TL;DR: The NHS Digital Maturity Assessment now lets organisations compare digital capability with user experience, exposing a persistent gap between deployed systems and frontline usability, according to Imprivata. The real lesson is that identity and access are not supporting functions but the control plane that determines whether digital investment translates into safe, usable care.
At a glance
What this is: The NHS Digital Maturity Assessment shows that digital capability and user experience can diverge sharply, with access friction emerging as a core barrier to useful transformation.
Why it matters: For IAM, NHI, and human identity programmes, this matters because insecure or fragmented access undermines adoption, workflow efficiency, and security at the same time.
Context
The core problem is not whether organisations have bought digital tools, but whether people can use them consistently enough for those tools to change practice. In the NHS context, digital maturity describes what is deployed, while digital experience describes how that environment behaves for clinicians in real workflows.
That distinction is directly relevant to identity and access management because access is the first control point every user encounters. When authentication is slow, inconsistent, or fragmented, organisations create workarounds, weaken security, and reduce the value of EPRs, interoperability, and AI-enabled services.
Key questions
Q: How should healthcare organisations balance digital security with clinician usability?
A: They should measure both together and treat access as part of the care delivery model. Security controls that slow clinicians down or force workarounds often get bypassed, which weakens both safety and governance. The practical target is secure access that fits the workflow, not security layered on after the workflow has already failed.
Q: Why does identity management matter in digital maturity programmes?
A: Because identity is the control layer that determines whether users can actually reach systems, complete tasks, and trust the environment. If access is fragmented, maturity scores can overstate real capability. Identity management turns digital investment into usable practice, which is why it should be measured as an operational dependency rather than a back-office function.
Q: What breaks when access controls create too much friction?
A: Users build workarounds, support demand increases, and security rules lose legitimacy. Over time, the organisation starts treating exceptions as normal, which creates governance drift. That pattern is especially damaging in healthcare because access delays directly affect clinical flow and the perceived value of the broader digital programme.
Q: How can teams tell whether access is improving digital experience?
A: Look for fewer login steps, more consistent session behaviour, fewer reported access workarounds, and better satisfaction from frontline users. Those signals show whether identity controls are supporting real work. If the environment is technically mature but users still struggle, the access layer is failing the programme.
Technical breakdown
Digital maturity versus digital experience
Digital maturity measures infrastructure, interoperability, security, and data capability. Digital experience measures whether those controls actually support the people using them. The gap matters because a system can score well on deployment while still producing poor outcomes at the point of care. In practice, maturity without usability creates hidden operational risk: clinicians take shortcuts, support costs rise, and security controls become friction rather than protection.
Practical implication: Measure access outcomes alongside capability scores so identity design is judged by workflow performance, not deployment alone.
Why identity sits at the centre of clinical usability
Identity and access management is the mechanism that determines whether a clinician can reach the right system at the right moment. In healthcare, that means authentication, federation, session continuity, and privilege boundaries all have direct operational impact. If access is inconsistent across sites or devices, digital maturity stalls because users experience the environment as unreliable. Good identity design reduces friction without weakening security, which is why it sits beneath every other digital investment.
Practical implication: Design access flows around clinician movement, not around internal system boundaries.
Why security and usability should be measured together
Security controls that are technically sound but operationally painful often fail in practice because users route around them. The better test is whether a control preserves security while reducing unnecessary effort at the point of use. In a healthcare setting, that means evaluating login steps, session persistence, and access consistency alongside risk outcomes. This is the difference between policy compliance and lived usability.
Practical implication: Track identity controls against both risk and user-experience metrics before scaling them across clinical environments.
Breaches seen in the wild
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
- Emerald Whale breach — exposed Git config files led to 15K secrets stolen and 10K repo compromises.
NHI Mgmt Group analysis
Digital maturity without identity usability is an incomplete control model: Organisations can deploy modern systems and still fail to deliver reliable access where it matters. The NHS assessment reinforces a broader identity lesson: deployment is not the same as operational control. If clinicians cannot move through systems efficiently, the programme has not achieved maturity in any practical sense. The practitioner conclusion is that access quality must be treated as part of the control surface, not as a separate service issue.
Identity friction becomes governance drift when it is normalised: Repeated workarounds around login, session handling, or access inconsistency eventually become accepted behaviour. That is how poor identity design turns into policy exception culture. The issue is not just inconvenience, but the steady erosion of trust in the control environment. The practitioner conclusion is that friction is an early warning indicator of governance weakness.
