By NHI Mgmt Group Editorial Team. Published 2025-08-08. Domain: Announcements. Source: Imprivata

TL;DR: As cybersecurity budgets rose only 4% in 2025 and 61% of CIOs say proving ROI is very challenging, organisations are tightening spending while still prioritising AI and automation, according to IANS Research and Lenovo. The catch is that poorly integrated IAM can drive password sharing, workarounds, and workflow delays, turning inefficiency into a security risk rather than a productivity issue.


At a glance

What this is: This analysis argues that ROI pressure is forcing organisations to re-examine IAM because access friction can create both operational inefficiency and security exposure.

Why it matters: It matters because IAM, NHI, autonomous systems, and human access programmes all fail when users or operators bypass controls that slow work more than they secure it.

By the numbers:



Context

IAM pressure is increasingly shaped by the same budget logic that governs every other security investment: leaders want measurable value, not just more control points. In that environment, identity and access management becomes a test of whether security can reduce risk without making work harder for humans or more brittle for machine identities.

The core problem is not that organisations lack access controls. It is that poorly integrated controls create delays, prompt credential sharing, and encourage workarounds that reduce the effective security value of the programme. That makes IAM a business efficiency issue and a governance issue at the same time, across human identity, NHI workflows, and any future autonomous access model built on the same assumptions.


Key questions

Q: How should security teams reduce IAM friction without weakening control?

A: Start by identifying the access paths that users bypass most often, then redesign those steps so they fit the actual workflow. The goal is not to remove verification, but to place it where it changes risk. If controls are too slow or disruptive, users will create shadow practices that reduce both security and visibility.

Q: Why does IAM usability now matter to security leaders?

A: Because bad access design produces security losses as well as productivity losses. When users encounter too much friction, they share credentials, request exceptions, or ignore intended process. That means usability is part of control effectiveness, and it belongs in the same governance conversation as authentication strength and policy enforcement.

Q: How can organisations tell whether IAM is improving ROI?

A: Look for fewer help desk tickets, fewer exception requests, shorter access delays, and lower rates of informal workarounds. If the programme is healthy, it should reduce manual effort while preserving or improving control outcomes. ROI in IAM is visible when security and productivity move in the same direction.

Q: Who should own the business case for modern IAM?

A: Ownership should sit with identity and security leaders together, because the business case spans risk reduction, user efficiency, and operational support costs. Finance will want the productivity story, while security will need the control story. A credible IAM case proves both with evidence from real access behaviour.


Technical breakdown

Why IAM friction becomes a security control failure

Access friction changes behaviour. When authentication steps, approvals, or application handoffs slow work more than they help it, users search for shortcuts such as shared passwords, repeated logins, or informal exceptions. That weakens the control plane because the actual policy in use is no longer the one designed by IAM teams. In practice, the security outcome depends not only on the control itself, but on whether it fits into the workflow well enough to be followed consistently. Continuous authentication and zero trust aim to reduce that gap, but only when they are implemented without creating avoidable delay.

Practical implication: measure where users bypass identity controls and redesign the most common friction points first.

How zero trust and continuous authentication support usable access

Zero trust and continuous authentication shift the trust decision away from a single login event and toward ongoing verification. That matters because modern work happens across hybrid environments, cloud services, and many short-lived sessions rather than a single trusted perimeter. The technical goal is to keep authentication and authorisation aligned with actual session risk without forcing repeated full re-entry at every step. For identity teams, the challenge is balancing step-up checks, session context, and device posture so that protection is proportional and does not invite workarounds.

Practical implication: tune verification steps to session risk instead of applying the same friction to every access request.

Why IAM now affects ROI across the whole security stack

IAM sits upstream of many other security investments because it governs who or what can reach applications, data, and administrative functions. If identity controls are noisy or slow, the organisation pays twice: once in lost productivity and again in weaker enforcement because people and systems route around the intended process. This is especially important in cloud and hybrid environments where access paths multiply and manual control scales poorly. IAM is therefore not just an access layer. It is a force multiplier or a drag factor for broader cyber resilience depending on how well it is integrated.

Practical implication: evaluate IAM as a control effectiveness layer, not just as an authentication project.


NHI Mgmt Group analysis

Access friction is now a governance risk, not just a user-experience issue. The article is right to treat inefficient identity controls as a security problem because people respond predictably to barriers by sharing credentials or bypassing process. That means the control failure is behavioural as much as technical, and the programme must be judged by whether it changes real access behaviour. The practitioner conclusion is simple: if an identity control invites routine circumvention, it is already losing value.

IAM is becoming the budgeting test for whether security can prove operational value. Budget pressure forces organisations to distinguish between controls that merely exist and controls that reduce workload, incidents, or manual effort. IAM is one of the few domains where those outcomes can be measured directly through login volume, exception rates, and help desk demand. The implication for security leaders is that access governance now needs a business case rooted in measurable workflow impact, not policy intent alone.

Continuous authentication and zero trust only work when they reduce, rather than accumulate, friction. The article points toward a practical reality that many programmes still miss: every added verification step must earn its place in the workflow. If it does not, users will preserve productivity by finding another path around it. The practitioner conclusion is that verification design must be tuned to session risk and operational context, or the control will be rationally ignored.

Hybrid work and cloud expansion make identity the shared control surface for human and machine access. As environments become more distributed, the same access design choices affect employees, service accounts, and future autonomous systems. That raises the value of IAM architecture that can support consistent policy enforcement without assuming a single network boundary or a single identity type. The practitioner conclusion is to treat identity architecture as a cross-programme governance layer, not a siloed login toolset.

Efficiency-driven security spending is pushing the market toward controls that can demonstrate reduced friction and reduced risk at the same time. This is not a license to weaken security. It is a signal that identity programmes which cannot show operational benefit will struggle to compete for budget against automation, AI, and other efficiency investments. The practitioner conclusion is to frame IAM investments in terms of avoided work, fewer exceptions, and lower bypass pressure.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • For a wider governance lens, read Ultimate Guide to NHIs, Key Challenges and Risks for the visibility and over-privilege patterns that make IAM friction more dangerous.

What this signals

Access friction will keep reshaping security buying decisions. As budget owners push for measurable ROI, identity programmes will be judged on whether they reduce manual work while preserving policy enforcement. That shifts IAM from a compliance function to an operational efficiency control, and teams that cannot evidence this will struggle to justify expansion.

Credential-sharing pressure is a programme design signal, not just a user-behaviour problem. When users begin to route around access steps, the control design has failed to match the operating model. Identity teams should watch for repeated exceptions, growing help desk demand, and inconsistent session behaviour because those are early signs that IAM is being treated as an obstacle rather than an enabler.

For broader IAM maturity, link access design to lifecycle and risk controls. The most resilient programmes will connect authentication, access approval, recertification, and exception handling into one operating model rather than treating them separately. Use The 52 NHI Breaches Report to see how weak access governance compounds when identity sprawl and unmanaged credentials are present.


For practitioners

  • Map identity friction points to bypass behaviour: Identify the access steps that most often trigger password sharing, repeated logins, or informal exceptions. Prioritise the workflows where users are most likely to trade security for speed, then redesign those points before expanding broader control coverage.
  • Quantify IAM value in operational terms: Track login delays, help desk tickets, exception approvals, and the time saved by reducing manual access handling. Use those measures to show whether the programme is lowering friction while maintaining security outcomes.
  • Tune continuous verification to session risk: Apply stronger verification only when context changes or risk increases, rather than forcing the same interaction pattern everywhere. That keeps continuous authentication defensible while reducing the likelihood that users seek shortcuts around it.
  • Review IAM as a cross-programme control layer: Assess how identity controls affect cloud access, workforce productivity, and downstream security tools together. Treat IAM as infrastructure that shapes the effectiveness of the rest of the security stack, not as a standalone front-end process.
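The session-risk tuning described in the technical breakdown ("tune verification steps to session risk") and in the "Tune continuous verification to session risk" item above, as an added Python example that is not part of the original article or of Imprivata's material: a risk-proportional step-up decision is replayed over a constructed sequence of access events and compared with a uniform policy that demands a step-up on every request. The policy thresholds, event fields, and sample session are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed policy: maximum age, in seconds, of the last strong authentication
# that a resource of a given sensitivity (0 = low, 3 = admin) will accept.
STRONG_AUTH_MAX_AGE = {0: 8 * 3600, 1: 4 * 3600, 2: 3600, 3: 600}

@dataclass(frozen=True)
class AccessEvent:
    ts: int           # seconds since the user started working
    device_id: str
    network: str      # "corp" or "public" in this example
    posture_ok: bool  # device posture check result
    sensitivity: int  # key into STRONG_AUTH_MAX_AGE

def decide(verified, ev):
    """Step up only on context change or stale strong auth; `verified` is the
    event at which the user last completed a step-up, or None."""
    if not ev.posture_ok:
        return "deny", "device posture check failed"
    if verified is None:
        return "step_up", "no verified session yet"
    if ev.device_id != verified.device_id or ev.network != verified.network:
        return "step_up", "session context changed"
    if ev.ts - verified.ts > STRONG_AUTH_MAX_AGE[ev.sensitivity]:
        return "step_up", "strong auth too old for this resource sensitivity"
    return "allow", "context unchanged and strong auth still fresh"

def replay(events, uniform=False):
    """Count decisions under the risk-proportional policy, or under a uniform
    policy that demands a step-up on every request."""
    verified, counts = None, {"allow": 0, "step_up": 0, "deny": 0}
    for ev in events:
        if uniform:
            decision = "step_up" if ev.posture_ok else "deny"
        else:
            decision, _reason = decide(verified, ev)
        counts[decision] += 1
        if decision == "step_up":  # a completed step-up refreshes the verified context
            verified = ev
    return counts

# Constructed session: one user, one morning, then a move from the office to a cafe.
SAMPLE = [
    AccessEvent(0, "laptop-1", "corp", True, 0),        # wiki, first access of the day
    AccessEvent(600, "laptop-1", "corp", True, 1),      # CRM
    AccessEvent(1200, "laptop-1", "corp", True, 3),     # admin console
    AccessEvent(1500, "laptop-1", "corp", True, 3),     # admin console again
    AccessEvent(2000, "laptop-1", "public", True, 0),   # wiki, now on cafe wifi
    AccessEvent(2100, "laptop-1", "public", False, 1),  # CRM, posture check failing
    AccessEvent(2200, "laptop-1", "public", True, 0),   # wiki, posture restored
]
```

On the sample session the risk-proportional policy asks for three step-ups (first access, the admin console, the network change) and denies the posture failure, while the uniform policy interrupts all six healthy requests; the difference is the avoidable friction that invites workarounds.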

Key takeaways

  • IAM becomes a security risk when it creates enough friction that users feel forced to bypass it.
  • Budget pressure is pushing identity leaders to prove that access controls reduce manual work as well as exposure.
  • The most durable IAM programmes balance verification, usability, and measurable operational value instead of treating them as competing goals.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
NIST CSF 2.0                  | PR.AC-4             | Identity access control quality shapes whether users can work without bypassing controls.
NIST Zero Trust (SP 800-207)  |                     | Zero trust depends on continuous verification without excessive user disruption.
NIST SP 800-63                |                     | Identity assurance and authentication design affect whether users comply or circumvent controls.

Review identity access paths against PR.AC-4 and remove unnecessary friction that encourages shadow access.


Key terms

  • Identity and Access Management: The discipline that governs who or what can access systems, data, and applications. In practice, IAM combines authentication, authorisation, lifecycle governance, and policy enforcement so access is granted, reviewed, and removed in a controlled way across human and non-human identities.
  • Continuous Authentication: An access approach that keeps verifying a session after initial login by using context such as device state, behaviour, or risk signals. It reduces reliance on one-time trust decisions and is most effective when the repeated checks are proportionate enough that users do not work around them.
  • Zero Trust Architecture: A security model that assumes no implicit trust based on network location or initial access. Each request is verified against context and policy, making identity, device, and session risk central to every authorisation decision instead of treating login as a permanent trust event.
  • Access Workaround: Any informal method users adopt to get work done when the approved access process is too slow or inconvenient. Workarounds often include shared credentials, skipped approvals, or repeated exceptions, and they usually signal that a control is misaligned with real operational demand.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Imprivata: Experts urge shift toward ROI-focused cyber spending as IAM gaps introduce security risk and inefficiencies. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org