TL;DR: As cybersecurity budgets rose only 4% in 2025 and 61% of CIOs said proving ROI is very challenging, organisations are being pushed to prioritise efficiency while managing access risk, according to IANS Research and Lenovo. Poorly integrated IAM can drive password sharing, manual workarounds, and weaker resilience when usability is ignored.
At a glance
What this is: This is an Imprivata analysis arguing that IAM should be judged on both security and operational efficiency, because access friction can drive risky workarounds and undermine ROI.
Why it matters: It matters because IAM teams need controls that reduce friction without weakening governance, especially across NHI, autonomous, and human access paths.
By the numbers:
- A recent IANS Research report found that cybersecurity budgets increased only 4% in 2025, down from 8% the year prior.
- 61% of CIOs said proving the ROI of security spending is very challenging, according to Lenovo.
👉 Read Imprivata's analysis of ROI-focused IAM security and efficiency
Context
IAM is the layer that decides who or what can authenticate, obtain access, and keep using it. In this article, the core issue is not access control in the abstract, but the operational gap that appears when security design creates delay, manual work, and user frustration. That gap matters because people and teams will work around controls they see as obstacles, especially when budgets are tight and every tool must justify itself.
For identity programmes, the practical problem is that efficiency and security are being treated as separate objectives when they are now tightly linked. Weakly integrated access controls can lead to password sharing, credential sharing, and inconsistent enforcement across human users, service accounts, and automated systems. The article argues that IAM should be built to reduce friction while still supporting zero trust and continuous authentication.
Key questions
Q: How should security teams balance IAM security with user productivity?
A: Security teams should design IAM so that access is secure and usable at the same time. If controls slow normal work, users create workarounds that weaken security and reduce confidence in the programme. Measure login friction, exception rates, and shared-credential behaviour together so the team can fix the controls that drive unsafe shortcuts.
Q: Why do access controls fail when they are too hard to use?
A: Access controls fail when users see them as obstacles to work and start bypassing them through sharing, copying, or delaying changes. The control may still exist, but its security value drops because real behaviour no longer follows the intended design. Usability is therefore part of the threat model, not a separate concern.
Q: How can organisations tell whether IAM is actually improving ROI?
A: Organisations should look for lower exception volume, fewer manual access fixes, faster task completion, and fewer risky workarounds. If a control reduces incidents but creates heavy operational drag, it may not be delivering net value. ROI in IAM is strongest when security outcomes and productivity both improve.
Q: Who should own IAM decisions when friction and risk pull in different directions?
A: IAM ownership should sit with both security and operations leaders because the problem affects risk, workflow, and business continuity at the same time. Security teams define the trust model, while operations teams validate whether the design works in real work patterns. Shared accountability prevents controls that look good on paper but fail in practice.
Technical breakdown
How IAM friction becomes a security control failure
IAM friction is not just a usability issue. When login steps, approvals, or access handoffs become cumbersome, users and teams often create unofficial shortcuts such as shared passwords, copied credentials, or delayed offboarding. Those shortcuts weaken authentication assurance and make access governance harder to audit. In practice, the control failure is not that IAM exists, but that it is implemented in a way that encourages bypass behaviour. That is why identity controls must be evaluated as workflow systems, not just policy statements.
Practical implication: measure where users bypass identity controls and treat repeated workaround patterns as a control defect, not a training issue.
Zero trust and continuous authentication in access design
Zero trust works only when access decisions are continuously re-evaluated rather than assumed to remain valid after first login. Continuous authentication extends that idea by checking risk signals over time instead of relying on a single entry event. For IAM, this matters because hybrid work, cloud sprawl, and delegated access create changing trust conditions. If the identity layer cannot keep pace with those changes, organisations either over-permit access or slow work to a crawl. The balance is not a matter of theory; it is operational design.
Practical implication: tie authentication and session controls to changing context so access stays current without forcing users into unsafe shortcuts.
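The session-level re-evaluation described above, as an added example that is not part of the original article or of any Imprivata or NHIMG tooling: every request is scored on the sensitivity of the action, the device's trust state and whether the network context still matches what was bound at the last strong authentication. A higher score shortens how old the last MFA proof may be before a step-up is required, and the most risky combination is refused outright. All thresholds, the action catalogue and the session data are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # re-prove identity before the action proceeds
    DENY = "deny"


@dataclass
class Session:
    user: str
    device_trusted: bool   # managed / attested device or not
    last_strong_auth: int  # relative-clock seconds of the last MFA proof
    last_ip: str           # network context bound at that MFA proof


@dataclass
class Request:
    at: int        # seconds on the same relative clock as the session
    ip: str
    action: str    # one of ACTION_RISK's keys


# Assumed action catalogue: higher value = more sensitive (constructed for the example).
ACTION_RISK = {"read": 0, "write": 1, "export": 2, "admin": 3}
# Oldest acceptable MFA proof, in seconds, at each risk score (assumed thresholds).
MAX_AUTH_AGE = {0: 8 * 3600, 1: 4 * 3600, 2: 900, 3: 300}
# Score at which no step-up is offered at all, e.g. admin action from a new network on an untrusted device.
DENY_THRESHOLD = 5


def risk_score(session: Session, req: Request) -> int:
    """Combine action sensitivity with context drift since the last strong auth."""
    score = ACTION_RISK[req.action]
    if req.ip != session.last_ip:
        score += 1          # network context changed since identity was last proven
    if not session.device_trusted:
        score += 1          # less assurance from an unmanaged device
    return score


def evaluate(session: Session, req: Request) -> Decision:
    """Decide per request instead of trusting the initial login for the whole session."""
    score = risk_score(session, req)
    if score >= DENY_THRESHOLD:
        return Decision.DENY
    max_age = MAX_AUTH_AGE[min(score, 3)]
    if req.at - session.last_strong_auth > max_age:
        return Decision.STEP_UP
    return Decision.ALLOW


def complete_step_up(session: Session, req: Request) -> None:
    """After a successful challenge, re-bind the session to the current context."""
    session.last_strong_auth = req.at
    session.last_ip = req.ip


def run_session(session: Session, requests: list) -> list:
    """Replay a sequence of requests; assumes every step-up challenge is passed."""
    decisions = []
    for req in requests:
        decision = evaluate(session, req)
        decisions.append(decision)
        if decision is Decision.STEP_UP:
            complete_step_up(session, req)
    return decisions


# Constructed sample sessions (not real data).
def alice_session() -> tuple:
    session = Session("alice", device_trusted=True, last_strong_auth=0, last_ip="10.0.0.5")
    requests = [
        Request(60, "10.0.0.5", "read"),        # fresh auth, low-risk action
        Request(120, "10.0.0.5", "export"),     # still within the 15-minute window
        Request(2000, "10.0.0.5", "export"),    # MFA proof too old for an export
        Request(2100, "203.0.113.9", "write"),  # new network, but just re-proven
        Request(2400, "203.0.113.9", "admin"),  # admin + network drift: 5-minute window exceeded
        Request(2450, "203.0.113.9", "admin"),  # re-bound to the new network, fresh proof
    ]
    return session, requests


def bob_session() -> tuple:
    session = Session("bob", device_trusted=False, last_strong_auth=0, last_ip="10.0.0.7")
    return session, [Request(30, "198.51.100.4", "admin")]


if __name__ == "__main__":
    for build in (alice_session, bob_session):
        session, requests = build()
        print(session.user, [d.value for d in run_session(session, requests)])
```

The point of the replay is that the same action can be allowed, challenged or refused depending on how far the context has drifted since identity was last proven, and that a passed step-up re-binds the session rather than merely unlocking one request.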
ROI-driven identity governance for human and non-human access
A cost-focused cybersecurity programme does not reduce the importance of IAM; it raises the bar for proving that IAM actually works. For human identity, the question is whether access policy supports productive work without creating manual exceptions. For non-human identity, the same logic applies to service accounts, API credentials, and automation that can amplify privilege mistakes. The strongest programmes measure both control strength and workflow impact, because a control that users evade is not delivering ROI even if it looks compliant on paper.
Practical implication: review identity controls against both risk reduction and work efficiency, then prioritise the ones that reduce exception volume.
Threat narrative
Attacker objective: The attacker wants to exploit the organisation's workaround culture and access complexity to move through trusted identity paths with less resistance.
- Entry occurs when users or administrators encounter access friction and bypass normal login or credential handling pathways.
- Escalation follows when shared credentials, copied secrets, or manual exceptions expand the usable privilege surface.
- Impact appears as weaker accountability, harder detection, and a larger attack surface across human and non-human identities.
Breaches seen in the wild
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Security controls that create friction can become self-defeating. When IAM is hard to use, people do not stop working; they route around the control surface. That creates shadow practices such as credential sharing, duplicated access paths, and delayed changes to privilege state. The lesson for the field is not that usability trumps security, but that unusable identity controls degrade both.
ROI pressure is pushing IAM from a compliance function to an operational control. The article reflects a broader market shift: leaders now expect identity programmes to prove that they improve workflow efficiency as well as reduce risk. That makes access governance a business design issue, not just a security checklist issue. Practitioners should treat IAM outcomes as measurable productivity and resilience inputs.
Zero trust only works when identity is continuously trustworthy in practice. The article's focus on continuous authentication is directionally correct because static trust assumptions break down in hybrid and cloud environments. The field should stop treating authentication as a one-time event and start treating it as an ongoing state that must match work context.
Workaround behaviour is a governance signal, not user noncompliance. Repeated password sharing, delayed approvals, and manual overrides show where the identity model no longer fits the workflow. That is a programme design failure, not just a policy enforcement issue, and it should be used to identify where IAM architecture needs redesign.
Identity efficiency debt is a useful name for the hidden cost in this article. Inefficient access design accumulates operational drag until users compensate with unsafe behaviour. That debt shows up in audit findings, privilege sprawl, and reduced confidence in both human and machine identity controls. The practical conclusion is that efficiency and governance must be treated as the same problem from different angles.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- The same report found that enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
- For a broader governance view, see Ultimate Guide to NHIs, Key Challenges and Risks for the control gaps that allow access friction, sprawl, and over-privilege to persist.
What this signals
Identity efficiency debt: as access controls create more manual work than the business will tolerate, organisations accumulate hidden risk in the form of shared credentials, exception sprawl, and inconsistent enforcement. That debt is especially dangerous where human, service account, and automated access paths overlap, because the weakest workflow becomes the easiest bypass.
The programme signal is clear: IAM teams should now track friction metrics alongside security metrics, because operational pain is often the earliest sign that control design is failing. With 2.7 separate incidents per compromised NHI in our 2024 ESG Report, the downstream cost of weak governance is rarely isolated to one account or one team.
Leaders should also expect pressure to justify access controls in business terms, not only compliance terms. That means pairing zero trust and continuous authentication language with measurable outcomes such as fewer exceptions, less password sharing, and faster completion of routine tasks.
For practitioners
- Measure access friction as a security metric: track login delays, approval bottlenecks, repeated access exceptions, and password-sharing reports together so identity teams can see where workflow pressure is driving unsafe behaviour.
- Map workaround patterns to identity control failures: review where users copy credentials, reuse shared accounts, or bypass approvals, then trace each pattern to the specific control that made the shortcut attractive.
- Align zero trust to changing session context: use continuous authentication and step-up checks for higher-risk actions instead of relying on a single login event to establish trust for the whole session.
- Treat IAM design as an ROI decision: compare the security value of identity controls with the operational cost they impose, then retire controls that create more exceptions than risk reduction.
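The first two practitioner items above (measuring friction as a security metric and tracing workaround patterns to the control that causes them) as an added, runnable example; this is not code from the article, from Imprivata or from NHIMG. It reads a constructed JSON-lines access log, computes per-application friction metrics (median login time, login failure rate, exception count) and applies a shared-credential heuristic (one account active from three or more distinct devices inside one window), then flags the applications whose controls appear to be driving shortcuts. The log format, field names, thresholds and the heuristic itself are assumptions for the illustration.

```python
import json
from collections import defaultdict
from statistics import median

# Constructed sample log (not real data), in an assumed JSON-lines shape.
SAMPLE_LOG = """
{"ts": 1000, "type": "login", "user": "alice", "app": "ehr", "duration_s": 42, "result": "ok"}
{"ts": 1010, "type": "login", "user": "bob", "app": "ehr", "duration_s": 58, "result": "ok"}
{"ts": 1020, "type": "login", "user": "carol", "app": "ehr", "duration_s": 61, "result": "fail"}
{"ts": 1030, "type": "login", "user": "carol", "app": "ehr", "duration_s": 55, "result": "ok"}
{"ts": 1100, "type": "exception", "user": "bob", "app": "ehr", "reason": "manual_grant"}
{"ts": 1200, "type": "exception", "user": "carol", "app": "ehr", "reason": "manual_grant"}
{"ts": 1300, "type": "exception", "user": "dave", "app": "ehr", "reason": "break_glass"}
{"ts": 1400, "type": "session", "user": "shared-nurse", "app": "ehr", "device": "ws-01", "ip": "10.1.1.10"}
{"ts": 1450, "type": "session", "user": "shared-nurse", "app": "ehr", "device": "ws-02", "ip": "10.1.1.11"}
{"ts": 1500, "type": "session", "user": "shared-nurse", "app": "ehr", "device": "ws-03", "ip": "10.1.1.12"}
{"ts": 2000, "type": "login", "user": "alice", "app": "wiki", "duration_s": 4, "result": "ok"}
{"ts": 2010, "type": "login", "user": "bob", "app": "wiki", "duration_s": 5, "result": "ok"}
{"ts": 2020, "type": "session", "user": "bob", "app": "wiki", "device": "lt-bob", "ip": "10.1.2.5"}
{"ts": 2100, "type": "session", "user": "bob", "app": "wiki", "device": "lt-bob", "ip": "10.1.2.5"}
"""


def parse_events(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def shared_accounts(events: list, window_s: int = 3600, min_devices: int = 3) -> dict:
    """app -> set of accounts seen on >= min_devices distinct devices inside one window.

    Assumed heuristic: one person rarely works from three workstations within an hour,
    so this pattern is a likely sign of a credential being shared between people.
    """
    sessions = defaultdict(list)
    for e in events:
        if e["type"] == "session":
            sessions[(e["app"], e["user"])].append(e)
    flagged = defaultdict(set)
    for (app, user), sess in sessions.items():
        sess.sort(key=lambda e: e["ts"])
        for i, start in enumerate(sess):
            devices = {e["device"] for e in sess[i:] if e["ts"] - start["ts"] <= window_s}
            if len(devices) >= min_devices:
                flagged[app].add(user)
                break
    return flagged


def friction_report(events: list, window_s: int = 3600, min_devices: int = 3) -> dict:
    """Per-application friction metrics, measured alongside the security signal."""
    logins = defaultdict(list)
    exceptions = defaultdict(int)
    for e in events:
        if e["type"] == "login":
            logins[e["app"]].append(e)
        elif e["type"] == "exception":
            exceptions[e["app"]] += 1
    shared = shared_accounts(events, window_s, min_devices)
    report = {}
    for app in set(logins) | set(exceptions) | set(shared):
        durations = [e["duration_s"] for e in logins[app]]
        failures = sum(1 for e in logins[app] if e["result"] != "ok")
        report[app] = {
            "median_login_s": median(durations) if durations else 0.0,
            "login_failure_rate": failures / len(durations) if durations else 0.0,
            "exceptions": exceptions[app],
            "shared_accounts": sorted(shared[app]),
        }
    return report


def flag_controls(report: dict, max_median_login_s: float = 30, max_exceptions: int = 2) -> dict:
    """app -> reasons; each reason names the friction pattern that points at a control defect."""
    flags = {}
    for app, m in sorted(report.items()):
        reasons = []
        if m["median_login_s"] > max_median_login_s:
            reasons.append("slow_login")          # login path itself is the bottleneck
        if m["exceptions"] > max_exceptions:
            reasons.append("exception_volume")    # policy does not fit the real workflow
        if m["shared_accounts"]:
            reasons.append("shared_credentials")  # users already routing around the control
        if reasons:
            flags[app] = reasons
    return flags


if __name__ == "__main__":
    report = friction_report(parse_events(SAMPLE_LOG))
    for app, metrics in sorted(report.items()):
        print(app, metrics)
    print("flagged:", flag_controls(report))
```

Running it flags only the `ehr` application, with all three reasons, while `wiki` shows low friction and no sharing signal; the value of reporting the metrics together is that the slow login, the exception volume and the shared account point at the same control rather than being handled as separate help-desk, audit and awareness problems.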
Key takeaways
- IAM is no longer just a security control, because when it slows work too much it encourages the very behaviour that undermines security.
- The article's central warning is that efficiency and identity governance now move together, so bad access design becomes a risk multiplier.
- Practitioners should measure friction, exception volume, and workaround behaviour together, then redesign the controls that users are most likely to evade.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity credentials and access management are central to the article's friction and workaround problem. |
| NIST Zero Trust (SP 800-207) | AC-3 | The article calls for continuous trust validation rather than one-time login decisions. |
| NIST SP 800-63 | AAL2 | Continuous authentication aligns with stronger identity assurance in access-heavy environments. |
Review access control design against PR.AC-1 and reduce workflow friction that leads to sharing or bypasses.
Key terms
- Identity Friction: The operational resistance users experience when identity controls slow down ordinary work. In practice, friction can trigger unsafe shortcuts such as shared passwords, delayed approvals, and manual exceptions that weaken security outcomes while making the programme feel harder to use.
- Continuous Authentication: A trust model that rechecks identity and session risk throughout the life of an access session instead of trusting the first login forever. For identity programmes, it helps security teams adapt access decisions to changing context in hybrid and cloud environments.
- Workaround Behaviour: Any user action that bypasses the intended identity control path because the official process is too slow, confusing, or disruptive. In governance terms, it is a signal that the control design is misaligned with how work actually gets done, not just a training issue.
- Identity Efficiency Debt: The hidden operational cost that builds up when identity controls create too much manual effort for the business to absorb. Over time, that debt shows up as exceptions, shadow processes, weaker accountability, and lower confidence in the control environment.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Imprivata: Experts urge shift toward ROI-focused cyber spending as IAM gaps introduce security risk and inefficiencies. Read the original.
Published by the NHIMG editorial team on 2025-08-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org