
CIAM and PIAM are changing fast, what should IAM teams do now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Gartner’s 2025 Innovation Insight says CIAM has passed 40% market penetration and PIAM is still emerging, while most PIAM implementations remain custom-built and new vendors are entering with purpose-built tools. The practical shift is to treat B2C and B2B as capability sets for individuals and organisations, not just user labels.

NHIMG editorial — based on content published by Curity: the Gartner Innovation Insight on Customer and Partner Identity and Access Management

By the numbers:

Questions worth separating out

Q: How should IAM teams separate CIAM and PIAM governance?

A: Treat CIAM and PIAM as different operating models with different success criteria.

Q: When should organisations split external identity into separate programmes?

A: Split the programme when the trust boundary, identity source, or user journey differs materially.

Q: What do security teams get wrong about balancing CIAM security and UX?

A: They often treat friction as an implementation issue after the fact.

Practitioner guidance

  • Separate CIAM and PIAM operating models: define distinct governance, architecture, and success metrics for identities that belong to individuals versus organisations.
  • Map partner identity provenance before choosing controls: for PIAM, document which identity provider sources are authoritative, how federation will work, and where self-service enrolment is acceptable.
  • Review CIAM friction against conversion and recovery outcomes: test whether step-up checks, anti-account-takeover rules, and recovery journeys create abandonment or support load that negates the risk reduction.

What's in the full article

Curity's full blog covers the operational detail this post intentionally leaves for the source:

  • How Curity maps CIAM and PIAM capabilities to concrete implementation patterns
  • The report-backed market snapshot on CIAM penetration and PIAM maturity
  • Practical guidance on identity provider integration and self-service federation planning
  • The trade-off discussion between anti-account-takeover controls and user experience

👉 Read Curity’s analysis of CIAM and PIAM as separate IAM capability models →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

CIAM and PIAM should be treated as distinct IAM operating models, not variants of the same programme. The report is right to separate identity services for individuals from identity services for organisations because the governing assumptions differ from the start. Consumer identity is optimised for consent, recovery, and experience, while partner identity is optimised for delegated trust, organisational provenance, and controlled collaboration. Practitioners should stop collapsing both into one external identity roadmap.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • Only 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.

A question worth separating out:

Q: How do identity provider integrations affect PIAM risk?

A: Identity provider integrations determine whether partner access starts from a trustworthy source or from a weak assertion chain. If provenance is unclear, access reviews and policy checks are built on unstable identity data. That is why PIAM design must begin with authoritative identity sources and federation paths.

👉 Read our full editorial: Customer and partner identity needs are outgrowing B2C and B2B labels
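The provenance point in the answer above, as an added example that is not part of the original post or of Curity's material: a policy check that only admits a federated partner login when the asserting identity provider is authoritative for the claimed organisation. The registry structure, the sample organisations and issuers, and the claim names (`org`, `iss`, `email`) are assumptions.

```python
# Added example (not NHIMG's or Curity's code): a provenance check for
# federated partner logins. Assumes a hypothetical registry recording, per
# partner organisation, which identity providers are authoritative for it
# and which e-mail domains it actually controls.
from dataclasses import dataclass


@dataclass
class PartnerOrg:
    org_id: str
    authoritative_issuers: set[str]       # IdPs allowed to assert this org's users
    email_domains: set[str]               # domains the org owns
    self_service_enrolment: bool = False  # may users enrol without an IdP assertion?


# Constructed sample registry (hypothetical organisations and issuer URLs).
REGISTRY = {
    "acme": PartnerOrg("acme", {"https://idp.acme.example"}, {"acme.example"}),
    "globex": PartnerOrg("globex", {"https://login.globex.example"},
                         {"globex.example"}, self_service_enrolment=True),
}


def check_provenance(claims: dict, registry=REGISTRY) -> tuple[bool, str]:
    """Decide whether a partner login's claims come from an authoritative source.

    `claims` is a token payload whose signature has already been verified;
    this step only asks whether the *source* is trustworthy for the org.
    """
    org = registry.get(claims.get("org"))
    if org is None:
        return False, "unknown partner organisation"
    issuer = claims.get("iss", "")
    domain = claims.get("email", "").rpartition("@")[2].lower()
    if issuer in org.authoritative_issuers:
        # The org's own IdP is authoritative for its users, but must not
        # assert an address on a domain the org does not own.
        if domain not in org.email_domains:
            return False, f"issuer {issuer} asserted foreign domain {domain}"
        return True, "authoritative issuer"
    if org.self_service_enrolment and domain in org.email_domains:
        # Self-service path: only where the org opted in, and only for an
        # address on an owned domain (address verification happens elsewhere).
        return True, "self-service enrolment on owned domain"
    return False, f"issuer {issuer} is not authoritative for {org.org_id}"
```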



   