit trails so machine activity is governed with the same traceability expected of privileged human access.

Compliance pressure now sits on the relationship between authentication strength, authorization scope, and auditability. The article links insurance CIAM to NYDFS, DORA, and HIPAA requirements, but the practical issue is whether controls are consistent across portals, partners, and delegated flows. If identity events cannot be traced cleanly, the programme may satisfy a login policy while still failing governance expectations. The practitioner takeaway is to test whether access logs, consent records, and privilege boundaries line up across the insurance journey.

From our research:

  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
  • For a broader control lens, OWASP Agentic AI Top 10 helps teams connect agent behaviour to identity and privilege boundaries.

What this signals

Insurance teams should expect CIAM to absorb more of the governance burden as embedded distribution and AI-assisted servicing expand. With 98% of companies planning to deploy even more AI agents within the next 12 months, the access model will be forced to distinguish human intent from machine execution far more often than legacy portals were designed to do.

Scoped delegation debt: when partner, broker, and proxy access accumulates faster than expiry and review cycles, the CIAM layer becomes harder to certify than the application it protects. Teams that already rely on relationship-based access should review whether those entitlements remain traceable under partner churn and AI-assisted workflows.


For practitioners

  • Map every insurance actor class Separate policyholders, brokers, partner firms, internal staff, and AI-driven workflows into distinct identity and access models so the programme does not apply one access pattern to all users.
  • Convert delegated access into scoped entitlements Define who can act on behalf of whom, for which data, and for how long, then make expiry and revocation part of the default access lifecycle.
  • Tighten AI agent access to customer systems Issue short-lived tokens, restrict agent permissions to specific API calls, and require audit logs that show which workflow, dataset, or customer record the agent touched.
  • Align authentication with transaction sensitivity Use adaptive MFA and step-up checks for high-risk actions such as claims changes, payout events, and beneficiary updates, while keeping routine self-service low-friction.

Key takeaways

  • Insurance CIAM is shifting from login assurance to full access governance across customers, partners, and AI-driven workflows.
  • The biggest operational risk is no longer only weak authentication, but delegated access that outlives the relationship it was meant to represent.
  • Teams should tighten scope, auditability, and expiry together, because insurance identity now spans human users and machine actors in the same journey.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03AI agents and scoped tokens raise NHI lifecycle and access control issues.
NIST CSF 2.0PR.AC-4Insurance CIAM depends on restricting access by role, relationship, and transaction risk.
NIST Zero Trust (SP 800-207)SC-7Adaptive authentication and delegated access fit zero trust segmentation and verification principles.

Track non-human access lifecycles and ensure tokens, secrets, and permissions expire with the workflow.


Key terms

  • Customer Identity and Access Management: CIAM is the discipline for handling external user identity at scale, including registration, login, consent, and access decisions. In insurance, it also has to support brokers, partners, and delegated actors, which means the scope extends beyond consumer UX into relationship-aware authorization and auditability.
  • Relationship-based Access Control: ReBAC grants access based on a specific relationship between the actor and the resource, such as broker to client or parent to dependent. It is useful when roles are too broad and attributes alone do not capture the context needed to make access safe and auditable.
  • Adaptive Authentication: Adaptive authentication changes the strength of verification based on contextual risk signals such as device, location, or session behaviour. In insurance, it helps keep routine access smooth while increasing assurance for claims, payouts, and other high-risk account actions.
  • AI Agent Access: AI agent access is the use of scoped credentials, tokens, or API permissions by a machine actor that can perform tasks in backend systems. It requires identity governance because the agent is not just a tool caller, it is an actor whose actions must be bounded, logged, and revoked.

What's in the full article

Descope's full guide covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of adaptive MFA and step-up authentication for insurance customer journeys
  • Implementation guidance for RBAC, ABAC, and ReBAC in multi-party insurance ecosystems
  • Operational patterns for delegated access, self-service administration, and audit logging
  • Practical treatment of AI agent access, token lifecycle controls, and scoped API permissions

👉 Descope's full post covers authentication patterns, authorization models, and AI-driven insurance access workflows.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org