TL;DR: Security and usability can be aligned by making identity the control plane, extending zero trust to vendors, adopting passwordless authentication, tightening shared-device access, and using access analytics and training to reduce workarounds, according to Imprivata. The practical lesson is that identity controls fail when they create friction that users route around.
NHIMG editorial — based on content published by Imprivata: Cybersecurity Awareness Month guidance on identity, usability, and secure workflows
Questions worth separating out
Q: How should organisations balance security and usability in identity controls?
A: They should design identity controls so the secure path is also the easiest path to complete work.
Q: Why do passwordless and zero trust programmes fail in practice?
A: They fail when they are introduced as extra steps rather than integrated into existing workflows.
Q: How do security teams know if identity friction is becoming a risk?
A: They should watch login duration, failed authentication, device utilisation, and the volume of manual exceptions.
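The metrics named in that answer (login duration, failed authentication, device utilisation, manual exceptions) can be computed directly from authentication logs. The script below is an added illustration, not code from Imprivata or NHIMG; the event fields, the constructed sample events and the thresholds are assumptions, and it simply aggregates per device and flags where friction is high enough that users are likely to be routing around the control.

```python
"""Friction metrics from authentication logs (added illustration).

The event schema, the sample events and the thresholds below are
assumptions made for this example, not Imprivata's or NHIMG's data.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: one event per authentication attempt on a device.
# outcome: "success" | "failure" | "manual_override" (a helpdesk bypass,
# i.e. a manual exception that the policy did not anticipate)
SAMPLE_EVENTS = [
    {"user": "rn01", "device": "ws-icu-1", "outcome": "success", "duration_s": 4.1},
    {"user": "rn01", "device": "ws-icu-1", "outcome": "success", "duration_s": 3.8},
    {"user": "rn02", "device": "ws-icu-1", "outcome": "failure", "duration_s": 12.0},
    {"user": "rn02", "device": "ws-icu-1", "outcome": "failure", "duration_s": 11.5},
    {"user": "rn02", "device": "ws-icu-1", "outcome": "manual_override", "duration_s": 30.0},
    {"user": "rn03", "device": "ws-icu-2", "outcome": "success", "duration_s": 2.9},
    {"user": "rn04", "device": "ws-icu-2", "outcome": "success", "duration_s": 3.2},
    {"user": "vendor7", "device": "vpn-gw", "outcome": "failure", "duration_s": 9.0},
    {"user": "vendor7", "device": "vpn-gw", "outcome": "manual_override", "duration_s": 45.0},
]

# Assumed thresholds; in practice derive them from the environment's baseline.
THRESHOLDS = {"median_duration_s": 8.0, "failure_rate": 0.3, "override_count": 1}


def compute_metrics(events):
    """Aggregate the four friction indicators per device."""
    acc = defaultdict(lambda: {"attempts": 0, "failures": 0, "overrides": 0,
                               "durations": [], "users": set()})
    for e in events:
        m = acc[e["device"]]
        m["attempts"] += 1
        m["durations"].append(e["duration_s"])
        m["users"].add(e["user"])
        if e["outcome"] == "failure":
            m["failures"] += 1
        elif e["outcome"] == "manual_override":
            m["overrides"] += 1
    metrics = {}
    for device, m in acc.items():
        metrics[device] = {
            "attempts": m["attempts"],
            "distinct_users": len(m["users"]),          # device utilisation
            "median_duration_s": median(m["durations"]),  # login duration
            "failure_rate": m["failures"] / m["attempts"],  # failed authentication
            "override_count": m["overrides"],            # manual exceptions
        }
    return metrics


def friction_findings(metrics, thresholds=THRESHOLDS):
    """Return (device, reasons) pairs where any indicator crosses its threshold."""
    findings = []
    for device, m in sorted(metrics.items()):
        reasons = []
        if m["median_duration_s"] > thresholds["median_duration_s"]:
            reasons.append("slow logins")
        if m["failure_rate"] > thresholds["failure_rate"]:
            reasons.append("high failure rate")
        if m["override_count"] >= thresholds["override_count"]:
            reasons.append("manual exceptions present")
        if reasons:
            findings.append((device, reasons))
    return findings


if __name__ == "__main__":
    for device, reasons in friction_findings(compute_metrics(SAMPLE_EVENTS)):
        print(f"{device}: {', '.join(reasons)}")
```

Devices that show up with several reasons at once (slow logins, repeated failures and a manual override on the same shared workstation) are the places where a passwordless or badge-tap rollout pays off first; a device with no findings is not where the friction risk is.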
Practitioner guidance
- Make identity the single control layer: map login, device trust, and application entitlement decisions into one policy model so users are not forced through parallel approval paths.
- Deploy passwordless in high-friction workflows first: start with roles that authenticate repeatedly on shared devices or frontline workstations, then add session reset, automatic credential clearing, and fast device checkout so the new method does not introduce residual access risk.
- Extend Zero Trust to third-party access: apply conditional access, monitoring, and lifecycle reviews to contractors and vendors with the same rigour used for employee access.
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- Specific workflow examples for biometric, badge, and mobile credential use in frontline environments.
- Practical guidance on applying passwordless authentication to shared workstations and mobile devices.
- Concrete access analytics measures for tracking login duration, failure rates, and device usage.
- Culture and micro-training ideas for improving day-to-day security behaviour across the workforce.
👉 Read Imprivata's guidance on identity, usability, and Cybersecurity Awareness Month →
Explore further: identity as the control plane for security and usability
Identity is the only viable control plane when organisations want both security and usability. The article is correct that access policy cannot be treated as a separate security layer from the user workflow. When identity is the coordination point for authentication, device trust, and application access, teams can reduce the gap between policy intent and actual behaviour. That matters because many control failures begin as usability failures, not technical ones.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable for securing vendor and contractor access?
A: The owning identity and access team is accountable for making third-party access follow the same policy, monitoring, and lifecycle discipline as employee access. Security, operations, and business owners all share execution responsibility, but accountability cannot be delegated away when vendors or contractors touch critical systems.
👉 Read our full editorial: Cybersecurity Awareness Month shows why identity must be the control plane