Clinical digital programmes need a measurable access layer, not just a technology inventory: The assessment’s value lies in comparing what exists with what actually works for users. That is the same discipline identity teams need across human IAM and machine access: measure whether access supports the task, not merely whether the control has been implemented. The practitioner conclusion is that identity metrics should be tied to workflow outcomes, not only compliance checks.
Access is the shared dependency across human, workload, and AI-enabled care: The article focuses on clinicians, but the governance implication is broader. Every digital programme now depends on identity for humans, service accounts, and emerging AI-assisted workflows. If access is fragmented for one actor type, it usually signals deeper design issues in the whole identity estate. The practitioner conclusion is to treat access experience as a cross-domain programme measure, not a point solution metric.
From our research:
- The average organisation believes more than 1 in 5 of its non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
- For a broader lifecycle view, NHI Lifecycle Management Guide helps teams link access quality to provisioning, rotation, and offboarding discipline.
What this signals
Identity experience is becoming a board-level maturity signal: As organisations publish more evidence on how systems are actually used, access quality will increasingly be judged alongside infrastructure and security posture. The practical shift is that IAM teams will need to show whether access design supports service delivery, not merely whether controls exist. That is where programme credibility will increasingly be won or lost.
Access friction is a cross-domain risk, not a single-team problem: The same design flaws that make human access painful also tend to surface later in workload and AI-assisted environments. That is why identity programmes need a common measurement language across human IAM, NHI governance, and emerging autonomous workflows. The lesson for practitioners is to use access experience as a shared control signal rather than a siloed service metric.
The NHS example suggests a named concept worth carrying forward, the identity usability gap: the difference between a control being deployed and a control being usable in real workflows. For practitioner teams, that gap is where adoption, security, and accountability all begin to fail.
For practitioners
- Measure access friction alongside maturity scores: Add login success rates, step counts, and session continuity to the same reporting pack as infrastructure and interoperability measures so identity is evaluated as part of digital maturity.
- Map workflow breakpoints to identity controls: Identify where clinicians create workarounds around authentication, role switching, or session timeouts, then trace each issue back to a specific identity control that is producing the friction.
- Align security design to care-setting movement: Review whether access patterns still work when staff move between wards, devices, and organisations, then redesign federation and access handoff where the current model creates delays.
- Use usability evidence in governance decisions: Bring user-experience findings into access reviews, architecture boards, and investment cases so identity decisions are based on operational evidence rather than policy preference.
Key takeaways
- The real maturity gap is not between old and new technology, but between deployed systems and usable access.
- When access creates friction, users create workarounds, and workarounds quickly become governance drift.
- Identity teams should prove that access helps people do the job, not just that the control has been implemented.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity access governance underpins whether digital services are usable and secure. |
| NIST SP 800-63 | | Federated access and authenticator design affect user experience in clinical environments. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust access decisions must still work in high-mobility care settings. |
Map clinician access pathways to PR.AC-1 and remove avoidable friction that drives workarounds.
Key terms
- Digital Maturity: Digital maturity is the extent to which an organisation has deployed integrated, secure, and data-capable systems. In practice, it is only meaningful when those systems can be used reliably in day-to-day work, because deployment without usability does not deliver operational change.
- Digital Experience: Digital experience is how people actually experience the systems an organisation has put in place. It covers speed, consistency, friction, and trust at the point of use, which makes it a practical measure of whether identity and access controls are helping or hindering the work.
- Identity Usability Gap: The identity usability gap is the difference between a control being present and a control being usable in real workflows. It appears when login, session, or access design is technically valid but operationally awkward, leading users to work around the control instead of relying on it.
- Access Friction: Access friction is the delay, inconsistency, or effort a person experiences when trying to reach a system or task. It becomes a governance issue when it is high enough to encourage shortcuts, exceptions, or support-heavy workarounds that weaken the intended control model.
Deepen your knowledge
Identity and access measurement in operational environments is a core theme in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance model that has to work across users, workloads, and AI-enabled services, it is worth exploring.
This post draws on content published by Imprivata: As the NHS gains increased visibility into digital maturity and user experience, DMA findings signal where progress is needed. Read the original.
Published by the NHIMG editorial team on 2026-05-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org