
Identity as the control plane: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Organisations can strengthen cyber resilience by making identity the control plane, extending zero trust to third parties, adopting passwordless access, and using access analytics to reduce friction and risk during Cybersecurity Awareness Month, according to Imprivata. The underlying challenge is that security programmes still assume users will tolerate complexity, but control design only works when secure workflows are also the easiest workflows.

NHIMG editorial — based on content published by Imprivata: Cybersecurity Awareness Month guidance on balancing security and usability

Questions worth separating out

Q: How should organisations reduce login friction without weakening identity security?

A: Use passwordless authentication, risk-based verification, and shared-device workflows that clear sessions automatically.

Q: Why do vendor and contractor access paths need separate identity governance?

A: Because third-party access often expands trust beyond the internal workforce and is frequently reviewed less rigorously.

Q: What breaks when shared-workstation identity controls are too slow?

A: Users bypass them. If device checkout, logout, or reauthentication adds too much delay, people reuse sessions, leave credentials behind, or share access informally. That creates a gap between policy and practice, especially in frontline environments where speed matters and devices are shared across shifts.

Practitioner guidance

  • Map friction hotspots before changing controls: Baseline login duration, failed authentication rates, and device handoff issues across shared workstations, vendor access paths, and frontline roles.
  • Extend zero trust to non-employee access paths: Apply the same access review, monitoring, and least-privilege discipline to vendors and contractors that you use for employee identities.
  • Prioritise passwordless rollout in high-frequency access workflows: Start where users authenticate repeatedly and where credential reuse is most likely, such as shared devices and shift-based environments.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • How the recommended controls map to frontline healthcare, manufacturing, and public-safety workflows
  • The practical trade-offs between biometric, badge, and passkey authentication in shared-device environments
  • Examples of access-analytics metrics that can be used to benchmark login friction and adoption
  • The workflow design considerations behind vendor and contractor access governance

👉 Read Imprivata's Cybersecurity Awareness Month guidance on identity and usability →




   
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Security only works at scale when it is easier than the workaround: That is the real governance test in this article. Identity controls that slow users down create shadow processes, shared secrets, and informal exceptions that expand risk rather than reduce it. For IAM teams, the practical conclusion is that adoption quality is a security control, not a communications problem.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: How do security teams know if access analytics is improving governance?

A: Look for sustained reductions in login time, failed authentications, and unresolved workflow anomalies after policy changes. If those measures do not improve, the issue is probably control design, not user behaviour. Access analytics should prove whether the secure workflow is actually becoming the easy workflow.

👉 Read our full editorial: Identity as the control plane: balancing security and usability



   